Hack The Box Lab: Unveiling Preignition
Starting Point — Tier 0 — Preignition Lab
As we continue our exploration of cybersecurity challenges, we find ourselves in the “Preignition” lab on Hack The Box (HTB). This lab presents interesting tasks that will test and enhance your penetration testing skills. For those who are new to this field, this journey will provide a solid foundation.
Lab Overview
- Target IP: target_IP (Remember to replace target_IP with the respective IP of the target machine.)
In this lab, we will delve into the following questions and tasks:
- Task 1: Directory brute-forcing is a technique used to check a lot of paths on a web server to find hidden pages. Which is another name for this? (i) Local File Inclusion, (ii) dir busting, (iii) hash cracking.
- Task 2: What switch do we use for nmap’s scan to specify that we want to perform version detection?
- Task 3: What does Nmap report is the service identified as running on port 80/tcp?
- Task 4: What server name and version of service is running on port 80/tcp?
- Task 5: What switch do we use to specify to Gobuster that we want to perform dir busting specifically?
- Task 6: When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages?
- Task 7: What page is found during our dir busting activities?
- Task 8: What is the HTTP status code reported by Gobuster for the discovered page?
- Task 9: Submit root flag
The answers to these questions (except for tasks where hints are provided, including the root flag) will be highlighted in bold and italic for your convenience.
Task 1: Unraveling the Directory Brute-forcing Alias
Let’s kick things off with Task 1, which quizzes us on directory brute-forcing. This technique involves checking numerous paths on a web server to uncover hidden pages. Can you identify another term for this process among the options provided? Hint: The abbreviation for “directory” is “dir” — let’s crack this alias!
Task 2: Version Detection with Nmap
Task 2 introduces us to Nmap, a powerful network scanning tool. To perform version detection, what switch do we need to use? We can find the answer by consulting Nmap’s help function using the command nmap -h. Here’s a glimpse of what we find:
As you can see, the switch we need is -sV. For those who’ve read our previous article exploring HTB’s “Explosion” lab, this might already be familiar territory.
Task 3 and Task 4: Unveiling Port 80’s Secrets
Our exploration continues as we probe port 80/tcp. For those unfamiliar with what lies behind this port, it’s worth noting that it typically houses the “HTTP” service, a fundamental component of web communication. For the interested reader, you may want to check out the comprehensive list of TCP and UDP port numbers.
For many enumeration tasks, Nmap becomes our invaluable guide. By utilizing the -sV switch, we initiate a scan to not only unveil the service concealed within port 80 but also to extract its specific version. The command that leads us to this revelation is as follows:
nmap -sV -p80 target_IP
The relevant part of our scan results reveals that the service identified as running on port 80/tcp is “nginx 1.14.2”.
Task 5: Gobuster’s Dir Busting
Task 5 brings us to Gobuster, a directory brute-forcing tool. What switch should we use to specify that we want to perform directory busting explicitly? Let’s explore Gobuster’s functionality by entering the command gobuster -h to find the answer.
Scanning the output reveals that for directory hunting, we need to work with the command “dir”. For those who want a more comprehensive grasp of Gobuster’s directory hunting mode, invoking the help function for the directory mode is a valuable resource. Simply use the command:
gobuster dir -h
Task 6: Seeking PHP Pages
In Task 6, we elevate our Gobuster proficiency. When using Gobuster for directory busting, what switch do we add to ensure it finds PHP pages? The output of gobuster dir -h, as shown above, reveals that the switch we need to extract PHP pages is -x php.
Task 7: Determining PHP Pages
With the answer of Task 6 in mind, we perform the following command for directory brute-forcing:
gobuster dir -x php -w /usr/share/wordlists/dirb/common.txt -u target_IP
The additional switches we used in the above command are:
- -w: Specifies the path to the wordlist, in our case, it's /usr/share/wordlists/dirb/common.txt.
- -u: Specifies the target URL or domain.
With these settings, Gobuster reveals the sought-after directory, admin.php.
It’s worth noting that Gobuster isn’t the only tool at your disposal for such tasks; another great one written in Go is Ffuf.
Task 8: Understanding HTTP Status Codes
The output of the dir busting attempt in Task 7 revealed the directory /admin.php. Alongside this discovery came its associated HTTP status code 200. This status code, denoting “OK”, is the standard response for a successful HTTP request. In our case, Gobuster performs various HTTP GET requests following the format:
GET http://target_IP/{directory}
These requests spanned a multitude of directories denoted by {directory}, including admin.php.
For those interested in digging deeper into HTTP status codes, here’s a comprehensive list of HTTP status codes for your reference.
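An added example, not part of the original write-up: seen from the server side, the dir busting run above appears in the nginx access log as a burst of 404 responses from one client, with the few 200 responses marking the pages the scan found. The code below assumes nginx's default "combined" log format; the log lines, IP addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Leading fields of nginx's default "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def detect_dir_busting(lines, window=timedelta(seconds=10), min_404=20):
    """Return {client_ip: sorted paths answered with 200} for each client
    that caused at least `min_404` 404 responses inside `window`."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, int(m["status"]), m["path"]))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        misses = [ts for ts, status, _ in evs if status == 404]
        start = 0
        for end in range(len(misses)):  # sliding window over 404 times
            while misses[end] - misses[start] > window:
                start += 1
            if end - start + 1 >= min_404:
                findings[ip] = sorted({p for _, s, p in evs if s == 200})
                break
    return findings

def sample_log():
    """Constructed sample: one scanner burst plus one ordinary visitor."""
    fmt = ('{ip} - - [12/Mar/2024:10:00:{s:02d} +0000] '
           '"GET {p} HTTP/1.1" {c} 153 "-" "{ua}"')
    words = [f"/word{i}" for i in range(30)] + ["/admin.php"]
    lines = [fmt.format(ip="203.0.113.5", s=i // 10, p=p, ua="gobuster/3.6",
                        c=200 if p == "/admin.php" else 404)
             for i, p in enumerate(words)]
    lines += [fmt.format(ip="198.51.100.7", s=5, p=p, c=c, ua="Mozilla/5.0")
              for p, c in [("/", 200), ("/favicon.ico", 404)]]
    return lines

if __name__ == "__main__":
    print(detect_dir_busting(sample_log()))
```

The paths returned for a flagged client are the ones the scan confirmed to exist, so they are the first places to check for weak or default credentials.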
Task 9: The Final Step
In Task 9, we’re ready for the last leg of our journey — capturing the root flag. Here’s how we do it. First, we open our web browser and visit the site http://target_IP/admin.php. This URL takes us to an admin console login (see below).
http://target_IP/admin.php is visited.
We try several of the following {username:password} combinations:
{admin:admin}
{admin:password}
{administrator:password}
{admin:password1}
{administrator:password1}
Luck is on our side, and one of these combinations, in our case, {admin:admin}, grants us access as an administrator. Once logged in, the root flag is displayed. Congratulations, you’ve captured the root flag!
Conclusion
The “Preignition” lab on HTB offers an adventure for newcomers in cybersecurity. Throughout our journey, we’ve navigated through fundamental concepts like directory brute-forcing and harnessed the power of Nmap. Remember to replace target_IP with the specific IP address of your target machine. Enjoy the journey and the knowledge gained along the way!