Hack The Box Lab: Unveiling Preignition

Dr. Jaber Kakar
Sep 29, 2023

Starting Point — Tier 0 — Preignition Lab

As we continue our exploration of cybersecurity challenges, we find ourselves in the “Preignition” lab on Hack The Box (HTB). This lab presents interesting tasks that will test and enhance your penetration testing skills. For those who are new to this field, this journey will provide a solid foundation.

Lab Overview

  • Target IP: target_IP (Remember to replace target_IP with the respective IP of the target machine.)

In this lab, we will delve into the following questions and tasks:

  1. Task 1: Directory brute-forcing is a technique used to check a lot of paths on a web server to find hidden pages. Which is another name for this? (i) Local File Inclusion, (ii) dir busting, (iii) hash cracking.
  2. Task 2: What switch do we use for nmap’s scan to specify that we want to perform version detection?
  3. Task 3: What does Nmap report is the service identified as running on port 80/tcp?
  4. Task 4: What server name and version of service is running on port 80/tcp?
  5. Task 5: What switch do we use to specify to Gobuster that we want to perform dir busting specifically?
  6. Task 6: When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages?
  7. Task 7: What page is found during our dir busting activities?
  8. Task 8: What is the HTTP status code reported by Gobuster for the discovered page?
  9. Task 9: Submit root flag

The answers to these questions (except for tasks where hints are provided, including the root flag) will be highlighted in bold and italic for your convenience.

Task 1: Unraveling the Directory Brute-forcing Alias

Let’s kick things off with Task 1, which quizzes us on directory brute-forcing. This technique involves checking numerous paths on a web server to uncover hidden pages. Can you identify another term for this process among the options provided? Hint: The abbreviation for “directory” is “dir” — let’s crack this alias!

Task 2: Version Detection with Nmap

Task 2 introduces us to Nmap, a powerful network scanning tool. To perform version detection, what switch do we need to use? We can find the answer by consulting Nmap’s help function using the command nmap -h. Here’s a glimpse of what we find:

[Figure: Version Detection with Nmap]

As you can see, the switch we need is -sV. For those who’ve read our previous article exploring HTB’s “Explosion” lab, this might already be familiar territory.

Task 3 and Task 4: Unveiling Port 80’s Secrets

Our exploration continues as we probe port 80/tcp. For those unfamiliar with what lies behind this port, it’s worth noting that it typically houses the “HTTP” service, a fundamental component of web communication. Interested readers may want to check out the comprehensive list of TCP and UDP port numbers.

For many enumeration tasks, Nmap becomes our invaluable guide. By utilizing the -sV switch, we initiate a scan to not only unveil the service concealed within port 80 but also to extract its specific version. The command that leads us to this revelation is as follows:

nmap -sV -p80 target_IP

The relevant part of our scan results reveals that the service identified as running on port 80/tcp is “nginx 1.14.2”.

[Figure: Version Detection on Port 80]

Task 5: Gobuster’s Dir Busting

Task 5 brings us to Gobuster, a directory brute-forcing tool. What switch should we use to specify that we want to perform directory busting explicitly? Let’s explore Gobuster’s functionality by entering the command gobuster -h to find the answer.

[Figure: Usage of Gobuster]

Scanning the output reveals that for directory hunting, we need to work with the command “dir”. For those who want a more comprehensive grasp of Gobuster’s directory hunting mode, invoking the help function for the directory mode is a valuable resource. Simply use the command:

gobuster dir -h

[Figure: Gobuster’s Directory Enumeration Mode]

Task 6: Seeking PHP Pages

In Task 6, we elevate our Gobuster proficiency. When using Gobuster for directory busting, what switch do we add to ensure it finds PHP pages? The output of gobuster dir -h, as shown above, reveals that the switch we need to extract PHP pages is -x php.

Task 7: Determining PHP Pages

With the answer of Task 6 in mind, we perform the following command for directory brute-forcing:

gobuster dir -x php -w /usr/share/wordlists/dirb/common.txt -u target_IP

The additional switches we used in the above command are:

  • -w: Specifies the path to the wordlist, in our case, it's /usr/share/wordlists/dirb/common.txt.
  • -u: Specifies the target URL or domain.

With these settings, Gobuster reveals the sought-after directory, admin.php.

[Figure: Directory retrieved by Gobuster]

It’s worth noting that Gobuster isn’t the only tool at your disposal for such tasks; another great one written in Go is Ffuf.

Task 8: Understanding HTTP Status Codes

The output of our dir busting attempt in Task 7 revealed the directory /admin.php. Alongside this discovery came its associated HTTP status code 200. This status code, denoting “OK”, is the standard response for a successful HTTP request. In our case, Gobuster performs various HTTP GET requests following the format:

GET http://target_IP/{directory}

These requests spanned a multitude of directories denoted by {directory}, including admin.php.

For those interested in digging deeper into HTTP status codes, here’s a comprehensive list of HTTP status codes for your reference.
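Seen from the server side, the same burst of GET requests is easy to recognise in the nginx access log: one client asks for many distinct paths and almost all of them return 404. The following is an added example, not part of the original article; it assumes nginx's default "combined" log format, and the log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Leading fields of nginx's default "combined" access log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (documentation-range IPs), not output from the lab.
SAMPLE_LOG = """\
198.51.100.20 - - [29/Sep/2023:09:58:10 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.20 - - [29/Sep/2023:09:58:11 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.20 - - [29/Sep/2023:09:58:30 +0000] "GET /admin.php HTTP/1.1" 200 999 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2023:10:00:01 +0000] "GET /.bash_history HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [29/Sep/2023:10:00:01 +0000] "GET /.bash_history.php HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [29/Sep/2023:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [29/Sep/2023:10:00:01 +0000] "GET /admin.php HTTP/1.1" 200 999 "-" "gobuster/3.6"
203.0.113.7 - - [29/Sep/2023:10:00:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [29/Sep/2023:10:00:02 +0000] "GET /backup.php HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [29/Sep/2023:10:00:02 +0000] "GET /cgi-bin HTTP/1.1" 404 153 "-" "gobuster/3.6"
"""


def find_dir_busting(log_text, min_paths=5, min_404_ratio=0.8):
    """Flag clients whose GET requests cover many distinct paths, mostly 404.

    Returns {ip: {"paths": n, "not_found": n, "found": [...]}} where "found"
    lists the paths that did not return 404, i.e. what the scan revealed.
    The thresholds are illustrative assumptions; tune them to real traffic.
    """
    seen = defaultdict(dict)  # ip -> {path: last status seen for that path}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # skip unparsable lines and other methods
        seen[m["ip"]][m["path"]] = m["status"]

    flagged = {}
    for ip, paths in seen.items():
        missing = sum(1 for status in paths.values() if status == "404")
        if len(paths) >= min_paths and missing / len(paths) >= min_404_ratio:
            found = sorted(p for p, s in paths.items() if s != "404")
            flagged[ip] = {"paths": len(paths), "not_found": missing, "found": found}
    return flagged


if __name__ == "__main__":
    print(find_dir_busting(SAMPLE_LOG))
```

The check keys on the request pattern rather than the User-Agent header, because the header is set by the client and can be changed freely.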

Task 9: The Final Step

In Task 9, we’re ready for the last leg of our journey — capturing the root flag. Here’s how we do it. First, we open our web browser and visit the site http://target_IP/admin.php. This URL takes us to an admin console login (see below).

[Figure: Admin Console Login when http://target_IP/admin.php is visited.]

We try several of the following {username:password} combinations:

  1. {admin:admin}
  2. {admin:password}
  3. {administrator:password}
  4. {admin:password1}
  5. {administrator:password1}

Luck is on our side, and one of these combinations, in our case, {admin:admin}, grants us access as an administrator. Once logged in, the root flag is displayed. Congratulations, you’ve captured the root flag!

Conclusion

The “Preignition” lab on HTB offers an adventure for newcomers in cybersecurity. Throughout our journey, we’ve navigated through fundamental concepts like directory brute-forcing and harnessed the power of Nmap. Remember to replace target_IP with the specific IP address of your target machine. Enjoy the journey and the knowledge gained along the way!
