Preignition — HTB (Starting Point) — Walkthrough

Found a hidden admin page (/admin.php) via directory brute-forcing, logged in with the default credentials admin:admin, and the root flag was shown directly on the admin page; no shell or privilege escalation is needed on this box. Final flag: 6483bee07c1c1d57f14e5b0717503c73
Hello Cyberfolks 👋
Today we're going to pwn the Preignition machine (available on Hack The Box, in the Starting Point track). This is a pretty easy CTF box and only requires a basic toolset and some web fundamentals. Rather than simply following the steps, I aim to emphasize critical thinking, testing techniques, and the insights gained at each stage of the lab.
Let's Start Hacking!
After connecting to the VPN, we are given the target's IP address, which we will use to answer the questions and submit the flag.

Before we can submit the flag, though, we have to work through a few questions first.
Task 1: Directory brute-forcing is a technique used to check a lot of paths on a web server to find hidden pages. Which is another name for this? (i) Local File Inclusion, (ii) dir busting, (iii) hash cracking.
dir busting
Task 2: What switch do we use for nmap's scan to specify that we want to perform version detection?
-sV
Task 3: What does Nmap report is the service identified as running on port 80/tcp?
http
Task 4: What server name and version of service is running on port 80/tcp?
To find the name and version of the service on port 80, we run nmap with version detection (-sV) against only that port. The target is 10.129.240.126, the IP assigned for this session. Note that sudo is not actually required for -sV; running as root only changes nmap's default port scan from a TCP connect scan to a SYN scan:
sudo nmap -p80 -sV 10.129.240.126
The result of this command will look like this:

Nmap matches the HTTP response banner against its service probes, so the answer is:
nginx 1.14.2
Task 5: What switch do we use to specify to Gobuster we want to perform dir busting specifically?
dir
Task 6: When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages?
-x .php
Task 7: What page is found during our dir busting activities?
For this, we run gobuster in dir mode with a common wordlist and ask it to also try every word with a .php extension:
gobuster dir -u 10.129.240.126 -w /usr/share/dirb/wordlists/common.txt -x .php
The result would be:

From the result we can see that exactly one hidden page is found, and it is reachable without any authentication:
admin.php
Task 8: What is the HTTP status code reported by Gobuster for the discovered page?
200
Submit Root Flag:
To get the root flag, the first thing we do is visit the web app at the IP address we were given.

We can see that this website only displays the default nginx welcome page, which tells us nothing by itself.
Next, we go back to our enumeration and visit the /admin.php page that gobuster found.

There is a login form on admin.php, so the first thing to try on any login page is a handful of common default username and password combinations.
One of the most common pairs is:
admin:admin
And sure enough, this login page accepts the default credentials :)
Type them into the login form, hit enter, and boom, the flag is right in front of you:

See how easy that was: with very little effort we logged in and found the flag that solves this machine ;)
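To make the whole chain concrete (Tasks 2 to 8 above plus the default-credential login), here is an added, self-contained Python example; it is not part of the original write-up and not code from the HTB machine. It starts a constructed stub web server on localhost that imitates the target (an nginx/1.14.2 Server banner, a default index page, and a /admin.php login form that accepts admin:admin and returns a made-up flag), then performs against it the three things the walkthrough does by hand: banner/version detection, directory brute-forcing with a .php extension, and a default-credential check. The form field names username/password, the failure text "Invalid credentials", the credential list and the wordlist are all assumptions made for the stub, not facts from the page.

```python
# Added example, not code from the original write-up or from HTB. It reproduces the
# three steps of the walkthrough against a constructed stub target so it runs offline:
# (1) read the Server banner on port 80 (what `nmap -sV` comes down to for HTTP),
# (2) dir-bust with a .php extension (what `gobuster dir -x php` does), and
# (3) try default credentials on the discovered login page. Banner, paths, form
# field names and the flag below are all made up for the stub.
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

FAKE_FLAG = "flag{constructed-not-the-real-one}"


class StubTarget(BaseHTTPRequestHandler):  # constructed stand-in: nginx banner, index, /admin.php login
    def version_string(self):  # goes into the Server: header of every response
        return "nginx/1.14.2"

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.path == "/":
            self._send(200, "<h1>Welcome to nginx!</h1>")
        elif self.path == "/admin.php":
            self._send(200, '<form method="post"><input name="username"><input name="password"></form>')
        else:
            self._send(404, "404 Not Found")

    def do_POST(self):
        if self.path != "/admin.php":
            return self._send(404, "404 Not Found")
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        creds = (form.get("username", [""])[0], form.get("password", [""])[0])
        if creds == ("admin", "admin"):  # the unchanged default credentials
            self._send(200, f"Welcome, admin. Flag: {FAKE_FLAG}")
        else:  # failure is also a 200, so a checker must inspect the body, not the status
            self._send(200, "Invalid credentials")


def start_stub():
    """Start the stub on a random loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), StubTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def grab_server_banner(base_url):
    """Step 1: fetch / and split the Server header into (name, version)."""
    with urllib.request.urlopen(base_url + "/") as resp:
        name, _, version = resp.headers.get("Server", "").partition("/")
    return name, version


def dir_bust(base_url, wordlist, extensions=("php",), report=(200, 204, 301, 302, 307, 401, 403)):
    """Step 2: request word and word.<ext> for every word; return (path, status) for
    statuses in `report` (gobuster's classic positive list), dropping the 404s."""
    hits = []
    for word in wordlist:
        for cand in [word] + [f"{word}.{ext.lstrip('.')}" for ext in extensions]:
            try:
                with urllib.request.urlopen(f"{base_url}/{cand}") as resp:
                    status = resp.status
            except urllib.error.HTTPError as err:  # urlopen raises on 4xx/5xx
                status = err.code
            if status in report:
                hits.append((f"/{cand}", status))
    return hits


DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("admin", "admin123"), ("root", "root")]


def try_default_creds(login_url, creds=DEFAULT_CREDS, failure_marker="Invalid"):
    """Step 3: POST each pair to the form; success means the failure text is absent.
    Field names username/password are an assumption; the write-up does not show them."""
    for user, password in creds:
        data = urllib.parse.urlencode({"username": user, "password": password}).encode()
        with urllib.request.urlopen(login_url, data=data) as resp:
            if failure_marker not in resp.read().decode():
                return user, password
    return None


def run_demo(wordlist=("index", "admin", "login", "backup")):
    """Run all three steps against a fresh stub and return the results."""
    srv, base = start_stub()
    try:
        return {"banner": grab_server_banner(base),
                "dirbust": dir_bust(base, wordlist),
                "creds": try_default_creds(base + "/admin.php")}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for step, result in run_demo().items():
        print(f"{step}: {result}")
```

Two details are worth noticing. The dir buster only reports paths whose status is in the positive list, which is why the page's gobuster run shows admin.php with a 200 and stays quiet about the hundreds of 404s. And the stub's failed login also answers with HTTP 200, so the credential check judges success by the absence of a failure string in the body rather than by the status code; that is the same reason tools like hydra require a failure (or success) condition for HTTP form logins.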
The Preignition challenge highlights the value of thorough HTTP enumeration: the admin page was not linked from anywhere and only turned up through directory brute-forcing, and it was then protected by nothing more than an unchanged default password. Two small misconfigurations, an exposed administrative endpoint and default credentials, were enough to hand over the root flag. The exercise sharpened practical web-penetration skills and reinforced key defensive priorities for hardening web services: keep admin interfaces off the public internet or behind additional authentication, and never leave default credentials in place.
If you have any questions about this machine, DM me on X:
Have a good day. I'll soon upload a new article about solving another machine; until then, stay blessed and keep hacking :)
