Hack the Box — Mission Ignition

10 min readSep 3, 2024

Networking knowledge is foundational for anyone aspiring to become a cybersecurity engineer. The ability to dissect and understand various protocols and services such as Active Directory, Kerberos Authentication, Server Message Block, HTTP, and SSH can greatly enhance your ability to secure and troubleshoot systems. In this guide, we’ll focus on three critical aspects of networking — HTTP, Virtual Hosts (VHosts), and DNS — using a target environment to demonstrate how they interconnect and how they can be analyzed.

Task 1

The Importance of Networking Knowledge in Cybersecurity

Networking forms the backbone of all cybersecurity efforts. Understanding how different protocols and services operate at a network level allows cybersecurity professionals to identify vulnerabilities, secure systems, and respond to incidents more effectively. Whether you’re dealing with web servers, authentication mechanisms, or file-sharing protocols, a strong grasp of networking principles is essential.

Exploring HTTP, VHosts, and DNS

In this guide, we will narrow our focus to three key networking components:

HTTP (Hypertext Transfer Protocol): This is the foundation of any data exchange on the Web, and it’s crucial to understand how it operates to secure web applications effectively.
VHosts (Virtual Hosts): These allow multiple domain names to be hosted on a single server, often under a single IP address. Understanding VHosts is essential for configuring and securing web servers, especially in shared hosting environments.
DNS (Domain Name System): DNS is the system that translates human-friendly domain names into IP addresses. Knowing how DNS works is crucial for understanding how internet traffic is routed and for detecting potential security issues like DNS spoofing.

Starting with an Nmap Scan

To begin exploring the target environment, we use the nmap command to scan the server:

nmap -sVC -T4 -Pn -p- --min-rate 5000 <target ip>

Let’s break down this command:

-sVC: Combines service version detection with default scripts to gather detailed information about open ports.
-T4: Sets the timing template for a faster scan.
-Pn: Treats the host as online, skipping the ping check.
-p-: Scans all 65,535 ports.
--min-rate 5000: Ensures the scan runs at a minimum rate of 5,000 packets per second for speed.

This scan provides detailed information about open ports and the services running on those ports. In this example, we discover that the target server is running an HTTP service on port 80, with the service version identified as nginx 1.14.2.

Task 2

When accessing a webpage, encountering errors can be frustrating, especially when you’re unsure of the cause. One common issue involves DNS resolution and Virtual Hosting (VHosting). Understanding how these systems work is crucial for troubleshooting and ensuring smooth web access. In this guide, we’ll explore how to diagnose and resolve issues related to DNS and VHosting using a practical example.

Diagnosing the DNS_PROBE_FINISHED_NXDOMAIN Error

Upon attempting to access a webpage via a browser, you might encounter the error DNS_PROBE_FINISHED_NXDOMAIN. This error indicates that the DNS servers couldn’t find an IP address corresponding to the domain name you entered. There are two main reasons for this:

Typo in the URL: A simple mistake in typing the domain name (e.g., ignition.htb) can lead to this error.
Missing Hostname: If you haven’t entered a specific hostname expected by the website, the browser might be unable to resolve the correct IP address.

Since we haven’t entered a hostname but only the IP address, the error likely stems from an issue with Virtual Hosting.

Understanding Virtual Hosting (VHosting)

Virtual Hosting allows multiple domain names to share the same IP address, each with its own distinct content. The server relies on the hostname provided in the HTTP request to deliver the correct content. If the DNS isn’t functioning or the hostname isn’t specified, the server might return a default page or an error.

Here’s how VHosting works:

Name-Based VHosting: The server differentiates between sites based on the hostname in the HTTP request. This is why you need to specify the correct hostname (like ignition.htb) rather than just the IP address.
DNS Role: DNS translates domain names into IP addresses. Without proper DNS configuration, accessing a virtually hosted website using just an IP address may lead to errors.

Confirming the Issue with cURL

To verify the issue and see the exact requests and responses, use the cURL command. cURL is a powerful tool that allows you to interact with web servers directly from the terminal.

Increasing Verbosity with cURL:

Run a cURL Command:

Use the curl command

curl -v http://<target ip>

This command will show the detailed output of the HTTP request and response.
Analyze the Output: Look for the Host field in the request. If it contains the IP address instead of the hostname, it confirms that the server expects a specific hostname.
Redirect Confirmation: The 302 Found status code and Location header in the response indicate a redirection to the correct hostname (http://ignition.htb/), confirming our initial assumption.

Task 3

In web development and server management, virtual hosting is a powerful method that allows multiple domain names to be hosted on a single server. Knowing how to identify and configure virtual hosts is crucial for ensuring that your web applications are accessible as intended. In this guide, we’ll explore how to determine the expected virtual host name for a webpage, specifically focusing on a scenario where the correct hostname is required for access.

What is Virtual Hosting?

Virtual hosting allows a single server to host multiple websites, each accessible by a unique domain name. This is particularly useful for managing multiple sites on the same server without needing additional IP addresses. Virtual hosts rely on the correct domain name being provided in the HTTP request to serve the appropriate content.

Identifying the Expected Virtual Host

When a web server hosts multiple sites, it often expects requests to be made to a specific domain name, or “virtual host.” If you try to access the site using just the IP address, the server might not know which site to serve, leading to errors or default pages being displayed.

In the scenario we’re exploring, the web server expects to be accessed using the domain name http://ignition.htb.

Task 4

When you’re troubleshooting web access issues, especially when dealing with virtual hosts and DNS errors, modifying your local hosts file can be a quick and effective solution. In this guide, we’ll walk you through how to resolve a common DNS issue by editing the hosts file on a Linux system. This will allow your web client to access a website that was previously unreachable due to a DNS resolution error.

Understanding the Hosts File

The /etc/hosts file is a local DNS file that maps hostnames to IP addresses. By editing this file, you can manually associate a specific IP address with a hostname, bypassing external DNS servers. This is particularly useful when the DNS server is unable to resolve the domain name or when working in isolated environments.

Modifying the Hosts File

To solve the issue of the web client being unable to access the target website, you’ll need to add an entry to the hosts file. This entry will map the target’s IP address to its associated hostname, allowing your browser to load the website correctly.

Steps to Modify the Hosts File:

Open the Hosts File: Use a text editor like nano to open the hosts file with superuser privileges:

sudo nano /etc/hosts

Add the Target IP and Hostname: At the bottom of the file, add the following entry:

{Target_IP}  ignition.htb

Save and Exit: After adding the entry, save the file and exit the editor. This action requires superuser privileges, so you may be prompted to enter your password.

Verify the Changes: To ensure the changes were applied correctly, read the contents of the hosts file:

cat /etc/hosts

You should see an entry that maps ignition.htb to the target IP address.

Reloading the Webpage

Once the hosts file has been updated, you can reload the target webpage in your browser. The hostname ignition.htb now resolves to the correct IP address, allowing the site to load without errors. With the website accessible, you can proceed with your task of gaining a foothold on the target system.

Task 5

When exploring a website, especially in a cybersecurity context, simply browsing the landing page may not reveal all the valuable information you need. That’s where tools like Gobuster come in handy. Gobuster allows you to uncover hidden directories and files that might not be accessible through standard navigation. In this guide, we’ll walk you through using Gobuster to explore a website more thoroughly and discover potentially valuable pages, such as an admin login page.

What is Gobuster?

Gobuster is a powerful tool used for brute-forcing URIs (directories and files) and DNS subdomains on a web server. It’s commonly used in penetration testing to discover hidden content that isn’t linked directly on a website.

Command Breakdown

Let’s break down the command we’re using to explore the website:

gobuster dir: The dir command is used to enumerate directories and files on a web server.
-u: This flag specifies the URL of the target website. In our case, it’s http://ignition.htb/.
-w: This flag indicates the wordlist to be used for brute-forcing directories. The wordlist we’re using is located at /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt, which is a popular list of potential directory names.

Example Command:

gobuster dir -u http://ignition.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

In our exploration of the website http://ignition.htb/, using Gobuster revealed the /admin directory, which is accessible and likely important. By navigating to http://ignition.htb/admin, you can continue your investigation into the site’s potential vulnerabilities or further explore its features. Tools like Gobuster are invaluable for cybersecurity professionals and anyone interested in digging deeper into a website’s structure.

Task 6

When faced with a login screen, especially one tied to a platform like Magento, the first approach might be to rely on known credentials gathered from previous reconnaissance or vulnerabilities. However, when that isn’t an option, trying default credentials can sometimes be the key to gaining access. In this guide, we’ll explore how to approach a Magento Admin login page by using common tactics, focusing on default usernames and passwords while understanding the security measures Magento has in place.

Understanding Magento’s Security Layers

Magento Admin is safeguarded by several security layers designed to protect sensitive store and customer data. Here are some key points about Magento’s security:

Two-Factor Authentication (2FA): Upon the first login, Magento requires you to set up 2FA, adding an extra layer of security beyond just a username and password.
CAPTCHA Challenges: To prevent automated bots from attempting to access the Admin panel, Magento may require users to solve CAPTCHA challenges, ensuring the login attempts are made by humans.
Login Attempt Limits: To deter brute force attacks, Magento locks an account after six failed login attempts. After a short period, the account can be retried or reset by an Admin.
Password Requirements: Magento passwords must be at least seven characters long and include a mix of letters and numbers, making simple passwords less likely to succeed.

Avoiding Brute Force Attempts

Given Magento’s anti-bruteforce measures, attempting a brute force attack on the login form is not advisable. Instead, the strategy here involves intelligently guessing the credentials. Knowing that the password needs to be a mix of letters and numbers and at least seven characters long, you can focus your guesses on common passwords that meet these criteria.

Example Approach:

Username: Start with common usernames like admin.
Password: Use widely known passwords from lists such as “most common passwords of 2021” that meet the Magento password criteria.

By carefully considering Magento’s security features and avoiding brute force attempts, you can strategize your approach to the Admin login. Default credentials, while simple, can sometimes be the key to gaining access when more sophisticated methods are unavailable or risky. Remember, understanding the security measures in place is crucial to forming an effective approach.

Capture the Flag!

Submit the Flag!

After manually attempting a number of these credentials, we land on a successful login. The correct combination is: admin:qwerty123 . We are presented with the Magento administrative panel, where the flag can be found under the Advanced Reporting section of the Dashboard.

Congrats on finding the flag!

For more guides please feel free to follow me on Substack.