About the Box

Preignition is a Very Easy Box from Hack the Box and is a part of their starting point series to teach newbies the basics of hacking. This particular box focuses on exploiting a misconfigured website, the first webapp exploit we've seen in the series so far!
Specifically, we're going to be learning about directory busting: using tools to find hidden pages on websites.
I'm a bit excited to start this box, so let's get to it!
Initial Setup
As in previous boxes we first get the box's IP and add it to our /etc/hosts file:
echo "10.129.15.188 preignition.htb" | sudo tee -a /etc/hosts
Then ping the box to make sure we have a connection.

All good, so let's move on to running an nmap scan and see what might be listening on this box!
Nmap Scan
So we'll do a basic scan on the box and see if we get any hits:
nmap -sC -sV preignition.htb
And the results:

Looks like there is only one hit, and it's a web server, specifically nginx 1.14.2. So let's take a look at the website itself in a web browser!
Checking the Site
Navigating to the website we're greeted with the default nginx home page:

Looks like this is a fresh website without much content on it, but that doesn't mean it's empty. So let's see if there might be a hidden page on the site.
GoBuster for Dir Busting
GoBuster is an open source tool designed for brute-forcing URIs on web sites. With it we can find hidden pages or files that might not be linked from other pages, for example admin pages. This is typically called dir busting. GoBuster is a powerful tool with a lot more applications than we're going to cover; for this box we're going to run it and see what we can find!
To run a dir busting scan on a target, gobuster needs two arguments: a wordlist and a URL to attack, set with the -w and -u flags respectively. Gobuster then requests each word on the list as a path under that URL and reports the ones that return successfully.
There are a few good wordlists out there and the Pwnbox comes with several of them installed. The one we'll use is at /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://preignition.htb:80
The scan might take a while, and in all fairness there is probably a shorter wordlist we could have used. When the scan completes, we get the following results:

Big ol nothing. A reason for this could be that our wordlist doesn't include any file extensions. For example it might find home but not home.php unless home.php was explicitly on the list. Some wordlists have common file extensions included, but for those that don't (such as the one we're using) gobuster has some flags that can help us.
We can use the '-x php' flag to have gobuster also try each word with the .php extension. So let's run the scan one more time:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://preignition.htb:80 -x php
BINGO! This time we have a hit: it looks like there's a hidden admin.php page on the site! Let's access it now.
Logging into the Admin Panel
Navigating to the admin panel in our browser we can see this:

Since this is a fresh nginx install (and a "very easy" HTB box), we can deduce that some default credentials might work to log in. I tried a few combinations, and found that using admin:admin for the username/password gave us access!

With that we have our Flag!
Bonus: Using Hydra on Admin Panel
Alright, I'm not going to lie, just "guessing" the admin password wasn't very satisfying for me. So instead I decided to go back and try my hand at a new tool for brute forcing username/password combinations: hydra.
Hydra is a logon cracker that automates the testing of usernames and passwords. The idea is that you give it a set of usernames and passwords and a target and it tries to log into that system using combinations from the set. It's a classic brute-force tool.
For this box we'll just start with one username, 'admin', and we'll take a subset of the infamous rockyou.txt list, which is a MASSIVE list of millions of common passwords. We won't use the full list, as that would take hours (if not days); instead we'll take a subset of the first 20,000 passwords on the list.
The rockyou.txt list comes on our Pwnbox but we have to unzip it first, which we can do with this command:
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
Next we'll take the first 20k passwords from the list and make a tiny_rockyou.txt list:
head -n 20000 /usr/share/wordlists/rockyou.txt > tiny_rockyou.txt
Now we're ready to load it all into hydra and find the password!
Hydra has a bit of a weird syntax, so I'm going to show you the command we'll run, and then we'll go through the arguments step by step.
hydra -l admin -P tiny_rockyou.txt \
preignition.htb http-post-form \
"/admin.php:username=^USER^&password=^PASS^:F=Wrong username or password."
- The first flag is -l, which defines the single username we want to use, 'admin'. If we wanted to supply a list of usernames to test we could have used "-L filename" instead. Capital flags indicate that a file is being used as input, where each line is one entry.
- Next we have -P, which is for passwords. It's capitalized to indicate we're passing in a list file; if we only wanted to try one password we could have used "-p known_password" instead.
- Next we indicate our target, which could also be the IP address directly.
- After the target we indicate the service module; for preignition that's http-post-form, since the admin page is an HTTP form. The final string is the most confusing part to understand, but it tells hydra where to attack, how to submit requests and what to look for in failure and/or success responses. Each section is separated with ":" delimiters, so we'll go through each now:
- /admin.php indicates the endpoint on our target to hit, in this case our hidden admin page.
- Next we define the form fields to send with each request. We only have two, username and password, defined like so: "username=^USER^&password=^PASS^". Hydra substitutes each candidate username and password into the ^USER^ and ^PASS^ placeholders. If the form needs more fields we would also add them here.
- Last is how we define whether a request was successful or not. Since we get a full page back in response to each request, we can string-match for specific words or phrases. We know that a bad login returns an error message saying "Wrong username or password", so we look for that: the F= prefix marks this as the failure condition, meaning any response that contains the string counts as a failed attempt. Hopefully that makes sense; with that all out of the way we can run the command and see what we get back!

The run took about x minutes, but it successfully found the correct password!
So, obviously for an easy box this method was overkill, and we can intuit the password as being some common weak credentials, but this was a perfect chance to try out a new tool!
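As an added example (not part of the original writeup), here is what both of the tools above look like from the server side: a short Python script that parses nginx access-log lines and flags the footprint of the gobuster scan (one IP requesting many distinct paths that come back 404) and of the hydra run (one IP sending a burst of POSTs to admin.php). The log lines are constructed, and the log format, the user agents and the alert thresholds are assumptions.

```python
import re
from collections import defaultdict

# nginx "combined" access-log format (assumed to be the server's default).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def build_sample_log():
    """Constructed sample log: one normal visitor, then one IP that guesses
    .php names (a gobuster -x php run) and then floods POSTs at admin.php."""
    lines = ['10.10.14.9 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"']
    for i, name in enumerate(["index", "images", "admin", "login", "home", "test", "backup", "config"]):
        status = 200 if name == "admin" else 404  # only admin.php really exists
        lines.append(f'10.10.14.5 - - [01/Jan/2024:10:00:{i:02d} +0000] '
                     f'"GET /{name}.php HTTP/1.1" {status} 153 "-" "gobuster/3.6"')
    for i in range(12):
        # The form answers a failed login with a normal 200 page containing
        # "Wrong username or password.", so status codes alone reveal nothing.
        lines.append(f'10.10.14.5 - - [01/Jan/2024:10:05:{i:02d} +0000] '
                     f'"POST /admin.php HTTP/1.0" 200 1022 "-" "Mozilla/5.0 (Hydra)"')
    return "\n".join(lines)

def parse(log_text):
    """Return one dict per parseable line; lines that don't match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]

def detect_dir_busting(entries, min_distinct_404=5):
    """IPs that requested many distinct non-existent paths: a wordlist scan."""
    misses = defaultdict(set)
    for e in entries:
        if e["status"] == "404":
            misses[e["ip"]].add(e["path"])
    return {ip: len(p) for ip, p in misses.items() if len(p) >= min_distinct_404}

def detect_login_bruteforce(entries, login_path="/admin.php", min_posts=10):
    """IPs that POSTed to the login form many times: a password-guessing run."""
    posts = defaultdict(int)
    for e in entries:
        if e["method"] == "POST" and e["path"] == login_path:
            posts[e["ip"]] += 1
    return {ip: n for ip, n in posts.items() if n >= min_posts}

if __name__ == "__main__":
    entries = parse(build_sample_log())
    print("dir busting:", detect_dir_busting(entries))
    print("login brute force:", detect_login_bruteforce(entries))
```

On a real server the same counters would be fed from /var/log/nginx/access.log and the thresholds tuned to normal traffic; the point is that the admin form's 200-with-error-text responses mean a POST-rate rule is needed, not just a 4xx rule.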
Final Thoughts
Overall this was a fun box! Getting a chance to use tools like gobuster and hydra was fun and I was looking forward to when the series would start to introduce webapps into the challenges.
We only have a few boxes left in Tier 0; I'm excited to get to the next tier and start getting some more challenging boxes!
Happy Hacking!