# Ignition

## Initial Scan

```nmap
sudo nmap -T4 -Pn -sV -sC -v 10.129.1.27 -oA Ignition
```

<figure><img src="/files/Kz2QwMeHxthjaKAmqM7k" alt=""><figcaption></figcaption></figure>

## Task 1

Which service version is found to be running on port 80? - Found within the initial scan

Answer: nginx 1.14.2

## Task 2

What is the 3-digit HTTP status code returned when you visit <http://10.129.1.27/>? - When going to the website, we get an error but doesn't tell us an error code.

<figure><img src="/files/IpKglL3kJmN4IWVE5XDr" alt=""><figcaption></figcaption></figure>

If we curl the site instead, we get the error code.

```bash
curl -v http://10.129.1.27/
```

<figure><img src="/files/ogQJpD1A58BdWEomrIbq" alt=""><figcaption></figcaption></figure>

Answer: 302

## Task 3

What is the virtual host name the webpage expects to be accessed by? - This is found in the URL when attempting to go to the website via it's IP instead of the hostname.

<figure><img src="/files/JH0RKjGUiShfKEQZ0wQ8" alt=""><figcaption></figcaption></figure>

Answer: ignition.htb

## Task 4

What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs?

Answer: /etc/hosts

## Task 5

Use a tool to brute force directories on the webserver. What is the full URL to the Magento login page?

Add the IP and domain to our hosts file

<figure><img src="/files/Uiuzh2LxLp6fTWXoYigj" alt=""><figcaption></figcaption></figure>

Use Gobuster to do some directory traversal

```bash
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://ignition.htb
```

<figure><img src="/files/sgOHYfidoGQ84qNcRswu" alt=""><figcaption></figcaption></figure>

Answer: <http://ignition.htb/admin>

## Task 6

Look up the password requirements for Magento and also try searching for the most common passwords of 2023. Which password provides access to the admin account?

After looking into Magento default credentials and none of the defaults(admin:admin etc) worked, I loaded up BurpSuite, used the Burp Browser, attempted to login with creds, put the POST request into Intruder and performed a BruteForce attack with various default passwords.

<figure><img src="/files/vvsRulldaRUxzYMnRaEB" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/p8WsGRS7AvtrslMASyyE" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/RKc7pN9oicFW3viPakyZ" alt=""><figcaption></figcaption></figure>

Answer: qwerty123

## Task 7

Submit root flag

<figure><img src="/files/Xb20TreJbgSf8aC7Bf6R" alt=""><figcaption></figcaption></figure>

Answer: 797d6c988d9dc5865e010b9410f247e0


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://cybersec.th4ntis.com/hackthebox/starting-point/tier-1/ignition.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.