HackTheBox Writeup: Preignition

概要

HackThebox:Preignitionのflagを入手する手順を記す。

Port Scan

$ nmap -A -sV -v preignition.htb              
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-13 22:11 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 22:11
Completed NSE at 22:11, 0.00s elapsed
Initiating NSE at 22:11
Completed NSE at 22:11, 0.00s elapsed
Initiating NSE at 22:11
Completed NSE at 22:11, 0.00s elapsed
Initiating Ping Scan at 22:11
Scanning preignition.htb (10.129.194.18) [2 ports]
Completed Ping Scan at 22:11, 0.25s elapsed (1 total hosts)
Initiating Connect Scan at 22:11
Scanning preignition.htb (10.129.194.18) [1000 ports]
Discovered open port 80/tcp on 10.129.194.18
Increasing send delay for 10.129.194.18 from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for 10.129.194.18 from 5 to 10 due to max_successful_tryno increase to 5
Completed Connect Scan at 22:11, 35.72s elapsed (1000 total ports)
Initiating Service scan at 22:11
Scanning 1 service on preignition.htb (10.129.194.18)
Completed Service scan at 22:12, 6.52s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.194.18.
Initiating NSE at 22:12
Completed NSE at 22:12, 5.74s elapsed
Initiating NSE at 22:12
Completed NSE at 22:12, 1.00s elapsed
Initiating NSE at 22:12
Completed NSE at 22:12, 0.00s elapsed
Nmap scan report for preignition.htb (10.129.194.18)
Host is up (0.25s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.2
|_http-title: Welcome to nginx!
|_http-server-header: nginx/1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD

NSE: Script Post-scanning.
Initiating NSE at 22:12
Completed NSE at 22:12, 0.00s elapsed
Initiating NSE at 22:12
Completed NSE at 22:12, 0.00s elapsed
Initiating NSE at 22:12
Completed NSE at 22:12, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.62 seconds

Webサーバーが提供されていることが分かる。

gobuster

http://preignition.htb に対してgobusterでディレクトリ探索を行う。

$ gobuster dir -u http://preignition.htb -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://preignition.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/09/13 22:19:19 Starting gobuster in directory enumeration mode
===============================================================
/admin.php            (Status: 200) [Size: 999]
                                               
===============================================================
2022/09/13 22:21:17 Finished
===============================================================

admin.phpを見つけたのでアクセスしてみる。

admin.php

とりあえず、admin/root/passwordなどの単語を入力してみる。
結果的にadmin:adminでログインできることが分かる。

ログインに成功するとページにflagが表示される。

以上。