> For the complete documentation index, see [llms.txt](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://cybersecurity-cloud-and-it-notes.gitbook.io/kyles-cybersecurity-cloud-and-it-gitbook/hack-the-box/labs/offense/tier-0-pen-testing/preignition-htb-apache-recon-web-structure-discovery-and-default-credentials-exploit.md).

# Preignition HTB: Apache Recon, Web Structure Discovery, & Default Credentials Exploit

<figure><img src="/files/xHHbXNL0kVu4criKQhzD" alt=""><figcaption></figcaption></figure>

Task 1

Directory Brute-forcing is a technique used to check a lot of paths on a web server to find hidden pages. Which is another name for this? (i) Local File Inclusion, (ii) dir busting, (iii) hash cracking.

\*\*\* \*\*\*\*\*\*g

I have no idea what the answer to this is without digging deeper.

<figure><img src="/files/TwxhoRj6xXkX7KvBVDcJ" alt=""><figcaption></figcaption></figure>

The answer was in the writeup - "dir busting".

Task 2

What switch do we use for nmap's scan to specify that we want to perform version detection

\*\*\*

I'd say the answer to this is most likely -sV

<figure><img src="/files/WPfKVq4uxOczkp2NYX4q" alt=""><figcaption></figcaption></figure>

I was correct...

Task 3

What does Nmap report is the service identified as running on port 80/tcp?

\*\*\*p

The answer for this is in the writeup, but I sort of know this already because I work with Ignition Scada, which runs on port :8088 https, so port 80 is most likely http.

<figure><img src="/files/fnaX7DF8leUZkIOTAAYw" alt=""><figcaption></figcaption></figure>

The answer is correct.

I will now run nmap though on the target just to see what happens.

<figure><img src="/files/ancBAbuSmbYlmDJkSfPL" alt=""><figcaption></figcaption></figure>

Yep, the nmap scan shows http on port 80.

Task 4

What server name and version of service is running on port 80/tcp?

\*\*\*\*\* \*.\*\*.2<br>

According to the nmap scan the name and version of the service running on the port 80 is "nginx 1.14.2"

<figure><img src="/files/WaZdlk3SQBINRynkHlKj" alt=""><figcaption></figcaption></figure>

The answer was correct.

Task 5

What switch do we use to specify to Gobuster we want to perform dir busting specifically?

\*\*\*<br>

The switch tha should be used to specify to gobuster when we want to perform dir busting specifically is "dir." That is what I remembered reading in the writeup.

<figure><img src="/files/xc7pFNBF6Yqg2WK6J1Dk" alt=""><figcaption></figcaption></figure>

The answer is correct.

Task 6

When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages?

-\* \*\*p<br>

I'm not 100% of the answer, its -\* php where the \* is another character, I'll have to check the writeup again.

The answer was not in the writeup so I searched with Grok 2

<figure><img src="/files/gr4aRRq606ArNnbX9JfX" alt=""><figcaption></figcaption></figure>

According to Grok 2, the switch for looking specifically for PHP pages is "-x php." This switch allows one to specify file extension for php.

<figure><img src="/files/X2utfKIYkyI4LjLvCxiW" alt=""><figcaption></figcaption></figure>

The answer is correct. I guess this is a hint that I should use gobuster with the php switch on the web server.

gobuster dir -u example.com -w wordlist.txt -x php

This is the output from my command:

<figure><img src="/files/KeKcuzkd2UWoa6iv3njp" alt=""><figcaption></figcaption></figure>

Looks like there was two admin pages found or maybe that is a redundancy because I added the switch -x php

<figure><img src="/files/m0DjIPQDKjKRT1sxXKfE" alt=""><figcaption></figcaption></figure>

I ran it again without using the switch and found only one php file/page with admin name.

Task 7

What page is found during our dir busting activities?

\*\*\*\*\*.\*\*p<br>

The answer is admin.php

<figure><img src="/files/Xa0NdX7mEZcKcnhbQxtd" alt=""><figcaption></figcaption></figure>

Task 8

What is the HTTP status code reported by Gobuster for the discovered page?

\*\*\*

\
200?

<figure><img src="/files/E8CZeBIF6bQu28p2Q6uP" alt=""><figcaption></figcaption></figure>

Yep, that is correct, but that was shown from gobuster

<figure><img src="/files/jFdOjzk8cih4bXiBsSel" alt=""><figcaption></figcaption></figure>

I guessed the password and username as "user: admin password: admin"

<figure><img src="/files/nMh3HWjCKyLyLP97z6Ju" alt=""><figcaption></figcaption></figure>

Submit Flag

Submit root flag

\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*<br>

<figure><img src="/files/hyb3yBT0Bp9zEu1QAsCY" alt=""><figcaption></figcaption></figure>

I submited the root flag and completed the machine.

<https://www.hackthebox.com/achievement/machine/1971858/397>

write up is below.

#### Preignition Write-Up 🔥

**Prepared by: 0ne-nine9 from HTB**

**Optimized by: Kyle Cecil**

***

#### **Introduction**

Web servers are the unsung heroes of most infrastructures, quietly powering daily operations across departments. Depending on their role, web servers can:

* Be strictly internal, accessible only to employees.
* Or, more often, be **public-facing**—open to anyone on the Internet for retrieving information and files.

In either case, these servers are typically managed via **administrative panels**, which are securely locked behind a login screen.

***

#### **Let’s Break It Down with an Example**

Imagine you’ve decided to start your own blog. (Exciting, right? 🎉) To make life easier, you choose **WordPress**—a popular web application for managing content effortlessly.

Here’s how it works:

1. Once WordPress is installed, your blog will have two sides:
   * **Public-Facing Side**: The part of your site visible to everyone.
   * **Private-Facing Side**: Your **administrative panel** hosted at `www.yourwebsite.com/wp-admin`, where you manage all the magic behind the scenes.
2. The admin panel is locked behind a **login screen**, adding a layer of security to keep unauthorized users out.

***

#### **Pro Tip for Hackers**

Want to explore the inner workings (and vulnerabilities) of WordPress websites? Dive into the **Hacking WordPress** module on **HTB Academy** to learn all the sneaky tricks! 🕵️‍♂️

This introduction sets the stage for understanding the critical role of web servers and their admin panels, whether you’re securing them or looking for ways to ethically test their defenses. 🌐✨

<figure><img src="/files/Bt16FqRbY4Ley6PZQtyX" alt=""><figcaption></figcaption></figure>

#### Unlocking the Secrets of WordPress Administration: A Pentester's Perspective 🔍💻

Once you, as the **administrator** of a WordPress site, log into the admin panel, you’re greeted with a treasure chest of controls, including:

* **Content Management**: Uploading posts, images, and other media.
* **Theme Selection**: Customizing the look and feel of your site.
* **Script Editing**: Adding or tweaking scripts for specific pages.
* And much more!

***

#### **Why This Matters for Pentesting**

The more you explore WordPress, the more you’ll realize that this admin panel is a prime target in a penetration test. Why? Some of these features may:

* Be **outdated**, carrying critical vulnerabilities.
* Provide attackers with opportunities to gain a **foothold** in the system.
* Act as a springboard for **pivoting into the network**, escalating access with ease.

***

#### **The Key: Web Enumeration & Directory Busting**

Here’s the kicker: **Web enumeration**—especially **directory busting**—is an essential skill for any penetration tester. It’s your tool for uncovering hidden pages and functionalities that admins *never* intended to leave exposed.

Let’s break it down:

* **Manual Browsing**: Clicking links and exploring a site’s public-facing pages might yield some data, but most juicy targets (like admin panels) aren’t published publicly.
* **Directory Busting**: Tools like Gobuster or Dirbuster scan for directories and hidden pages that aren’t easily visible.

**Example**:\
Imagine you didn’t know that `wp-admin` is the default admin panel for WordPress. Without **web enumeration** and **directory busting**, how would you discover it? These techniques reveal the paths less traveled—where vulnerabilities often hide.

***

#### **Conclusion**

Whether you’re managing a WordPress site or ethically testing one, **web enumeration** and **directory busting** are non-negotiable skills. They uncover critical information and hidden assets, helping you secure or exploit a web application more effectively. Master them, and you’re one step closer to becoming a pentesting legend! 🥷🔥

<figure><img src="/files/kc6QfhMb8DJ5khAzuTHT" alt=""><figcaption></figcaption></figure>

#### Enumeration: The Journey Begins 🕵️‍♂️🌐

Before diving into the nitty-gritty of a target, let’s start with the basics: **connectivity checks.** After all, if you can’t talk to the target, you can’t enumerate it!

***

#### **Step 1: Verify Connectivity**

1️⃣ Grab the **IP address** of the target machine from the Starting Point lab page.\
2️⃣ Open your terminal and hit it with the classic **ping command**:

```bash
ping <target_IP>
```

3️⃣ Watch for those sweet, sweet **replies**. Two successful ones are all you need to confirm the connection is solid. 🎯

***

#### **Pro Tip: Don’t Overdo It**

You don’t need to let the ping command run forever. Once you’re confident the connection works, stop it. A **quick snippet of results** is often more efficient than waiting for a detailed report you don’t need.

***

**Why It Matters:**\
Checking connectivity is like shaking hands with your target—it’s polite, efficient, and sets the stage for everything to come. Plus, this quick step helps ensure you’re not wasting time troubleshooting non-existent connectivity issues. Let’s move forward with confidence! 🚀

<figure><img src="/files/V3eAqq5thI1QgnGn8BBJ" alt=""><figcaption></figcaption></figure>

To proceed with a **preliminary scan** of the target using `nmap`, you can use the `-sV` option, which probes open ports to determine the **service/version information** running on them.

Here’s how you can execute this step:

***

#### **Command Example:**

```bash
nmap -sV <target_IP>
```

#### **What Happens?**

* The `-sV` switch tells `nmap` to identify **services** and their **versions** on any open ports.
* This provides valuable insight into what’s running on the target and can hint at potential vulnerabilities.

***

#### **Pro Tip:**

* Combine the `-sV` flag with other options for more detailed scans (e.g., `-Pn` to skip ping checks, or `-A` for aggressive scanning).
* Use this information to prioritize targets for further enumeration or exploitation.

This step helps you move from “what’s open?” to “what’s running?” as you peel back layers of the target system. 🚀

<figure><img src="/files/tDJy1mfYx65x0lgaboJu" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Nk7oM6RZ6zjuSuT55qRj" alt=""><figcaption></figcaption></figure>

#### Scanning Results: A Glimmer of Opportunity 🌐✨

From our **nmap scan**, one entry stands out:

* **HTTP Service** running on **port 80**.

This signals that the target is likely hosting some **web content**, ripe for exploration. Let’s dig in! 🕵️‍♀️

***

#### **Step 1: Check the Web Page**

1️⃣ Open your preferred web browser (Chrome, Firefox, etc.).\
2️⃣ In the URL bar, type the target’s IP address:

```plaintext
http://<target_IP>
```

3️⃣ Hit Enter, and voilà! The browser will automatically connect to the target’s **port 80**, initiating **client-server communication** and loading the web page’s content.

***

#### **Why This Matters**

Exploring the web page gives you valuable clues about:

* The server's configuration.
* Technologies in use (e.g., CMS platforms like WordPress).
* Potential entry points for further enumeration or exploitation.

***

#### **Pro Tip: Dig Deeper!**

After browsing, consider using tools like:

* **Gobuster/Dirbuster**: For directory busting and finding hidden paths.
* **WhatWeb**: To identify web technologies in use.
* **Burp Suite**: For more in-depth web app analysis.

Web content often holds keys to vulnerabilities. Start with a quick look, then dig deeper! 🚀

<figure><img src="/files/gqa814SvcGGg7RoynrFc" alt=""><figcaption></figcaption></figure>

#### Nginx Web Server: A Closer Look 🔎🌐

When we visit the target’s IP address, we see something interesting: a default **nginx post-installation page**. Let’s break this down:

***

#### **What is Nginx?**

Nginx is a powerful **web server** designed to:

* Serve content to users, such as web pages, images, videos, or audio.
* Handle traffic for internal or external purposes (think e-commerce, banking, or even simple blogs).

Its presence here confirms that the target is hosting **web content**, but...

***

#### **The Default Page: What Does It Tell Us?**

The default nginx page suggests:\
1️⃣ **Potential Misconfiguration**: The server might not be fully set up or secure yet.\
2️⃣ **Default Credentials in Use**: Admins often leave default settings for convenience during setup, which attackers love to exploit.

Unfortunately, this default page doesn’t offer links or buttons to navigate further. But we’re not done yet. **Hidden directories and content might still be lurking!** 👀

***

#### **Uncovering Hidden Content: Enter Dir Busting 🚪🛠️**

Rather than guess URLs manually (painful and inefficient), we turn to **directory busting**. This technique automates the process of finding hidden directories and files on the server.

**Tool of Choice: Gobuster**

**Gobuster** is a fast and effective directory-busting tool written in Go. If you’re using Pwnbox on Hack The Box, good news—it’s already installed! 🎉

***

#### **Getting Started with Gobuster**

1️⃣ **Install Gobuster (if needed):**\
For non-Pwnbox users, you can install Gobuster by running:

```bash
sudo apt install gobuster
```

2️⃣ **Run Gobuster:**\
To scan the target’s web server for hidden directories:

```bash
gobuster dir -u http://<target_IP> -w /path/to/wordlist.txt
```

**Explanation:**

* `dir`: Specifies the directory-busting mode.
* `-u`: The target URL (e.g., `http://<target_IP>`).
* `-w`: The wordlist to use (like `/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`).

3️⃣ **Review the Output:**\
Gobuster will reveal any accessible directories or files, including those not linked on the default page.

***

#### **Why Dir Busting Matters**

Hidden directories often house:

* Admin panels.
* Configuration files.
* Debug logs or backups.
* Forgotten or unprotected sensitive content.

By uncovering these, you might find potential entry points or critical information for further enumeration and exploitation.

Let’s see what secrets this nginx server is hiding! 🚀

<figure><img src="/files/3kKWzhwLZ4vkNogFFY7Q" alt=""><figcaption></figcaption></figure>

#### Installing Gobuster: Step-by-Step Guide 🛠️💻

To use **Gobuster**, you first need **Go** (the programming language) installed on your system. Follow these steps to get everything up and running:

***

#### **Step 1: Install Go**

Open your terminal and run the following command to install Go:

```bash
sudo apt install golang-go
```

This will install the required **Go environment** on your Linux system. Ensure you have at least Go **version 1.19** or later.

***

#### **Step 2: Install Gobuster**

**Option 1: Use `apt` Package Manager (Easiest Method)**

Once Go is installed, you can install Gobuster with:

```bash
sudo apt install gobuster
```

This method handles everything for you—quick and simple!

**Option 2: Compile Gobuster from Source (Manual Method)**

If you want more control or the latest version, compile Gobuster from its source code:

1️⃣ Clone the Gobuster repository:

```bash
sudo git clone https://github.com/OJ/gobuster.git
```

2️⃣ Change to the cloned directory:

```bash
cd gobuster
```

3️⃣ Install dependencies and build the tool:

```bash
go get && go build
```

4️⃣ Install Gobuster:

```bash
go install
```

***

#### **Need More Help?**

If anything is unclear, refer to the Gobuster creator’s README file for detailed instructions:\
[GitHub Gobuster README](https://github.com/OJ/gobuster)

***

Once installed, you’re ready to use Gobuster for directory busting and uncovering hidden web content. Let the hunt begin! 🎯🚀

<figure><img src="/files/tb0WLHSG7NtsIWQA0XZW" alt=""><figcaption></figcaption></figure>

#### Using Gobuster for Directory Busting 🛠️🌐

Now that Gobuster is installed, let’s explore how to use it for **directory busting**! 🕵️‍♂️

***

#### **Step 1: Discover Gobuster’s Capabilities**

To view all the available commands and switches, use:

```bash
gobuster --help
```

Here’s a quick overview of some useful commands:

* **dir**: Use Gobuster in directory/file enumeration mode (this is what we need).
* **dns**: Perform DNS subdomain enumeration.
* **fuzz**: Use fuzzing mode for advanced enumeration.
* **s3**: Search AWS S3 buckets.
* **vhost**: Enumerate virtual hosts.

***

#### **Step 2: Required Flags for Directory Busting**

For our case, we’ll focus on directory busting. The key flags are:\
1️⃣ **`dir`**: Specifies directory enumeration mode.\
2️⃣ **`-w`**: Defines the path to the wordlist for directory names.\
3️⃣ **`-u`**: Sets the target's IP address or URL.

**Example Command:**

```bash
gobuster dir -u http://<target_IP> -w /path/to/wordlist.txt
```

***

#### **Step 3: Get a Wordlist**

We need a wordlist to feed into Gobuster, which contains common directory names. Use the following command to download the **common.txt** wordlist from SecLists:

```bash
wget https://github.com/danielmiessler/SecLists/raw/master/Discovery/Web-Content/common.txt -O /usr/share/wordlists/common.txt
```

***

#### **Final Command to Start Dir Busting**

Once everything is ready, start Gobuster:

```bash
gobuster dir -u http://<target_IP> -w /usr/share/wordlists/common.txt
```

***

#### **Explanation of the Flags**

* `dir`: Runs Gobuster in directory enumeration mode.
* `-u`: Specifies the target URL (e.g., `http://192.168.1.1`).
* `-w`: Points to the wordlist (e.g., `/usr/share/wordlists/common.txt`).

***

#### **What’s Next?**

Gobuster will output a list of discovered directories or files on the target server. Use this data to further explore hidden or sensitive content that could aid in your pentesting journey.

Let’s uncover those hidden paths and see what secrets the server is holding! 🚀

<figure><img src="/files/HHlxhRovgDtc5TWbttPw" alt=""><figcaption></figcaption></figure>

#### **Directory Busting Success: Uncovering `admin.php` 🚪✨**

By using **Gobuster** with our chosen wordlist, we successfully identified a page named **`admin.php`** on the target server. Here's what happened:

***

#### **How Gobuster Works**

Gobuster used the **HTTP GET method** to request web pages by trying different URL variations from the wordlist. Some examples:

```plaintext
GET http://{target_IP}/kittens
GET http://{target_IP}/hackers
GET http://{target_IP}/admin.php
GET http://{target_IP}/hackthebox
GET http://{target_IP}/yourespecial
```

When the server responded positively to **`admin.php`**, it was flagged in the output as an **existing page**. This confirms that the file is present on the server and accessible. 🎯

***

#### **What’s Next? Manually Check `admin.php`**

Now that we know the **`admin.php`** page exists, navigate to it manually in your browser to explore its contents:

1️⃣ Open your browser.\
2️⃣ Enter the following in the URL bar:

```plaintext
http://{target_IP}/admin.php
```

3️⃣ Hit Enter to load the page.

***

#### **What to Look For on `admin.php`**

Once you access the page, keep an eye out for:

* **Login Pages**: Could this be an admin portal?
* **Exposed Data**: Look for any sensitive information.
* **Default Credentials**: Test commonly used username/password combinations (e.g., `admin:admin`, `admin:password`).

***

#### **Pro Tip: Automate Login Testing**

If `admin.php` is a login page, you can use tools like **Hydra** or **Burp Suite** to brute-force credentials efficiently (but always ensure this is within the rules of your pentest or lab!).

***

Finding **`admin.php`** is a big step forward in your enumeration process. Let’s see what secrets this page holds! 🚀

<figure><img src="/files/KkPyKpShLN9ZkMpjtQX9" alt=""><figcaption></figcaption></figure>

#### Wrapping Up Gobuster: What’s Next? 🎉

We’ve successfully used **Gobuster** to identify the hidden **`admin.php`** page, and it’s time to move forward. But if you’re eager to take your **web enumeration** skills even further, there’s another tool you should check out: **Ffuf**! 🚀

***

#### **What is Ffuf?**

**Ffuf** (Fast Fuzz) is another powerful tool designed for:

* **Directory Busting**: Like Gobuster, but with added flexibility.
* **Web Fuzzing**: Replacing placeholders in URLs, headers, or request bodies to uncover hidden functionality or vulnerabilities.

***

#### **Learn More with HTB Academy**

For an in-depth look at Ffuf and advanced web enumeration, head over to HTB Academy and explore these modules:

1️⃣ **Attacking Web Applications with Ffuf**

* Master Ffuf’s advanced features.
* Learn how to find hidden web directories and services efficiently.

2️⃣ **Comprehensive Module on Web Enumeration**

* Explore various enumeration techniques for web applications.
* Go beyond basics with tools like Ffuf and others.

***

#### **What’s the Difference Between Gobuster and Ffuf?**

* **Gobuster**: Simple and fast, great for straightforward directory busting.
* **Ffuf**: More advanced, allowing fuzzing of other components (e.g., POST parameters, HTTP headers).

***

Now that you’ve unlocked the basics with Gobuster, dive deeper with Ffuf to become a true web enumeration expert! 🕵️‍♂️✨

<figure><img src="/files/DqnK1O7ww3cJPNxU4pl3" alt=""><figcaption></figcaption></figure>
