Target IP Address: 10.129.24.104
Initial Recon
└──╼ [★]$ nmap -sV -sC -T4 -vv --max-rate 5000 -p- -oN initial-recon.txt 10.129.24.104
Result:
Nmap scan report for 10.129.24.104
Host is up, received echo-reply ttl 63 (0.24s latency).
Scanned at 2026-04-11 00:22:42 CDT for 179s
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 63 nginx 1.14.2
|_http-title: Did not follow redirect to http://ignition.htb/
|_http-server-header: nginx/1.14.2
| http-methods:
|_ Supported Methods: GET HEAD POST
- Which service version is found to be running on port 80? Ans: nginx 1.14.2
Check website via curl
- Note: Visiting the website via a browser doesn’t show the error
Curl result:
└──╼ [★]$ curl -v http://10.129.24.104
...
> Host: 10.129.24.104
...
< HTTP/1.1 302 Found
< Server: nginx/1.14.2
< Date: Sat, 11 Apr 2026 05:29:09 GMT
< Content-Type: text/html; charset=UTF-8
...
< Location: http://ignition.htb/
...
- What is the 3-digit HTTP status code returned when you visit hxxp[://]{machine IP}/? Ans: 302
- What is the virtual host name the webpage expects to be accessed by? Ans: ignition.htb
Change /etc/hosts
...
10.129.24.104 ignition.htb
...
- What is the full path to the file on a Linux computer that holds a local list of domain name to IP address pairs? Ans: /etc/hosts
Fuzz website
Using FFUF tool:
└──╼ [★]$ ffuf -u http://ignition.htb/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Decided to stop when I saw the admin panel:
contact [Status: 200, Size: 28673, Words: 6592, Lines: 504, Duration: 1959ms]
media [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 235ms]
0 [Status: 200, Size: 25803, Words: 5441, Lines: 426, Duration: 7234ms]
static [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 367ms]
catalog [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 6942ms]
admin [Status: 200, Size: 7095, Words: 1551, Lines: 149, Duration: 6674ms]
Home [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 6882ms]
cms [Status: 200, Size: 25817, Words: 5441, Lines: 426, Duration: 7206ms]
- Use a tool to brute force directories on the webserver. What is the full URL to the Magento login page? Ans: hxxp[://]ignition[.]htb/admin
Brute force Magento
First, check the required payload by capturing the POST request using BurpSuite.

Oops. Upon checking the documentation and the official writeup (did this because I was stuck), Magento has anti-brute-force measures:
The Magento Admin is protected by multiple layers of security measures to prevent
unauthorized access to your store, order, and customer data. The first time you sign in
to the Admin, you are required to enter your username and password and to set up two-
factor authentication (2FA).
Depending on the configuration of your store, you might also be required to resolve a
CAPTCHA challenge such as entering a series of keyboard characters, solving a puzzle,
or clicking a series of images with a common theme. These tests are designed to
identify you as human, rather than an automated bot.
For additional security, you can determine which parts of the Admin each user has
permission to access, and also limit the number of login attempts. By default, after
six attempts the account is locked, and the user must wait a few minutes before trying
again. Locked accounts can also be reset from the Admin.
An Admin password must be seven or more characters long and include both letters and
numbers.
Based on the documentation, we will use admin as the username and the following as passwords:
admin123
root123
password1
administrator1
changeme1
password123
qwerty123
administrator123
changeme123
- Look up the password requirements for Magento and also try searching for the most common passwords of 2023. Which password provides access to the admin account? Ans: qwerty123
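A defender-side counterpart to the lockout described in the Magento documentation above, added here as an example and not part of this writeup: it replays constructed nginx access-log lines and flags any source that POSTs beneath /admin six or more times inside a sliding window, the same threshold at which Magento locks the account. The IPs, timestamps and log lines are constructed, not captured from the target.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx combined-format access log (nginx 1.14.2 is what the scan above found).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Constructed sample lines (not captured from the target): one source hammers
# the admin login while a second source makes a single ordinary request.
SAMPLE_LOG = """\
10.10.14.5 - - [11/Apr/2026:05:31:02 +0000] "POST /admin HTTP/1.1" 200 7095
10.10.14.5 - - [11/Apr/2026:05:31:03 +0000] "POST /admin HTTP/1.1" 200 7095
10.10.14.5 - - [11/Apr/2026:05:31:04 +0000] "POST /admin HTTP/1.1" 200 7095
10.10.14.9 - - [11/Apr/2026:05:31:05 +0000] "GET /contact HTTP/1.1" 200 28673
10.10.14.5 - - [11/Apr/2026:05:31:05 +0000] "POST /admin HTTP/1.1" 200 7095
10.10.14.5 - - [11/Apr/2026:05:31:06 +0000] "POST /admin HTTP/1.1" 200 7095
10.10.14.5 - - [11/Apr/2026:05:31:07 +0000] "POST /admin HTTP/1.1" 200 7095
"""

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_admin_bruteforce(log_text, threshold=6, window=timedelta(minutes=5), login_prefix="/admin"):
    """Return {ip: timestamp at which that source reached `threshold` POSTs under the admin path within `window`}."""
    recent = defaultdict(deque)   # ip -> timestamps of POSTs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # Magento posts the login form beneath /admin, so match on the prefix.
        if method != "POST" or not path.startswith(login_prefix):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts that have aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

Feeding a real access log through find_admin_bruteforce and alerting on any returned IP gives you the lockout event as a detection rather than only as a speed bump for the attacker.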
Getting the flag
The flag is shown right after logging into the Dashboard.


