HackTheBox – Starting Point Phase – Tier 1/

HTB Labs — Tier 1— “Ignition” Machine Walkthrough | By: CyberAlp0

AUTHORCyberAlp0
PUBLISHEDJuly 4, 2026
READ TIME07 MIN
HTB Labs — Tier 1— “Ignition” Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Back again to a new walkthrough powered by HTB, Tier 1, named “Ignition”. Ignition is one of the VIP labs in HackTheBox — Tier 1 — Starting Point Phase. It focuses on many aspects and strengthening many skills, like Magento, reconnaissance, common applications, and website structure discovery.

The lab focuses on strengthening your skills in web discovery, including brute force directories and some other basic skills. Also, it highlights the importance of the improper configuration of admin password settings.

Executive Summary

Here is an executive summary of the steps we will follow:

Stage I: Scanning

The scanning phase identifies a single exposed service on the Ignition machine: an HTTP server running on port 80, powered by nginx 1.14.2. With no additional open services present, the machine’s entire attack surface is concentrated within the web application itself. This suggests that the assessment will revolve around web discovery, virtual host identification, and application misconfigurations rather than multi-service exploitation.

Upon the Nmap scan, we will find the following information

  • Service Running: nginx
  • Service Version: 1.14.2.
  • Exposed Port: 80/TCP

Stage II: Enumeration

Enumeration begins by resolving the machine’s expected virtual host and accessing the web content under ignition.htb. Inspecting the site’s responses confirms that virtual host routing is required, reinforcing the need to configure the hostname locally. Directory brute-forcing then uncovers hidden application paths, including the /admin route — the login portal for a Magento-based e-commerce platform.

Review of Magento’s documented password requirements, combined with testing common weak passwords, reveals that the administrator account is secured with an easily guessable credential. This highlights a critical misconfiguration in credential policy enforcement and becomes the main vector for privileged access.

Stage III: Exploiting

Using the recovered weak administrative password, full access is gained to the Magento admin dashboard. As Magento admin interfaces typically expose high-privilege functionality — including system configuration, state information, and sensitive application data — the login immediately exposes the machine’s root flag. The exploitation path emphasizes the risk of weak password hygiene in production systems, where a single predictable credential can compromise the entire application.

Let’s not waste more time on the introduction and begin hacking!

Step 1: Connecting to the Starting Point Labs Servers.

To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.

Step 2: Spawning the Machine and Starting to Solve the Tasks.

Task 1: Which service version is running on port 80?

Answer: nginx 1.14.2.

Walkthrough:

As usual, we will start with gathering information about the target, through performing network scanning using one of the best network mapping tools like Nmap or RustScan.

I will be using Nmap, write the following command in the terminal:

nmap -sV -sC -A 10.129.1.27
Preforming Nmap scanning on the target’s IP to gather information about the target
Preforming Nmap scanning on the target’s IP to gather information about the target

As shown in the screenshot, you will notice that one port is open, which is 80, and runs a service called nginx, version 1.14.2.

NGINX (pronounced “engine-x”) is a popular open-source web server software that is widely used for web application and content delivery tasks.

Here are some of its features and usage:

1- Web server: NGINX’s primary function is to serve web content [static, dynamic].

2- Reverse Proxy: It forwards requests from clients to one or more backend servers, and then it returns these requests to the clients.

3- Load Balancer: NGINX is also used as a load balancer; it distributes the traffic across multiple backend servers to improve performance and availability.

4- HTTP/HTTPS server: NGINX supports HTTP & HTTPS protocols, allowing to serve both secured and unsecured web content.

5- Flexibility & High Performance: NGINX is configurable and can handle large amounts of concurrent traffic with low overhead.

6- Cross-Platform: NGINX is available for a variety of operating systems like Linux, macOS, and Windows in an open-source format, which means that the source code is freely available to be modified.

Task 2: What is the 3-digit HTTP status code returned when you visit http://{machine IP}/?

Answer: 302 [However, the result is supposed to be 200 as shown in the explanation section].

Walkthrough:

To be able to visit the machine through the web, you may locally resolve the IP address of the machine in the local DNS, which exists under the directory /etc/hosts.

Type the following command to edit the “hosts” file:

sudo nano /etc/hosts
Resolving the IP of the “Ignition” machine inside the “hosts” file to be accessible through the web
Resolving the IP of the “Ignition” machine inside the “hosts” file to be accessible through the web

Now, if you type in the URI [http://ignition.htb], you will be redirected to the target’s homepage. However, we need to know the HTTP status code. We have 3 different ways of intercepting the traffic and knowing the status code.

First Method: Using the curl command.

Second Method: Inspecting the webpage.

Third Method: Using Burpsuite

I will use the curl command. Thus, type the following command in the terminal to see the result.

curl -v http://ignition.htb

The result will be shown as in the following screenshot

The HTTP result code is 200. however, write it in the challenge 302 to move to the next question.
The HTTP result code is 200. however, write it in the challenge 302 to move to the next question.
You may use burp suite, to know how to configure the Burpsuite properly. Refer to this Blog.

Task 3: What is the virtual host name the webpage expects to be accessed by?

Answer: ignition.htb

Walkthrough:

As explained in the past task, we will locally resolve the IP address of the Ignition Machine of HTB to the ignition.htb. This will be done by editing the host file under the /etc path.

Task 4: What is the full path to the file on a Linux computer that holds a local list of domain names to IP address pairs?

Answer: /etc/hosts

Walkthrough:

This file is used for mapping hostnames to IP addresses. You can view or edit this file with a text editor, but you usually need superuser privileges to make changes.

Task 5: Use a tool to brute force directories on the web server. What is the full URL to the Magento login page?

Answer: http://ignition.htb/admin

Walkthrough:

To find the full URL to the Magento login page using a directory brute-forcing tool, you can use a tool like Gobuster. This tool helps uncover hidden directories on a web server. Run the following command to brute-force the directories

http://{target}/admin

Replace {target} with the URL of the machine, which is “ignition.htb”, as we have already resolved the URL with the respective IP address of the HTB machine. This URL typically leads to the Magento admin login page, which is a common target for brute-force attacks.

Task 5: Look up the password requirements for Magento and also try searching for the most common passwords of 2023. Which password provides access to the admin account?

Answer: qwerty123

Walkthrough:

We will use the brute force tool called gobuster to find the password of the admin user for the website. Write the following command in the terminal:

gobuster dir -u http://ignition.htb -w /usr/share/wordlists/dirb/common.txt

Here is a breakdown of the command:

  • gobuster: This is the command to run the Gobuster tool, which is used for brute-forcing directories and files on web servers.
  • dir: This flag tells Gobuster that you want to perform a directory enumeration. It specifies that you're looking for directories and files.
  • -u flag: This flag specifies the target URL you want to scan, which is http://ignition.htb.
  • -w flag: It is used to specify the wordlist that Gobuster should use for brute-forcing. which is /usr/share/wordlists/dirb/common.txt.
You might be facing the following error.
The server returns a status code that matches the provided options for non-existing URLs.
The server returns a status code that matches the provided options for non-existing URLs.

The error indicates that “The server returns a status code that matches the provided options for non-existing URLs → 200. To continue, please exclude the status code or the length.

You may add the following flag “-b” to solve this issue.

gobuster dir -u http://ignition.htb -w /usr/share/wordlists/dirb/common.txt -b 200
  • The -b flag (short for "status-codes-blacklist") specifies a status code to be excluded from the results.
  • In this case, it is set to 200, which means that Gobuster will not display any results that return a 200 OK status code. This is useful because a 200 response typically indicates that the path exists and is accessible, which might not be useful information in a brute-forcing context.
Adding the -b flag to the command to exclude an http status code that equals 200
Adding the -b flag to the command to exclude an http status code that equals 200

The directory brute forcing will take some time. However, if the brute force didn't go through using the common.txt file, you may use other wordlists that exist in the /usr/share/wordlists.

The password is one of the most popular passwords used in 2023, which is qwerty123.

Task 6: Submit the root flag

Answer: 797d6c988d9dc5865e010b9410f247e0

Walkthrough:

Once you type the username, which is admin, and the password is qwerty123, you will find the root flag as in the screenshot below:

The root flag for the ignition HTB Machine — Tier 1 — Starting Point Phase.
The root flag for the ignition HTB Machine — Tier 1 — Starting Point Phase.

Hope you enjoyed reading my blog about solving Ignition machine from HTB — Tier 1 — Starting Point Phase.

See You in another write-up!

[ #Ignition ][ #OSCP Preperations ][ #Penetration Testing ][ #Kali Linux ][ #Web Application Penetration Testing ][ #bug bounty ][ #Web Application Security ][ #burpsuite ][ #cyberskii ][ #cyberalp0 ]