Adam Bytes


HTB: Preignition

Lab Objective: Preignition is the sixth machine in the Starting Point Tier 0 series. It focuses on web enumeration and the discovery of administrative interfaces through directory brute-forcing — an introduction to gobuster and the concept of default login credentials.

Enumeration

We start with an Nmap service version scan:

nmap -sV {targetIP}

The scan reveals a single open port: 80 (HTTP), running nginx 1.14.2. Navigating to http://{targetIP} in the browser shows a standard Nginx welcome page — no visible links or clues. We need to look for hidden files or directories.

Directory Brute-Forcing with gobuster

To find hidden paths we use gobuster. This was my first introduction to the tool. The general principle: use a common wordlist and look specifically for .php files, a common extension for administrative portals.

gobuster dir -u http://{targetIP} -w /usr/share/wordlists/dirb/common.txt -x php

Result: /admin.php (Status: 200) — successfully identified as a login page.
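
Seen from the server side, a scan like this stands out in nginx's access log: one client draws 404 for many distinct paths within seconds, and the few paths that answer 200 are what it found. The Python below is an added example, not part of the original write-up; the log lines are constructed, and the 10-second window and 20-path threshold are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Leading fields of nginx's default "combined" access-log format.
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, timestamp, path, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def detect_dirbusting(lines, window=timedelta(seconds=10), min_paths=20):
    """Flag clients that get 404 for >= min_paths distinct paths inside `window`.
    Both thresholds are assumptions to tune per site. "found" lists the non-root
    paths that answered 200, i.e. what the scan discovered."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_ip[rec[0]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        misses = sorted((r for r in recs if r[3] == 404), key=lambda r: r[1])
        lo = peak = 0
        for hi in range(len(misses)):  # sliding time window over the 404s
            while misses[hi][1] - misses[lo][1] > window:
                lo += 1
            peak = max(peak, len({r[2] for r in misses[lo:hi + 1]}))
        if peak >= min_paths:
            found = sorted({r[2] for r in recs if r[3] == 200 and r[2] != "/"})
            findings[ip] = {"distinct_404": peak, "found": found}
    return findings

def sample_log():
    """Constructed log: a scanner (192.0.2.10) trying each word with and without .php, plus one visitor."""
    words = "admin backup cgi-bin config css db images index js login test uploads".split()
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    row = '{} - - [{}] "GET {} HTTP/1.1" {} 169 "-" "-"'
    stamp = lambda n: (t0 + timedelta(seconds=n)).strftime("%d/%b/%Y:%H:%M:%S %z")
    out = [row.format("198.51.100.7", stamp(0), "/favicon.ico", 404)]
    paths = [p for w in words for p in (f"/{w}", f"/{w}.php")]
    for n, p in enumerate(paths):
        out.append(row.format("192.0.2.10", stamp(n // 8), p, 200 if p == "/admin.php" else 404))
    return out

if __name__ == "__main__":
    print(detect_dirbusting(sample_log()))
```

The "found" list is the part worth acting on: any administrative page it names is now known to the scanning client and should not be reachable with default credentials.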

Task 1 — What is the common name for directory brute-forcing?
Answer: Dir busting.

Task 2 — What switch performs a service version scan with Nmap?
Answer: -sV.

Task 3 — What service is running on port 80?
Answer: HTTP.

Task 4 — What is the version of the Nginx server?
Answer: 1.14.2.

Task 5 — Which gobuster switch specifies we are looking for directories?
Answer: dir.

Task 6 — Which gobuster switch specifies file extensions to look for?
Answer: -x.

Task 7 — What is the HTTP status code for a successful request?
Answer: 200.

Establishing a Foothold

Navigate to http://{targetIP}/admin.php — a simple login form. Before trying complex exploits, it is standard practice to test default credentials. "admin/admin" is left as the default surprisingly often.

Logging in with these credentials succeeds: the page refreshes to show the internal dashboard, and the flag is displayed on screen.

Task 8 — Submit the Flag.
Answer: Follow the steps above.

Final Thoughts
