Vhost

Box info | OS: Linux (nginx 1.14.2) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point Skills: Virtual host discovery, Magento 2 enumeration, default credential testing Pwned: 2026-04-28 TL;DR Ignition is a Tier 1 box running Magento 2.4-dev behind nginx with a virtual hostname ignition.htb. A port scan finds only 80/tcp. The HTTP response redirects IP-based requests to the virtual hostname — adding it to /etc/hosts unlocks the site. The Magento admin panel is at /admin. The default developer credentials admin:qwerty123 grant access immediately. The flag is displayed in the Magento Advanced Reporting dashboard. The lesson is twofold: always discover virtual hostnames from redirect responses, and Magento — like all CMSes — ships with well-known default credentials that must be changed on every deployment. ...

Box info | OS: Ubuntu 18.04.6 LTS (Apache 2.4.29) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point Skills: Virtual host enumeration, AWS S3/LocalStack, webshell upload, RCE Pwned: 2026-04-27 TL;DR Three is a Tier 1 box that teaches S3 bucket enumeration combined with virtual host discovery. A port scan finds SSH and HTTP. The website identifies the hostname thetoppers.htb. Subdomain fuzzing reveals s3.thetoppers.htb — a LocalStack (mock AWS S3) endpoint. The thetoppers.htb S3 bucket is publicly writable with no authentication. Uploading a PHP webshell to the bucket places it in the web root (LocalStack syncs bucket contents to /var/www/html/). The webshell provides RCE as www-data. The flag is at /var/www/flag.txt. The lesson: S3 bucket misconfiguration can be a direct path to server-side code execution when the bucket contents are served as a web application. ...