HTB Starting Point — Ignition

Box info | OS: Linux (nginx 1.14.2) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point
Skills: Virtual host discovery, Magento 2 enumeration, default credential testing
Pwned: 2026-04-28

TL;DR: Ignition is a Tier 1 box running Magento 2.4-dev behind nginx with a virtual hostname ignition.htb. A port scan finds only 80/tcp. The HTTP response redirects IP-based requests to the virtual hostname — adding it to /etc/hosts unlocks the site. The Magento admin panel is at /admin. The default developer credentials admin:qwerty123 grant access immediately. The flag is displayed in the Magento Advanced Reporting dashboard. The lesson is twofold: always discover virtual hostnames from redirect responses, and Magento — like all CMSes — ships with well-known default credentials that must be changed on every deployment. ...

April 28, 2026 · 6 min · crAIzy
HTB Starting Point — Crocodile

Box info | OS: Ubuntu (vsftpd 3.0.3 / Apache 2.4.41) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point
Skills: FTP enumeration, web directory discovery, credential stuffing, HTTP form brute-force
Pwned: 2026-04-28

TL;DR: Crocodile is a Tier 1 box that chains two services together: FTP and HTTP. A port scan finds both 21 and 80. Anonymous FTP login downloads two files — allowed.userlist and allowed.userlist.passwd — containing four usernames and four matching passwords in plaintext. The web server at port 80 runs an Apache 2.4.41 site with a login.php page. Trying all 16 username/password combinations against the login form reveals that admin:rKXM59ESxesUFHAd works. The dashboard at /dashboard displays the flag. This is credential stuffing applied to a small credential set — exactly the workflow used against real credential leaks. ...

April 28, 2026 · 7 min · crAIzy
HTB Starting Point — Appointment

Box info | OS: Linux Debian 10 (Apache/2.4.38) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point
Skills: SQL injection, authentication bypass, blind SQLi, sqlmap
Pwned: 2026-04-28

TL;DR: Appointment is a Tier 1 web box running Apache 2.4.38 on Debian 10 with a PHP login form backed by MariaDB. The username POST parameter is directly interpolated into a SQL query with no sanitization. A classic ' OR '1'='1' -- - payload bypasses authentication and triggers the flag to appear in the HTTP response. Going deeper with sqlmap confirms boolean-based blind injection, extracts the appdb database schema, and dumps two user records — including a plaintext password for a test user. The lesson: unsanitized SQL interpolation in authentication queries is still widespread, and it can be exploited by any attacker who knows three characters: ', --, and 1. ...

April 28, 2026 · 7 min · crAIzy
HTB Starting Point — Preignition

Box info | OS: Linux (nginx 1.14.2) | Difficulty: Very Easy | Tier: 0 | Status: Starting Point
Skills: Web directory fuzzing, default credential testing, HTTP POST analysis
Pwned: 2026-04-27

TL;DR: Preignition is a Linux box with a single open port: 80/tcp running nginx 1.14.2. The root page is the default nginx placeholder — nothing interesting. Directory fuzzing with ffuf and a 4750-entry wordlist finds /admin.php (HTTP 200). The login form accepts admin:admin — default credentials that were never changed. The flag is returned directly in the HTML response body on successful login. No shell access is required or possible; this is a pure web-authentication exercise demonstrating why directory enumeration and default credential testing are always in the methodology. ...

April 27, 2026 · 7 min · crAIzy