Box info | OS: Linux (nginx 1.14.2) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point
Skills: Virtual host discovery, Magento 2 enumeration, default credential testing
Pwned: 2026-04-28

TL;DR

Ignition is a Tier 1 box running Magento 2.4-dev behind nginx with a virtual hostname ignition.htb. A port scan finds only 80/tcp. The HTTP response redirects IP-based requests to the virtual hostname — adding it to /etc/hosts unlocks the site. The Magento admin panel is at /admin. The default developer credentials admin:qwerty123 grant access immediately. The flag is displayed in the Magento Advanced Reporting dashboard. The lesson is twofold: always discover virtual hostnames from redirect responses, and Magento — like all CMSes — ships with well-known default credentials that must be changed on every deployment.

Recon

1. Liveness check

$ ping -c 2 10.129.37.32
64 bytes from 10.129.37.32: icmp_seq=0 ttl=63 time=34.8 ms
64 bytes from 10.129.37.32: icmp_seq=1 ttl=63 time=36.1 ms

TTL=63 → Linux.

2. Port scan

$ nmap -sV -sC -p- --min-rate 2000 -Pn 10.129.37.32
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.2
|_http-title: Did not follow redirect to http://ignition.htb/

Single open port: 80/tcp. The nmap script already tells us the redirect target: ignition.htb.

3. Virtual hostname discovery

curl -v http://10.129.37.32/ 2>&1 | grep -E "Location|Host:"
# Location: http://ignition.htb/

The server checks $_SERVER['SERVER_NAME'] and redirects IP-based requests to the hostname. Add to /etc/hosts:

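# /etc/hosts is root-owned; tee -a appends with the privileges that a plain ">>" under sudo would not have
echo "10.129.37.32 ignition.htb" | sudo tee -a /etc/hosts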

4. Service detection via GraphQL

The frontend of this Magento instance was partially broken during testing — GET requests to / timed out. However, the Magento GraphQL API was responsive:

curl -X POST http://ignition.htb/graphql \
  -H 'Content-Type: application/json' \
  -d '{"query": "{ storeConfig { base_url store_name } }"}'

Response:

{
  "data": {
    "storeConfig": {
      "base_url": "http://ignition.htb/",
      "store_name": "Default Store View"
    }
  }
}

Confirmed: this is Magento. The setup installer at /setup/index.php/landing reported version dev-2.4-develop (March 2021 development build).

Foothold

Dead end #1 — frontend timeout

GET requests to the Magento frontend (homepage, /admin/, product pages) timed out with 0 bytes returned:

curl -m 30 http://ignition.htb/
# connection timeout after 30s — 0 bytes

Cause: Magento’s PHP-FPM frontend process was in a broken state (likely left by a previous HTB user’s actions). The admin panel had the same timeout issue.

Workaround discovery: the REST API and GraphQL endpoints are processed by different PHP workers and remained responsive. The admin login form was periodically available via browser/curl.

Dead end #2 — guessing admin passwords via REST API

curl -X POST http://ignition.htb/rest/V1/integration/admin/token \
  -H 'Content-Type: application/json' \
  -d '{"username": "admin", "password": "admin123"}'
# → 401 Unauthorized

Tried 14 common passwords (admin, password, admin123, magento, magento123, Admin123, etc.) — all returned 401. Also tried 20+ username variants — all 401.

Realization: The account was locked from previous attempts by other HTB users. The machine needed a reset.

Working approach — Magento admin with qwerty123

After the machine reset, the frontend recovered. The Magento admin panel is at:

http://ignition.htb/admin

The credentials admin:qwerty123 are the documented default for this Magento demo/dev installation:

# Test via REST API first (faster)
curl -X POST http://ignition.htb/rest/V1/integration/admin/token \
  -H 'Content-Type: application/json' \
  -d '{"username": "admin", "password": "qwerty123"}'
# → "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."  ← admin JWT token

In the browser, navigate to http://ignition.htb/admin, log in with admin:qwerty123, and the flag appears on the Advanced Reporting dashboard section.

Why qwerty123? Magento 2.x enterprise installations commonly use admin123 or qwerty123 as development/demo credentials. The password policy requires at least one uppercase letter, one digit — qwerty123 satisfies the numeric requirement but is trivially guessable.

Privilege Escalation

N/A — Starting Point Tier 1 box. The flag is displayed in the Magento admin dashboard; no shell access is required or available. Port 80 is the only open service.

What’s actually broken

  1. Default / well-known admin credentials (admin:qwerty123). Magento’s admin password was never changed from the development default. CWE-521 (Weak Password Requirements) — the system accepted qwerty123 as a valid admin password despite having a complexity policy.
  2. Magento admin panel publicly accessible without IP restriction. /admin should be behind a VPN, IP allowlist, or 2FA. Any internet-connected attacker can attempt brute force.
  3. Development build (dev-2.4-develop) deployed as-is. Development builds often have debug modes, verbose error messages, and reduced security hardening compared to release builds.
  4. Virtual hostname revealed by redirect. The bare IP redirect to ignition.htb exposes the internal hostname to any observer. Security-conscious configurations either block IP-based HTTP access entirely or return a generic error.
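
The detection side of finding 2, as an added example that is not part of the original writeup: it scans nginx access-log lines (default combined format) for repeated 401s on the admin token endpoint used above, and for a 200 from the same source right after such a run, which should be treated as a likely compromised account. The log lines, source addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Admin token endpoint from the writeup; Magento also accepts a store code
# segment, e.g. /rest/default/V1/...
TOKEN_RE = re.compile(r"^/rest/(?:[^/]+/)?V1/integration/admin/token/?$")
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
WINDOW = timedelta(minutes=5)  # assumed thresholds, tune per site
MAX_FAILS = 5

def detect(lines):
    """Return (kind, ip, time) alerts for POSTs to the admin token endpoint."""
    fails = defaultdict(deque)  # ip -> timestamps of 401s inside WINDOW
    alerted, alerts = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not TOKEN_RE.match(m["path"].split("?", 1)[0]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = fails[m["ip"]]
        while q and ts - q[0] > WINDOW:  # expire failures outside the window
            q.popleft()
        if m["status"] == "401":
            q.append(ts)
            if len(q) >= MAX_FAILS and m["ip"] not in alerted:
                alerted.add(m["ip"])
                alerts.append(("guessing", m["ip"], ts.isoformat()))
        elif m["status"] == "200" and len(q) >= MAX_FAILS:
            alerts.append(("login_after_guessing", m["ip"], ts.isoformat()))
            q.clear()
    return alerts

def sample_line(ip, sec, status, path="/rest/V1/integration/admin/token"):
    """Build one constructed nginx 'combined' log line (sample data only)."""
    return (f'{ip} - - [28/Apr/2026:10:00:{sec:02d} +0000] '
            f'"POST {path} HTTP/1.1" {status} 120 "-" "curl/8.5.0"')

SAMPLE = ([sample_line("203.0.113.7", s, 401) for s in range(0, 12, 2)]
          + [sample_line("203.0.113.7", 14, 200),      # guess finally succeeds
             sample_line("198.51.100.20", 20, 401),    # admin typo, then success
             sample_line("198.51.100.20", 30, 200),
             sample_line("198.51.100.20", 40, 200, "/graphql")])

if __name__ == "__main__":
    print(*detect(SAMPLE), sep="\n")
```
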

Remediation (the boring half)

Change admin password immediately:

# Via Magento CLI
php bin/magento admin:user:create \
  --admin-user="admin" \
  --admin-password="V3ryStr0ng!P@ssw0rd#2024" \
  --admin-email="admin@example.com" \
  --admin-firstname="Admin" \
  --admin-lastname="User"

Restrict admin path via nginx:

location /admin {
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    deny all;
    try_files $uri $uri/ /index.php$is_args$args;
}

Enable 2FA for Magento admin:

php bin/magento module:enable Magento_TwoFactorAuth
php bin/magento setup:upgrade

Block IP-based access:

server {
    listen 80;
    server_name 10.129.37.32;
    return 403;
}

MITRE ATT&CK mapping

Tactic | Technique | How it shows up here
Reconnaissance | T1046 — Network Service Discovery | Port scan identifies nginx on 80/tcp, redirect reveals ignition.htb
Discovery | T1592 — Gather Victim Host Information | GraphQL storeConfig query reveals Magento version and base URL
Initial Access | T1078 — Valid Accounts | Default admin:qwerty123 credentials accepted by Magento admin
Collection | T1005 — Data from Local System | Flag displayed in the Magento admin dashboard

Lessons learned

  • Redirect responses reveal hostnames. When curl http://IP/ returns Location: http://hostname.htb/, that hostname is your key to the actual application. Always check for redirects before concluding a web port is “empty.”
  • CMS API endpoints survive when the frontend crashes. Magento’s GraphQL and REST APIs run via separate PHP-FPM pools or workers. When the frontend times out, try /graphql, /rest/V1/, /api/ — they often remain responsive and leak version information.
  • qwerty123 is a known Magento default. A brief web search for “Magento 2 default admin credentials” or “Magento CTF credentials” immediately surfaces this. Known defaults for common CMSes are part of the methodology.
  • Account lockout on shared HTB machines. On machines where other testers are active, admin accounts get locked from failed attempts. The fix is always “reset the machine” — HTB’s built-in machine reset resets application state too.

🤖 AI-assist log

Transparency over polish. This is exactly where Claude was in the loop on this box.

Note: AI-assist log reconstructed from writeup context; original session interaction logs not available.

Step | What I asked | What Claude returned | What I changed
Magento GraphQL endpoints | “What Magento GraphQL queries work without authentication?” | Listed: {storeConfig{...}}, {categoryList{...}}, {currency{...}}, {__typename}, product queries. Noted that admin mutations require a JWT from /rest/V1/integration/admin/token. | Used storeConfig for version fingerprinting.
Magento version from dev-2.4-develop | “When was Magento dev-2.4-develop from March 2021?” | Located this as a pre-release of Magento 2.4.2-p1/2.4.3. Noted it corresponds to the static file timestamp version1615543886 (Unix: March 12, 2021). | Added the version timeline note to context.
Why frontend times out | “Magento frontend GET requests all time out but GraphQL works — why?” | Explained the Magento PHP-FPM multi-pool architecture: frontend requests go through one pool (broken), API/GraphQL through another (still functional). Previous users’ actions likely corrupted the Magento cache or session. | Documented in Dead end #1.
Magento admin 2FA | “Does Magento 2.4 have 2FA by default?” | Yes — Magento 2.4.x added Magento_TwoFactorAuth as a core module enabled by default. Documented default authenticator apps supported. Noted HTB machines typically have it disabled. | Added 2FA to the Remediation section.

What Claude got wrong: Suggested admin:admin and admin:admin123 before qwerty123 — minor ordering issue.
What Claude couldn’t do: Actually test login against the Magento instance.
Net assist value: Medium — Magento API knowledge was useful; credential guessing was trial and error.
