Preignition

October 14, 2025 - 3 mins read

Looks like for this box we’re going to be using Gobuster to do some web directory brute forcing shenanigans. After starting our Pwnbox and letting our instance spawn in we’re going to address the first task.

Task 1

Pasted image 20251014020734.png Dir busting is the other name for directory brute forcing, so that’s that.

Task 2

Pasted image 20251014020858.png That’s going to be the -sV flag in order to tell Nmap to do version detection (as we’ll see later).

Task 3

Pasted image 20251014021002.png Well this one is just http, but let’s go ahead and fire up Nmap and put out money where our mouth is. Pasted image 20251014021150.png Here you see me run

sudo nmap -sV -p 80 10.129.29.48

which runs a service scan on the target, as mentioned earlier. Additionally I use the -p flag to specify port 80 as that’s the only one we are interested. And under service we see http so ta dah.

Task 4

Pasted image 20251014021358.png We can refer to our previous Nmap scan to see that the name and version number is nginx 1.14.2.

Task 5

Pasted image 20251014021518.png Now time to use some gobuster. I don’t actually remember the flag to specify that so… Pasted image 20251014021619.png I ran gobuster -h for help using the command (most command use either -h or –help for usage information). Looks like we need the dir switch to perform dir busting which, yeah checks out.

Task 6

Pasted image 20251014022042.png Mmm another good question. Well, when we ran -h on gobuster a second ago we also saw there was a help command that gives us more info on other commands. Pasted image 20251014022155.png So after running that at the bottom here we see we can specify a file extension with the -x flag. So our answer is -x php.

Task 7

Pasted image 20251014022303.png Time to finally fire it up, let’s point gobuster at the target. Pasted image 20251014024322.png Here you can see my in progress gobuster scan

gobuster dir -x php -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://10.129.29.48

Just to break it down a little. The -x flag we’ve already covered, the -w flag is the wordlist we are using in order to try and brute force some of these web directories. We can already see at the bottom that admin.php has been found which, yeah sounds interesting. The -u flag specifies the target url, which in our case is just http:// and then the targets IP address. Pasted image 20251014024607.png After the scan completes we can see that it was just that admin page that was found making that the answer to this task.

Task 8

Pasted image 20251014024704.png From gobuster’s output we see it came back with an HTTP status code 200, which means OK or that it’s accessible. Just for fun let’s do this. Pasted image 20251014024818.png Here I use a command called curl

curl http://10.129.29.48/admin.php

which just rips down the html of the web page. Curl can do so much more than just this, but this is just to demonstrate we can in fact navigate to this page unrestricted through like a browser if we wanted to.

Task 9

Pasted image 20251014025044.png Huh, alright let’s go look for it. Maybe we’ll actually try going there in our browser next. Pasted image 20251014025141.png Yep, that’s a login page. Hang on, you don’t think that it would be admin:admin would you? Pasted image 20251014025304.png Oh come on now, that’s just too easy. Pasted image 20251014025351.png