Preignition introduces web directory enumeration — the process of discovering hidden paths, admin panels, and files on a web server that aren't linked from the main site. The tools here are Gobuster (a fast directory brute-forcer) and SecLists (a curated collection of wordlists). Finding an exposed admin panel with default credentials is a classic and frequent web application finding.
| Skill | Why it matters |
|---|---|
| Web server fingerprinting with Nmap | Identifying the web server type and version guides wordlist selection |
| Directory brute-forcing with Gobuster | Finding hidden content is a core web application recon skill |
| SecLists wordlists | The most comprehensive public collection of wordlists for any enumeration scenario |
| Default admin credentials | Admin panels left on defaults are an immediate critical web finding |
What you're seeing: port 80 running nginx. The default nginx landing page title means no custom application is served at the root — but there may be content at subdirectories. This is exactly when directory enumeration is warranted.
Check /robots.txt and /sitemap.xml before running any brute-force tools. Gobuster's dir mode brute-forces paths against the target URL using a wordlist.
What you're seeing: /admin.php returns HTTP 200 — an accessible admin panel. Any 200 response is worth investigating immediately.
| Gobuster flag | Meaning |
|---|---|
| dir | Directory / file enumeration mode |
| -u <url> | Target URL |
| -w <wordlist> | Path to wordlist |
| -x <ext> | File extensions to append to each word (php, html, txt…) |
| -t <n> | Number of concurrent threads (default 10) |
| -b <codes> | Blacklist status codes to ignore (e.g. 404,403) |
| -o <file> | Save output to a file |
| --no-error | Suppress connection errors from output |
Navigate to http://10.129.x.x/admin.php in your browser. You're presented with a login form. Try the most common default credentials before any brute-force.
| Username | Password |
|---|---|
| admin | admin |
| admin | password |
| admin | 123456 |
| administrator | administrator |
| root | root |
admin / admin works. You're logged in — and the flag is displayed on the dashboard.
| Wordlist path | Best used for |
|---|---|
| /Discovery/Web-Content/common.txt | General directory and file discovery — good first choice |
| /Discovery/Web-Content/directory-list-2.3-medium.txt | Deeper directory discovery — larger, slower |
| /Discovery/Web-Content/raft-large-files.txt | File-focused enumeration |
| /Passwords/Default-Credentials/default-passwords.csv | Default credential pairs for services and applications |
| /Usernames/Names/names.txt | Username enumeration |
| /Fuzzing/LFI/LFI-Jhaddix.txt | Local File Inclusion path fuzzing |
An nginx default page at the root doesn't mean the server is empty. Directory enumeration is essential on every web target — the interesting content is almost never at /.
| Concept | Real-world relevance |
|---|---|
| Forced browsing | Web crawlers only follow links — brute-forcing finds content that's deployed but intentionally unlisted |
| -x php,html matters | Many admin panels are .php files — always append relevant extensions for the target stack |
| Default creds = instant critical | Never skip manual default-credential testing before reaching for Hydra or Burp Intruder |
| SecLists is your best friend | It covers directories, credentials, subdomains, fuzzing payloads, and more — install it on every pentest box |
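The flip side of forced browsing, as an added example that is not part of the original write-up: a wordlist scan against nginx leaves a distinctive trail in the access log, a burst of 404s for many distinct paths from one source, often followed by a 200 on whatever it found (here /admin.php). The Python below parses constructed combined-format log lines and flags that pattern; the log lines, threshold and window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx access-log lines (combined format); not a real capture.
LOG = """\
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "gobuster/3.6"
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /images HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /images.php HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /login HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /login.php HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /admin.php HTTP/1.1" 200 1024 "-" "gobuster/3.6"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.6"
198.51.100.9 - - [10/May/2024:12:03:10 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:12:03:11 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""
# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(log_text):
    # Yield one dict per well-formed line; silently skip anything that does not match.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            e["status"] = int(e["status"])
            yield e

def detect_forced_browsing(log_text, threshold=6, window_s=60):
    # Flag sources that 404 on >= threshold distinct paths inside a window_s-second window.
    by_ip = defaultdict(list)
    for e in parse(log_text):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        misses = sorted((e for e in evs if e["status"] == 404), key=lambda e: e["ts"])
        best, lo = 0, 0
        for hi in range(len(misses)):  # sliding window over this source's 404s
            while (misses[hi]["ts"] - misses[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            best = max(best, len({e["path"] for e in misses[lo:hi + 1]}))
        if best < threshold:
            continue
        # Report what the scan actually found (non-root 200s) and any scanner user agent.
        hits = sorted({e["path"] for e in evs if e["status"] == 200 and e["path"] != "/"})
        uas = sorted({e["ua"] for e in evs if "gobuster" in e["ua"].lower()})
        findings[ip] = {"miss_burst": best, "hits": hits, "scanner_ua": uas}
    return findings
```

A real deployment would tune `threshold` and `window_s` to the site's normal 404 rate; matching the default Gobuster user agent is a bonus signal, not something to rely on, since it is trivially changed.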
