Part of the OSAI Prep series: HTB writeups mapped to OWASP LLM Top 10.
Machine Summary
| Field | Value |
|---|---|
| Platform | HackTheBox |
| Difficulty | Very Easy |
| OS | Linux |
| Vulnerability | Default admin credentials on an enumerable admin panel |
| OWASP Mapping | A07 — Identification and Authentication Failures |
Reconnaissance
```bash
nmap -sC -sV -oN nmap.txt 10.129.21.71
```
Single open service: HTTP on port 80, running nginx 1.14.2. No SSH, no FTP, no unusual ports — the entire attack surface is the web server. With nothing useful on the visible homepage, we move to directory enumeration:
```bash
gobuster dir -u http://10.129.21.71 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -x .php
```

GoBuster finds admin.php — a PHP admin panel not linked from anywhere on the visible site. Without enumeration, this stays invisible.

Entry
We navigate to admin.php and find a login page. Before trying anything sophisticated, we test the obvious: admin / admin.

It works.

The admin console grants immediate access and the flag is retrieved.
Privilege Escalation
Not required. The default credential login gave us direct access to the admin console.
Root Cause
Two failures combined:
1. The admin panel was publicly accessible. admin.php sat in the public web root with no IP restriction, no authentication gateway, and no rate limiting. Directory enumeration found it in seconds.
2. Default credentials were never changed. The application shipped with admin/admin and the operator never rotated them.
Neither failure alone is fatal — a locked-down panel with default creds is annoying but unreachable; an accessible panel with strong credentials requires real effort. Together, they hand over the keys.
The AI Equivalent
OWASP LLM Top 10 Mapping: LLM07 — Insecure Plugin Design
The Preignition attack pattern — enumerate to find a management interface, authenticate with the default key — maps directly to how AI agent tool endpoints get compromised in practice. LangServe, Ollama’s management API, LlamaIndex server deployments, and open-source agent frameworks routinely expose admin or inference endpoints on default ports with no authentication, or with a default API key published in the project’s own README.
Finding them requires the same move as GoBuster: a port scan of a cloud-hosted IP, a /.well-known/ probe, or a simple GET /admin request. Getting in requires the same move as admin/admin: try the default key from the docs, or no key at all.
The plugin was deployed with a powerful management interface the operator never locked down. In the web app world, that’s an exposed admin.php with default creds. In the agentic world, that’s an exposed /v1/chat/completions endpoint with a default API token — or no token at all — that lets any caller send arbitrary instructions to the model, modify its system prompt, or extract its configuration. The attacker doesn’t need to break anything. They just need to find the door and try the key that was never changed.
Lessons Learned
- Restrict admin interfaces by network, not just by password. admin.php should not be reachable from the public internet. IP allowlists, a VPN requirement, or a separate internal vhost would have made GoBuster irrelevant.
- Never deploy with default credentials. Force a password change on first login, or generate a random credential at install time. admin/admin is the first thing every attacker tries.
- Directory enumeration finds what you forgot to hide. Files in the web root are discoverable regardless of whether you link to them. If it shouldn’t be public, it shouldn’t be in the public web root.
- Defense in depth means neither failure alone should be sufficient. Access restriction + strong credentials = two independent gates. Remove either one and the other has to hold by itself — which it often won’t.
- Audit every agent plugin and inference API for default tokens and open ports. The GoBuster scan and admin/admin test take 30 seconds. Run them against your own AI infrastructure before someone else does.
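
One way to run that audit over your own deployment inventory, as an added example that is not part of the original writeup: it checks the two gates from the Root Cause section (network restriction and credential strength) for each service and reports which ones have lost one gate or both. The service names, field names, default-secret list and 16-character minimum are assumptions made for illustration.

```python
import ipaddress

# Constructed list of default secrets to reject; extend it with the defaults
# documented by the software you actually run.
KNOWN_DEFAULTS = {"", "admin", "password", "changeme", "example-default-key"}
MIN_SECRET_LEN = 16  # assumed policy value

def exposed(bind_addr, allow_cidrs):
    """Gate 1 fails when the service listens beyond loopback with no source allowlist."""
    if ipaddress.ip_address(bind_addr).is_loopback:
        return False
    # 0.0.0.0 and :: listen on every interface; any non-loopback bind needs an allowlist.
    return not allow_cidrs

def weak_credential(username, secret):
    """Gate 2 fails when the secret is missing, a known default, the username, or short."""
    s = (secret or "").strip().lower()
    return s in KNOWN_DEFAULTS or s == (username or "").lower() or len(s) < MIN_SECRET_LEN

def audit(services):
    """Return (name, severity, reasons) for every service with at least one failed gate."""
    findings = []
    for svc in services:
        reasons = []
        if exposed(svc["bind"], svc.get("allow_cidrs", [])):
            reasons.append("reachable without network restriction")
        if weak_credential(svc.get("user"), svc.get("secret")):
            reasons.append("default, missing, or weak credential")
        if reasons:
            # Both gates gone is the Preignition case; one gate gone leaves a single barrier.
            severity = "critical" if len(reasons) == 2 else "warning"
            findings.append((svc["name"], severity, reasons))
    return findings

# Constructed inventory: hypothetical services and values, not taken from the machine.
INVENTORY = [
    {"name": "web-admin-panel", "bind": "0.0.0.0", "user": "admin", "secret": "admin"},
    {"name": "inference-api", "bind": "0.0.0.0", "secret": None},
    {"name": "internal-admin", "bind": "10.0.5.4", "allow_cidrs": ["10.0.0.0/8"],
     "user": "ops", "secret": "admin"},
    {"name": "hardened-api", "bind": "127.0.0.1",
     "secret": "k3Jx9-constructed-sample-7Qw2pLmZ"},
]

if __name__ == "__main__":
    for name, severity, reasons in audit(INVENTORY):
        print(f"{severity:8} {name}: {'; '.join(reasons)}")
```
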