
# HTB Machines :: MonitorsFour Writeup

![image](https://hackmd.io/_uploads/HJqput0Fbx.png)


## Reconnaissance

We begin by adding the target hostname to `/etc/hosts` for DNS resolution and running an `nmap` scan to enumerate the open ports.

### Network Scan

The initial `nmap` scan shows ports 80 and 5985 open (5985 is the default WinRM port), and the service banner indicates that the machine is hosting a PHP web server behind nginx.

![image](https://hackmd.io/_uploads/rkEiiKCKZx.png)

## Enumeration

### Website Enumeration

Going to `http://monitorsfour.htb` shows a landing page for a networking service; there is nothing interesting to be found here.

![image](https://hackmd.io/_uploads/SkFYcKCFbe.png)

A quick check of the response headers shows that the server is running PHP 8.3.27.

![image](https://hackmd.io/_uploads/BkuFTtCYbg.png)

### Subdomain Enumeration

Using `gobuster`, we enumerated virtual hosts and found an additional subdomain, `cacti`.

![image](https://hackmd.io/_uploads/S1cD2tRY-e.png)

Going to `http://cacti.monitorsfour.htb` shows a login page for Cacti v1.2.28.

![image](https://hackmd.io/_uploads/H1C23KRtbl.png)

### Directory Enumeration

Using `gobuster` again, we checked the main domain for anything interesting and found a `/user` endpoint.

![image](https://hackmd.io/_uploads/SyBhGqCF-g.png)

## Exploitation

Testing the `/user` endpoint for an IDOR vulnerability: requesting it with `0` as the user token returns the entire user array.

![image](https://hackmd.io/_uploads/HkZSyq0tWl.png)
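The defect above is an object-reference lookup with no authorization check, where a falsy token (`0`) switches the filter off and the whole table is returned, sensitive columns included. The following is an added example (not the MonitorsFour application's code) that reproduces that behaviour beside a hardened lookup; the user store `USERS` is constructed sample data, and the function names are hypothetical.

```python
"""Vulnerable vs. hardened user lookup, modelled on the /user IDOR above.

Added example, not the application's own code. USERS, lookup_user_vulnerable,
lookup_user_hardened and Forbidden are hypothetical names.
"""
import hashlib

# Constructed sample user store; the real one on the box is not reproduced.
USERS = [
    {"id": 1, "username": "admin",   "email": "admin@example.test",
     "password_hash": hashlib.md5(b"sample-pw-1").hexdigest()},
    {"id": 2, "username": "higgins", "email": "higgins@example.test",
     "password_hash": hashlib.md5(b"sample-pw-2").hexdigest()},
    {"id": 3, "username": "marcus",  "email": "marcus@example.test",
     "password_hash": hashlib.md5(b"sample-pw-3").hexdigest()},
]

# Only these columns may ever leave the server.
PUBLIC_FIELDS = ("id", "username", "email")


def lookup_user_vulnerable(token: str):
    """Mimics the flawed endpoint: the token is used as a raw filter, a falsy
    value (0) disables the filter, and full records (hashes included) are
    returned to an unauthenticated caller."""
    user_id = int(token)
    if not user_id:                      # 0 is treated as "no filter"
        return USERS
    return [u for u in USERS if u["id"] == user_id]


class Forbidden(Exception):
    """Raised for any request the caller is not allowed to make."""


def lookup_user_hardened(session_user_id, token: str):
    """Authorization-checked lookup:
    - an authenticated session is required;
    - a caller may only fetch their own record (an admin role could be added);
    - the response is projected onto non-sensitive fields only;
    - unknown ids and foreign ids fail the same way, so record existence
      is not leaked."""
    if session_user_id is None:
        raise Forbidden("authentication required")
    try:
        requested = int(token)
    except ValueError:
        raise Forbidden("invalid id")
    if requested <= 0 or requested != session_user_id:
        raise Forbidden("not authorized for this record")
    for u in USERS:
        if u["id"] == requested:
            return {k: u[k] for k in PUBLIC_FIELDS}
    raise Forbidden("not authorized for this record")


def is_forbidden(session_user_id, token: str) -> bool:
    """Helper for checks: True if the hardened lookup rejects the request."""
    try:
        lookup_user_hardened(session_user_id, token)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, token 0 ->", len(lookup_user_vulnerable("0")), "records")
    print("hardened, marcus/3   ->", lookup_user_hardened(3, "3"))
    print("hardened, anon/0     -> forbidden:", is_forbidden(None, "0"))
```

The hardened version treats the token as an untrusted hint and derives the authorization decision from the session, not from the request; projecting onto `PUBLIC_FIELDS` means that even a future logic slip cannot hand out password hashes.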

### Hash Cracking

Cracking the hash of the `admin` user with `hashcat` in MD5 mode yields a password that we can try against the Cacti service.

![image](https://hackmd.io/_uploads/SkoLx9RKbl.png)
![image](https://hackmd.io/_uploads/H1kdl9CKWl.png)

However, logging in as `admin` does not work; trying `higgins` and `marcus`, the `marcus` account works.

```
marcus : wonderful1
```
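The hashes in the dump cracked quickly because they are unsalted MD5: a fast hash with no per-user salt, so one dictionary run covers every account and identical passwords are visible as identical hashes. The following added example (not code from the application) contrasts that scheme with salted PBKDF2-HMAC-SHA256 and constant-time verification; the function names are hypothetical and the passwords used are constructed.

```python
"""Password storage: unsalted MD5 (as found in the dump above) versus a
salted, iterated KDF.  Added example; md5_store, kdf_store, kdf_verify and
reuse_visible are hypothetical names, not the application's code."""
import hashlib
import hmac
import os
from typing import List, Optional

# Iteration count of the order recommended for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000


def md5_store(password: str) -> str:
    """Legacy scheme: one fast, unsalted hash per password.  Two users with
    the same password get the same stored value, and a single dictionary
    pass over a dump tests every account at once."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as 'pbkdf2_sha256$iters$salt$hash'
    so the parameters travel with the record and can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def kdf_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def reuse_visible(stored_values: List[str]) -> bool:
    """True if any two stored values are identical, i.e. password reuse
    between accounts can be read straight off a leaked dump."""
    return len(set(stored_values)) < len(stored_values)


if __name__ == "__main__":
    # Constructed demo: two accounts sharing one password.
    legacy = [md5_store("wonderful1"), md5_store("wonderful1")]
    modern = [kdf_store("wonderful1"), kdf_store("wonderful1")]
    print("MD5 dump reveals reuse :", reuse_visible(legacy))
    print("KDF dump reveals reuse :", reuse_visible(modern))
    print("verify correct password:", kdf_verify("wonderful1", modern[0]))
    print("verify wrong password  :", kdf_verify("wonderful2", modern[0]))
```

The salt defeats precomputation and hides reuse across accounts; the iteration count is what makes each guess expensive, which is the property an MD5 store lacks entirely.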

### CVE-2025-24367

![image](https://hackmd.io/_uploads/Syx7rW5AK-g.png)

Since the Cacti instance is running v1.2.28, it is vulnerable to a post-authentication RCE: an authenticated user can create a malicious graph template containing a PHP reverse shell. The advisory is published [here](https://nvd.nist.gov/vuln/detail/CVE-2025-24367).

![image](https://hackmd.io/_uploads/BJVAMcAt-g.png)

Using this [script](https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC), we obtained a reverse shell on the target machine.

![image](https://hackmd.io/_uploads/S1TlQc0FZl.png)

## Privilege Escalation (User)

Because `www-data` has overly permissive access, we can read the user flag directly from `/home/marcus/user.txt`.

![image](https://hackmd.io/_uploads/HkBKQ9CYbg.png)

```
User Flag : 61eebf8c6161e53926e98376c3b93096
```

## Privilege Escalation (Root)

From the hostname, we deduced that the service is running inside a Docker container. To learn the Docker version, we need to query the Docker API.

![image](https://hackmd.io/_uploads/r1csN9CF-l.png)


However, the Docker-internal hostname does not resolve, so we scanned the subnet for a reachable host with port 2375 open and found `192.168.65.7:2375`.

![image](https://hackmd.io/_uploads/ryPLHqRKZl.png)


From the API response, we learned that the host is running Docker Desktop v28.3.2 on WSL, a version that allows a container to reach the Docker API of the host machine.

### CVE-2025-9074

![image](https://hackmd.io/_uploads/S1yOIqCtZx.png)

This vulnerability lets a container execute arbitrary Docker commands through the host's Docker API, so the host drive can be mounted into and read from a new container. The details can be read [here](https://nvd.nist.gov/vuln/detail/CVE-2025-9074).

We then created a Docker image that mounts the root flag and prints it to the container logs.

![image](https://hackmd.io/_uploads/rJS9KqCFZe.png)
![image](https://hackmd.io/_uploads/S1yn_cRKbg.png)

Next, we used the exposed Docker API to run the image and read its logs from stdout.

![image](https://hackmd.io/_uploads/Hywkt5RtWx.png)
![image](https://hackmd.io/_uploads/S1MbYcCt-e.png)

And just like that, we obtained the root flag.

![image](https://hackmd.io/_uploads/H1mSt9RFbl.png)

```
Root Flag : 266aa41a9130955c69e8f21ef0297679
```