HTB MonitorsFour: IDOR to RCE to Docker Escape
An unauthenticated IDOR on an internal API leaks user credentials. Cracking an MD5 hash grants access to a Cacti instance vulnerable to CVE-2025-24367 (authenticated RCE). From a www-data shell inside a Docker container, an exposed Docker Engine API (port 2375) enables container escape and host compromise.
