Hack The Box - Season 10 HTB CCTV Writeup - Easy - Weekly - March 07th, 2026
Difficulty: Easy
OS: Linux
Theme: Video surveillance software exploitation chain
Overview
CCTV is a Linux box themed around IP camera management software. The attack chain involves exploiting two different CCTV management platforms — ZoneMinder and motionEye — chaining a SQL injection for credential extraction, password cracking, and a command injection CVE for root access.
Full chain:
ZoneMinder SQLi → hash crack → SSH foothold → motionEye config leak → EXPLOIT → root
Reconnaissance
Port Scan
Running a full TCP scan revealed two open ports:
nmap -sV -sC -p- --min-rate 5000 -oN nmap_full.txt <TARGET_IP>
Results:
| Port | Service | Version |
|---|---|---|
| 22 | SSH | OpenSSH 9.6p1 Ubuntu |
| 80 | HTTP | Apache 2.4.58 |
Added the target to /etc/hosts:
<TARGET_IP> cctv.htb
Enumeration
Web Application (Port 80)
Browsing to http://cctv.htb/ revealed a marketing page for "SecureVision CCTV & Security Solutions". Navigation led to /zm/ — a ZoneMinder installation.
ZoneMinder version: 1.37.63
Default credentials admin:admin worked on the login page at http://cctv.htb/zm/index.php.
ZoneMinder User Enumeration
After logging in as admin, the ZoneMinder API revealed three users:
curl -s -b <session_cookie> http://cctv.htb/zm/api/users.json
| ID | Username | System Perm |
|---|---|---|
| 1 | superadmin | Edit |
| 2 | mark | View |
| 3 | admin | View |
The current admin session only had System: View — not enough to change log paths for PHP injection. The superadmin user had System: Edit but we didn't have its credentials yet.
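The same user list works as a least-privilege audit from the defender's side. The script below is an added example, not part of the original writeup or ZoneMinder's own code; the `{"users": [{"User": {...}}]}` wrapper and the `Enabled` and `APIEnabled` field names are assumptions about the API response, and the sample data is constructed from the table above.

```python
import json

# Constructed sample modelled on the table above; wrapper and field names are assumed.
SAMPLE_USERS_JSON = """
{"users": [
  {"User": {"Id": "1", "Username": "superadmin", "System": "Edit", "Enabled": "1", "APIEnabled": "1"}},
  {"User": {"Id": "2", "Username": "mark", "System": "View", "Enabled": "1", "APIEnabled": "1"}},
  {"User": {"Id": "3", "Username": "admin", "System": "View", "Enabled": "1", "APIEnabled": "1"}}
]}
"""

# Names whose default password worked on this box; extend for your own estate.
WELL_KNOWN_NAMES = {"admin"}
PERM_RANK = {"None": 0, "View": 1, "Edit": 2}


def audit_users(raw_json):
    """Return one finding per account, highest System permission first."""
    findings = []
    for entry in json.loads(raw_json).get("users", []):
        user = entry.get("User", {})
        name = user.get("Username", "")
        system = user.get("System", "None")
        notes = []
        if str(user.get("Enabled", "1")) != "1":
            notes.append("disabled")
        else:
            if system == "Edit":
                notes.append("can change system options (log paths included)")
            if name.lower() in WELL_KNOWN_NAMES:
                notes.append("well-known name: verify a non-default password")
            if system != "None" and str(user.get("APIEnabled", "0")) == "1":
                notes.append("can read the user list through the API")
        findings.append({"id": int(user.get("Id", 0)), "username": name,
                         "system": system, "notes": notes})
    # Most privileged first, then by Id, so reviewers start with System: Edit.
    findings.sort(key=lambda f: (-PERM_RANK.get(f["system"], 0), f["id"]))
    return findings


if __name__ == "__main__":
    for f in audit_users(SAMPLE_USERS_JSON):
        print(f'{f["id"]:>2} {f["username"]:<12} {f["system"]:<5} {"; ".join(f["notes"])}')
```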
SQL Injection — CVE-2024-51482
Vulnerability
ZoneMinder versions 1.37.* through 1.37.64 contain a time-based blind SQL injection in the tid parameter of the event tag removal endpoint: