10.129.2.132

Enumeration

Nmap

PORT   STATE SERVICE    REASON         VERSION
22/tcp open  ssh        syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 76:1d:73:98:fa:05:f7:0b:04:c2:3b:c4:7d:e6:db:4a (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDZ15GCLPzC4gTM0nqzpUbr/2L77bM1C9sbBecivQPX/KcKvJrP88peCJXwTug7T/EORHr7M7JeHtMQJ6hYihFA=
80/tcp open  tcpwrapped syn-ack ttl 63
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

• Ports
  • 22 (SSH
  • 80 (HTTP) → Redirected to http://cctv.htb/

Port 80 (HTTP)

• SecureVision website

• Login portal at http://cctv.htb/zm/

Fuzzing cctv

• Feroxbuster (FUZZING with Medium words and php,html

403      GET        9l       28w      273c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        9l       31w      270c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       28w      309c <http://cctv.htb/javascript> => <http://cctv.htb/javascript/>
200      GET      224l      562w     6177c <http://cctv.htb/index.html>
200      GET      224l      562w     6177c <http://cctv.htb/>
301      GET        9l       28w      301c <http://cctv.htb/zm> => <http://cctv.htb/zm/>
301      GET        9l       28w      306c <http://cctv.htb/zm/ajax> => <http://cctv.htb/zm/ajax/>
200      GET       68l      338w     2610c <http://cctv.htb/zm/cache/js_Server-base-1752558138.js>
200      GET       48l      165w     1205c <http://cctv.htb/zm/cache/js_ajaxQueue-base-1752558138.js>
200      GET      200l      785w     6565c <http://cctv.htb/zm/cache/js_logger-base-1752558138.js>
200      GET      193l      799w     6820c <http://cctv.htb/zm/includes/csrf/csrf-magic.js>
200      GET       77l      301w     1960c <http://cctv.htb/zm/cache/css_reset-base-1752558138.css>
200      GET       10l      459w    20347c <http://cctv.htb/zm/cache/skins_classic_js_bootstrap-table-1.22.3_extensions_auto-refresh_bootstrap-table-auto-refresh.min-base-1752558138.js>
200      GET     1134l     2233w    19195c <http://cctv.htb/zm/cache/skins_classic_css_base_skin-base-1752558138.css>
301      GET        9l       28w      307c <http://cctv.htb/zm/cache> => <http://cctv.htb/zm/cache/>
200      GET       94l      649w    42622c <http://cctv.htb/zm/cache/skins_classic_js_tableExport.min-base-1752558138.js>
200      GET        1l     1717w    78221c <http://cctv.htb/zm/skins/classic/js/luxon-3.4.4.min.js>
301      GET        9l       28w      310c <http://cctv.htb/zm/includes> => <http://cctv.htb/zm/includes/>
200      GET       10l     1943w   136763c <http://cctv.htb/zm/cache/skins_classic_js_bootstrap-table-1.22.3_bootstrap-table.min-base-1752558138.js>
301      GET        9l       28w      305c <http://cctv.htb/zm/api> => <http://cctv.htb/zm/api/>
301      GET        9l       28w      304c <http://cctv.htb/zm/js> => <http://cctv.htb/zm/js/>
301      GET        9l       28w      305c <http://cctv.htb/zm/css> => <http://cctv.htb/zm/css/>
301      GET        9l       28w      309c <http://cctv.htb/zm/cgi-bin> => <http://cctv.htb/zm/cgi-bin/>
301      GET        9l       28w      306c <http://cctv.htb/zm/lang> => <http://cctv.htb/zm/lang/>
301      GET        9l       28w      307c <http://cctv.htb/zm/skins> => <http://cctv.htb/zm/skins/>
200      GET        0l        0w        0c <http://cctv.htb/zm/includes/config.php>
301      GET        9l       28w      307c <http://cctv.htb/zm/fonts> => <http://cctv.htb/zm/fonts/>
200      GET      183l      561w     8477c <http://cctv.htb/zm/>
200      GET       11l      374w    10220c <http://cctv.htb/zm/skins/classic/js/chosen/chosen.min.css>
500      GET        0l        0w        0c <http://cctv.htb/zm/includes/database.php>
200      GET        1l        2w      438c <http://cctv.htb/zm/graphics/favicon.ico>
200      GET     1391l     3433w    47814c <http://cctv.htb/zm/cache/skins_classic_js_chosen_chosen.jquery-base-1752558138.js>
200      GET     1205l     4255w    42091c <http://cctv.htb/zm/cache/skins_classic_js_skin-base-1752558138.js>
200      GET       10l      316w     9395c <http://cctv.htb/zm/cache/skins_classic_js_bootstrap-table-1.22.3_bootstrap-table.min-base-1752558138.css>
301      GET        9l       28w      307c <http://cctv.htb/zm/views> => <http://cctv.htb/zm/views/>
200      GET        4l       66w    31000c <http://cctv.htb/zm/cache/css_font-awesome.min-base-1752558138.css>
200      GET        5l       17w      151c <http://cctv.htb/zm/cache/skins_classic_views_js_login-base-1752558138.js>
200      GET        7l      820w    35415c <http://cctv.htb/zm/skins/classic/js/moment.min.js>
200      GET       10l      945w    36468c <http://cctv.htb/zm/cache/skins_classic_js_bootstrap-table-1.22.3_extensions_toolbar_bootstrap-table-toolbar.min-base-1752558138.js>
200      GET        5l      260w    15560c <http://cctv.htb/zm/cache/skins_classic_js_jquery-ui-1.13.2_jquery-ui.structure.min-base-1752558138.css>
200      GET        8l       71w     4455c <http://cctv.htb/zm/cache/js_fontfaceobserver.standalone-base-1752558138.js>
200      GET        6l     2099w   160358c <http://cctv.htb/zm/cache/css_bootstrap.min-base-1752558138.css>
200      GET       10l      491w    20361c <http://cctv.htb/zm/cache/skins_classic_js_bootstrap-table-1.22.3_extensions_page-jump-to_bootstrap-table-page-jump-to.min-base-1752558138.js>
200      GET     2291l     8530w    78475c <http://cctv.htb/zm/cache/skins_classic_js_dateTimePicker_jquery-ui-timepicker-addon-base-1752558138.js>
200      GET       10l      663w    32272c <http://cctv.htb/zm/cache/skins_classic_js_bootstrap-table-1.22.3_extensions_export_bootstrap-table-export.min-base-1752558138.js>
200      GET       48l       78w      661c <http://cctv.htb/zm/cache/skins_classic_css_base_views_login-base-1752558138.css>
200      GET       10l       50w      664c <http://cctv.htb/zm/cache/skins_classic_js_bootstrap-table-1.22.3_extensions_page-jump-to_bootstrap-table-page-jump-to.min-base-1752558138.css>
200      GET        2l     1262w    87533c <http://cctv.htb/zm/cache/skins_classic_js_jquery.min-base-1752558138.js>
200      GET        5l      290w    13891c <http://cctv.htb/zm/skins/classic/js/jquery-ui-1.13.2/jquery-ui.theme.min.css>
500      GET        0l        0w        0c <http://cctv.htb/zm/views/image.php>
200      GET       30l      187w     1945c <http://cctv.htb/zm/cache/skins_classic_js_dateTimePicker_jquery-ui-timepicker-addon-base-1752558138.css>
200      GET     3233l    12068w   119044c <http://cctv.htb/zm/cache/skins_classic_js_bootstrap-table-1.22.3_extensions_cookie_bootstrap-table-cookie-base-1752558138.js>
200      GET        6l     1657w   255084c <http://cctv.htb/zm/skins/classic/js/jquery-ui-1.13.2/jquery-ui.min.js>
200      GET     7033l    23033w   229201c <http://cctv.htb/zm/skins/classic/js/bootstrap-4.5.0.min.js>
200      GET      183l      561w     8477c <http://cctv.htb/zm/index.php>
301      GET        9l       28w      310c <http://cctv.htb/zm/graphics> => <http://cctv.htb/zm/graphics/>
500      GET        0l        0w        0c <http://cctv.htb/zm/includes/lang.php>
500      GET        0l        0w        0c <http://cctv.htb/zm/includes/auth.php>
500      GET        0l        0w        0c <http://cctv.htb/zm/views/archive.php>
500      GET        0l        0w        0c <http://cctv.htb/zm/includes/functions.php>
500      GET        0l        0w        0c <http://cctv.htb/zm/includes/User.php>
404      GET       27l       83w     1003c <http://cctv.htb/zm/api/text/css>
404      GET       27l       83w     1012c <http://cctv.htb/zm/api/zm/api/components>

Login Creds found:

• Login to the zoneminder with default creds admin:admin

• Version number 1.37.63
  • Potential SQL injection https://pentest-tools.com/vulnerabilities-exploits/zoneminder-v137-13764-sql-injection_27166
  • Seems to be RCE for older version https://github.com/m3m0o/zoneminder-snapshots-rce-poc/blob/main/README.md