Platform: Hack The Box
Season: 9
Difficulty: Easy
OS: Windows
Date: 2025-12-09
Author: x4cc3
Monitor Four is a Windows machine hosting a PHP website behind nginx. An exposed .env file leaks database credentials. A PHP type-juggling vulnerability in the /user?token= endpoint bypasses authentication and dumps user records including MD5 password hashes. The admin hash is cracked via CrackStation. Subdomain enumeration reveals a Cacti monitoring instance (cacti.monitorsfour.htb), where the admin password works for login. A Cacti CVE provides a webshell inside a Docker container. The Docker API (port 2375) is exposed, allowing a container escape to mount the host Windows filesystem.
nmap -Pn -sV -sC -T4 -A 10.10.11.98
| Port | Service | Version |
|---|---|---|
| 80/tcp | HTTP | nginx (redirects to monitorsfour.htb) |
| 5985/tcp | WinRM | Microsoft HTTPAPI httpd 2.0 |
Added monitorsfour.htb to /etc/hosts.
dirsearch -u <http://monitorsfour.htb> -x 404
Key findings:
/.env (200) — exposed environment file with database credentials