HackTheBox - MonitorsFour

IppSec · Beginner ·☁️ DevOps & Cloud ·1mo ago

Key Takeaways

Demonstrates a cybersecurity challenge using HackTheBox's MonitorsFour

Original Description

00:00 - Introduction 00:57 - Start of nmap 03:20 - Looking at the webpage doing basic enumeration 05:30 - Talking about Orange Tsai Worst Fit -- Doesn't get us anything but a path i went down first 09:50 - Discovering the /user endpoint, fuzzing the token parameter discovering type juggling, cracking hashes 14:40 - Logging into the application, which seems like an odd static page 18:00 - Discovering the Cacti Domain, Logging in and showing we can enumerate if a user is valid or not by a timing attack 23:50 - Exploting CVE-2025-24367 , which lets us create php files on the target 28:40 - Creating the payload to drop the file to get RCE 36:00 - Shell returned. 38:10 - Using bash to be a basic port scanner, then dumping the database 45:00 - Manually exploiting CVE-2025-9074, talking to Docker over HTTP to create a container that mounts the host operating system in a container then reading the flag 55:00 - Getting code execution on the host by looking at scheduled tasks and changing a powershell script that runs every 3 minutes
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Related Reads

📰
Automating Spring Boot Deployments: A CI/CD Pipeline with GitHub Actions and AWS ECS
Automate Spring Boot deployments with a CI/CD pipeline using GitHub Actions and AWS ECS to streamline testing and deployment
Medium · DevOps
📰
I Caught a Dev Tool Stealing My Data — So I Built 7 Alternatives That Make Zero Network Calls
Learn how to build 7 alternative dev tools that make zero network calls, ensuring data security and privacy
Dev.to · SRINIVAS ESLAWATH
📰
The Archaeology of Git Blame: Why AI Doesn’t Understand the Panic Behind Your Code
Learn how Git Blame can be misleading and why AI models struggle to understand the context behind code changes, making it essential for developers to consider the human factor in code review
Dev.to · Bhavnish
📰
Deploying and Configuring Apache on a RHEL/CentOS Server
Learn to deploy and configure Apache on a RHEL/CentOS server for web hosting and development purposes.
Medium · DevOps

Chapters (13)

Introduction
0:57 Start of nmap
3:20 Looking at the webpage doing basic enumeration
5:30 Talking about Orange Tsai Worst Fit -- Doesn't get us anything but a path i we
9:50 Discovering the /user endpoint, fuzzing the token parameter discovering type j
14:40 Logging into the application, which seems like an odd static page
18:00 Discovering the Cacti Domain, Logging in and showing we can enumerate if a use
23:50 Exploting CVE-2025-24367 , which lets us create php files on the target
28:40 Creating the payload to drop the file to get RCE
36:00 Shell returned.
38:10 Using bash to be a basic port scanner, then dumping the database
45:00 Manually exploiting CVE-2025-9074, talking to Docker over HTTP to create a con
55:00 Getting code execution on the host by looking at scheduled tasks and changing
Up next
AWS, Azure, GCP: The One Thing Every Business Gets Wrong
AI Daily
Watch →