Port enumeration

Using nmap I found 2 open ports, 80 and 5985

nmap -p- --open -vvv -sS --min-rate 5000 -Pn 10.129.3.44 -oG allPorts.txt
nmap -p80,5985 -sCV 10.129.3.44

Web enumeration

Inside the web, I found a login form. f282bcc02452464b8ada9787c94a6730.png Using ffuf I found some type of API. 6c4f44e67d38965a903f8e662a6ff46c.png This API call for a token parameter, so, I tried this. 379cbdb3d3b99e56913d6c15e29c0d76.png With ffuf I found a subdomain, cacti.

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -u http://monitorfours.htb/ -fw 3 -H "Host: FUZZ.monitorsfour.htb"

4eb94f9de062fb5af7742939979e24ba.png

Admin dashboard access

Using ffuf, I found that the token 0 print a database content.

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-big.txt -fw 4 -u http://monitorsfour.htb/user\?token=FUZZ

9a12585df64f8868243dd9540790f56c.png cfb9f075bba93648874ac8af9a1c901b.png With john, I was able to crack the admin password. 4dea683785cf9fe98d43f33f65d88d3b.png With that password I was able to log as admin. 32604c14d87017876bdb518e37103344.png Here I can create a API key. 1948dbef1a98209c716c697101599a45.png

Cacti RCE

Into the cacti subdomain I found a cacti instance vulnerable to CVE-2025-66399. df2c8f7439c1ec39b7dfd7ef874554ab.png I just used an exploit to obtain the shell. 9e1052fa712e263566c47107cff594a0.png da77f0cef71adc6bc3c4e30691596cc1.png

Docker CVE-2025-9074

First thing I found is that I am inside a docker. 6d7a6adfce0a87cf808a4924f516211e.png This docker versión is vulnerable to CVE-2025-9074, exposing the docker API and allowing me to create other containers, mounting the disks. My objetive here is to create a docker with all the C disk mounted. 57d7022d81698eb6027e5c94b8268adb.png 5a460451123842cbb09f68901839e481.png This method allowed me to download files inside the new docker. 4eaab12b6e0b7e1f60de396cb9466630.png I decided to download the docker binary inside the docker. 80a2a286ca8edfb6b2b5126c5caf0595.png And I created another docker mounting the C disk.

./docker -H 192.168.65.1:2375 run -v /mnt/host/c:/host_root --rm -it alpine

585e8a002d5438f17708a4c832828ae3.png 9691c49abf621af9132ee487c170010d.png With this, now I have a shell inside the windows file system that allows me to read the root flag. d9c75e4bac9c6a460e0d3d5f6f68cd80.png