CCTV HackTheBox Writeup - Season 10
SUMMARY
This write-up covers the CCTV machine from HackTheBox Season 10. Web enumeration on port 80 uncovered a staff login page that redirected to a ZoneMinder surveillance portal. Access was obtained using default credentials, and the portal’s interface exposed the running version as 1.37.63, which is affected by CVE-2024-51482, a SQL injection vulnerability.
Using sqlmap against the vulnerable endpoint, usernames and password hashes were extracted from the backend database. The hashes were successfully cracked offline, yielding a plaintext password that was reused for SSH access to the system.
With a foothold established, enumeration of locally bound ports revealed port 7999 running Motion 4.7.1, a motion detection daemon. This version is vulnerable to a Local Privilege Escalation (LPE) via the on_event_start and on_motion_detect configuration parameters, which accept arbitrary shell commands executed in the context of the service owner. By injecting a malicious command into these parameters, full root access was achieved.
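From the defender's side, the Motion finding above is a configuration problem that can be audited: event hooks hold shell commands, and they run as whoever owns the daemon. The script below is an added example, not part of the original write-up. It flags every `on_*` hook, checks the web control settings, and escalates when the daemon runs as root. The sample config is constructed, and the `webcontrol_*` option names and their value meanings are assumptions based on Motion 4.x that should be checked against the installed version.

```python
# Constructed sample config for illustration; not taken from the CCTV machine.
SAMPLE_CONF = """\
# motion.conf (constructed)
daemon on
webcontrol_port 7999
webcontrol_localhost on
webcontrol_parms 3
webcontrol_auth_method 0
on_event_start /usr/local/bin/notify.sh %v
; on_event_end /bin/true
"""

def parse_conf(text):
    """Parse Motion-style 'option value' lines, skipping '#' and ';' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit(opts, runs_as_root):
    """Return (code, detail) findings; runs_as_root is supplied by the auditor."""
    findings = []
    # Every non-empty on_* option is a shell command run with the daemon's privileges.
    for key in sorted(k for k, v in opts.items() if k.startswith("on_") and v):
        findings.append(("EVENT_HOOK", f"{key} = {opts[key]}"))
    # Assumed Motion 4.x semantics: port 0 disables web control, parms 0 exposes
    # no options, auth_method 0 means no authentication, localhost defaults to on.
    web_on = opts.get("webcontrol_port", "0") not in ("", "0")
    if web_on and opts.get("webcontrol_parms", "0") != "0":
        findings.append(("WEB_CAN_EDIT_CONFIG", "webcontrol_parms is non-zero"))
    if web_on and opts.get("webcontrol_auth_method", "0") == "0":
        findings.append(("WEB_NO_AUTH", "webcontrol_auth_method is 0"))
    if web_on and opts.get("webcontrol_localhost", "on").lower() != "on":
        findings.append(("WEB_REMOTE", "web control listens beyond localhost"))
    if runs_as_root and findings:
        findings.append(("RUNS_AS_ROOT", "hooks or web edits would execute as root"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(parse_conf(SAMPLE_CONF), runs_as_root=True):
        print(f"{code}: {detail}")
```

Running the daemon under a dedicated unprivileged account removes the `RUNS_AS_ROOT` finding even when hooks are still in use.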
PATH TO FOLLOW
- Reconnaissance
- Web Enumeration & ZoneMinder Discovery
- Default Credential Access
- Version Fingerprinting & CVE-2024-51482 Identification
- SQL Injection with sqlmap
- Hash Extraction & Offline Cracking
- Initial SSH Access
- Local Port Enumeration & Motion 4.7.1 Discovery
- Local Privilege Escalation via Motion Event Parameters
- Root Access
CONTENT WILL BE RELEASED ONCE THE MACHINE IS RETIRED