MonitorsFour continues the Monitors series, this time on a Windows host. A company website exposes an authenticated API endpoint that returns every employee’s record. I’ll bypass auth with a PHP type juggling flaw to dump a collection of crackable password hashes. Those credentials open a Cacti instance, where I’ll exploit CVE-2025-24367 to inject commands into rrdtool and drop a webshell, landing in a Docker container. Enumeration shows the host is running Docker Desktop on a WSL2 backend, and that the container can reach the Docker Engine API directly (CVE-2025-9074). I’ll create a new container that mounts the Windows host’s drive and read the root flag. In Beyond Root, I’ll turn that filesystem access into a shell on Windows through a scheduled task, and break down the PHP type juggling bug.

0xdf hacks stuff

A detailed walkthrough of the HackTheBox machine MonitorsFour, a Windows host running Docker Desktop with WSL2 backend. The attack chain involves: exploiting a PHP type juggling flaw (loose == comparison with '0e' magic hashes) to bypass authentication and dump user credentials from an API endpoint; cracking MD5 password hashes to gain access to a Cacti 1.2.28 instance; exploiting CVE-2025-24367 (newline injection into rrdtool via cacti_escapeshellarg on Windows) to write a PHP webshell and get RCE inside a Docker container; and finally abusing CVE-2025-9074 (unauthenticated Docker Engine API accessible at 192.168.65.7:2375 from within containers in Docker Desktop) to create a new privileged container that mounts the Windows host's C: drive, enabling reading the root flag. A bonus section covers turning filesystem access into a Windows shell via scheduled tasks.

HTB: MonitorsFour