HackTheBox - MonitorsFour

The video walks through the Hack The Box "Monitors4" machine, showing a hands‑on, manual exploitation path rather than relying on pre‑written scripts. The presenter starts with basic reconnaissance, discovers a single HTTP service running Nginx on Windows, and then fuzzes a token endpoint to expose a PHP type‑juggling flaw that yields a 32‑character MD5 hash. Using that token, he cracks the hash on hashes.com, logs in as admin, and pivots to deeper enumeration. Key steps include exploiting two CVEs: a remote command execution flaw in Cacti and a privilege‑escalation vulnerability in Docker Desktop 4.44.2. The analyst demonstrates how to use tools like fuff, GoBuster, and curl, while emphasizing the importance of correct filter settings—highlighting a mistake where filtering on HTTP 302 hid the Cacti endpoint. He also explains Windows’ “worst‑fit” character translation, which can bypass filters in PHP CGI contexts. Notable moments feature the discovery of the Windows translation bug, the manual reconstruction of the admin credentials (admin / wonderfulone), and the use of MD5 hash cracking to gain initial access. The presenter notes that the Cacti version appears in the HTTP banner and that mis‑filtering size versus status code can delay discovery, illustrating common pitfalls in automated fuzzing. Overall, the walkthrough underscores that manual exploitation reinforces understanding of underlying primitives, making future attacks more efficient. It also serves as a reminder that even easy boxes contain nuanced configuration errors—like improper filter usage and legacy Windows quirks—that can be leveraged for full system compromise.