MonitorsFour
HackTheBox MonitorsFour machine writeup — reconnaissance and enumeration walkthrough.
MonitorsFour is a Windows-based HackTheBox machine that demonstrates a multi-stage attack chain combining web application vulnerabilities, authentication bypass through PHP type juggling, CVE exploitation, and Docker API abuse for privilege escalation. This writeup details the complete exploitation process from initial reconnaissance to root access.
Environment Configuration
Configure DNS resolution for the target domain:
echo "10.10.11.98 monitorsfour.htb cacti.monitorsfour.htb" | sudo tee -a /etc/hosts
Target: 10.10.11.98
Attacker: 10.10.14.143
Reconnaissance & Information Gathering
Network Enumeration
Initial port scanning reveals the attack surface:
nmap -A -O 10.10.11.98
Open Ports:
- 80/tcp: nginx HTTP service redirecting to monitorsfour.htb
- 5985/tcp: WinRM (Microsoft HTTPAPI httpd 2.0)
Operating System: Windows Server (2022/2012/2016)
Virtual Host Discovery
Enumerate subdomains using ffuf with virtual host fuzzing:
ffuf -t 400 -w /usr/share/seclists/Discovery/DNS/combined_subdomains.txt \
-u http://monitorsfour.htb \
-H "Host: FUZZ.monitorsfour.htb" -ac
Discovered: cacti.monitorsfour.htb (Status: 302)
Web Directory Enumeration
Scan for hidden directories and files:
ffuf -t 400 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt \
-u http://monitorsfour.htb/FUZZ -ac
Critical Findings:
- /views - Status 301
- /symposium - Status 200
- /logis - Status 200
- /videofiles - Status 200
Note: The scan encountered numerous timeout errors, indicating rate limiting or network instability. Reducing thread count (-t 100) improves reliability.
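Seen from the server side, the virtual host and directory fuzzing above leave a recognizable footprint in the nginx logs: one client sending many distinct Host values and collecting many distinct 404 responses. The detection logic below is an added example, not part of the original writeup; the log format, the thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed nginx log_format (not from the writeup):
#   '$remote_addr "$host" "$request" $status'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<host>[^"]*)" "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})$'
)

def detect_fuzzing(lines, host_threshold=20, path_threshold=50):
    """Return {client_ip: [findings]} for clients that look like wordlist enumeration."""
    hosts = defaultdict(set)   # distinct Host header values seen per client
    misses = defaultdict(set)  # distinct paths answered with 404 per client
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        hosts[m["ip"]].add(m["host"].lower())
        if m["status"] == "404":
            misses[m["ip"]].add(m["path"])
    findings = defaultdict(list)
    for ip, seen in hosts.items():
        if len(seen) >= host_threshold:
            findings[ip].append(f"vhost-fuzzing: {len(seen)} distinct Host values")
    for ip, seen in misses.items():
        if len(seen) >= path_threshold:
            findings[ip].append(f"dir-fuzzing: {len(seen)} distinct 404 paths")
    return dict(findings)

def sample_log():
    """Constructed sample: one enumerating client and one ordinary visitor."""
    lines = []
    for i in range(30):  # many Host values from a single source
        lines.append(f'10.10.14.143 "sub{i}.monitorsfour.htb" "GET / HTTP/1.1" 302')
    for i in range(60):  # many missing paths from the same source
        lines.append(f'10.10.14.143 "monitorsfour.htb" "GET /word{i} HTTP/1.1" 404')
    lines.append('192.0.2.10 "monitorsfour.htb" "GET / HTTP/1.1" 200')
    lines.append('192.0.2.10 "monitorsfour.htb" "GET /favicon.ico HTTP/1.1" 404')
    return lines

if __name__ == "__main__":
    for ip, notes in detect_fuzzing(sample_log()).items():
        print(ip, notes)
```

The default nginx combined format does not record the Host header, so a log_format that includes $host is needed before the first check can work.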