CCTV

HackTheBox CCTV machine writeup — reconnaissance and enumeration walkthrough.

Table of Contents

  1. Overview
  2. Attack Chain Summary
  3. Phase 1 - Reconnaissance & Enumeration
  4. Phase 2 - Web Enumeration & ZoneMinder
  5. Phase 3 - SQL Injection (CVE-2024-51482)
  6. Phase 4 - Hash Cracking
  7. Phase 5 - Initial Access via SSH
  8. Phase 6 - Internal Service Enumeration
  9. Phase 7 - Port Forwarding to motionEye
  10. Phase 8 - Privilege Escalation via CVE-2025-60787
  11. Flags
  12. Tools & CVE Reference

Overview

CCTV is a Linux-based HackTheBox machine built around a real-world CCTV management stack. The machine hosts a ZoneMinder instance on port 80 and an internally exposed motionEye service on localhost. The attack path chains two CVEs - a blind SQL injection to extract database credentials, followed by a command injection in a misconfigured motionEye instance running as root - resulting in a full system compromise.


Attack Chain Summary

[Attacker]
    │
    ├─[1]─ Nmap scan → ports 22, 80 open
    │
    ├─[2]─ ZoneMinder v1.37.63 on /zm/ → login admin:admin
    │
    ├─[3]─ CVE-2024-51482 → sqlmap time-based blind SQLi on ?tid= parameter
    │           └─► Dump zm.Users table → 3 bcrypt hashes
    │
    ├─[4]─ Hashcat (bcrypt) → mark : opensesame
    │
    ├─[5]─ SSH as mark@cctv.htb
    │
    ├─[6]─ Internal enum → motionEye on 127.0.0.1:8765 running as ROOT
    │           └─► Admin password hash in /etc/motioneye/motion.conf
    │
    ├─[7]─ SSH local port forward → expose motionEye to attacker
    │
    └─[8]─ CVE-2025-60787 → JS bypass + command injection in picture_filename
                └─► Root reverse shell → root.txt + user.txt

Phase 1 - Reconnaissance & Enumeration

1.1 - Host Setup

Before scanning, the machine hostname was added to the local hosts file for clean resolution:

echo "10.129.244.156 cctv.htb" | sudo tee -a /etc/hosts

1.2 - Full Port Scan

A full TCP port scan was performed using Nmap with an aggressive rate to minimise scan time:

nmap -p- --min-rate 5000 -sS 10.129.244.156

Output:

Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-09 21:59 +0530
Nmap scan report for cctv.htb (10.129.244.156)
Host is up (1.1s latency).
Not shown: 52062 closed tcp ports (reset), 13471 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 111.86 seconds

Only two ports were exposed externally - SSH (22) and HTTP (80). The attack surface is intentionally minimal, which points to a web-first approach.
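
From the defender's side, a full-range scan like the one above appears as a single source sending SYNs to many distinct destination ports in a short window. The following is an added example, not part of the original writeup: the log format (ISO 8601 timestamp plus netfilter-style fields), the source addresses, the function names and the thresholds are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Netfilter LOG-style key=value fields; the leading ISO 8601 timestamp is an assumption.
LINE_RE = re.compile(r"^(?P<ts>\S+) .*?\bSRC=(?P<src>\S+) .*?\bPROTO=TCP\b"
                     r".*?\bDPT=(?P<dpt>\d+)\b.*?\bSYN\b")

def detect_port_sweeps(lines, window_s=10, min_ports=100):
    """Map each source IP to the most distinct destination ports it hit in any
    sliding window, keeping only sources that reached min_ports (assumed thresholds)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)    # src -> (timestamp, dport) entries inside the window
    ports = defaultdict(Counter)   # src -> dport -> count inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # not a logged TCP SYN
        src, dpt = m["src"], int(m["dpt"])
        ts = datetime.fromisoformat(m["ts"])
        q, seen = recent[src], ports[src]
        q.append((ts, dpt))
        seen[dpt] += 1
        while ts - q[0][0] > window:   # expire entries older than the window
            _, old = q.popleft()
            seen[old] -= 1
            if not seen[old]:
                del seen[old]
        if len(seen) >= min_ports:
            flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged

def sample_log():
    """Constructed lines: one sweeping source and one ordinary web/SSH client."""
    t0 = datetime.fromisoformat("2026-03-09T21:59:00+05:30")
    fmt = ("{ts} cctv kernel: IN=eth0 OUT= SRC={src} DST=10.129.244.156 "
           "PROTO=TCP SPT=40000 DPT={dpt} SYN")
    lines = []
    for i in range(300):   # 300 distinct ports within 0.3 s
        ts = (t0 + timedelta(milliseconds=i)).isoformat()
        lines.append(fmt.format(ts=ts, src="198.51.100.7", dpt=i + 1))
    for i in range(300):   # 300 connections over 5 minutes, only ports 80 and 22
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(fmt.format(ts=ts, src="198.51.100.20", dpt=(80, 22)[i % 2]))
    return lines

if __name__ == "__main__":
    for src, n in detect_port_sweeps(sample_log()).items():
        print(f"possible port sweep from {src}: {n} distinct ports in 10 s")
```

Counting distinct ports rather than raw connections keeps the busy but legitimate client on ports 80 and 22 below the threshold.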

1.3 - Service Version Detection

nmap -sV -sC -T4 10.129.244.156

Output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|_  256 76:1d:73:98:fa:05:f7:0b:04:c2:3b:c4:7d:e6:db:4a (ECDSA)
80/tcp open  http    Apache httpd 2.4.58
|_http-title: SecureVision CCTV & Security Solutions
Service Info: Host: default; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Key findings:

  • Apache 2.4.58 hosting a site titled SecureVision CCTV & Security Solutions
  • OpenSSH 9.6p1 on Ubuntu 24.04


This post is licensed under CC BY 4.0 by the author.