HTB - CCTV Write-Up
Summary

CCTV is a Linux HackTheBox machine exposing SSH and a ZoneMinder web application on HTTP. The key foothold is an authenticated SQL injection in ZoneMinder 1.37.63, specifically the removetag action affected by CVE-2024-51482. After authenticating to the panel, the SQLi can be exploited with sqlmap to dump zm.Users, recover password hashes, and crack the mark account password.

Once on the box as mark, privilege escalation comes from a second service: motionEye. A world-readable /etc/motioneye/motion.conf exposes the motionEye admin credential hash. That hash is sufficient to compute valid request signatures for the localhost-only motionEye API on 127.0.0.1:8765. By updating camera configuration and setting command_storage_exec, it is possible to trigger root command execution through the snapshot action. ...
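
A defender-side check for the exposure described above, as an added example that is not part of the original write-up: it flags a motionEye config file that holds credential hashes and is readable by group or other. The `# @admin_password` line format, the function names and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: motionEye stores its UI credentials as commented
# "# @admin_password <hash>" / "# @normal_password <hash>" lines.
# The hash alone can sign API requests, so treat it as password-equivalent.
CRED_LINE = re.compile(r"^#\s*@(admin|normal)_password[ \t]+(\S+)", re.MULTILINE)


def audit_config(path):
    """Return (severity, message) findings for one motionEye config file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            keys = [m.group(1) for m in CRED_LINE.finditer(fh.read())]
    except PermissionError:
        return []  # the auditing user cannot read the file either
    if not keys:
        return []  # no non-empty credential lines, nothing to expose
    who = ", ".join(f"{k}_password" for k in keys)
    if mode & stat.S_IROTH:
        return [("HIGH", f"{path} ({mode:04o}) lets any local user read {who}")]
    if mode & stat.S_IRGRP:
        return [("MEDIUM", f"{path} ({mode:04o}) lets its group read {who}")]
    return []


def demo():
    """Audit a constructed sample file before and after tightening its mode."""
    sample = ("# @admin_username admin\n"
              "# @admin_password 0000000000000000000000000000000000000000\n"
              "# @normal_password \n")  # constructed values, not from the box
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "motion.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # the world-readable state the write-up describes
        before = audit_config(path)
        os.chmod(path, 0o600)  # owner-only, the corrected state
        after = audit_config(path)
    return before, after


if __name__ == "__main__":
    target = "/etc/motioneye/motion.conf"
    results = audit_config(target) if os.path.exists(target) else demo()[0]
    for severity, message in results:
        print(severity, message)
```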