https://phucrio.me/tags/sqli/Recent content in Sqli on Rio BlogHugo -- 0.150.0enSun, 31 May 2026 17:38:09 -0400https://phucrio.me/posts/htb-cctv-write-up/Sun, 31 May 2026 16:48:47 -0400https://phucrio.me/posts/htb-cctv-write-up/<h2 id="summary">Summary</h2> <p>CCTV is a Linux HackTheBox machine exposing SSH and a ZoneMinder web application on HTTP. The key foothold is an authenticated SQL injection in ZoneMinder 1.37.63, specifically the <code>removetag</code> action affected by <strong>CVE-2024-51482</strong>. After authenticating to the panel, the SQLi can be exploited with <code>sqlmap</code> to dump <code>zm.Users</code>, recover password hashes, and crack the <code>mark</code> account password.</p> <p>Once on the box as <code>mark</code>, privilege escalation comes from a second service: <strong>motionEye</strong>. A world-readable <code>/etc/motioneye/motion.conf</code> exposes the motionEye admin credential hash. That hash is sufficient to compute valid request signatures for the localhost-only motionEye API on <code>127.0.0.1:8765</code>. By updating camera configuration and setting <code>command_storage_exec</code>, it is possible to trigger root command execution through the snapshot action.</p>