MonitorsFour
Status: in progress. Completion state: <secret redacted>. The target exposes HTTP on 80/tcp and WinRM on 5985/tcp. The HTTP app is a custom PHP application at monitorsfour.htb. Baseline enumeration found exposed .env configuration and a token-backed user API...
Scenario
MonitorsFour attack path
Objective
Machine walkthrough focused on evidence, validation, and reusable operator lessons.
Walkthrough flow
Scope and service discovery
Attack surface mapping
Initial foothold
Privilege escalation
Proof captured
Source coverage
High source coverage
Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- <TARGET>-MonitorsFour/walkthrough.md
- HTB/<TARGET>-MonitorsFour/notes.md
- HTB/<TARGET>-MonitorsFour/memory-summary.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-MonitorsFour__notes.md.c347ec7c82.md
Technical Walkthrough
MonitorsFour Walkthrough
Status: in progress.
Current State
Completion state: <secret redacted>.
The target exposes HTTP on 80/tcp and WinRM on 5985/tcp. The HTTP app is a custom PHP application at monitorsfour.htb. Baseline enumeration found exposed .env configuration and a token-backed user API leak, but no foothold has been obtained yet.
Foothold Work So Far
- Added `monitorsfour.htb` on the Pwnbox and confirmed HTTP routing.
- Captured baseline routes: `/login`, `/forgot-password`, `/user`, `/contact`, `/api/v1/auth`, `/api/v1/reset`.
- Moved raw `.env`, account leak responses, cookies, tokens, hashes, and raw credential-test output into `loot/`.
- Confirmed `/views/admin/*.php` templates are directly accessible, but controller routes under `/admin/` require a session and redirect to `/login`.
- Tested leaked tokens against query/cookie/bearer/API-key/PHP session surfaces without gaining admin access.
- Tested cracking and credential reuse against web login and WinRM without success.
Next Best Leads
- Continue searching for source disclosure around app PHP files, especially exact controller/router names and safe backup patterns.
- Revisit hash derivation only if a new salt or source-code hint appears.
- Look for an auth/session flaw that converts the read-only token leak into a real admin session.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Platform: HackTheBox machine
- Machine: MonitorsFour
- Difficulty: Easy
- OS: Windows
- Target IP: <TARGET>
- Hostname: monitorsfour.htb
- Pwnbox: profex0r@<TARGET>
- Pwnbox workspace: /home/profex0r/HTB/<TARGET>-MonitorsFour
- Local workspace: <local workspace><TARGET>-MonitorsFour
- Attacker VPN IP: <TARGET>
- Creator: TheCyberGeek
- Current completion state: <secret redacted>
- Boot guard: services can take up to 7 minutes to stabilize; avoid reset while service availability is still settling.
Evidence Ledger
| Time UTC | Action | Output | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-05-11T20:22Z | Readiness and TCP scans from Pwnbox | nmap/initial.*, nmap/allports.*, nmap/open-services.* | Only 80/tcp and 5985/tcp are open; HTTP redirects to monitorsfour.htb; WinRM is exposed. | High | Focus HTTP first, then validate creds against WinRM. |
| 2026-05-11T20:36Z | HTTP baseline | enum/http-login.txt, enum/<password redacted>, enum/http-contact.txt | Custom PHP app, PHP 8.3.27, login posts to /api/v1/auth, reset posts to /api/v1/reset, /contact leaks /var/www/app/Router.php. | High | Probe app routes and exposed files. |
| 2026-05-11T20:39Z | Targeted route/file probes | enum/http-targeted-paths-summary.txt, raw in loot/ | /.env is exposed and /user?token: <redacted> can expose account data. Raw config, hashes, tokens, and cookies moved under loot/. | High | Treat as info leak; avoid raw secrets in state files. |
| 2026-05-11T20:43Z | Hash cracking and credential reuse | enum/cracksummary.txt, enum/netexec-winrm-dbpass.redacted.txt | Raw MD5/NTLM, common alternate 32-hex modes, salted patterns, multiple wordlists, DB password reuse, token-as-password, and pass-the-hash all failed. | High | Stop spending time on simple cracking until a new hint appears. |
| 2026-05-11T20:50Z | Admin template discovery | enum/admin-view-probe-summary.txt, enum/ferox-views-admin-common-php.txt | /views/admin/*.php templates are directly accessible and reveal admin routes/forms, but real /admin/ controller routes redirect to /login. | High | Look for source disclosure or session/auth bypass. |
| 2026-05-11T21:00Z | Token auth matrix | enum/token-auth-surface-summary.txt, enum/api-user-id-summary.txt, enum/token-access-behavior.tsv | Leaked tokens work for read-only /api/v1/user(s) access but do not authenticate admin pages, cookies, bearer headers, or API-key headers. | High | Keep token leak as evidence; find separate foothold. |
| 2026-05-11T21:03Z | Additional checks | enum/time-sqli-summary.txt, enum/nginx-alias-summary.txt, enum/file-read-probe-summary.txt | No time-based SQLi in auth/reset, no useful arbitrary file read, no PHP source disclosure from tested path patterns. | Medium | Consider a more focused source disclosure or app logic path. |
Current Facts
- The web app is the primary visible attack surface.
- WinRM is open but no valid OS credential has been found.
- Raw `.env`, account hashes, tokens, cookies, generated test credentials, and raw HTTP responses are stored only under `loot/`.
- A controlled unauthenticated POST to `/admin/users/create` did not create a user.
Working Hypotheses
| Rank | Hypothesis | Evidence | Status |
|---|---|---|---|
| 1 | A PHP source disclosure or backup artifact is still missing. | App leaks paths and exposes .env, but direct PHP requests execute and return blank output rather than source. | Active |
| 2 | The /user token leak is intended to support a credential path, but the hash format or wordlist hint is missing. | Account hashes/tokens are exposed; cracking/reuse failed across common cases. | Active |
| 3 | Authenticated admin functionality is needed for foothold, likely via API key or user management, but current tokens do not grant admin session. | Admin templates reveal routes/forms; controller routes redirect to login. | Active |
Dead Ends
- DB password reuse against web login and WinRM failed.
- Stored hashes failed raw MD5, NTLM, MD4, md5-variants, salted username/email/token/company patterns, and multiple local password lists.
- Pass-the-hash against WinRM failed for exposed users.
- Leaked account tokens did not work as cookies, bearer tokens, API-key headers, PHP session IDs, or <password redacted>.
- Simple auth/reset SQLi and time-based SQLi probes were negative.
- Unauthenticated `/admin/users/create` did not insert a controlled user.
Loot Handling
No user or root flag has been captured. Do not move raw secrets out of loot/.
Memory Summary
- HTTP exposed a custom PHP app with `/.env` readable and `/user` or `/api/v1/users` leaking account records when supplied a token-like parameter.
- Treat token leaks as read-only unless validated against admin routes; query/cookie/bearer/API-key/<secret redacted> reuse all failed here.
- Directly accessible `views/admin/*.php` can reveal route names and forms, but direct template access does not imply controller auth bypass.
- For this app, DB password reuse, pass-the-hash, raw MD5/NTLM cracking, salted username/email/token/company MD5 patterns, and token-as-password checks all failed.
- Raw secrets, tokens, cookies, hashes, and generated controlled credentials must remain under `loot/`; state files should reference only redacted summaries.
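The last lesson above is easy to state and easy to break by pasting a raw response into notes. As an added example (not code from the walkthrough or its notes), a small Python helper that applies that rule: raw material stays in `loot/`, and anything copied into a state file passes through `redact()` first. The sample input is constructed to mirror the value kinds the notes name (`.env` lines, cookies, a token-like parameter, a 32-hex hash in an account record); it is not captured from the target.

```python
"""Redact raw enumeration output before it goes into notes or an evidence ledger."""
import re

# Constructed sample, not captured from the target: the kinds of raw material the
# notes say belong only under loot/ (.env lines, a cookie, a token-like parameter,
# a 32-hex hash inside an account record).
SAMPLE = """GET /.env
APP_ENV=production
DB_PASSWORD=Sup3rS3cretDbPass
Set-Cookie: PHPSESSID=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6; path=/
GET /user?token=0123456789abcdef0123456789abcdef
{"id": 1, "email": "user1@monitorsfour.htb", "password_hash": "d41d8cd98f00b204e9800998ecf8427e"}
"""

# Order matters: named fields first, the generic 32-hex hash rule last, so a value
# a named rule already replaced is not matched a second time.
RULES = [
    # .env style KEY=value assignments: keep the key, drop the value
    (re.compile(r'^(?P<key>[A-Z][A-Z0-9_]*)=(?P<val>.+)$', re.M), r'\g<key>=<redacted>'),
    # Bearer / API-key headers: keep the header name only
    (re.compile(r'(?i)^(Authorization|X-API-Key):\s*(\S.*)$', re.M), r'\1: <redacted>'),
    # Cookie headers: keep the cookie name and attributes, drop the value
    (re.compile(r'(?i)^(Set-Cookie|Cookie):\s*([A-Za-z0-9_-]+)=([^;\r\n]+)', re.M), r'\1: \2=<redacted>'),
    # token-like query or body parameters: keep the parameter name
    (re.compile(r'(?i)\b(token|api_key|apikey|session)=([^&\s"\']+)'), r'\1=<redacted>'),
    # JSON fields that carry secret material in account records
    (re.compile(r'(?i)"(password|password_hash|token|api_key)"\s*:\s*"[^"]*"'), r'"\1": "<redacted>"'),
    # bare 32-hex values (MD5/NTLM style hashes)
    (re.compile(r'\b[0-9a-fA-F]{32}\b'), '<hash-redacted>'),
]


def redact(text: str) -> str:
    """Return text with secret-bearing values replaced by placeholders."""
    for pattern, repl in RULES:
        text = pattern.sub(repl, text)
    return text


def has_residual_secrets(text: str) -> bool:
    """True if text still holds raw material. redact() is idempotent on its own
    output, so any change on a re-run means something was left unredacted."""
    return redact(text) != text


if __name__ == "__main__":
    print(redact(SAMPLE))
```

Run `has_residual_secrets()` over a notes file before committing it; a True result means a raw value slipped past the rules and the pattern list needs extending.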