Monitorr 1.7.6m Exploitation β†’ User Access β†’ hping3 Privilege Escalation

🧭 Step 1: Initial Enumeration

Started with aggressive Nmap scanning:

nmap -sCV -A β€” min-rate 1000 192.168.xx.xx

Explanation:

  • -sC β†’ Default scripts
  • -sV β†’ Version detection
  • -A β†’ OS detection + traceroute
  • β€” min-rate 1000 β†’ Faster scanning
None

Discovered:

  • Web server running on port 80

🌐 Step 2: Web Enumeration

Accessed the target in browser:

http://192.168.xx.xx

None

Identified the application:

Monitorr | 1.7.6m

After researching on Exploit-DB, found a public exploit targeting this version.

None

πŸ’₯ Step 3: Exploiting Monitorr

Downloaded the exploit and copied it into working directory.

None

Started listener:

nc -lnvp 1234

None

Here we get a directory fox under home directory now we get a file named local.txt the first Flag we get from here

None

Now we try ls -la command to see all hidden directories and other directories , then we find a file named reminder and directory devel

None

Now we use command cat reminder to show the contents of file, it shows crypt the file by crypt.php, now change directory devel and open the file crypt,php to get password

None

Now we try to change user fox

Executed exploit script to trigger reverse shell.

Successfully received shell access.

πŸ“ Step 4: User Enumeration

Navigated to:

cd /home ls

Found user directory:

fox

None

⚑ Step 7: Privilege Escalation

Checked sudo permissions:

sudo -l

None

Checking GTFobins , seems there is a way for privilege escalation

None

Now I opened a ssh terminals with fox

None

Now I started a data transfer for the root 's proof.txt in another terminal

None

In another ssh terminals within the target machine. In the second terminal , I created a listener

None

πŸ” Alternative Technique

Another possible escalation path:

  • Dump root SSH key
  • Copy id_rsa file
  • Use SSH for root login
None

This shows how multiple escalation paths can exist within the same machine.

Within interactive mode, leveraged command execution to spawn a root shell.

Root access successfully obtained.

Dump ssh key

None

Copy id_rsa file

Got root shell: -

None

🏁 Final Outcome

βœ”οΈ Web Exploitation (Monitorr 1.7.6m) βœ”οΈ Reverse Shell βœ”οΈ User Enumeration βœ”οΈ Credential Discovery βœ”οΈ Sudo Misconfiguration Abuse βœ”οΈ Root Privilege Escalation

πŸŽ₯ Full Practical Demonstration For a complete step-by-step video walkthrough, watch here: