back to blog

April 7, 2026

HTB: CCTV — Blind SQLi to Dual RCE

HTB: CCTV

Overview

This box chains two separate CVEs to go from zero to root. The attack path is linear but teaches a solid workflow: enumerate, identify software versions, find known vulnerabilities, pivot to internal services, repeat.


Enumeration

Port Scan

Running nmap reveals two open ports:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu
80/tcp open  http    Apache httpd 2.4.58

The HTTP server redirects to http://cctv.htb/. Add it to /etc/hosts and visit.


Web Application

The site exposes a login panel for ZoneMinder, a popular open-source CCTV management platform. The source and page footer also leak the contact address info@cctv.htb.

ZoneMinder login page

Trying the default credentials admin / admin works immediately — no brute-force needed.

ZoneMinder dashboard after login

Once inside, the dashboard header reveals the running version: v1.37.63.


Foothold — CVE-2024-51482: ZoneMinder Blind SQL Injection

A quick search for this version leads straight to CVE-2024-51482, a blind SQL injection vulnerability in ZoneMinder's API endpoint. An authenticated user can extract data from the database without any output being reflected on the page — hence "blind".

A public exploit by BridgerAlderson automates the extraction.

CVE-2024-51482 exploit running

The exploit dumps the database and returns a hashed password alongside a username.

Extracted username and password hash

Cracking the Hash

The hash goes into john with a standard wordlist:

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
John the Ripper cracking the hash

The password cracks quickly and gives us valid SSH credentials for the user mark.

SSH Access

ssh mark@cctv.htb

We're in.

mark@cctv:~$

Internal Enumeration

After landing on the box, checking active services and listening ports reveals something interesting:

Internal services and listening ports

Several internal ports are open that aren't exposed externally — including 7999, 1935, and 8765. Port 8765 is associated with motionEye, another camera management application, running only on localhost.


Pivoting — SSH Port Forwarding

To access the internal motionEye service from our attacker machine, we tunnel it over SSH:

ssh -L 8765:127.0.0.1:8765 mark@cctv.htb

This binds port 8765 locally and forwards all traffic through the SSH tunnel to the same port on the remote host. Now navigating to http://127.0.0.1:8765 in a browser reaches the internal motionEye panel.

motionEye login panel via port forwarding

Default or reused credentials get us in.

motionEye dashboard

The running version is motionEye 0.43.1b4.


Privilege Escalation — CVE-2025-60787: motionEye Authenticated RCE

This version is vulnerable to CVE-2025-60787, a critical remote code execution bug in the add_camera functionality. An admin-level authenticated user can inject arbitrary OS commands through the web interface.

A critical RCE vulnerability exists in motionEye 0.43.1b4 and earlier. An authenticated attacker with admin access can execute arbitrary OS commands via the add_camera feature.

Public exploit: gunzf0x/CVE-2025-60787

The key detail here: motionEye runs as root on this machine. Exploiting it skips privilege escalation entirely — we land directly as root.

CVE-2025-60787 exploit execution Root shell obtained

Root shell acquired.

Key Takeaways

Default credentials are a real problem. The entire chain starts because admin:admin worked on a public-facing service. Changing default credentials is table stakes.

Version disclosure matters. ZoneMinder showed its version openly after login. Combined with a known CVE, that's enough to chain to initial access.

Internal services can be just as dangerous. motionEye was never exposed externally, but once we had a foothold, SSH tunneling made it trivially accessible.

Service privilege matters. Running a web-facing service as root means any RCE in that service equals full system compromise, with no further exploitation needed.