April 7, 2026
HTB: CCTV — Blind SQLi to Dual RCE
HTB: CCTV
Overview
This box chains two separate CVEs to go from zero to root. The attack path is linear but teaches a solid workflow: enumerate, identify software versions, find known vulnerabilities, pivot to internal services, repeat.
Enumeration
Port Scan
Running nmap reveals two open ports:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu
80/tcp open http Apache httpd 2.4.58
The HTTP server redirects to http://cctv.htb/. Add it to /etc/hosts and visit.
Web Application
The site exposes a login panel for ZoneMinder, a popular open-source CCTV management platform. The source and page footer also leak the contact address info@cctv.htb.
Trying the default credentials admin / admin works immediately — no brute-force needed.
Once inside, the dashboard header reveals the running version: v1.37.63.
Foothold — CVE-2024-51482: ZoneMinder Blind SQL Injection
A quick search for this version leads straight to CVE-2024-51482, a blind SQL injection vulnerability in ZoneMinder's API endpoint. An authenticated user can extract data from the database without any output being reflected on the page — hence "blind".
A public exploit by BridgerAlderson automates the extraction.
The exploit dumps the database and returns a hashed password alongside a username.
Cracking the Hash
The hash goes into john with a standard wordlist:
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
The password cracks quickly and gives us valid SSH credentials for the user mark.
SSH Access
ssh mark@cctv.htb
We're in.
mark@cctv:~$
Internal Enumeration
After landing on the box, checking active services and listening ports reveals something interesting:
Several internal ports are open that aren't exposed externally — including 7999, 1935, and 8765. Port 8765 is associated with motionEye, another camera management application, running only on localhost.
Pivoting — SSH Port Forwarding
To access the internal motionEye service from our attacker machine, we tunnel it over SSH:
ssh -L 8765:127.0.0.1:8765 mark@cctv.htb
This binds port 8765 locally and forwards all traffic through the SSH tunnel to the same port on the remote host. Now navigating to http://127.0.0.1:8765 in a browser reaches the internal motionEye panel.
Default or reused credentials get us in.
The running version is motionEye 0.43.1b4.
Privilege Escalation — CVE-2025-60787: motionEye Authenticated RCE
This version is vulnerable to CVE-2025-60787, a critical remote code execution bug in the add_camera functionality. An admin-level authenticated user can inject arbitrary OS commands through the web interface.
A critical RCE vulnerability exists in motionEye 0.43.1b4 and earlier. An authenticated attacker with admin access can execute arbitrary OS commands via the
add_camerafeature.
Public exploit: gunzf0x/CVE-2025-60787
The key detail here: motionEye runs as root on this machine. Exploiting it skips privilege escalation entirely — we land directly as root.
Root shell acquired.
Key Takeaways
Default credentials are a real problem. The entire chain starts because admin:admin worked on a public-facing service. Changing default credentials is table stakes.
Version disclosure matters. ZoneMinder showed its version openly after login. Combined with a known CVE, that's enough to chain to initial access.
Internal services can be just as dangerous. motionEye was never exposed externally, but once we had a foothold, SSH tunneling made it trivially accessible.
Service privilege matters. Running a web-facing service as root means any RCE in that service equals full system compromise, with no further exploitation needed.