Difficulty: Medium
OS: Linux (Ubuntu 24.04.4 LTS)
IP: 10.129.244.156
CVEs: CVE-2024-51482 · CVE-2025-60787

Overview

CCTV is a Linux-based HackTheBox machine built around a real-world CCTV management stack. The machine hosts a ZoneMinder instance on port 80 and an internally exposed motionEye service on localhost. The attack path chains two CVEs - a blind SQL injection to extract database credentials, followed by a command injection in a misconfigured motionEye instance running as root - resulting in a full system compromise.

Phase 1 - Reconnaissance & Enumeration

1.1 - Host Setup

Before scanning, the machine hostname was added to the local hosts file for clean resolution:

echo "10.129.244.156 cctv.htb" | sudo tee -a /etc/hosts

1.2 - Full Port Scan

A full TCP port scan was performed using Nmap with an aggressive rate to minimise scan time:

nmap -p- --min-rate 5000 -sS 10.129.244.156

Output:

Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-09 21:59 +0530
Nmap scan report for cctv.htb (10.129.244.156)
Host is up (1.1s latency).
Not shown: 52062 closed tcp ports (reset), 13471 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 111.86 seconds

Only two ports were exposed externally - SSH (22) and HTTP (80). The attack surface is intentionally minimal, which points to a web-first approach.

1.3 - Service Version Detection

nmap -sV -sC -T4 10.129.244.156

Output:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.14 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|_  256 76:1d:73:98:fa:05:f7:0b:04:c2:3b:c4:7d:e6:db:4a (ECDSA)
80/tcp open  http    Apache httpd 2.4.58
|_http-title: SecureVision CCTV & Security Solutions
Service Info: Host: default; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Key findings:

  • Apache 2.4.58 hosting a site titled SecureVision CCTV & Security Solutions

  • OpenSSH 9.6p1 on Ubuntu 24.04

🔐 PREMIUM WRITEUP - MEMBERSHIP REQUIRED

This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.

But you can access the entire premium writeup right now.

🌟 Get Instant Access

Unlock the complete step-by-step solution, techniques used, notes, and exclusive insights by becoming a member.

Membership

Why Go Premium?

  • Early access to full detailed writeups

  • Passwords for active CTF solutions

  • Advanced exploitation techniques

Upgrade once - unlock everything instantly.

Keep hacking, keep learning, keep winning. 🎯

Keep Reading

© 2026 Andrés.
Report abusePrivacy policyTerms of use
beehiivPowered by beehiiv