Overview
CCTV is an Easy-difficulty Linux machine featuring ZoneMinder surveillance software exploitation and MotionEye privilege escalation. This machine teaches:
- CCTV/surveillance system security
- SQL injection in specialized applications
- Password hash cracking
- SSH key-based authentication
- MotionEye RCE exploitation
- Service-based privilege escalation
Enumeration
Port Scanning
Standard web and SSH ports are exposed.
Key Services:
- SSH (22/tcp)
- HTTP (80/tcp) - ZoneMinder application
Web Application
The target hosts ZoneMinder 1.37.63, an open-source video surveillance management system.
Initial Foothold
CVE Chain Overview
CVE-2024-51482 (SQL Injection)
    ↓
Database Credential Extraction
    ↓
Bcrypt Hash Cracking
    ↓
SSH Access
SQL Injection in ZoneMinder
ZoneMinder 1.37.63 contains an authenticated SQL injection vulnerability that can be exploited to extract sensitive information.
Exploitation Path:
- Identify vulnerable parameter
- Exploit SQL injection to dump database
- Extract user credentials (bcrypt hashes)
- Crack password hashes
- SSH access with recovered credentials
Privilege Escalation
MotionEye Discovery
Once on the system, local enumeration reveals:
- MotionEye service running as root
- Version vulnerable to CVE-2025-60787
- Web interface accessible on localhost
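Seen from the defender's side, the condition listed above (a root-owned service listening only on localhost) can be audited directly from /proc/net/tcp. The following is an added example, not part of the original writeup; the sample table, including port 8765, is constructed, and the address decoding assumes a little-endian host.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from the machine).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 20222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:223D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20333 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 20444 1 0000000000000000 100 0 0 10 0
   4: 0100007F:223D 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 20555 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp

def parse_listeners(text):
    """Yield (ip, port, uid) for every IPv4 socket in LISTEN state."""
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != TCP_LISTEN:
            continue
        addr_hex, port_hex = f[1].split(":")
        # Assumption: little-endian host, so the hex word is byte-reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        yield ip, int(port_hex, 16), int(f[7])  # f[7] is the owning uid

def root_loopback_listeners(text):
    """Return loopback-only listeners whose owning uid is 0 (root)."""
    return [(ip, port) for ip, port, uid in parse_listeners(text)
            if uid == 0 and ip.startswith("127.")]

if __name__ == "__main__":
    path = "/proc/net/tcp"
    # Fall back to the constructed sample when not running on Linux.
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for ip, port in root_loopback_listeners(text):
        print(f"root-owned loopback listener: {ip}:{port}")
```

Each hit is a service that any local user can reach and that executes with root privileges, so it is a candidate for a dedicated unprivileged service account.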
RCE via MotionEye
The privilege escalation involves:
- Port forwarding to access local MotionEye instance
- Exploiting CVE-2025-60787 for command injection
- Executing commands as root via vulnerable service
- Gaining root shell access
Key Concepts
- Understanding surveillance software architecture
- SQL injection exploitation techniques
- Bcrypt hash cracking strategies
- Port forwarding for internal service access
- Command injection in configuration interfaces
Root Flag Location: /root/root.txt
Key Takeaways
- Specialized applications often have unique vulnerabilities
- SQL injection remains a critical threat
- Bcrypt provides strong password protection but isn't unbreakable
- Internal services running as root are high-value targets
- Configuration interfaces need input validation
Tools Used
- nmap - Port scanning
- gobuster - Web enumeration
- sqlmap - SQL injection automation
- john/hashcat - Password cracking
- ssh - Remote access
- chisel - Port forwarding
- Custom exploit scripts