Skip to content

HTB CCTV ZoneMinder SQL Injection, tcpdump Credential Sniffi...#2497

Open
carlospolop wants to merge 1 commit into
masterfrom
update_HTB_CCTV_ZoneMinder_SQL_Injection_tcpdump_Creden_4b97938a42d320c9
Open

HTB CCTV ZoneMinder SQL Injection, tcpdump Credential Sniffi...#2497
carlospolop wants to merge 1 commit into
masterfrom
update_HTB_CCTV_ZoneMinder_SQL_Injection_tcpdump_Creden_4b97938a42d320c9

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2026/07/11/htb-cctv.html
  • Blog Title: HTB CCTV: ZoneMinder SQL Injection, tcpdump Credential Sniffing, and motionEye Root Command Injection
  • Suggested Section: Network Services Pentesting -> 80,443 - Pentesting Web Methodology: add/extend pages for ZoneMinder and motionEye/Motion; also cross-reference Pentesting Web -> SQL Injection / Command Injection and Linux Privilege Escalation -> Linux Capabilities for tcpdump cap_net_raw credential sniffing

🎯 Content Summary

Overview:
The post is a complete Hack The Box Linux exploitation chain against CCTV, a host running a public ZoneMinder surveillance application and a localhost-only motionEye/Motion stack. The attack path is: external recon → ZoneMinder default credentials → CVE-2024-51482 boolean/time-based blind SQL injection → dump ZoneMinder users → crack bcrypt hashes → SSH as mark → abuse tcpdump with Linux capability cap_net_raw=eip</co...

🔧 Technical Details

ZoneMinder CVE-2024-51482 boolean blind SQL injection: In vulnerable ZoneMinder versions v1.37.* <= 1.37.64, the tid parameter in /zm/index.php?view=request&request=event&action=removetag&tid=... reaches PHP code that sets $tagId = $_REQUEST['tid'] and later concatenates it into $sql = "SELECT * FROM Events_Tags WHERE TagId = $tagId". The same value may be used safely in a previous prepared statement, but the later concatenation is injectable. Prove exploitability with MySQL SLEEP(5), determine UNION column count, and then prefer a boolean oracle over time-based extraction. In the post, four columns were required, WHERE 1=1 returned normal/HTTP 200 behavior, and WHERE 1=2 returned HTTP 500. sqlmap was accelerated with --prefix="1 UNION SELECT 1,2,3,4 WHERE " --code 200 --technique=B to dump zm.Users quickly.
<br/...

🤖 Agent Actions

Done.

Updated:

  • src/network-services-pentesting/pentesting-web/zoneminder-motioneye-motion.md
  • src/network-services-pentesting/pentesting-web/README.md

Notes:

  • Added a new CCTV/NVR-specific web page for ZoneMinder, motionEye, and Motion
  • Covered the novel technical content from the blog:
    • ZoneMinder removetag blind SQLi and faster boolean/sqlmap workflow
    • turning app-user dumps into SSH footholds
    • abusing tcpdump capabilities for internal credential sniffing
    • motionEye signed-request + client-side validation bypass
    • Motion filename-based command injection / localhost webcontrol abuse
    • motionEye stored SHA1 hash reuse as login secret
  • Added references at the end of the new page
  • Linked the new page from the 80,443 - Pentesting Web Methodology tech list

Validation:

  • Verified file contents and link placement with sed, rg, and git diff
  • mdbook build could not be run because mdbook is not installed in the environment

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/07/11/htb-cctv.html

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 80,443 - Pentesting Web Methodology: add/extend pages for ZoneMinder and motionEye/Motion; also cross-reference Pentesting Web -> SQL Injection / Command Injection and Linux Privilege Escalation -> Linux Capabilities for tcpdump cap_net_raw credential sniffing".

Repository Maintenance:

  • MD Files Formatting: 982 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant