https://binreaper.pages.dev/tags/hmac/ Recent content in Hmac on binreaper Hugo en-us Mon, 09 Mar 2026 00:00:00 +0000 https://binreaper.pages.dev/posts/2026-03-09-htb-cctv/ Mon, 09 Mar 2026 00:00:00 +0000 https://binreaper.pages.dev/posts/2026-03-09-htb-cctv/ <h2 id="tldr">TL;DR</h2> <p>Log into ZoneMinder with default credentials (<code>admin:admin</code>), use CVE-2024-51482 (SQL injection) to extract the bcrypt password hash for user <code>mark</code>, crack it (<code>opensesame</code>), SSH in, then exploit motionEye (running as root on localhost:8765) by forging HMAC-signed API requests using the admin password hash from the config file to inject a command into the <code>on_event_start</code> hook, and trigger it via the motion HTTP control API.</p> <h2 id="enumeration">Enumeration</h2> <h3 id="port-scan">Port Scan</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>22/tcp — OpenSSH 9.6p1 Ubuntu </span></span><span style="display:flex;"><span>80/tcp — Apache 2.4.58 (Ubuntu) → redirects to http://cctv.htb/ </span></span></code></pre></div><p>Add <code>cctv.htb</code> to <code>/etc/hosts</code> and browse to port 80.</p>