diff --git a/HackTheBox/Monitor.md b/HackTheBox/Monitor.md
new file mode 100644
index 0000000..0dbfc9e
--- /dev/null
+++ b/HackTheBox/Monitor.md
@@ -0,0 +1,186 @@
+# HackTheBox-Monitor
+
+## Rustscan
+
+```bash
+
+PORT STATE SERVICE REASON VERSION
+22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
+| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKHKAgNKkq5XDcAfsuuxZFMPf+iEHjoq9DUmOmg0cCDgpE90GNOZeoaI24IlwlrSdTWTRA9HNJ
+7DFyIkcHr37Dk=
+| 256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
+|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBi/L9gWCzbJ6GzFB1PsHZJco24eJW3wmC+a4Ul6fEe6
+80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
+|_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
+Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
+OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
+Aggressive OS guesses: Linux 2.6.32 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP
+(Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%)
+No exact OS matches for host (test conditions non-ideal).
+```
+
+## PORT 80 (HTTP)
+
+
+
+We can see a domain name `monitors.htb` so let's add it to our `/etc/hosts` file
+
+
+
+
+
+We can see at the bottom that this is a wordpress site
+
+
+Using `wpscan` to enumerate for user we find a usernamed `admin` as we saw on the blog post
+
+
+
+
+
+When I tried doing a brute force attack on wordpress login it wasn't allowing me to do because of WAF
+
+
+
+So then I tried to look for plugins on wordpress
+
+
+
+
+
+On googling we can see that there's an exploit for `WP with Spritz` plugin which is an RFI vulnerability
+
+
+Let's try to test it by reading the `/etc/passwd` file
+
+`http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd`
+
+
+
+Great it worked but we won't get a shell with it as RFI does not execute the file it will only read it and we can't put our reverse shell on the machine so what we can do is try to read local files and since wordpress is being used on the machine we can try to read `wp-config.php` since it has credentials for database
+
+
+
+We found the creds another thing we can do is to read apache virtual host configuration file `etc/apache2/sites-available/000-default.conf`
+
+
+
+We can see a subdomain here so let's add this again to our `/etc/hosts` file
+
+
+
+On visiting the subdomain we will be introducted with `Cacti` which is an open-source, web-based network monitoring and graphing tool
+
+
+
+
+Now we already have found the credentials we know that admin@mointors.htb was seen on the home page so we can try logging in as user `admin` with the password we found
+
+
+
+
+And we are in, notice the version number is `1.2.12` so we can look for an exploit
+
+
+
+On running the exploit we will get a shell as `www-data`
+
+
+
+Stabilize the shell you got
+
+
+
+Now going into `/home` folder we can see that we have access to `marcus's` directory so going into his home folder we can a folder named `.backup` which has executabale permissions only means we cannot read it and it was interesting to see this directory here
+
+
+
+So I search for `marcus` recursivley in `/etc/` folder and we see a service which was running that script
+
+
+
+On reading that script file we can a passow
+
+
+
+Let's try to swtiching to marcus with that password
+
+
+
+It worked now let's read `note.txt`
+
+
+
+It says about updating a docker image so a container is running on the machine let's see the local ports on the machine
+
+
+
+We can see port 8443 but we are not sure if it's for docker so let's see the processes on the machine by running `ps aux --forest`
+
+
+
+Hmm it does show docker but we are not getting the whole output so let's set rows and columns on the terminal with `stty rows 30 columns 148`
+
+
+
+Yup that's definatley the container running on port 8443 so let's do a little ssh port forwading in order to interact with it
+
+
+
+
+
+This tells us that apache tomcat is running and we can see the version as well so let's try to find an exploit for it
+
+
+
+It looks like we do have an exploit , now here I tried to run the manaul exploits for github and none of them worked some of them would show me that status that reverse shell is uploaded but I really didn't get a shell so I searched the exploit for metasploit and found one
+
+
+
+
+
+It fails when we run it without enabling force exploit
+
+
+
+Even enabling force exploit it goes crazy
+
+
+
+
+
+We get a session but it isn't really helpful , doesn't do anything so here we need to change our target
+
+
+
+
+
+
+
+Now we have a unstabilized shell so let's first stabilize it so we can interact with it better
+
+
+
+Checking for container capabilites we have cap_sys_module capability which means this docker conatiner can insert kernel modules so there's an article on how we can abuse it in order to gain root on host machine
+
+
+
+So according to the article we have to make c language kernel module program having a bash reverse shell
+
+
+
+Then we need to make a Makefile which will compile kernel module
+
+
+
+Now run the `make` command
+
+
+
+Start you netcat listener on what ever port you specifed in the reverse shell and run the module
+
+
+
+
\ No newline at end of file