In this post, I would like to share a walkthrough of the Carpediem machine from Hack The Box.


This machine is rated Hard on Hack The Box.

What will you gain from the Carpediem machine?


For the user flag, you need to obtain admin access on the website, then use the upload function to drop a webshell, which lands you inside a container. Once inside the container, further enumeration of the machine reveals an instance of Trudesk. The SSH password has to be obtained from a voice call retrieved through Zoiper.


As for the root flag, you need to abuse CVE-2022-0492.

Information Gathering on Carpediem Machine


Once we have started the VPN connection, which requires a download from Hack The Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- -Pn <IP Address>


There are two ports open on the machine.


Let’s access the website interface.


The same interface is shown even when we access it using the domain “carpediem.htb”.


We didn’t manage to find any interesting directory that we could use for further escalation.


Finally, we managed to find one subdomain that has been configured on the machine.


Sadly, we don’t have any valid credentials right now. As a result, let’s create a new account by registering.


By default, we can register with any username and password.


Once we have completed registration, we are directed to the main page shown above.


We can try to inspect the profile update request using Burp Suite.


As shown in the screenshot above, we notice that login_type is 2, which makes me think that admin might be 1.


Let’s try modifying the login_type.


We have successfully accessed the admin dashboard.
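The login_type trick above is a mass-assignment bug: the update handler writes whatever fields the client sends, including a server-controlled role. As an added illustration (not the Carpediem application's code; the field names and role values are assumptions that mirror the request above), here is such a handler next to a hardened version that only accepts an allowlist of editable fields and reports anything else so it can be logged:

```python
# Added example (not the Carpediem application's code): a profile-update
# handler with a mass-assignment bug next to a hardened version. Field names
# and role values are assumptions that mirror the walkthrough.

ADMIN = 1
USER = 2

# The only fields a user may change about their own profile.
EDITABLE_FIELDS = {"username", "email"}

# Constructed sample: the stored record and a tampered update request in which
# the client has changed login_type from 2 to 1 (form values arrive as strings).
CURRENT_USER = {"username": "alice", "email": "alice@example.com", "login_type": USER}
TAMPERED_FORM = {"username": "alice", "email": "alice@example.com", "login_type": "1"}


def _coerce(value):
    """Turn numeric form strings into ints, as a typical web framework would."""
    return int(value) if isinstance(value, str) and value.isdigit() else value


def update_profile_vulnerable(user: dict, form: dict) -> dict:
    """Vulnerable: every request field is written straight to the record.

    Nothing separates user-editable fields from server-controlled ones, so
    login_type=1 in the request promotes the caller to admin.
    """
    updated = dict(user)
    for key, value in form.items():
        updated[key] = _coerce(value)
    return updated


def update_profile_safe(user: dict, form: dict) -> dict:
    """Hardened: only allowlisted fields are copied; login_type is never read
    from the client, so the role stays whatever the server already stored."""
    updated = dict(user)
    for key in EDITABLE_FIELDS & set(form):
        updated[key] = _coerce(form[key])
    return updated


def rejected_fields(form: dict) -> set:
    """Request fields the safe handler refused; log these to spot tampering."""
    return set(form) - EDITABLE_FIELDS


if __name__ == "__main__":
    print(update_profile_vulnerable(CURRENT_USER, TAMPERED_FORM)["login_type"])  # 1
    print(update_profile_safe(CURRENT_USER, TAMPERED_FORM)["login_type"])        # 2
    print(rejected_fields(TAMPERED_FORM))                                        # {'login_type'}
```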


Let’s add a comment to a picture that genuinely exists on the internet (this idea was suggested by my friends).


At last, we have command injection on the website itself.


As a result, let’s inject our reverse shell command into the website.


Finally, we have a reverse shell connection back to us, as shown above.


However, we are inside a Docker environment.


Let’s do port forwarding on the machine using chisel.

Enumeration on the MongoDB Database


Let’s enumerate further inside the MongoDB database using the mongosh tool.


There, we can see 4 databases saved on the MongoDB server.


The screenshot above shows the users that have been configured in the MongoDB database.


Let’s enumerate further with the command db.tickets.find().


Among the information we found inside the MongoDB database, there are a few crucial details about a voice call message.

Gain Information from the Zoiper Tool


Firstly, we need to download and install Zoiper.


The details that we need to enter in Zoiper are as follows:

  • User id: 9650
  • Pin: 2022
  • Domain: Carpediem.htb

We know that Zoiper has been configured successfully when we see the interface shown above.


From the video above, we managed to find the password for the user.


We can read the user flag by typing the command “cat user.txt”.

Escalating to Root Privileges


We cannot see any binary that we can abuse when running the sudo -l command.


Let’s transfer the linpeas script to the victim’s machine.


Let’s run linpeas.sh for further enumeration.


I notice there’s a file that looks weird to me.


It looks like an SSH private key, but sadly it’s a different type of key.


Let’s dump some traffic on the victim’s machine.


We can use the key in the TLS settings to decrypt the captured traffic from the machine.


At last, we have obtained the username and password for backdrop.carpediem.htb.


Therefore, let’s do port forwarding again, this time with port 8002, as shown in the screenshot above.


Finally, we have the Backdrop interface; let’s log in using the credentials we found earlier.


We can see the Backdrop dashboard.


We can upload reference.tar as a module.


Finally, we have command injection working on the website interface.


Let’s start our nc listener.


Let’s submit our reverse shell command, which has been base64 encoded, and decode it again in the browser so that we receive the reverse shell connection back.


As a result, we have successfully obtained the connection back.


There is some source code that shows a cron job.


We are required to create a basic PHP reverse shell on our own attacker machine, just like above.


Let’s start our Python proxy server.


Aside from that, we also need to start our nc listener.


In order to obtain the reverse shell connection back, we need to use the command shown in the screenshot above.


Finally, we have successfully obtained root inside Docker, but we still cannot read the root flag yet.

Docker Escape


I got this script with the help of my friends on the internet.


We should execute the same command as above so that we can receive a root shell.


As a result, we have successfully obtained the root shell.


We can read the root flag by typing the command “cat root.txt”.

Extra Information on Carpediem Machine