In this post, I would like to share a walkthrough of the Surveillance machine from Hack The Box.


This machine is rated medium difficulty on Hack The Box.

What will you gain from the Surveillance machine?


For the user flag, you need to chain vulnerabilities that were well documented but had no public proofs of concept (PoCs) at the time the machine was created, which makes for an intriguing puzzle. It begins with a Craft CMS instance. I plan to leverage an arbitrary object injection vulnerability to achieve remote code execution (RCE) and establish a shell. Next, I aim to uncover a password hash for a separate user within a database backup and crack it. This user can log into a ZoneMinder instance hosted on localhost. Finally, I intend to exploit a vulnerability within ZoneMinder to gain access as the zoneminder user.


As for the root flag, you need to exploit the sudo privileges of the zoneminder user, specifically by leveraging command injection in one of the scripts they are allowed to run.

For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.

The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vvv

Information Gathering on Surveillance Machine


Once we have started the VPN connection, which requires downloading the configuration from Hack The Box, we can begin information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Documents/htb/Surveillance]
└──╼ $nmap -sC -sV 10.10.11.245 -oA intial 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-20 05:53 -02
Nmap scan report for 10.10.11.245
Host is up (0.045s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 96071cc6773e07a0cc6f2419744d570b (ECDSA)
|_  256 0ba4c0cfe23b95aef6f5df7d0c88d6ce (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.24 seconds
┌─[darknite@parrot]─[~/Documents/htb/Surveillance]
└──╼ $

Let’s access the website interface.


However, nothing we could abuse appears on the website interface.


Therefore, let’s enumerate the website directories using gobuster. Sadly, we didn’t find anything interesting in the directory listing.


However, one thing stands out: the site is powered by CraftCMS.


Clicking on the CraftCMS link redirected us to a GitHub page here.


Let’s do some research on the internet.


I found an exploit script that we can use for this activity, so let’s download the script to our machine.


Let’s rename the Python script to something easy to remember and then execute it.


After that, let’s execute the Python script that we found earlier.


Let’s download the bash file onto the victim’s machine.


The download looks successful on the Python server.


Therefore, let’s trigger the bash file.


After a while, we retrieved the reverse shell connection back to us.


Moving forward, we found a zip file that looks like a database backup.


Let’s download the zip file to our machine.




Reading and analyzing the SQL database file, we found a potential username and password hash.


Therefore, let’s save the hash into a new file and try to crack it.


We can crack the hash using hashcat, but it takes a long time to complete.


As a result, let’s use CrackStation to obtain the password instead.
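The steps above (open the SQL backup, find the row holding a credential, save the hash in a file, pick a cracking mode) are easy to get wrong by hand in a large dump. The script below is an added example, not part of the original post and not the exploit used on the box: it parses mysqldump-style INSERT statements, pulls out any field that looks like a password hash, classifies it by shape, and emits hashcat-ready lines. The dump excerpt, usernames and hashes are constructed for the example; the hashcat mode numbers (bcrypt 3200, SHA-1 100, MD5 0, SHA-256 1400) are hashcat's standard ones, and the bcrypt-shaped sample reflects the assumption that a PHP application such as Craft CMS stores password_hash() output.

```python
import re

# Constructed mysqldump excerpt standing in for the backup found on the machine.
# Every value here is made up; the bcrypt string is shape-correct but not a real hash.
SAMPLE_DUMP = """
-- MySQL dump (constructed sample)
CREATE TABLE `users` (`id` int, `username` varchar(255), `email` varchar(255), `password` varchar(255));
INSERT INTO `users` VALUES (1,'admin','admin@example.htb','$2y$13$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234');
INSERT INTO `users` VALUES (2,'operator','operator@example.htb','5f4dcc3b5aa765d89d9b6f1b2a5e3c42a9f0d1e2');
INSERT INTO `sessions` VALUES (7,'deadbeef');
"""

# One INSERT statement: table name plus everything up to the terminating ';' at end of line.
INSERT_RE = re.compile(r"INSERT INTO `(?P<table>\w+)`\s*VALUES\s*(?P<rows>.*?);\s*$", re.M | re.S)

# (label, hashcat -m mode, regex) checked in order from most to least specific.
HASH_PATTERNS = [
    ("bcrypt", 3200, re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha256-hex", 1400, re.compile(r"^[0-9a-f]{64}$")),
    ("sha1-hex", 100, re.compile(r"^[0-9a-f]{40}$")),
    ("md5-hex", 0, re.compile(r"^[0-9a-f]{32}$")),
]


def split_tuples(body):
    """Split 'VALUES (a,b),(c,d)' into ['a,b', 'c,d'], ignoring parentheses inside quotes."""
    tuples, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(body):
        ch = body[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(body):  # keep escaped char verbatim
                cur.append(body[i + 1])
                i += 1
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                tuples.append("".join(cur))
                cur = []
            else:
                cur.append(ch)
        elif depth > 0:
            cur.append(ch)
        i += 1
    return tuples


def split_values(tup):
    """Split one tuple body on top-level commas, unquoting 'string' fields."""
    fields, cur, in_str, i = [], [], False, 0
    while i < len(tup):
        ch = tup[i]
        if in_str:
            if ch == "\\" and i + 1 < len(tup):  # MySQL backslash escape
                cur.append(tup[i + 1])
                i += 2
                continue
            if ch == "'":
                in_str = False
            else:
                cur.append(ch)
        elif ch == "'":
            in_str = True
        elif ch == ",":
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur).strip())
    return fields


def parse_rows(sql):
    """Yield (table, [field, ...]) for every row in every INSERT statement."""
    return [(m.group("table"), split_values(t))
            for m in INSERT_RE.finditer(sql)
            for t in split_tuples(m.group("rows"))]


def identify_hash(value):
    """Return (label, hashcat_mode) if the value is shaped like a known hash, else None."""
    for name, mode, pat in HASH_PATTERNS:
        if pat.match(value):
            return name, mode
    return None


def extract_credentials(sql, table="users"):
    """Collect hash-looking fields from the given table, paired with the first text field as the user."""
    found = []
    for tbl, fields in parse_rows(sql):
        if tbl != table:
            continue
        for f in fields:
            ident = identify_hash(f)
            if ident:
                # Heuristic: first non-numeric, non-hash field is taken as the username.
                user = next((x for x in fields if x and not x.isdigit() and not identify_hash(x)), "?")
                found.append({"user": user, "hash": f, "type": ident[0], "hashcat_mode": ident[1]})
    return found


def hashcat_lines(creds):
    """Format as 'user:hash' lines, the layout hashcat reads with --username."""
    return [f"{c['user']}:{c['hash']}" for c in creds]


if __name__ == "__main__":
    for c in extract_credentials(SAMPLE_DUMP):
        print(f"{c['user']}  {c['type']}  (hashcat -m {c['hashcat_mode']})")
```

Feed a real dump in place of SAMPLE_DUMP and write hashcat_lines() to a file; the printed mode tells you which -m to use, and a bcrypt result explains why the cracking step in the post was slow, since bcrypt is deliberately expensive to compute.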


Finally, we successfully accessed the machine as Matthew, and we can read the user flag by typing the “cat user.txt” command.

Escalate to Root Privileges Access


Sadly, we could not find any binary to abuse for the next stage.


However, we found a listening port that we can use in the next stage.


Let’s set up port forwarding for the port we found earlier.


The website is reachable through the port forward, as shown above.


We should be able to obtain the password needed for access.




After carefully analyzing the database.php file, I noticed a password stored in it, as shown above.


Let’s access the database using the credentials we found earlier.





Sadly, we didn’t find anything useful in the database, and it seems to be a rabbit hole.



We noticed that the ZoneMinder (ZM) version is 1.36.32.

CVE-2023-26035 vulnerability


There are many ways to exploit this vulnerability, notably with Metasploit, but I decided to do it manually with BurpSuite.


Let’s examine the port-forwarded website through BurpSuite.


On our machine, we need to create a file containing the reverse shell command.


Let’s use the curl command to retrieve the file and execute it with bash.


It looks like it is working like a charm.


We have successfully retrieved a new reverse shell connection as zoneminder.


As usual, we should look for any binary that we can abuse for root escalation.


Many of the files we are allowed to run are Perl scripts.


We should be able to execute the command above to retrieve a root shell.


As expected, we managed to obtain the root shell.


We can read the root flag by typing the “cat root.txt” command.

Extra Information on Surveillance