In this post, I would like to share a walkthrough of the Carpediem machine from Hack The Box.

This machine is rated Hard on Hack The Box.

What will you gain from the Carpediem machine?

For the user flag, you need to obtain admin access on the website and use its upload function to plant a webshell, which lands you inside a container. Once inside the container, further enumeration reveals an instance of Trudesk. The SSH password has to be recovered from a voice call message, played back with Zoiper.

As for the root flag, you need to abuse CVE-2022-0492.

Information Gathering on Carpediem Machine

Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

There are two ports open on the machine.

Let’s access the web interface.

The same interface is shown even after we access it using the domain “carpediem.htb”.

We didn’t manage to find any interesting directory that we could use to escalate further.

Finally, we managed to see one subdomain that has been configured on the machine.

Sadly, we don’t have any valid credentials right now. As a result, let’s create a new account by registering.

By default, we can register with any username and password.

Once we have completed registering, we are redirected to the main page shown above.

We can try to inspect the update request using Burp Suite.

As shown in the screenshot above, we notice that login_type is 2, which makes me think that admin might be 1.

Let’s try modifying the login_type.

We have successfully accessed the admin dashboard.
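The admin access above comes from a mass-assignment bug: the server trusts a role field (login_type) that the client sends in the profile update request. The following is an added example, not code from the Carpediem site, showing a minimal profile-update handler with that defect next to a hardened version that only copies whitelisted fields and records which fields it rejected (a useful detection hook). The function names, the in-memory user table and the 1/2 role numbering are assumptions modelled on the walkthrough's observation, not the real application.

```python
# Added example (not the Carpediem site's code): a profile-update handler with a
# mass-assignment bug beside the fixed version. The 1/2 role numbering follows
# the walkthrough's observation; everything else here is constructed.

LOGIN_TYPE_ADMIN = 1
LOGIN_TYPE_USER = 2

# Constructed in-memory user table standing in for the site's database.
USERS = {
    "alice": {"login_type": LOGIN_TYPE_USER, "email": "alice@example.test"},
}

# Fields a user is allowed to change about their own profile.
EDITABLE_FIELDS = {"email"}


def update_profile_vulnerable(session_user, form):
    """Mass assignment: every submitted field is written to the record, so a
    tampered login_type=1 promotes the caller to admin."""
    record = USERS[session_user]
    for key, value in form.items():
        record[key] = value
    return record


def update_profile_fixed(session_user, form):
    """Only whitelisted fields are copied; login_type is never taken from the
    client. Returns the record and the list of rejected field names so the
    caller can log tampering attempts."""
    record = USERS[session_user]
    rejected = sorted(set(form) - EDITABLE_FIELDS)
    for key in EDITABLE_FIELDS & set(form):
        record[key] = form[key]
    return record, rejected


def is_admin(username):
    return USERS[username]["login_type"] == LOGIN_TYPE_ADMIN


def demo():
    """Run both handlers against the same tampered request.
    Returns (admin after vulnerable handler, admin after fixed handler, rejected fields)."""
    tampered = {"email": "alice@example.test", "login_type": LOGIN_TYPE_ADMIN}

    USERS["alice"]["login_type"] = LOGIN_TYPE_USER
    update_profile_vulnerable("alice", dict(tampered))
    became_admin_vuln = is_admin("alice")

    USERS["alice"]["login_type"] = LOGIN_TYPE_USER
    _, rejected = update_profile_fixed("alice", dict(tampered))
    return became_admin_vuln, is_admin("alice"), rejected


if __name__ == "__main__":
    print(demo())
```

In a real application the rejected list would be logged with the session user and source address; a legitimate client never sends login_type, so any occurrence is a strong signal of request tampering like the Burp Suite edit above.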

Let’s add some comments on the picture that is legitimately available on the internet (this idea was suggested by my friends).

At last, we have a command injection on the website itself.

As a result, let’s inject our reverse shell command into the website.

Finally, we have a reverse shell connection back to us, as shown above.

However, we are inside a Docker environment.

Let’s do port forwarding on the machine using chisel.

Enumeration of the MongoDB database

Let’s enumerate further inside the MongoDB database using the mongosh tool.

We can see 4 databases saved in MongoDB.

The screenshot above shows the users configured in the MongoDB database.

Let’s enumerate further with the command db.tickets.find()

Among the information we found inside the MongoDB database, there are a few crucial details in the voice call message.

Gaining information from the Zoiper tool

Firstly, we need to download and install Zoiper from here.

The details that we need to enter in Zoiper are:

  • User id: 9650
  • Pin: 2022
  • Domain: Carpediem.htb

We know that Zoiper is configured correctly when we see the interface shown above.

From the video above, we managed to find the password for the user.

We can read the user flag by running the command “cat user.txt”.

Escalating to Root Privileges

We cannot see any binary that we can abuse when running the sudo -l command.

Let’s transfer linpeas to the victim’s machine.

Let’s run linpeas.sh for further enumeration.

I notice there’s a file that looks weird to me.

It looks like an SSH private key, but sadly it’s a different type of key.

Let’s dump some traffic on the victim’s machine.

We can load the key under TLS to decrypt the machine’s traffic.
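The "weird" file above is a TLS private key lying on disk where a low-privileged user can read it; SSH and TLS keys share the same PEM "-----BEGIN ... PRIVATE KEY-----" framing, which is why it first looked like an SSH key. As an added example (not part of the walkthrough or of linpeas), here is a small scanner a defender can run to find PEM private keys whose file mode lets group or other read them. The function names are my own; the sample files in the usage are constructed.

```python
import os
import re
import stat

# Added example, not from the walkthrough: walk a directory tree and report
# PEM-encoded private keys whose mode bits let group or other read them.
# Function names and thresholds here are the author's choices for illustration.

PEM_KEY_HEADER = re.compile(rb"-----BEGIN (?:[A-Z0-9 ]+ )?PRIVATE KEY-----")
GROUP_OR_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def key_kind(path, max_bytes=4096):
    """Return the PEM label ('RSA', 'EC', 'OPENSSH', '' for PKCS#8) if the file
    starts like a private key, otherwise None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(max_bytes)
    except OSError:
        return None
    m = PEM_KEY_HEADER.search(head)
    if not m:
        return None
    # Strip the fixed prefix/suffix to keep only the algorithm label.
    label = m.group(0)[len(b"-----BEGIN "):-len(b" PRIVATE KEY-----")]
    return label.decode("ascii").strip()


def find_exposed_keys(root):
    """Return sorted (path, kind, octal_mode) tuples for private keys that are
    readable by group or other. Symlinks and special files are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue
            if not stat.S_ISREG(mode):
                continue
            kind = key_kind(path)
            if kind is None:
                continue
            if mode & GROUP_OR_OTHER_READ:
                findings.append((path, kind, oct(stat.S_IMODE(mode))))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    for path, kind, mode in find_exposed_keys(root):
        print(f"{mode} {kind or 'PKCS#8'} key readable by others: {path}")
```

Run it as root against /etc, /opt and application directories; any hit is a key that a foothold user could copy and feed to Wireshark exactly as described above, so the fix is chmod 600 and the right owner, followed by rotating the certificate if the key may already have been read.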

At last, we have obtained the username and password for backdrop.carpediem.htb.

Therefore, let’s do port forwarding again with port 8002, as shown in the screenshot above.

Finally, we have a Backdrop interface; let’s log in using the credentials we found earlier.

We can see the Backdrop dashboard.

We can upload reference.tar as a module.

Finally, we have command injection working on the website interface.

Let’s start our nc listener.

Let’s submit our base64-encoded reverse shell command, which is decoded again in the browser, so that we receive the reverse shell connection back to us.

As a result, we have successfully obtained the connection back.

There is some source code that shows a cron job.

We are required to create a basic PHP reverse shell on our own attacker machine, just like above.

Let’s start our Python proxy server.

Aside from that, we also need to start our nc listener.

In order to obtain the reverse shell connection back, we need to use the command shown in the screenshot above.

Finally, we have successfully obtained root inside Docker, but we still cannot read the root flag yet.

Docker Escape

I got this script with the help of my friends on the internet.

We should execute the same command above so that we can receive a root shell.

As a result, we have successfully got the root shell.

We can read the root flag by typing the command “cat root.txt”.
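CVE-2022-0492 is a cgroup v1 release_agent escape: it needs CAP_SYS_ADMIN (or the ability to unshare a user namespace) and a writable cgroup mount, which Docker's default AppArmor profile and seccomp filter both block. Containers that loosen those defaults are the ones that let a root shell inside the container become a root shell on the host, as happened above. The following is an added example, not the escape script from the walkthrough: a checker that grades `docker inspect` output for those risky settings. The HostConfig field names are Docker's; the sample containers and the function names are constructed, and the checker does not tell you whether the host kernel is patched.

```python
import json
import sys

# Added example, not the walkthrough's script: flag the HostConfig settings in
# `docker inspect` output that remove the defences against a cgroup
# release_agent escape (CVE-2022-0492). Sample data below is constructed.

RISKY_CAPS = {"SYS_ADMIN", "CAP_SYS_ADMIN", "ALL"}
UNCONFINED = {
    "apparmor=unconfined", "apparmor:unconfined",
    "seccomp=unconfined", "seccomp:unconfined",
}


def assess_container(entry):
    """Return a list of finding strings for one element of `docker inspect` output."""
    host = entry.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all capabilities, AppArmor and seccomp disabled")
    caps = {c.upper() for c in host.get("CapAdd") or []}
    if caps & RISKY_CAPS:
        findings.append("CapAdd grants SYS_ADMIN: cgroup mount and release_agent write possible")
    opts = {o.lower() for o in host.get("SecurityOpt") or []}
    if opts & UNCONFINED:
        findings.append("SecurityOpt disables a default profile: " + ", ".join(sorted(opts & UNCONFINED)))
    if host.get("UsernsMode") == "host":
        findings.append("UsernsMode=host: container opts out of daemon user-namespace remapping")
    return findings


def assess_all(inspect_json):
    """Map container name -> findings for the JSON list `docker inspect` prints."""
    report = {}
    for entry in json.loads(inspect_json):
        name = (entry.get("Name") or "?").lstrip("/")
        report[name] = assess_container(entry)
    return report


# Constructed sample standing in for `docker inspect $(docker ps -q)` output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False, "CapAdd": None, "SecurityOpt": None}},
    {"Name": "/build", "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                                      "SecurityOpt": ["apparmor=unconfined", "seccomp=unconfined"]}},
    {"Name": "/debug", "HostConfig": {"Privileged": True, "CapAdd": None, "SecurityOpt": None}},
])


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in assess_all(data).items():
        status = "OK" if not findings else "RISK"
        print(f"[{status}] {name}")
        for f in findings:
            print(f"    - {f}")
```

Pipe `docker inspect $(docker ps -q)` into it on a host you administer; a container with no findings still relies on a patched kernel, so the checker is a complement to, not a substitute for, applying the kernel fix.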

Extra Information on Carpediem Machine
