Official Carpediem Discussion

Official discussion thread for Carpediem. Please do not post any spoilers or big hints.

Hey all

I’m having trouble finding a foothold on this box. Anyone have any advice or a nudge?

Fantastic box! I love the path to user. Still getting to root though.


I have the admin panel, looking for going deeper

Finally rooted! 9/10 box!

Don’t know how to get to user from *****r, do I need to get r*** here?

I’m hitting against a wall trying to upload the webshell, the app says file uploaded, but I think the webapp is trolling me…

**webshell uploaded!!!

Best box ever !!! You really did a good job @ctrlzero and @TheCyberGeek, I’m having a lot of fun !

Got user pretty fast, everything is made in a nice and logical way, well done!

Root is also pretty fun :wink:

oh nooo VPN’s are down!!! (maybe will extend the release arena time)

I think I’m at the last step before the root flag and I think I found the last exploit to use but some stuff is missing so please DM me if you can help :smiley:

nooo the time is almost gone and I have no user flag yet… I’m soooo close

In b***d***, how can I make an account? Or should I find one?

you’ll find one if you listen


good one! :wink:

Hello can someone help me please? I found the new domain with a S** inj****** which leads me to an uncrackable hash and a kind of lo*** fi** in******* which is leading nowhere and for now I am stuck

Are you sure you posted in the correct thread?

yes, mind DM me?

Hello there,
Found a SQ* In******* which led to nowhere…
I’m now trying to get something from VP. According to @ctrlzero’s comment, I was thinking about Eav******ng but at least two machines are needed for that, right?

this is a very messy box

User flag

  • find a subdomain where you can create a user
  • examine the requests when updating the profile to promote yourself
  • you can update what you look like, and there don’t seem to be enough checks
  • make yourself look like a reverse shell
  • there are many storages on this machine and one of them is very fruity
  • look through all the info in this db, you will find another subdomain and a bunch of users
  • don’t try to crack the users, replace them instead
  • you should now be able to access the support system
  • look for messages between people and identify a newbie to join
  • instead of the newbie, you can get the newbie’s password, all you need is to listen to the voice mail
  • now login as the newbie and get the user flag

Root flag

  • local enum will show you that you have special power to sniff
  • there is a very important file on the host that can reveal what you have sniffed
  • understand the content that you sniffed and you will be someone else
  • of course, you need to pivot the traffic to login as someone else
  • you are at the back of this, now it’s time to drop a new module in your favour. Search for the subdomain name + rce
  • gain access to the back container as a user, then look for what’s running behind the scene
  • this part of PE is not difficult, just need to replace a script
  • when you are the root of this container, enum again
  • you’ll be able to exploit a CVE to escape the container to become the real root.

finally rooted :face_holding_back_tears:

one of my favorite boxes!