This is my first Capture the Flag exercise and covers a number of different techniques.
The back story: Scammers are taking advantage of people and various fake shopping websites have been setup, but people are finding their orders never arrive. We have identified one scam website which we believe is harvesting credit card details from victims. Your objective is to take down the scam website by gaining root access, and identify the 3 flags on their server. Our intelligence suggests the scammers are actively reviewing all orders to quickly make use of the credit card information.
The types of vulnerability used in this CTF can be seen below (they are intentionally hidden by default):
You can download the Capture the Flag here. This has been tested using VirtualBox but may work with other virtualisation platforms. DHCP is enabled, and it is recommended you run this in host-only network mode.
Please feel free to leave me feedback in the comments. I am keen to see what people thought about it and how easy/difficult they thought it was.
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEbBiicuM2ITDGGcOJPvHWS2kZ5UMFAl7NYsAACgkQPvHWS2kZ 5UNxQhAAk134aocO6KkEoe+f+DIQrTdFbG8CxQ/b4PWRrIWvFStPzyLwlFe2Vi/W oYfJ+i+pgrkh2NXVf5UbwnfvChUPIjnyxa6NhuVM9vfWsxkwvWLJ4DcKYMVhKuK1 bOEyXqL4MXp1TrEUZWUm7R3xxlgcaRAA2cpts0joDImmggcljC7n1oeBYHumasbn A9YPuBnjBJnST3ii2brhNV0c58YTJLpssN3XFIGSQmFsl9xwXeU/zClrX4WivP0U 9odK/gUvVXGBRzr/BrsxVK65s5/0IYuFkwGBKoDvqCQOr2sZQC6le/PioH8VeQ19 23jYte6fbMDggXzvbXNUx19tMg6tGKXipcXKD5+9Vdp6SL8nbxHo07DhkeuOPFmv GjAYj1jEYcgVUVNrb9lRmMkow9tkUq67DhPBN8ekwM/PR/1jxAQTG/P9JL+69/lS aag3U/IpNl334I4oO5TniutUJf06YsHeWqeKO7cq9elVVfC4YPI+VOESS6eiS0DB Zc7YO6oYomEcL7wA4Io5m+qaEy4SFHUEutw4aurcoXNf8a/95BL5jIAK71JA30Ut euB/KWB2IxxuafxD38coqjxmlDQPx7fztMHPGUhvvqZiqyjaQtFoPFzKu4BYDeIY y5INDm1oVetVt1VB5ZHYXT8dS2owGET8WC6DTZCf4g9isTbhlws= =NDWq -----END PGP SIGNATURE-----