It’s been several months since your investigation of Hackme Corp uncovered some very useful data. The entire IT staff has been replaced since Sarge’s departure from Hackme Corp, but the new hires aren’t as skilled or as experienced as the last team. With none of the old team left to train the new folks, the ramp-up period has been very slow, but they are already noticing some strange things occurring on the server: files disappearing and then reappearing, and even some telnet traffic according to a packet capture (although after a thorough nmap scan of the server this was quickly written off as an error). The command history of every user is monitored daily, and nothing is really standing out as potentially malicious.
So, Hackme Corp, being so impressed by your previous work, is inviting you back in to make sense of this seemingly possessed web server. They are afraid to go live with the public website on this server since it’s been acting so strangely. The development staff has “locked down” the dev site, which had previously been identified as a security liability, so although the new team thinks that someone is still getting into the server, they just can’t figure out how they’re doing it. That’s where you come in. Find out how someone could get into the web server, if possible, and report back to the Hackme Corp execs.
Things you’ll need to get familiar with in order to excel at this CTF:
Basic Linux skills (how to connect to a remote system, search for files, etc.)
Linux file permissions, the SUID bit, and other file attributes.
BurpSuite Proxy and/or ZAP (Really… just the proxy portion will do)
Reading pcap files using Wireshark (or something else)
Knowing tcpdump might be helpful for troubleshooting
Nmap (a little more than just the basics)
Basic Bash or Python scripting (we’re talking a very basic level here… think looping through Linux commands on a single line)
Simple static analysis of binary files in Linux