The Teide Volcanic Research Station (EIVT) is a fictional scientific facility that monitors volcanic activity in the Canary Islands. Recently, Dr. Mencey Guanche, the lead researcher, has mysteriously disappeared along with crucial data about a possible imminent volcanic eruption.
The latest system logs show suspicious activity. Your mission is to infiltrate the station's systems, follow the clues left by Dr. Guanche, and discover what really happened.
Was he kidnapped? Did he flee with valuable information? Or is there something more sinister at play?
Ultimate objective: Gain root access and find Dr. Guanche's hidden "treasure."
Level 1: Reconnaissance
Techniques: Service enumeration, Fuzzing.
The user must enumerate the active services. To do this, they can use tools like "nmap" to discover the system's active ports. After enumeration, they will find the following active services: ftp, ssh, and two web servers.
The user is granted SSH access to the system. With this access, they won't be able to obtain much, but they will be able to list the system's users.
Of the two web servers, the one on port 8081 contains only a non-functional login page, intended solely to mislead the user. The web server on port 80 hosts a website with various pages of information about the Teide Volcanic Research Station, but nothing relevant to its operation. The user will have to enumerate the site's pages to find relevant information.
Websites typically include a file called “robots.txt” at the site root that contains instructions for search engine robots (crawlers), such as Google's, about which parts of the site they may and may not crawl.
By accessing this file, the user will find the first flag, as well as two folders (/admin and /mencey_private) that were not accessible through the links displayed on the main page. The /admin folder and its files could also be found by enumerating or fuzzing websites.
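A minimal robots.txt parser, added here as an example (it is not code from the station VM or the walkthrough). It shows what the file actually is, a list of advisory rules, and why it matters to a defender: the Disallow lines enumerate exactly the paths the site owner did not want indexed, so anything listed there that relies on being unlinked is now advertised to any reader. The paths /admin and /mencey_private come from the walkthrough; the rest of the sample file is constructed.

```python
"""Minimal robots.txt parser, added as an example; not code from the VM.
The paths /admin and /mencey_private come from the walkthrough; the rest
of SAMPLE_ROBOTS is constructed for the example."""

# Constructed sample file (not the VM's real robots.txt).
SAMPLE_ROBOTS = """\
# Teide Volcanic Research Station - crawler rules
User-agent: *
Disallow: /admin
Disallow: /mencey_private
Allow: /

User-agent: Googlebot
Disallow: /drafts/
"""


def parse_robots(text):
    """Return {user_agent: {"allow": [...], "disallow": [...]}}.

    A group starts with one or more User-agent lines; the Allow/Disallow
    lines that follow apply to every agent in the group. Comments and
    unknown fields are ignored, as a crawler would ignore them."""
    rules = {}
    agents = []              # agents of the group currently being filled
    start_new_group = True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if start_new_group:
                agents = []
                start_new_group = False
            agents.append(value)
            rules.setdefault(value, {"allow": [], "disallow": []})
        elif field in ("allow", "disallow"):
            start_new_group = True
            if value:        # an empty "Disallow:" means nothing is disallowed
                for agent in agents:
                    rules[agent][field].append(value)
    return rules


def disallowed_paths(text):
    """Every path some agent is asked not to crawl, in file order.

    This is the list a defender should review: a path that is only
    "protected" by being unlinked is advertised to anyone who reads the
    file, so it needs real access control (authentication, ACLs)."""
    paths = []
    for agent_rules in parse_robots(text).values():
        for path in agent_rules["disallow"]:
            if path not in paths:
                paths.append(path)
    return paths


if __name__ == "__main__":
    for path in disallowed_paths(SAMPLE_ROBOTS):
        print("listed in robots.txt, verify it has real access control:", path)
```

Disallow is a request to well-behaved crawlers, not an access control; the fix for a folder like /admin is authentication on the server, not a line in this file.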
Level 2: Web Exploitation
Techniques: SQL Injection.
The previously found /mencey_private folder contains a file that is protected and inaccessible. However, the /admin folder contains the login.php file, which is accessible.
On the admin/login.php page, you can attempt to compromise the login form in several ways, for example, by performing a brute-force attack, although this will not be successful.
To succeed, the user must perform an SQL Injection attack. SQL injection is a type of attack that involves inserting malicious code into SQL queries, exploiting vulnerabilities in web applications to access or manipulate databases.
The form does not sanitise user input: whatever is typed into the field is concatenated directly into the SQL query, so SQL syntax entered there changes the login validation logic and lets the attacker bypass it and reach the dashboard. For this case, a basic input such as `' OR 1=1-- -` will suffice.
Once you gain access to the dashboard, you will find a link that redirects to the previously inaccessible file. Inside, you will find the second flag and some credentials.
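The following is an added example, not the VM's admin/login.php: the same login check written twice against an in-memory SQLite table, so the bypass described in this level can be observed next to the parameterised query that prevents it. The table name, account and password are constructed for the example.

```python
"""Added example, not the VM's admin/login.php: the same login check written
twice against an in-memory SQLite table so the bypass can be compared with
the parameterised fix. The table, user and password are constructed."""

import sqlite3


def make_db():
    """Constructed users table with one account. A real application stores a
    password hash, not the password; that is omitted to keep the injection visible."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_vulnerable(db, username, password):
    """The flaw: user input is concatenated into the SQL text, so a quote
    closes the string literal and '--' comments out the password check."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_fixed(db, username, password):
    """The fix: a parameterised query. The driver sends the values separately
    from the statement, so quotes and comment markers stay plain data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


def compare(username, password):
    """Run the same input through both versions; returns (vulnerable, fixed)."""
    db = make_db()
    return login_vulnerable(db, username, password), login_fixed(db, username, password)


if __name__ == "__main__":
    # The payload from the walkthrough succeeds only against the concatenated query.
    print(compare("' OR 1=1-- -", "anything"))      # (True, False)
    print(compare("admin", "constructed-secret"))   # (True, True)
```

The parameterised version treats the whole payload as a username that simply does not exist; no amount of quoting or commenting in the input changes the statement the database executes.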
Level 3: Cryptography
Techniques: Decoding, hidden files.
Since the user knows the different system users, they should try the credentials they found earlier until they can log in with one of them via SSH. These credentials will work for the user mencey.
In the user's directory, you will find a file whose contents are encrypted. There is also a folder with various subfolders and files, which will not contain any relevant information. Inside one of the subfolders is a hidden file named “.secreto” that contains the decryption key and clues about the type of encryption used.
The encryption used is Vigenère. Using a web platform such as CyberChef with that key, the file's contents can be decrypted, which yields new credentials.
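An added Vigenère encrypt/decrypt routine (not the VM's file and not CyberChef's code) so the decryption step can be reproduced offline and cross-checked against CyberChef. The ciphertext and key below are constructed stand-ins; the real contents of the encrypted file and of .secreto are not reproduced.

```python
"""Added example, not the VM's file or CyberChef's code: a Vigenère
encrypt/decrypt routine matching the behaviour the walkthrough relies on.
SAMPLE_KEY and SAMPLE_CIPHERTEXT are constructed; the real .secreto key
is not reproduced."""

import string

ALPHABET = string.ascii_uppercase


def vigenere(text, key, decrypt=False):
    """Shift each letter of `text` by the matching key letter (A=0 ... Z=25).

    Non-letters pass through unchanged and do not consume a key position,
    and letter case is preserved; this matches CyberChef's Vigenère
    operation, so results can be cross-checked there."""
    shifts = [ALPHABET.index(k) for k in key.upper() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text:
        upper = ch.upper()
        if upper not in ALPHABET:
            out.append(ch)
            continue
        shift = shifts[i % len(shifts)]
        if decrypt:
            shift = -shift
        new = ALPHABET[(ALPHABET.index(upper) + shift) % 26]
        out.append(new if ch.isupper() else new.lower())
        i += 1
    return "".join(out)


def decrypt(ciphertext, key):
    """Convenience wrapper for the direction used in this level."""
    return vigenere(ciphertext, key, decrypt=True)


# Constructed stand-ins for the encrypted file and the key found in .secreto.
SAMPLE_KEY = "LEMON"
SAMPLE_CIPHERTEXT = "LXFOPV EF RNHR"

if __name__ == "__main__":
    print(decrypt(SAMPLE_CIPHERTEXT, SAMPLE_KEY))   # ATTACK AT DAWN
```

The level also illustrates a storage mistake rather than a cipher weakness: the key sits in a hidden file a few directories away from the ciphertext, readable by the same account, so hiding it adds nothing. Credentials that must survive a compromised user account belong in a store that account cannot read.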
Level 4: Steganography
Techniques: Metadata Analysis.
With the credentials obtained in the previous level, the user can access the system as the investigator user.
In the user's directory, they will find a text file with a history and clues. The clue prompts the user to review ALL the details of some images. Since the FTP service is active, the user could try to access this service with the credentials. The FTP service allows access to its directory with this user, so the user will be able to transfer the images to their computer.
To obtain relevant information, the user must review the image metadata with a tool like "exiftool" to find flag number 4.
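An added example, not exiftool and not the VM's images: a small JPEG marker-segment walker that shows where comments (COM) and Exif (APP1) metadata physically sit in the file, and a function that strips them, which is the control a defender applies before publishing images. The JPEG bytes are constructed in the code; the file is structurally valid but contains no picture data.

```python
"""Added example, not exiftool's code: walk the marker segments of a JPEG,
pull out the comment/Exif metadata, and strip it. The sample file is
constructed here; it is not one of the station's images."""

import struct

EOI, SOS, COM, APP1 = 0xD9, 0xDA, 0xFE, 0xE1
STANDALONE = {0x01, *range(0xD0, 0xD8)}       # markers that carry no length field


def build_sample_jpeg():
    """Constructed minimal JPEG: SOI, one COM segment, one APP1 (Exif) segment, EOI."""
    def seg(marker, payload):
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    return (b"\xff\xd8"
            + seg(COM, b"constructed comment: camera left at the station")
            + seg(APP1, b"Exif\x00\x00" + b"\x00" * 8)   # header only, no real TIFF data
            + b"\xff\xd9")


def split_jpeg(data):
    """Return (segments, tail): segments is a list of (marker, payload) for every
    marker segment before the scan data; tail is everything from the SOS or EOI
    marker onward, kept verbatim so image data is never touched."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte, skip it
            pos += 1
            continue
        if marker in (EOI, SOS):             # image data or end of file: stop walking
            break
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, data[pos:]


def comments(data):
    """Text of every COM segment (the simplest place to hide a note in a JPEG)."""
    return [p.decode("latin-1") for m, p in split_jpeg(data)[0] if m == COM]


def has_exif(data):
    return any(m == APP1 and p.startswith(b"Exif\x00\x00") for m, p in split_jpeg(data)[0])


def strip_metadata(data):
    """Rebuild the file without COM and APP1..APP15 segments. APP0 (JFIF) is kept
    because decoders expect it; the scan data tail is copied unchanged."""
    segments, tail = split_jpeg(data)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if marker == COM or 0xE1 <= marker <= 0xEF:
            continue
        out += b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out) + tail


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("comments:", comments(sample), "exif:", has_exif(sample))
    print("after strip:", comments(strip_metadata(sample)), has_exif(strip_metadata(sample)))
```

exiftool decodes the TIFF structure inside APP1 as well; this walker only locates the segments, which is enough to show that a "hidden" flag in image metadata is ordinary file content that any reader of the bytes can see, and that stripping those segments on upload removes it.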
Level 5: Privilege Escalation
Techniques: SUID Permission Abuse.
- Discover SUID binaries using the command: `find / -perm -4000 2>/dev/null`
  - `-perm -4000`: matches files that have the SUID bit set (`2>/dev/null` discards permission-denied errors)
- Among the listed binaries is `/usr/bin/time`
- Check the binary's owner and permissions using: `ls -l /usr/bin/time`
- The binary has the SUID bit set and belongs to the researchers group, to which the current researcher user belongs, so the user can execute it and it runs with the privileges of its owner, the superuser.
- Abuse the binary to obtain a superuser shell using the command: `/usr/bin/time /bin/bash -p`
- Gain access to the system as a privileged user
- Access the `/root` directory, where the final resolution file is located
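From the defender's side, the control for this level is knowing which setuid files a host is supposed to have. The following is an added example (not from the VM or the walkthrough): a Python audit that performs the same check as `find / -perm -4000`, records owner, group and mode the way `ls -l` shows them, and flags any setuid file that is not in a known-good baseline. The baseline set is a constructed placeholder; a real one is recorded from a freshly built host.

```python
"""Added example, not from the VM: audit a directory tree for setuid files
and flag those absent from a known-good baseline. BASELINE is a constructed
placeholder; record the real list from a clean build of the host."""

import os
import stat

# Constructed placeholder; replace with the list recorded from your own build.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}


def is_setuid(mode):
    """True when the setuid bit is set in an st_mode value (what `find -perm -4000` tests)."""
    return bool(mode & stat.S_ISUID)


def find_setuid(root):
    """Walk `root` and return (path, uid, gid, mode string) for every regular
    file with the setuid bit. Unreadable entries are skipped, like the
    2>/dev/null in the find command above."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and is_setuid(st.st_mode):
                found.append((path, st.st_uid, st.st_gid, stat.filemode(st.st_mode)))
    return found


def unexpected(found, baseline=BASELINE):
    """Paths that carry setuid but are not in the baseline, e.g. a root-owned
    /usr/bin/time that has been changed to mode 4755. Each one is either a
    misconfiguration to revert (chmod u-s) or a baseline entry to justify."""
    return sorted({entry[0] for entry in found} - set(baseline))


if __name__ == "__main__":
    hits = find_setuid("/usr/bin")
    for path, uid, gid, mode in hits:
        print(f"{mode} uid={uid} gid={gid} {path}")
    print("not in baseline:", unexpected(hits))
```

Run periodically (or from a file-integrity monitor) the difference from the baseline is the detection; a setuid bit appearing on a utility such as `time`, which has no reason to run as root, is exactly the signal this level depends on the defender having missed.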