Summer Breach: StartupCorp
A fast-growing startup launched its “Summer Productivity Portal” for employees working remotely during the summer internship season.
Due to rushed deployment deadlines, several internal services, backup files, and scripts were exposed publicly.
Your objective is to simulate a red-team assessment and determine how far an attacker can penetrate the infrastructure.
Can you move from an external visitor to full root compromise?
1
Summer Cleanup Gone Wrong
Q1.
A forgotten backup file was accidentally exposed during the summer infrastructure cleanup. Enumerate the web server and identify the first flag hidden inside the leaked archive.
+100 pts
Developers sometimes leave compressed memories behind.
2
Heatwave Injection
Q1.
The summer diagnostics utility was deployed without proper input sanitization. Exploit the vulnerable functionality to achieve remote code execution and retrieve the second flag.
Not every ping request is harmless.
3
Vacation Password Policy
Q1.
After obtaining shell access, enumerate the system for sensitive files and weak operational practices. Pivot into a valid user account and capture the third flag.
+99 pts
People rarely change passwords they can still remember.
4
Summer Intern Automation
Q1.
An automated backup mechanism created during the busy summer release cycle contains a dangerous misconfiguration. Escalate your privileges to root and retrieve the final flag.
+100 pts
If root executes it, root trusts it
Submit Flag