Mission
Copy /etc/shadow to /tmp/shadow_copy without the auditd LOUD-tool heuristic flagging a read of /root/shadow_flag. Fresh ephemeral per session — port 2225.
Why this matters in 2026
Operating under auditd + a pre-seeded LOUD regex (cat/less/vi/cp/mv/dd/install/rsync/pv/split/hexdump and friends). Pick the one tool that is not in the signature.
Mitigation era: 2026-04-24 · rotation policy: levels may be refreshed as CVEs are patched out of distro defaults.
Connection Terminal
Use the password forphantom14 that you captured on the previous level, then:ssh [email protected] -p 2225SSH command copied to clipboard!
This level runs on its own ephemeral container — each SSH connect spawns a fresh box that disappears on disconnect.
Flag Submission
Log in to submit flags and track progress.
🩸
ACTIVE RECORDFirst Blood captured by