Mission
This challenge contains a binary with a file attribute that lets it bypass standard read permission checks. An unprivileged user can use it to read files normally restricted to root. To solve the challenge, exfiltrate the contents of three files and concatenate them into the flag. The three files are /etc/shadow, /root/.ssh/id_rsa, and /root/.kube/config — the flag is hidden somewhere in the combined text.
Starting toolkit (you may need more)
getcapWhy this matters in 2026
The ability to read arbitrary files is often worth more than a root shell. Real operators use this kind of capability for lateral movement — SSH key harvesting, kubeconfig theft, and credential exfiltration are all one attribute away from trivial.
Mitigation era: 2026-04 · rotation policy: levels may be refreshed as CVEs are patched out of distro defaults.
How to reach this level
Use the password for phantom7 that you captured on the previous level, then:
ssh phantom7@phantom.breachlab.org -p 2223
SSH endpoint is being provisioned. Follow @BreachLab for launch announcement.
Log in to submit flags and track progress.