Mission
This challenge contains a sudo rule that preserves a specific environment variable across privilege elevation. An unprivileged user can use it to execute attacker-controlled code as root. To solve the challenge, read /flag. You do not need to exploit the kernel.
Starting toolkit (you may need more)
sudogccccWhy this matters in 2026
The dynamic linker reacts to environment variables in ways most operators forget. This is one of the cleanest demonstrations of why environment variables are a capability, not a convenience.
Mitigation era: 2026-04 · rotation policy: levels may be refreshed as CVEs are patched out of distro defaults.
How to reach this level
Use the password for phantom2 that you captured on the previous level, then:
ssh phantom2@phantom.breachlab.org -p 2223
SSH endpoint is being provisioned. Follow @BreachLab for launch announcement.
Log in to submit flags and track progress.