What is going on everybody? My name is John Hammond and welcome back to another YouTube video. We're taking a look at the Boot to Root 2019 CTF. I've got it visible here in CTFtime. It's Boot to Root with zeros for the O's inside "Boot", so take note of that. The official link here is BootToRoot.Tech. That brings you to a cool flashy web page: hacker elite cyber warrior ninja. And the register button is the only thing that will actually bring you to their real CTFd platform. Note here, when you actually go to this page, this is no longer a domain name, it's just IP addresses. So classic hacker fashion here. I've got the challenges up and available. So let's take a look at some stuff in the Linux category, because I think that had a very interesting and good curve for people that were going through. There were a lot of questions and a lot of struggles that were going through. So the first challenge is called Steve Rogers in that category. Let's take a look here. "Steve knows there's a flag somewhere in plain sight. Log in as Steve and find it for him." It has a connect.sh script. The author is DeadSec, and if you need support you can go check out their Slack channel. The link for that is available in their miscellaneous category and the welcome challenge for 50 points. So you get a flag if you go to the Slack channel. It's good. It's good. Good CTF. connect.sh is just a small one-line script, kind of like what I normally do when I'm making CTF challenges, which I think is kind of funny and kind of neat. I'll fire it up in the terminal here. I actually have it downloaded already. I do not anymore, never mind. So let's go ahead and create that: nano connect.sh. They put it into Google Drive stuff so I couldn't wget it, and it's just messy. What this does, and it's interesting, is this executes socat and connects to this IP address at this port and turns the terminal into raw mode and turns off echo.
So you might be asking, like, why can't I just netcat to that IP address and that port, which, you have a valid point here. Like, you very well could totally do that. However, it does not put you in raw mode and it doesn't turn off echo. So the commands that I run are still visible when I do them and show them, and you don't have cool, neat things like an actual tab completer or arrow keys working. So the socat method is better. If you actually run that script and you get an error "socat is not found", that's okay. Don't worry about that. It just means socat's not installed. So on your home system, you simply run sudo apt install socat, or whatever package manager you have, but you might be on an Ubuntu or Debian based system like me. So okay, we connect and we are in their file system. We're the Steve user. Now what do we do? Well, probably want to privesc, probably want to get control of this machine, probably want to find the flag. So we start to enumerate, we start to look around, we start to try and find stuff. ls doesn't seem to be anything in the current directory. ls -a, nothing really interesting in these hidden files, you can take a look at them but they're just kind of the default bash configuration stuff: .bash_profile, .bashrc, etc. So nothing particularly useful, you still got to keep hunting. This is where your enumeration is key. I started to take a look at /etc/passwd. I think that's the first thing you should check a lot of times, or at least one of the first things that should definitely be on the checklist. We have a root user. Obviously, that's good. A lot of system accounts, service accounts, www-data. I thought that was interesting because that means there might be a web server on this. I realized I was talking fast, now I got to slow down. It has sshd as a user, which is interesting, means SSH is likely installed. We can check out processes next and try and figure that out.
Also, we've got Steve, our account, and Tony. Tony is another user account, which is peculiar. So we can go check out his home directory, /home/tony. Doesn't seem to be anything there. But ls -la gives us a .flag file, so we could try and cat that out. But the permissions tell us absolutely no one can really read, write, or execute this. It's chmod 0000. root would still be able to read this if we were root, but we currently are not root. So maybe that's a fake flag, maybe that's a red herring, maybe that's a flag for another challenge. We're just gonna have to table that and put it out of our mind for the moment. If you are unaware, there is an incredible, awesome resource: g0tmi1k's privesc guide. So "g0tmi1k privesc Linux", if you were to Google that you can check out this blog post. It is phenomenal, and that's a lot. It's just a treasure trove of awesome commands and syntax you can run to try and find out information, because they say, yeah, this is all about privilege escalation. But that boils down to the core matter and that's enumeration. So enumerate, enumerate, enumerate, figure stuff out, and that gives you a lot of things that can take a look through this. So if you were literally typing each of these commands one by one and trying to figure stuff out, you would find the flag. And I mentioned, let's take a look at the programs and the processes that are running. So I want to check out the applications and services here. If we were to ps aux, okay, you can see there is root running a bash script 1042.sh, root's blah, blah, blah, sshd. So SSH is running, that's peculiar to note. And su, su steve. So okay, maybe that command didn't give us all that much. However, that 1042.sh is very, very interesting. Let's see if we can view that file. If I were to cat that out, it tells me nothing, because maybe I'm trapped inside of that or something, I don't know. So whatever, let's keep moving on. ps -ef is interesting.
If we run this, it says, in that same process in the command, it says bash 1042.sh and maybe another argument. That looks like a flag, right? That looks like the start of the flag, it's not finished there. But now we've got a lead as to, okay, this process ID has something very interesting in it. And if you didn't know what that was doing, you can check out the man page for ps, but that's not going to have anything in that system. So let's man ps on our local box. You can check out -e. That is "select all processes". So we did that, the same thing with ps aux, I would think. But we also want -f in there. And that's "do full-format listing". So that's going to give us that output that we saw there, and got practically as much as it could have of that command line. So now you can see part of the flag is there. That's pretty valuable. And maybe you wouldn't have run that if you weren't using this guide, or you didn't know that resource, you didn't know to enumerate in that way, etc. So experience, exposure, that's what this is all about, right? Okay, now we know that this is potentially in the command line of that process. So we can check that out in /proc. We can go ahead and cat /proc, because everything in Linux is a file, right? If you were checking out a process, you can specify its process ID, kind of like a directory in here. And we can check out some peculiar stuff. I've done this in a lot of different videos. We cannot read that process's current working directory or root. That's fine, because it's not ours. But we could probably go ahead and read the cmdline file. So let's cat that out, cmdline. And it's pretty messy, because it reads it kind of like a binary thing. If you pipe this to strings, if we actually have strings, no, we don't, classic, you would be able to see this a little bit nicer. Anyway, you can see the flag there: boot to root command line flags are obvious. So boom, we've got it, right? We can go ahead and submit that.
If I move back, go to the challenges here. The website has been really shaky. Sometimes the challenges straight up won't load. A lot of people were whining in the Slack. It's fine. Alright, that's that though, that is the challenge. So take note, now we had seen another flag file in Tony's home directory. And we also saw that SSH was running. So those are some valuable pieces of information that we'll tackle the next challenge with, because the next challenge is a continuation of this one. But we've got the flag: boot to root command line flags are obvious. So if you wanted to, let's just take note of that flag. For good practice here, like we always do, right? Let's mark Steve Rogers as complete. And we continue on. Thanks for watching guys. If you like this video, please do like, comment and subscribe. Okay, the challenges are finally back up. Let's go ahead and submit that. Ruin my outro, Boot to Root. Come on, man. Tony stank. Next challenge. Professor Hulk requires a flag. We'll check this out in the next video. But if you did like this video, please do like, comment, subscribe. It's a lot of fun. This was a great CTF, I enjoyed it a lot. It was kind of side by side with VolgaCTF. SunshineCTF is going to start in a couple minutes here. So it's going to be a good weekend. Thank you guys for watching. See you in the next video.
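As an added example (not from the video or the CTF), the /proc/<pid>/cmdline record the walkthrough reads is argv joined with NUL bytes, which is why cat shows it "kind of like a binary thing" and why strings cleans it up. The Python below parses such a record and, for defenders, walks /proc to flag processes that were handed a credential or flag on their command line, since any local user can read that file even when cwd and root are denied; the sample record, the flag value and SECRET_PATTERNS are constructed placeholders.

```python
import os
import re

# Patterns for material that should never ride in argv (constructed; extend for your estate).
SECRET_PATTERNS = [
    re.compile(r"(?i)(password|passwd|token|secret|api[_-]?key)=\S+"),
    re.compile(r"\w+\{[^}]+\}"),  # CTF-style flag{...} tokens
]

def parse_cmdline(raw: bytes) -> list[str]:
    """Split a /proc/<pid>/cmdline record (NUL-separated, NUL-terminated) into argv."""
    if not raw:
        return []  # kernel threads and zombies expose an empty record
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]

def find_secrets(argv: list[str]) -> list[str]:
    """Return every argv fragment that looks like a credential or a flag."""
    hits = []
    for arg in argv:
        for pat in SECRET_PATTERNS:
            m = pat.search(arg)
            if m:
                hits.append(m.group(0))
    return hits

def scan_proc(proc_root: str = "/proc") -> list[tuple[int, list[str], list[str]]]:
    """Walk /proc and report (pid, argv, hits) for processes leaking secrets via argv."""
    findings = []
    if not os.path.isdir(proc_root):
        return findings
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as fh:
                argv = parse_cmdline(fh.read())
        except OSError:
            continue  # process exited between listdir and open, or hidepid= hides it
        hits = find_secrets(argv)
        if hits:
            findings.append((int(name), argv, hits))
    return findings

# Constructed record shaped like the one in the video; the flag value is a placeholder.
SAMPLE_CMDLINE = b"bash\x001042.sh\x00flag{PLACEHOLDER_VALUE}\x00"

if __name__ == "__main__":
    print(parse_cmdline(SAMPLE_CMDLINE), find_secrets(parse_cmdline(SAMPLE_CMDLINE)))
    for pid, argv, hits in scan_proc():
        print(f"pid {pid}: {' '.join(argv)!r} -> {hits}")
```

Mounting /proc with hidepid=2 (or invisible) stops other users from listing a process's cmdline at all, which is the mitigation this check is meant to motivate.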