Hello everybody, my name is John Hammond and welcome back to some more MITRE STEM CTF. This is the 200 point challenge in the Linux category, and I need to put up a full frontal disclaimer: real props to another individual in the Discord server, R4J, who was really kind of helping me understand this and kind of guiding me through it, so I cannot claim any credit for this. This is absolutely his baby, but it's very clever and very cool, and it actually ties into the Smasher machine on Hack The Box if anyone wants to go do some extracurricular and take a look at that and read up a bit on it. So the challenge is called RaceU, for 200 points. It says "let's find out who's faster," and we have the SSH connection again here, so let's move into a directory where we can work with this. Let's call it 200 RaceU, cd into that, and create a little connect script just for funsies. Hmm, mark that executable. Alright, cool. So yes, if you haven't connected before: ls, let's see what we've got here, and we have this file again in red, so we can assume that it has a setuid bit set, and it does. It's owned by root, but when we run it we run with the privileges of root, so we can use this file to do things that root could do but we otherwise could not. So filechecker.c we can read, and that is assumingly, presumably, the source code to this, so let's actually check out what that is and what it says. That's the binary, cool. Let's check out the C source code. So it includes some stuff and then it sets these macros. It defines UID equal to 1000 and GID equal to 1000. That correlates to our account: our UID and GID are 1000. If I run the id command you can see that, and that goes for the files that we own. When we create new files, if you ls -n you can actually see these columns here, like if I were to touch anything. Let's do ls -n again, bring it to the top here. You can see that because this is owned by me it has 1000 and 1000 as its UID and GID, user ID and group ID.
So this is zero because it's owned by root, and we need to be able to determine something that will fit this criteria. When we open up a file given as an argument, argv[1], so we need to supply it as an argument to this filechecker program, it determines if the UID on that file and the group ID on that file, each XORed with 1000 and then ANDed together, is equal to zero. So let's just do some math on that, right? If we owned a file that was 1000 and we XORed it with 1000, we would get zero. And if we ANDed that with something else, we would get zero. As you can see, when we actually do this on a file that we own, this would evaluate to true. It would say "You win," and it would read the contents of that file for us. So we essentially can only read things that we own, right? If we were trying to access something that root owned, so zero XORed with 1000 ANDed with zero XORed with 1000, that's going to return false. So it'll just say "Access denied." So if I were to make my nice little anything file, if I were to say "please sub," redirected to anything, cool. Now if I ran filechecker on anything, it says "You win, please sub," okay? Now we have an interesting dilemma, because we want to be able to read this root.flag.txt file, presumably, but we don't own that file and we couldn't give that to the file checker. It just would not be able to play nice with it and would give us access denied. So what do we do? That is where the guidance and hint from this challenge title and this challenge description come in: RaceU, "let's find out who's faster." This is a race condition. We need to be able to create a file that we own and then do some sleight of hand with it, like say, "I actually want you to go be the root.flag.txt."
So then if we use filechecker in that same instant, or very, very quickly, it will say, cool, this is owned by ctf, or this is owned by John, or whoever you are, and then suddenly, whoa, let's read it, but instead it's the output of the root.flag.txt file. So this is peculiar and done in an interesting way. We're going to have to script this and automate it, right? Because we're going to have to probably hammer it and try and get this race condition to work. Again, props to R4J on kind of nudging me in the right direction with this and actually holding my hand until I figured it out. So thanks. My phone's going off. Let's try and create a script, but we don't have nano. What about vi? What about vim? Okay, God dang it. What about ed? We don't even have that. Do we have sed? No? I guess we have sed. Good luck, everybody. So the cool tactic that again is an option for us, and more props to R4J on helping me determine this, is that we could go ahead and cat anything that we wanted, redirected to a script file. And then if we wanted to, we could just write a script like that: #!/bin/bash, let's say echo please sub, cool. And then let's check that out. Now we have it created as a script that we can run: chmod +x script. We can run that and it would do it. So, neat. Let's go on in the same "text editor" now. Let's go ahead and create a script that we can work with. Let's do MITRE. Actually, I'm in YouTube/MITRE now, aren't I? Sorry. Once I show my home directory, part of me just freezes. I'm like, oh God, what could people see? What could they know? You know? But you guys aren't weird like that, right? So #!/bin/bash, right? Let's do this in bash. Let's create a file. Let's just touch a file that we own. So let's call it like myfile, it really doesn't matter. And then let's immediately remove it, so that potentially, if we had the file checker run and work with it, it could read it if it got it at the right time. rm myfile. Goodness gracious.
And then let's go ahead and just ln -s to get a new symbolic link, or a kind of redirected target or a shortcut, to root.txt, root.flag.txt, as myfile. Since we had to remove it, ln -s would be able to actually create the file, because otherwise it would say, oh, this file already exists. I should make this bigger for you. And I should probably bring it down so you can see it. My bad. So now, this is not running the file checker. What you could do is you could try and have it run the file checker just as you create the file and then hopefully remove it, let's get it there. But that is a little bit too procedural. That doesn't work the right way. We're going to have to kind of separate these two, "create file, massage file" and "actually run the file checker," into different scripts, or different loops, with different durations and things, so that it's not a procedural thing: yeah, I created the file, I want to check it, but I want to remove it. That doesn't work as well because the timing just doesn't work out. The procedural thing will get in the way. So if you have each of them running in their own different loops, have filechecker repeatedly trying to grab at this file that we're kind of creating and then removing and then replacing, that might work, right? So I'll show you how that's done. And actually R4J has explained to me and showed me how that's done. So we're spreading the knowledge here. That's what this is all about. That's why we do capture the flag and cyber security stuff. So we've created the file. We've removed it. And now we want to create a symlink. We're going to do that over and over and over again. So let's create a while loop for that. A whole loop, a whole while loop. Do, and do this. Now take note that because I'm trying to ln -s and then create a new one at the same time, I actually need to remove myfile one more time at the very top.
So we don't iterate through this and then go back to the top of the iteration and try to touch a file that already exists. We have to remove it again. So, interesting thing, whatever. Now we've got this repeatedly working and going and trying hard. So let's go ahead and put that into a script on the system. There. Good. And so now if we were to check that out, we've got it. Let's mark it as executable. And let's run it. So it's going. It's doing its thing. But right now we don't have our bash prompt back, so we can't do anything with that. So let's go ahead and background this. So now it's running in the background. We've got our shell back. So you can see myfile is being created, et cetera, et cetera. If I watch -n 0 ls -l, maybe I can see this. Yeah, you can see myfile is going crazy. There it is. Every now and again it's something that we own. Every now and again it's redirected. Yep, you can see just barely what it redirects to: it symlinks to root.txt, root.flag.txt. So this is cool. So we've got that script running. And now we want to be able to run filechecker. Again, in its own loop, a separate thing, so it's trying to pull it and reach it just at the right time. Let's do while 1, do ./filechecker myfile. And this is going to be a little crazy and sporadic. But let's do it. I need to do... never mind. That was anticlimactic. Go. So it's doing it. It's doing its thing. A lot of times we get an "Access denied." We get a couple of segmentation faults. We occasionally see "You win" in there. The random garbage bytes that it's trying to see are actually when it's an empty file. So the timing is just a little bit off. What I've had to do repeatedly is kind of... actually, bad: it creates a new session for you every time you connect. So that's kind of very annoying, and you'll have to recreate your script every time. So: script, Ctrl-C, chmod +x script, run script in the background. Good.
And let's do while 1, do ./filechecker myfile, done, and let it go. So hopefully at some point we'll get lucky and see a little curly brace at one point. I don't know how well grep will work with this. Sometimes I have not seen it actually work that well from my testing. So this is what we're supposed to do. This is what we should do, but it's going to take a little bit of perfecting. And I know that sucks. So what I've had to do when I've actually just got a lot of pretty constant access denieds is I've actually just run the script again. What is going on now? What is going on? Let go. All right, let's disconnect from that. Let's do that. I don't know why I backgrounded it. chmod. I hope this showcases just how finicky this is. Oh, it was. I saw it. It happened. Maybe you guys might have better luck with grep than I did. But I thought, let's just let it go. Let's watch it. Let's see it happen. And let's try and catch it when we've got it, because I know I saw it. It's probably not in my buffer. Probably just out of reach. There it is. Just the very top of my buffer. All right, so that is the flag. And that is how to do it. Oh my goodness. I hope that's cool. I hope that was interesting. I hope it wasn't agonizing, just kind of waiting it out, trying to see if you can get it. Maybe we have better luck with grep. I guess I'll try it. Why not? We've got time. Okay, I think I've waited long enough and we haven't gotten any results yet. So again, I just had not gotten it to work with grep. I don't know why. It's just a matter of watching it and seeing it happen, which you've got to be quick on the trigger, quick on the draw for. So hey, that's that. Thank you guys for watching. Hope you enjoyed this one. I know it was kind of weird. I know it was kind of finicky, but maybe a really cool technique, some race conditions that you're just cranking through in bash. So if you did like this video, please do like, comment, and subscribe.
Join the Discord server or come hang out with us. It's a really cool community full of CTF players, programmers, and hackers. We do a lot of competitions like this as often as we can. I try and jump in there. We'll hang out and party in the voice chat. It's a blast. So please do come join the community. If you'd like to support me, I have a Patreon account and a PayPal, and I am super duper grateful for you. So thank you. Can't say that enough. See you in the next video, guys. So I literally stopped recording and then it got it. So hey, grep will work eventually. It's just super finicky. Actually, I hit Ctrl-C and then let it go. So take it for what it's worth, I guess. I don't know. Get out of here. Stop watching this video.
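The bug the whole video races against is a time-of-check/time-of-use gap: filechecker stat()s the path it was given, decides based on the owner, and then open()s the same path again, and the bash loop swaps myfile between a file you own and a symlink to root.flag.txt in the hope that the swap lands between those two syscalls. The example below is an added illustration written for this page; it is not the challenge's filechecker.c and not code from the video. It shows the vulnerable check-then-open shape next to the fix (open once, fstat() the descriptor, read from that same descriptor), and replaces the bash loop with a callback that runs inside the gap so the race is won every time. The ownership test is written plainly (uid and gid must equal the caller's) rather than with the XOR/AND expression in the real source. It assumes a POSIX/Linux system and, for the "root-owned" target, either a world-readable /etc/passwd owned by another uid or, when run as root, the ability to fabricate a file owned by uid 65534 (assumed to be "nobody"); the temporary directory, file names and contents are constructed for the demo.

```c
/* Added example: check-then-open (TOCTOU) versus open-then-fstat. Not the
 * challenge's filechecker.c. The attacker's symlink-swapping loop is modelled as
 * a callback run inside the race window so the outcome is deterministic.
 * Assumes POSIX/Linux; /etc/passwd owned by another uid, or root so that a file
 * owned by uid 65534 (assumed "nobody") can be created as the forbidden target. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef void (*race_hook_t)(void *ctx);

/* The policy from the write-up, stated plainly: file uid and gid match the caller's. */
static int owner_ok(const struct stat *st) {
    return st->st_uid == getuid() && st->st_gid == getgid();
}

/* VULNERABLE: stat() the path, decide, then open() the same path a second time.
 * hook runs in the gap and stands in for the "rm myfile; ln -s root.flag.txt myfile" loop. */
static ssize_t checked_read_vuln(const char *path, race_hook_t hook, void *ctx,
                                 char *buf, size_t len) {
    struct stat st;
    if (stat(path, &st) != 0 || !owner_ok(&st)) return -1;   /* "Access denied" */
    if (hook) hook(ctx);                                       /* the race window */
    int fd = open(path, O_RDONLY);                             /* path may now point elsewhere */
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* HARDENED: open once, fstat() that descriptor, decide, read from the same descriptor.
 * Changing what the path points at afterwards cannot change what the fd refers to. */
static ssize_t checked_read_safe(const char *path, race_hook_t hook, void *ctx,
                                 char *buf, size_t len) {
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !owner_ok(&st)) { close(fd); return -1; }
    if (hook) hook(ctx);                                       /* same window, now harmless */
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Constructed scenario: a file we own, a file we do not, and "myfile" as a symlink. */
struct demo { char dir[32], mine[64], link[64], secret[64]; };

static void point_link(struct demo *d, const char *target) {
    unlink(d->link);                         /* rm myfile; ln -s target myfile */
    symlink(target, d->link);
}
static void attacker_swap(void *ctx) {       /* what the bash loop does inside the window */
    struct demo *d = ctx;
    point_link(d, d->secret);
}

static int demo_setup(struct demo *d) {
    struct stat st;
    strcpy(d->dir, "/tmp/raceu.XXXXXX");
    if (!mkdtemp(d->dir)) return -1;
    snprintf(d->mine, sizeof d->mine, "%s/mine", d->dir);
    snprintf(d->link, sizeof d->link, "%s/myfile", d->dir);
    FILE *f = fopen(d->mine, "w");
    if (!f) return -1;
    fputs("please sub\n", f);                /* content we are allowed to read */
    fclose(f);
    if (stat("/etc/passwd", &st) == 0 && st.st_uid != getuid()) {
        strcpy(d->secret, "/etc/passwd");    /* stand-in for root.flag.txt */
    } else {                                 /* running as root: fabricate a foreign-owned file */
        const char *body = "not yours\n";
        snprintf(d->secret, sizeof d->secret, "%s/secret", d->dir);
        int fd = open(d->secret, O_WRONLY | O_CREAT | O_TRUNC, 0644);
        if (fd < 0) return -1;
        int ok = write(fd, body, strlen(body)) == (ssize_t)strlen(body) &&
                 fchown(fd, 65534, 65534) == 0;   /* 65534: assumed "nobody" */
        close(fd);
        if (!ok) return -1;
    }
    point_link(d, d->mine);                  /* myfile -> mine: the state that passes the check */
    return 0;
}

static void demo_teardown(struct demo *d) {
    unlink(d->link); unlink(d->mine);
    if (strncmp(d->secret, d->dir, strlen(d->dir)) == 0) unlink(d->secret);
    rmdir(d->dir);
}

int main(void) {
    struct demo d; char buf[4096] = "";
    if (demo_setup(&d) != 0) { perror("setup"); return 1; }
    ssize_t v = checked_read_vuln(d.link, attacker_swap, &d, buf, sizeof buf);
    printf("vulnerable: %zd bytes, first line: %.*s\n", v, (int)strcspn(buf, "\n"), buf);
    point_link(&d, d.mine);
    ssize_t s = checked_read_safe(d.link, attacker_swap, &d, buf, sizeof buf);
    printf("hardened:   %zd bytes, first line: %.*s\n", s, (int)strcspn(buf, "\n"), buf);
    demo_teardown(&d);
    return 0;
}
```

With the swap in the window, the vulnerable routine passes the check on the file we own and then hands back the contents of the foreign-owned target, which is exactly the "You win" followed by root.flag.txt that the loops in the video are fishing for; the hardened routine reads from the descriptor it already validated, so the swap changes nothing. A setuid program that must check a caller-supplied path should also consider O_NOFOLLOW when symlinks are never legitimate input, but the essential fix is doing the check and the read on the same open file, not on the path.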