What's going on everybody, welcome back. It has been a hot minute since I posted a video, so I'm pretty happy to showcase some of this stuff. My roommates are gone, which means I can actually record in peace and there's no one blaring, like, bad banjo music or Panic! at the Disco in the background, so that's pretty cool. All right, ready to do this thing. I want to showcase some MITRE STEM CTF, or "steam CTF" as one of the challenges makes fun of it. I don't know if they're steam, STEM, I don't... I'm in a bathroom right now, I just woke up, I hope that's cool. I don't really even know, is that, like, something you're allowed to do on YouTube? Is this on the... So on CTFtime you can link to it. This is the page description and stuff for MITRE STEM CTF. If you aren't on CTFtime constantly lurking and monitoring for upcoming competitions and challenges, you absolutely should be. Register, log in, create an account if you haven't already. There's about five and a half hours left in the game. I don't want to take this time to start to record some of the challenges so that I can actually upload them and have them visible for your faces, because people tell me, at least whenever I meet them or talk to them, like, "Man, as simple and as little as some of these are, they are super duper helpful," and I'm actually facing another competition. So here we go, let's showcase, just... let's start with the Linux section.

I want to be able to run through these. A lot of people got this pretty quick, I think, I guess, I don't know the traffic flow of the challenge solutions, right? But the description is peculiar, it doesn't really have anything to do with the challenge, it's a little story thing: Clyde is trapped in the dimensional transport module, etc., etc. The only note they really hint to is "as a precaution they will place Clyde in a clean room to remove any radiation." Clean Room is the challenge title, and we're given an SSH command to connect to it.

So just out of the goodness of our hearts, let's go ahead and create a directory for us to work in. Let's call it YouTube MITRE, because I already have a MITRE folder set up for it. Make a directory for the Linux category, because we like to be clean, and make a directory for 50 Clean Room, the challenge points and the challenge name. So I'm gonna have just a little connect script that I'm not actually gonna end up using all that much, at least once I kind of showcase what the challenge is to you, but I just want it for the sake of stuff. If it's the first time you're connecting to the service and the box, you are gonna be prompted, "Do you want to accept this, like, RSA token?" You just have to type in the word "yes" and hit enter, but it doesn't have a password, so you can just log in. So you go in, ls, but it will tell you, whoa, "ls: command not found." You can't do anything, it's super annoying, it's super stupid. You can check out whoami, nope, dir, nope, id, nope, nothing. Do I have echo? Do I, like, have builtins? Oh, I guess I do, okay, that's cool.

Notice that we are in rbash, so restricted bash. If you haven't heard of that, it is a peculiar thing, right? Maybe if you're in a blue team game or you're trying to act as a defender, or you actively have people trying to log into machines in some sort of game or exercise, rbash is a cool option for you, because it does kind of limit what people can do. I'm not allowed to change directories, kind of can't set or unset variables, or especially environment variables, cannot use command names that contain slashes, so you can't use, like, an absolute path for things you want to run. Like, I wouldn't be able to just say /bin/bash, it won't let me. Same thing for redirecting, I can't create a file if I wanted to use any, like, those greater-than symbols. A peculiar thing though is that this does not denote the actual less-than symbol; a lot of these said the greater-than symbol and pipes, but solely the left-facing less-than symbol, like, we can do that. That's a peculiar thing.

So what I did to work with this is I actually used echo $PATH to see the environment variable that I have to work with for, like, locations in my path, and all I had was... some of it's in my current directory supposedly, but I don't know if it is there or not. So I tried to tab autocomplete, which, that at least let me do that: I can type out /home/ctf/bin and I can see what is potentially inside that, and tee is an option that we have. We can run tee. So tee by default will just kind of take in a file or input, maybe I'm misunderstanding or maybe I'm not explaining this well, but tee, if you give it something, it will display it on standard output and redirect it to a file, or bring it to a file. So an interesting thing with tee is that, actually, let's pull this up in GTFOBins so I show you what I'm talking about. If you haven't heard of GTFOBins, this is a cool utility, because it is like LOLBins, if you haven't heard of that, which is Living Off The Land Binaries for Windows. So GTFOBins is the Linux side, but this will give you commands or programs that will already be pre-installed or available on a fresh vanilla Windows system, and the same thing goes for GTFOBins: this is a curated list of Unix binaries that can be kind of taken advantage of to do interesting things. So we can just search: can tee, or the tee command, do anything peculiar? Well, it looks like we can use it to file write, SUID, sudo, etc., etc. So I did some interesting things with this tee -a argument, because that will let us write to a file, and we didn't have sudo or any availability to do that in this, so that's peculiar. But that helped me when I looked at this, and it might help you if you haven't heard of this resource before. That helped me realize, oh, the -a argument will be super duper helpful in trying to find something else we can do with this.

So what I actually found was I can use tee and then the less-than redirection. I tested a lot of redirection operators, I tested to see what can I do with this command, well, how can I work with it? I just kept banging my head against the wall for the longest time, I recommend you do the same thing. But I found that if I redirected a file name into it, it will actually give me the output of that file. So now I'm kind of scratching my head, like, what other things can I read, or can I look at, or can I do? There's nothing, there's no file that I could read on the file system that would help me kind of determine how I can run commands, is there? I don't know, it's such a release issue... okay, peculiar things, right? But then I think I got kind of clever, and maybe I'm going down the rabbit hole here, maybe I'm misremembering this, but I did tee < /bin/bash and I got the entire bash command, which is a clever thing. Okay, that's the binary though, right? So I thought a technique that I could do was actually using tee reading in /bin/bash just as we've done, but now using that same command with -a to, like, write to the directory path that we have. So if I were to put this in /home/ctf/bin, and then, can I overwrite the tee binary? I don't know. Now I tried to just run tee, see if it would give me bash, but it didn't, nothing had worked, so I wasn't able to use that technique. I tried to create a new binary in there, let's just say, like, "new," and it would supposedly put stuff out on the screen, but I can't run new as a command anymore, so maybe that just wasn't doing what I thought it was doing, and that didn't work. I wanted to explain that to you though, so you know that kind of thought process, or what I was experimenting with, and if you didn't know those resources, you do now.

So the technique that I kind of mulled around with, and actually had a peculiar pointer to with void update, so shout out to you on the Discord server in the community, we like to play these just for fun, we'll hang out just to learn really, so he had noted that, well, we're just using SSH to connect to the service, right? So why can't we do something with the SSH connection? You know how you can pass a command or an argument to SSH for it to run before it actually executes everything in, like, .bashrc, I think, or it just starts the shell? So he figured, can I run whoami or, like, id, or actually get command output that we wouldn't be able to run otherwise when we're inside of rbash? So we kind of spat back and forth about this, and I'm like, oh my god dude, why not just run straight up bash? And we did it, it gave us a shell, we were able to just straight up run commands, sorry, whoami, cool, and we had command output. So now I thought, well okay, let's just straight up find the flag, right, because we have a command. How are we going to just get flag.txt, right, how are we going to be able to track down where the flag lives? And I just ran find using the root directory, and then I just used -name flag.txt, which is kind of a shot in the dark, but we needed to find out, we needed to learn. So /root/flag.txt, there it is, okay cool, so you can cat that out and there's the flag. We could save that, we could do that. However, that made me learn now that when we were connected, we could just simply use tee the way we were using before, I just didn't know the path of the file, like, we didn't know the path of the flag. If we did, we could just tee < /root/flag.txt and there's that, like, because we can read any file. Now that we know where the flag is, just go ahead and spit it to tee, and we've got that. So peculiar things, a little bit of learning. Interesting that we didn't have any commands other than tee. I thought it was kind of neat using that autocomplete feature to just determine what files do I actually have in my path, like, in that bin directory for the ctf user. So peculiar stuff.

Let's actually save this flag, and let's write a simple "get flag" script with this, which is going to be a duplicate of the connect script, just giving that cat command to it as an argument; we don't have to use that tee method inside of rbash. I talked for a long time, I said a lot of words about that, I hope it didn't get lost in translation, you know. So let's just cat /root/flag.txt now that we know where the flag actually is in the file system. It looks like that is pretty consistent for the rest of the Linux challenges in this category of MITRE CTF. So that's that, we can go ahead and mark that challenge as complete. And a lot of people ask about this syntax: it's curly braces and then a comma and then _complete, which will, like, take the previous file name and then just tack on, like, it's replacing in what the original thing would have been and then adding on "complete," so now we have that file name renamed, which is very cool. It's a very interesting technique; I learned that from mono rail, who hung out in the Discord server for a bit. So if you are not on the Discord server, I absolutely recommend coming to hang out. It's the team that we kind of played this competition with, we're all really here to learn, we're not here to win, we just kind of wanted to have fun. So if you check out the JH Discord, that's us hanging out and having a good time, just trying to learn, just trying to get better, not in it to win it, you know what I mean. Thanks for watching guys, hope you enjoyed this, I will see you in the next video where we tackle more MITRE CTF.
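The defender-side lesson of the walkthrough is that a login shell of rbash is not a control on its own: a command passed on the ssh command line ran unrestricted. What actually enforces a restriction over SSH is the sshd configuration, specifically a Match User block with ForceCommand. The script below is an added example, not from the video or the CTF, that audits for exactly that gap: it reads a passwd-style file and an sshd_config, both constructed sample inputs embedded inline, and lists accounts whose shell is rbash but which have no Match User block carrying a ForceCommand. The parser is deliberately simple and is an assumption about layout: it handles "Match User a,b" blocks only, not Match Group, Include or global ForceCommand lines.

```shell
#!/bin/sh
# Added example (not from the video): audit accounts that rely on rbash alone.
# Both input files are constructed sample data written to temp files so the
# script runs offline; point the functions at /etc/passwd and
# /etc/ssh/sshd_config on a real host.

set -eu

PASSWD_SAMPLE="$(mktemp)"
SSHD_SAMPLE="$(mktemp)"
trap 'rm -f "$PASSWD_SAMPLE" "$SSHD_SAMPLE"' EXIT

cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ctf:x:1000:1000::/home/ctf:/bin/rbash
kiosk:x:1001:1001::/home/kiosk:/bin/rbash
alice:x:1002:1002::/home/alice:/bin/bash
EOF

cat > "$SSHD_SAMPLE" <<'EOF'
PermitRootLogin no
Match User kiosk
    ForceCommand /usr/local/bin/kiosk-menu
    PermitTTY yes
Match User alice
    PasswordAuthentication no
EOF

# rbash_users PASSWD_FILE: print login names whose shell is rbash.
rbash_users() {
    awk -F: '$7 ~ /(^|\/)rbash$/ { print $1 }' "$1"
}

# forced_users SSHD_CONFIG: print every user named in a "Match User ..." block
# that also contains a ForceCommand line. Only Match User blocks are parsed;
# Match Group, Include and global options are out of scope for this check.
forced_users() {
    awk '
        tolower($1) == "match" {
            inblock = (tolower($2) == "user"); users = ""
            if (inblock) { for (i = 3; i <= NF; i++) users = users " " $i }
            next
        }
        inblock && tolower($1) == "forcecommand" {
            n = split(users, u, "[ ,]+")
            for (i = 1; i <= n; i++) if (u[i] != "") print u[i]
            inblock = 0
        }
    ' "$1"
}

# unprotected_rbash_users PASSWD_FILE SSHD_CONFIG: rbash users with no
# ForceCommand, i.e. accounts where the restricted shell is the only control
# and "ssh user@host <command>" is not constrained by sshd.
unprotected_rbash_users() {
    forced="$(forced_users "$2" | tr '\n' ' ')"
    for u in $(rbash_users "$1"); do
        case " $forced " in
            *" $u "*) ;;                # sshd enforces a command for this user
            *) printf '%s\n' "$u" ;;    # rbash only: report it
        esac
    done
}

# With the sample data, kiosk is covered by ForceCommand and ctf is reported.
unprotected_rbash_users "$PASSWD_SAMPLE" "$SSHD_SAMPLE"
```

The report line for ctf is the finding: the account's shell is rbash, but nothing in sshd_config pins what that session may run. The fix the check points at is a Match User block for that account with a ForceCommand (and, where no shell is needed, PermitTTY no), so that the restriction lives in sshd rather than in the shell the connection happens to land in.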