Howdy-de-de-de-do ladies and gentlemen, welcome back to another YouTube video. This is Boot2Root CTF 2019. This challenge is called Tony Stank. It's the second challenge in the Linux category. I saw the last one in the last video, if you want to go check that out, and this challenge continues off of that previous one. I want to give a special shout out, and I neglected to in the last video, to Raj, or R4J in the Discord, who was willing to take this on with me. He was pretty active in tackling the CTF with me in the Discord server. He found initially that, hey, that `ps` would find that flag in the previous video, and I knew, oh, we can just check that out in the /proc/PID/cmdline file. Then he actually found the breakthrough with this, which was very, very clever. I'm kicking myself. I wish I thought of it myself. Tony Stank: Professor Hulk requires a flag hidden in Tony's account to wield the Infinity Gauntlet, retrieved for him by any means necessary. This connect.sh is the exact same syntax as the last one. A lot of people were curious about that. They were checking the Slack, asking around, like, is that actually supposed to be the right thing? Was that a mistake? It is, in fact, so I will go ahead and just copy and paste this here just to make sure we've got it working, and that way we can connect just again. I could have copied the older one, but whatever. All right, so we're Steve still. We know that Tony exists. We've checked out his home directory. We've seen him in /etc/passwd. So we know that Tony exists. He's got that interesting file .flag, and that's probably what we're looking for. We need to be able to become Tony somehow. So I banged my head against this for a while, and you could run LinEnum to see if there's any vulnerabilities. You could check out what group he is in, or check out if there's a way you can change group, sudo, et cetera, et cetera. 
I won't run through those commands right now, because initially I was like, dude, I don't know, man. I guess I wouldn't have a good idea. So Tony, I'm sorry, R4J, Raj, was poking around in here, and again, props to him. He realized and noticed that I can do interesting things. What the heck? Four? Did the challenges die? Whoa, yeah, challenge totally died. Let's go whine about that in the Slack channel. BTR, Linux, Tony Stank. It's broken, bro. It's broke. That's a positive video. Okay, challenge looks like it's back. Sorry for that delay. So in Tony's home directory, what you might find is that you can actually create files. You can write in Tony's home directory. So originally, maybe if you're not thinking or remembering everything that happened in the background, you might say, well, that's great. What does that have to do with anything? Why would that help me? SSH is still running. So let's do some clever thing, right? Where if we were to go ahead and create an SSH key and add it to Tony's authorized keys, we could then sign in, authenticate as Tony, because he's going to accept that key, right? So since we can control his home directory, we can control his SSH configuration. Let's make a .ssh directory and let's go ahead and create an authorized_keys file. You might have done this in picoCTF. If you've run some of those keys challenges, you've added your SSH key on the server. I know I've done this in some VulnHub boxes. I think there might be something in Hack The Box. I've done this before and I was mad at myself like, man, why didn't I realize that? But R4J totally thought of it. It's awesome. It's clever. Very, very smart. So okay, what you want to do now is go ahead and run ssh-keygen because it will go ahead and create it. We can put it in our configuration as the Steve user. That's fine. I don't need a passphrase, so we can go ahead and hit enter a few times. 
So now we've got in our home directory, in our .ssh directory, configuration directory, we have id_rsa, which is our private key, our private key. We want to put our public key on the server, right? So .pub is our public key. So we can go ahead and redirect that to /home/tony/.ssh/authorized_keys. And now, if we were to move into there and show that it's actually there, correct. Now we can go ahead and SSH to ourself, right? So I tried this outside the box originally. I know they tell you to think outside the box a lot, and that's what I thought, oh, maybe that's what I'm doing. I'll add my own public key in there, but that didn't work. SSH wasn't accessible. So running it locally, though, does get you in. So that's an interesting thing. You should poke at and keep that in mind. Always try and do the loopback. Okay. So ssh -i with now our .ssh/id_rsa, and we'll specify Tony as the user that we want and localhost. Yes, we want to connect, and now we're Tony. So cool. We have done our privesc, right? And we left out some of our enumeration because I've been trying to showcase some of this stuff, because we still can't cat our .flag. Now why is that? ls -l. Even the user Tony cannot use this. That's annoying, right? That's peculiar and silly. But I did not do you justice in our enumeration. How do we actually check out the g0tmi1k? I've got their Slack open. I was trying to see if people like, hey, everything broke. You can check that out there. g0tmi1k, basic privilege escalation. What we want to do is find setuid binaries, and we should have done this all along, SUID binaries. We should have actually determined, okay, whatever. Other things will actually run as maybe an advanced elevated user. So this, again, probably should have happened in LinEnum. Had we run it, if you copy and pasted all the LinEnum script, and if you don't know what I'm referring to when I say LinEnum, that's LinEnum.sh by rebootuser. 
That's an automated way of checking a lot of this for basic enumeration, right? Linux enumeration. So let's get this line. Let's check out what actually has the setuid bit. Maybe this will work for me. Fingers crossed. Okay. So /bin/sed, /bin/mount, umount, /bin/gpasswd, et cetera, et cetera. Interesting to note, had you run this as Steve, now we know /bin/sed has the setuid bit on it. So we would have the privileges of the root user if we were to run this. However, it is not executable by everyone. So that's annoying and stupid. And we're like, well, we wouldn't have that privesc even as Steve. So backtrack to the last video, sorry, injustice that I didn't explain that to you then. But now you know, and keep note that that is in the root user and root group. Now Tony, on the other hand, sorry, not if but id, id is in the root group. So very interesting. That means that he can run sed. So if you were to check out GTFOBins, so I don't know why I just opened a file explorer. GTFOBins will tell you some cool things and cool stuff and how to do stuff with things, especially with the sed binary. How can you get a shell? Yes, how can you command, run command, so I can write files, you can actually just sed, we'll read files. If you do not replace, sed is supposed to do regular expressions, find and replace or other very, very cool things. But if you don't give it the first argument to the file, like the regular expression processing that you want to do, and just give it the second file, the file that you want to read, second argument, the file you want to read, it'll just go ahead and read it. So since we're root, we can go ahead and do sed, empty string, /etc/passwd. Everyone would be able to read that. /etc/shadow, only root users will be able to read that. So we have a privesc. Go ahead and sed that empty string with what we want here. Let's read our .flag: boot to root, I hope SSH is the only way. 
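The walkthrough chains three conditions together: a home directory another user can write to (so `.ssh/authorized_keys` can be planted), a setuid-root `sed` that only the root group may execute, and a non-root account that sits in gid 0. The audit script below is an added example and is not code from the video or from LinEnum; it checks for each of those conditions from the administrator's side. The functions take a root path as an argument so they can be pointed at a constructed directory tree for testing, or at `/home`, `/` and `/etc/group` on a real host; the `--live` flag and the function names are this example's own conventions. As a caveat on the first check: sshd's `StrictModes` setting (on by default) refuses `authorized_keys` files whose home directory, `.ssh` directory or the file itself is group- or world-writable, so a hit from `writable_homes` is only exploitable where that check has been relaxed.

```shell
#!/bin/sh
# Added example, not code from the video: audit the three conditions the
# walkthrough abuses. Each function takes a root path so it can be run against
# a constructed tree (for testing) or the live filesystem.

# Home directories, and .ssh directories inside them, that are group- (020) or
# world-writable (002). Anyone who can write there can drop an authorized_keys
# file for that user, unless sshd's StrictModes rejects it.
writable_homes() {
    home_root="${1:-/home}"
    for d in "$home_root"/*; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 0 \( -perm -002 -o -perm -020 \) -print
        if [ -d "$d/.ssh" ]; then
            find "$d/.ssh" -maxdepth 0 \( -perm -002 -o -perm -020 \) -print
        fi
    done
    return 0
}

# Setuid files that the owning group can execute (4010) but "others" cannot
# (! 001), i.e. modes like 4750. Not everyone can run them, but membership in
# the group alone is enough to run them as the owner, which is exactly the
# /bin/sed situation in the video. Output: "group mode path".
group_runnable_suid() {
    find "${1:-/}" -xdev -type f -perm -4010 ! -perm -001 \
        -exec stat -c '%G %a %n' {} \; 2>/dev/null
    return 0
}

# Accounts listed as supplementary members of gid 0 in a group(5)-format file.
# Any of them can run a root-owned, group-executable setuid binary.
root_group_members() {
    awk -F: '$3 == 0 && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' \
        "${1:-/etc/group}"
}

# Run the three checks against the live host (root is needed to see everything).
if [ "${1:-}" = "--live" ]; then
    echo "== home/.ssh directories writable by group or others"
    writable_homes /home
    echo "== setuid files runnable only through group membership"
    group_runnable_suid /
    echo "== supplementary members of gid 0"
    root_group_members /etc/group
fi
```

Run it as `sh audit.sh --live` on a box; an empty result from all three checks is what a hardened host should give. The three findings are only dangerous in combination, which is why the script reports them side by side rather than scoring any one of them.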
So that is our privesc, that is how we have read. Now even as root files, root can read files and that's it man, that's the flag. Boot to root, I hope SSH is the only way. I hope that made sense, I hope that was kind of cool, I hope that was neat. I know a lot of people kind of struggled with that and R4J, props to him, found it, got his first blood on this and that was very, very cool. And I'm glad that like that made sense with me. I don't know why I did the crazy thing when I was saying that, but I knew it was like, oh, I could have done that too. Like I knew that, I knew, I know why that makes sense and I understand it. So I hope that's the same way for you. We can go ahead and submit that and we'll move on to the final challenge of the Linux category, hit up root in the next video. Thanks for watching everybody. If you like this video, please do like, comment and subscribe. Join our Discord server, link in the description, and I will see you in the next video.