Hello ladies and gentlemen, my name is John Hammond and welcome back to another YouTube video. We're talking about the Boot to Root CTF for the 2019 edition and we're in the Linux category, and this is the last challenge in that category, called Groot. "We know Groot's no more but we can still hear him in the environment. Can you?" And we have our Kinect.sh script, we have to solve Tony Stank first, as in we need to become the Tony user, because that gives us our privileges. And this is again the exact same Kinect.sh script. So this challenge has been growing and it has been kind of continuing off itself, building off itself.

So here I am still logged in as Tony and that user, I minimized that on accident, okay. So what we know now is that we have sed as a potential privilege escalation avenue, right, because it is running as a setuid binary, /bin/sed. So we have root's privileges when we use sed. We can check out GTFOBins and we could get a root shell potentially, we also can write files as root, etc., etc., we could, we can use this to do a lot of damage potentially. All we've done so far is just read a file with it. So knowing that challenge prompt, I'll showcase just reading that file again. It was .flag, because that does not have any, ls -la, it does not have any user privileges, only root can read that. So very important that we know that.

In this case, now, what we can do is something very, very special pertaining to this challenge prompt. It's a hint here: "We know Groot's no more, but we can still hear him in the environment." So environment, right, you think of environment variables, you can check out env. You can see we've got a lot of environment variables that are set. None of them extremely useful right now. But remember, we want to know Groot's environment, and Groot's not a user. So it must be referring to root, the Linux user root.
And remember when we checked out the running processes, we have root doing this thing that had the original flag, and that's process ID 1. Root has a lot of other processes running. So if you wanted to, why don't we check out the environment variables for every process that's running as root, right? Maybe we've got some good avenue there. You can check through one of these one by one, you can do a loop. Remember, what I'm just going to end up determining for you is you go ahead and cat out, like we had done before with the proc folder in the Linux file system. You can check out all the different information you can get about a process: what the command line is, the executable, the current working directory, et cetera. If you had those privileges, we could check out /proc/1/cmdline. And that's what we did to solve the first challenge.

Or we could check out some other information, like the environment variables, and environ is what it's called. Sorry. Read it as Tony, remember, because it's root's environment variables, you have to read it as root. sed gives us that capability. So we can run sed, nothing, no regular expression to replace or work with. We just read that file and there we go. Again, if you were to pipe this into strings, on a machine that you had strings on, you could see that in a little bit more readable fashion. However, we've got flag equals boot to root, I am root. And that is the last challenge in the Linux category.

Go ahead and submit that for that many points. And now you're on the list. Now you're in that portion. I know that we did get first blood on that, at least I'm more than certain we got first blood on that. Maybe we didn't. I don't know. I thought we had. Obviously, we hadn't. But I know we were very excited about it, Raj and I, when we ran through that. Again, props to Raj. Special thank you to you for participating with me in the Discord server.
If you aren't in the Discord server, you absolutely should be. Link in the description. Come hang out. If you like this video, please do like, comment, and subscribe. I'll see you in the next video. Take it easy, everybody.
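
The walkthrough works because a secret sat in a root process's environment, which is exposed under /proc/<pid>/environ, and a setuid sed could read it. As an added example that is not part of the video, this audit reports which processes carry secret-looking variable names so those secrets can be moved out of the environment; the name pattern, function names and output format are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the video. Reports processes whose environment
# holds secret-looking variable NAMES; values are never printed.

# Assumed pattern for names worth flagging; extend it for your own estate.
SECRET_NAME_RE='(FLAG|SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY)'

# /proc/<pid>/environ is a run of NUL-terminated KEY=VALUE records, so turn
# NULs into newlines, keep the text before the first '=', and filter by name.
secret_env_names() {
  tr '\0' '\n' 2>/dev/null < "$1" | cut -d= -f1 \
    | grep -Ei "$SECRET_NAME_RE" | sort -u
}

# Real UID of a process, taken from the "Uid:" line of /proc/<pid>/status.
proc_uid() {
  awk '/^Uid:/ { print $2; exit }' "$1/status" 2>/dev/null || true
}

# Walk a proc tree (default /proc) and print "pid<TAB>uid<TAB>name" for each
# finding. Run it as root: environ is readable only by the process owner and
# root, and unreadable entries are skipped.
audit_proc_env() {
  local root="${1:-/proc}" dir pid uid name
  for dir in "$root"/[0-9]*; do
    [ -r "$dir/environ" ] || continue
    pid="${dir##*/}"
    uid="$(proc_uid "$dir")"
    secret_env_names "$dir/environ" | while IFS= read -r name; do
      printf '%s\t%s\t%s\n' "$pid" "${uid:-?}" "$name"
    done
  done
}
```

Calling `audit_proc_env` with no argument scans the live /proc; findings with uid 0 matter most, since any setuid-root file reader on the host can expose them to an unprivileged user.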