What's going on, YouTube? My name is John Hammond, and we're back with the MITRE STEM CTF, looking at the next 100-point challenge in the Linux category. The challenge title is January 8th, 2014. It says, all you need to do is read the flag, and we're given an SSH connection. So, all right, let's fire this up, get a terminal open, and let's make a directory 100, Jan 8th, 2014, Jan. Let's make a connect script just for good practice. Literally, just pasting it in here. Why not? I like to do it. I don't know why. So, once we are connected, again, you might need to hit yes for the first time you're trying to get through. There's nothing in this current directory, which is odd. Looks like we want to read /root/flag.txt, I'm assuming, from all the other previous challenges. We are unable to do so, however. If we check out the permissions on that, it is probably owned by root and only readable by root. Looks like it won't even check that. Cool. That makes sense. So, what have we got here to work with? We can echo $PATH. Looks like we have bin again to work with, but if we were to create new binaries, it would just be working with our privileges, so that didn't help us. That would just create commands for us. I like to use set to see all the variables in case there's anything else interesting in here. So, you basically want to do the regular enumeration that you would do the first time you got in a box. In the Hack The Box EU mentality and mindset, you can totally use LinEnum, LinEnum.sh. If you haven't seen that before, rebootuser, that's a pretty great script. I like it a lot. I would absolutely recommend using that if we could get something in there, but kind of the takeaway that you'd want to just pull from it is that you immediately want to know what can you run as root. That's at least in my mind the first priority that I have when I get on a box. What can I do as sudo? Is sudo on the system? Can I even run stuff as root?
So, sudo -l will list the things you can run with the super user. Super user do. And it says user ctf may run the following commands on this machine. Without a password, you can run as root vim with whatever file name here. That's fine. That just means we can sudo vim. It means that we can't sudo vim that command, like simply sudo vim, but you can sudo usr bin vim, home ctf, blah, blah, blah, hack me too. That is kind of just a little bit of a distraction in that, oh, you'll be like, oh, this file doesn't exist, but that command solely is what we can run with sudo. So, I wouldn't be able to run sudo that without a password just like I'm doing, or sudo that anything because it needs to be strictly that command that we've seen in sudo -l. So, don't let that confuse you, but sure, when we open this up, it'll be like, hey, that file doesn't exist. That doesn't matter. We're still inside vim right now, so we can do a lot of cool things because vim has got some neat tricks to break out of vim or run commands or run shell commands within vim. With vim, looks like it has some exclamation point stuff. That will run last command from history or all into the current buffer. You can run commands like that. You can just like run bash even, and I've shown this before in I think some other videos, but run bash, bash shell. I'm trying to see if it'll get the current, the syntax that I'm looking for just so you can find it online, but oh, looks like they've got it. I don't want it. If you run just shell or sh while you're in the editor, you'll be placed in an interactive shell, and if that doesn't happen, like if you just type :sh or :shell, it doesn't give it to you, you can set shell like a variable, like if for some reason that's not set, you can set shell equal /bin/bash, and then you can just straight up run shell and it'll get you back to that root shell that we were just in. So, now we're root, right? Because we've escalated our privilege.
We were running vim as root, so now that we've executed bash through that, we are now root. So, let's check out the root flag, and we're done. That's it. That was the challenge. Not too difficult, but it needed the narrow point of sudo -l. What can I run as root? That's literally all you needed here. So, let's go ahead and grab this flag. If you wanted to take note of that, I'm gonna have to quit out of vim. So, if you need to quit out of vim, it's colon lowercase q exclamation point, so that force quits without saving. Like w would be to write. I don't care. You guys don't need to know that. You already know. You're already all smart. So, if you wanted to just jot down a solution, sudo -l, run vim shell and then cat /root/flag.txt. As the given command from sudo -l. That's also an important thing to note is that it needs to be strictly what sudo -l tells you. Even if that file doesn't exist, that's totally fine because you just need to be able to run vim without a password, because we wouldn't know the password for root otherwise. All right. That's that. That's that challenge. Not too hard, but good to know. So, let's mark that as complete. I'm not gonna write a get flag script for that because it needs to automate some ssh stuff and big vim buffers that I don't care to control. So, that's fine. Just know the mentality. Just know that methodology and you have gotten the moral of that CTF challenge. So, hey, thanks for watching, guys. If you like this video, please do like, comment, and subscribe. We have a small Discord server. That's what I played the CTF with, and we always do for lots of other CTF competitions, right? We hang in the voice chat, just have a great time, laugh and make stupid jokes. And there's a highlight reel coming up pretty soon, hopefully. I don't know. We've done that before for Xmas CTF, and I recorded while we were playing this. So, it's a lot of fun if you want to come join the community.
I highly encourage that, and I'd love to see you there. I do have a Patreon if you'd like to support me, as well as a PayPal. I am super duper grateful for each and every one of you that does. Thank you so much. But that's enough of me talking. Hope you guys enjoyed this. See you later.
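
Added example, not part of the video: a small audit for the misconfiguration this challenge is built on, run from the administrator's side. It parses `sudo -l` output and flags rules that run an interactive, shell-capable program such as vim without the `NOEXEC` tag, even when the rule pins the file argument. The sample output, the placeholder path and the `SHELL_CAPABLE` list are constructed assumptions.

```python
import posixpath
import re
import shlex

# Programs that can start a shell or run commands from inside their own UI.
# Assumed, non-exhaustive list for this example.
SHELL_CAPABLE = {"vim", "vi", "view", "nano", "less", "more", "man", "ed", "emacs"}

# A rule line in `sudo -l` output: "(runas) TAG: TAG: command, command"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample; the vim rule mirrors the shape described in the video,
# with a placeholder path instead of the challenge's real one.
SAMPLE = """\
User ctf may run the following commands on this machine:
    (root) NOPASSWD: /usr/bin/vim /home/ctf/EXAMPLE/placeholder-file
    (root) NOPASSWD: NOEXEC: /usr/bin/less /var/log/syslog
    (root) /usr/bin/id
"""

def audit_sudo_l(text):
    """Return rules that hand out a shell-capable program without NOEXEC."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults entries, blank lines
        # Simplification: tags on a line are applied to every command on it.
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(", "):
            argv = shlex.split(cmd)
            binary = posixpath.basename(argv[0])
            # Pinned arguments do not help: the escape happens inside the program.
            if binary in SHELL_CAPABLE and "NOEXEC" not in tags:
                findings.append({
                    "runas": m.group("runas").strip(),
                    "binary": binary,
                    "command": cmd,
                    "nopasswd": "NOPASSWD" in tags,
                })
    return findings

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        pw = "no password" if f["nopasswd"] else "password required"
        print(f"[!] {f['binary']} as {f['runas']} ({pw}): {f['command']}")
```

For rules that exist only to let a user edit one file, `sudoedit` runs the editor with the invoking user's privileges instead of root's, which removes the escape path this audit flags.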