What's going on, everybody? Hey, YouTube! What's up? I don't know. What's going on, everybody? Uh, I got the link up here. Wow. Hello, YouTube! What's up? Let's- What? God. Wow. I tried to do this intro like four different times now, so we're just gonna do the video.
Alright. We're looking at Linux 100 in MITRE CTF. Um, description is, our team has gained access, limited access to an important system. Can you help us escalate our privilege and find the flag? Challenge is called Getting Ahead, and we're given another SSH connection here, so let's jump in. Got a terminal open, let's make a directory 100 points, Getting Ahead. I don't know how much I like saying those words. You know what I'm saying? Um, let's get a little connect script going. Just some /bin/bash, shebang line. When- when your shebang line is the same- When your script is essentially the same length as the shebang line, as in it's only one line. Is it really a script?
Uh, so we've got this file here, HackMe, it's in red, so we know that there's a setuid binary set on it. It's owned by root, and owned by root, both user and group. So, looks like we're gonna be getting, uh, to use this binary to escalate our privileges, right? I'm assuming we need to read the flag, again, in root.flag, as we kind of discovered for the last challenge. Um, we'd use find name, like flag.txt, and that let us determine, okay, the file with a name flag.txt is in this directory, maybe not. I might- I might have closed that up a bit too- or maybe it's just not letting us look into forward slash root. You know what? Whatever. Let's do the thing.
We've got this binary that we can run with a forward slash, and it says yada, yada, yada, and that's it. So, let's do some basic, like, low-hanging fruit file reconnaissance on it. Let's just run strings, which thankfully we've- thankfully we've got. Uh, I'll scroll through some of this stuff, and that's about all that we have here. Same random binary information that we get.
I see the system command in here, though. The system function, so I'm assuming it's running a command, and it looks like head /var/log/auth.log is also in here. So, that's kind of peculiar. Is yada, yada, yada in here at all? No. Is var- oh, created a new terminal, my bad. Is /var/log/auth.log just simply yada, yada, yada? Okay, that's fine. So, we can assume right now that it's running the system function to call a command, or run a command. It's assuming it's running head.
So, where is head? It's in /usr/bin/head. Well, let's check out our path. We have /usr/bin, like, included in our path, you can see it over there, but we also have home CTF bin, or our current home directory, like a folder in our current home directory that we could just make, and that's in the very, very front of the path, so it'll execute that first, because it'll find the binaries that it's looking for, or the commands in that location first.
So, why not try and copy /bin/bash to this new bin directory that we made in our home directory, and let's call it head. So, we've essentially overwritten, we didn't overwrite the original file, but we put a temporary replica, super duper air quote replica, because it's not really the head command, it's just bash. It'll give us a shell when it tries to run this.
So, let's try and run HackMe, and it's funny, okay, we get an error, line one, yada, yada, yada, command not found. So, it looks like it's trying to run yada, yada, yada as well now, which is odd, because I'm assuming /bin/bash, and then the actual output of whatever that file is, so let's, you know what, okay, let's play along, let's copy /bin/bash to also in our bin directory, yada, yada, yada, because at this point, like, I don't care, shut up about your errors, just give me a shell. Run HackMe, and now, you can check it out, we are root at this container with our pound tag symbol, so run id, whoami, we're root, we got it, cool.
Let's move into the root directory, and there is the flag that for some reason, I mean, obviously, because we couldn't read the root's home directory, but now we can, because we are the root user, so let's cat that out, and we've got the flag. Sweet!
So, let's save this, create a little flag.txt file, a little bit of, like, notion to work in that, so not really the best thing to create a get flag script for, but we might as well jot down the solution, copy /bin/bash to, or let's make a directory for ourselves, write first home, make directory bin, copy /bin/bash, bin, head, it was the command that we wanted, right, and then yada, yada, yada, and then we can run HackMe, I think it had, yep, and then we can go ahead and cat root flag.txt, and that's the process that we ran through, so super quick, super small write-up that we just used to kind of remind us of the solution in case we ever have to go back to this again. I think that's super important, save all the work that you do in a capture the flag, in a Git repo, just like a data dump, it doesn't matter what you do.
Hey look, the other video just finished, oh you can't see it, because my face is in the way, dude, it's so much fun, YouTube is so much fun, oh my gosh, I'm having so much fun. Hey, if you liked this video, please do like, comment, and subscribe, join the Discord server, a cool community full of CTF players and programmers and hackers alike. Thanks everybody, see you later!
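Added example, not part of the video and not the challenge's source code: the root cause of the escalation above is a privileged program passing a bare command name to `system()`, so the invoking user's PATH decides which `head` runs. The sketch below puts that call, as inferred from the strings output, beside a hardened form; the function names and the fixed PATH value are assumptions.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern inferred in the video from the strings output: system() hands the
 * line to /bin/sh, which looks up the bare name "head" in the caller's PATH. */
int show_log_vulnerable(void) {
    return system("head /var/log/auth.log");
}

/* Hardened form (function name is hypothetical): no shell, absolute program
 * path only, and a fixed environment so nothing is inherited from the user. */
int run_fixed(const char *abs_path, char *const argv[]) {
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                      /* refuse names that need a PATH lookup */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    /* Report the child's exit code, or -1 if it died from a signal. */
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* /usr/bin/head is where the video locates the real head binary. */
    char *const argv[] = { "head", "/var/log/auth.log", NULL };
    return run_fixed("/usr/bin/head", argv);
}
```

With the hardened form, a `head` planted in a directory at the front of the user's PATH is never consulted, because no PATH lookup happens and the child does not see the caller's environment.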