# Description

Our team has gained limited access to an important system, can you help us escalate our privilege and find the flag?

`ssh [email protected]`

# Solution

In the server, you will find the file `HackMe`. It is an executable with SUID, which means it is executed with root privileges. Our objectif is to print the content of `/root/flag.txt`.

If you run the program, you get the output `Yadayadayada`. What is that? Better check its source. There is probably a better way to do it, but a good old `strings HackMe` will do the work. Without all the gibberish, you can find `head /var/log/auth.log`.

And indeed, if you execute this command, you get `Yadayadayada`. All we need to do is divert `head` so the program will run what it thinks is `head` with root privilege.

First, create a fake `head` with `echo bash > head`. But `HackMe` won't execute this file unless it finds it in the PATH variable. So let's modify the PATH variable with `PATH=/home/ctf:$PATH`. Finally, our script must be executable: `chmod +x head`.

That's it. When you run `HackMe`, it will execute our `head` and launch bash with root privilege.

`cat /root/flag.txt` yields `MCA{ON5cahqu4ooguaw}`.

Original writeup (https://github.com/swag-wafu/mitre-2019/blob/master/Getting%20A%20Head.md).