THM Bebop Ctf Writeup

Introduction

This was a very simple albeit obsecure room, that whilst took little time - was enjoyable!

You can try it out yourself on the TryHackMe Platform!

I remember watching a DefCon video of a presentation regarding the various fun ways the presenter …And then I came across this same-styled room.

We are provided with a “codename” of “pilot”. Perhaps this is a login user name? Let’s enumerate and find out what’s what…

Enumeration

nmap -sV 10.10.102.82

Presents us with an SSH server on Port 22 as well as a Telnet server on Port 23.

I tried to login via SSH first using pilot as the username, and both bebop and pilot as the passwords to no avail.

Let’s give Telnet a whirl then!

Telnet

Ah-ha! We manage to login succcessfully, lets figure out where we are on the device.

Using a simple ls we can see user.txt, that’s the first flag!

Privilege Escalation for Root Flag

Very simple this one - although different! We need to see what permissions we do (or don’t) have…

sudo -l

We’re told we can run /usr/local/bin/busybox as root! Sweet. But what can we do with that?

Well actually…quite a lot. I’ve highlighted a few interesting ones. For example ls and cat. Sweet!

Let’s look for a root flag, perhaps /root/ would be a good place to start/

Bingo! There’s a file at the least, lets use cat and output what I hope to be the root flag!

Ta-dah!

Summary

It was a rather simple room, but creative nonetheless. It’s quite funny to think about the fact that Drones are flying root-boxes :)