This was a very simple albeit obsecure room, that whilst took little time - was enjoyable!
I remember watching a DefCon video of a presentation regarding the various fun ways the presenter …And then I came across this same-styled room.
We are provided with a “codename” of “pilot”. Perhaps this is a login user name? Let’s enumerate and find out what’s what…
nmap -sV 10.10.102.82
Presents us with an SSH server on Port 22 as well as a Telnet server on Port 23.
I tried to login via SSH first using pilot as the username, and both bebop and pilot as the passwords to no avail.
Let’s give Telnet a whirl then!
Ah-ha! We manage to login succcessfully, lets figure out where we are on the device.
Using a simple
ls we can see user.txt, that’s the first flag!
Privilege Escalation for Root Flag
Very simple this one - although different! We need to see what permissions we do (or don’t) have…
We’re told we can run /usr/local/bin/busybox as root! Sweet. But what can we do with that?
Well actually…quite a lot. I’ve highlighted a few interesting ones. For example
Let’s look for a root flag, perhaps /root/ would be a good place to start/
Bingo! There’s a file at the least, lets use
cat and output what I hope to be the root flag!
It was a rather simple room, but creative nonetheless. It’s quite funny to think about the fact that Drones are flying root-boxes :)