[Hacking walkthrough] THM: Bebop

[Hacking walkthrough] THM: Bebop

Greeting there, it has been a while since my last update. Today, we are going for a simple and yet interesting tryhackme room, Bebop. This room is inspired by the recollection of DEFCON talk 23. Be sure to check the video up, it is informative on drone hacking. Without further ado, let’s fire up our drone and capture the flag.

Task 2: Capture the flags

We are going straight to task 2 and remember the codename for the room as you need it for the following task.

Task 2-1: User flag

As usual, fire up your Nmap scanning tool with the following command.

nmap -A -v <MACHINE IP>

Look like we have Port 22 (SSH) and Port 23 (Telnet) opened. A FreeBSD telnet on the machine? Intriguing. Since we do not have the login credential for the SSH, telnet might be the only way in.

telnet <Machine IP> 23

Well, look like we need a magic word to access the Freebsd shell. Still, remember our codename?

Viola, accessing the shell is much easier than I expected. Just like the description said, a flying shell. Let’s capture the user’s flag.

Piece of cake.

Answer: THM{r3m0v3_b3f0r3_fl16h7}

Task 2-2: Root flag

Time to capture the root flag. Let see what can user pilot do with sudo.

After doing some research, I come across with this article. Basically, it is a ‘swiss knife’ of embedded Linux that contains more than 300 commands. This is due to embedded OS always come with limited resources. Since we have sudo privilege on busybox, we can literally do everything as a root user which includes cat command.

That’s it, you just root the box.

Answer: THM{h16hw4y_70_7h3_d4n63r_z0n3}

Task 3: Quiz

Just a small quiz here and I guess you can finish it up within few seconds.

Answer(Task_3-1): pilot
Answer(Task_3-2): busybox
Answer(Task_3-3): telnet
Answer(Task_3-4): FreeBSD

Conclusion

That’s all for the bebop challenge. If you are good at privesc, you should be able to complete the challenge within 1 minute. Until next time 😉

Share the knowledge

Leave a Reply