TryHackMe CTF
Hello guys,
"Who thought making a flying shell was a good idea??"
OK, let's jump right in.
Based on the information given in the room, the codename that is assigned to us is "pilot".
As always, I ran an Nmap scan on the target IP, and the results indicated that there are 2 ports open, port 22 and 23.
Because Telnet (port 23) is available, I decided to poke at it first before trying SSH on port 22. And I was able to log in and get a user shell via Telnet with the username "pilot" and without a password.
I was able to get the user flag. To escalate privileges to get a root shell I decided to enumerate a little more.
sudo -l
The above command revealed that the pilot user can run the busybox binary located at /user/local/bin with sudo with root privileges.
But this binary was not editable or replaceable by the pilot user. So, I turned to Google for some insight, and I found this on Wikipedia.
"BusyBox is a software suite that provides several Unix utilities in a single executable file. It runs in a variety of POSIX environments
such as Linux, Android, and FreeBSD, although many of the tools it provides are designed to work with interfaces provided by the Linux kernel.
It was specifically created for embedded operating systems with very limited resources. The authors dubbed it "The Swiss Army knife of Embedded
Linux", as the single executable replaces basic functions of more than 300 common commands."
So with that explanation, I decided to run the binary which displayed a list of commands that I can run using the "busybox".
Among the commands available in busybox, I can see "sh" which can be used to spawn a shell. Because we are running busybox with root privileges, the shell should
spawn with root privileges.
This way I was able to get root access and get the root flag.
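Seen from the defender's side, the weakness above is a sudo rule that grants a multi-call binary without argument limits. The following is an added example, not part of the original writeup: a small audit that flags such rules in sudoers-style text. The function name, the simplified parsing and the sample policy are assumptions made for illustration.

```python
import re

SHELLS = {"sh", "bash", "ash", "dash", "zsh", "csh", "tcsh", "ksh"}
BUSYBOX_SHELL_APPLETS = {"sh", "ash"}  # busybox applets that spawn a shell
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
RULE = re.compile(r"^(?P<who>\S+)\s+\S+?\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")

def audit_sudoers(text):
    """Return (line, who, command, nopasswd, reason) for rules that yield a root shell."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # simplification: drops comments and #include
        m = None if line.startswith(SKIP) else RULE.match(line)
        if not m:
            continue
        runas = (m["runas"] or "root").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue
        nopasswd = False
        for spec in m["rest"].split(","):
            spec = spec.strip()
            # Tags such as NOPASSWD: prefix a command and carry over to later ones.
            while (tag := re.match(r"(\w+):\s*", spec)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag[1], nopasswd)
                spec = spec[tag.end():]
            cmd, *args = spec.split() or [""]
            name = cmd.rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "any command allowed"
            elif name == "busybox" and (not args or args[0] in BUSYBOX_SHELL_APPLETS):
                reason = "multi-call binary: sh applet reachable"
            elif name in SHELLS:
                reason = "direct shell"
            else:
                continue
            findings.append((lineno, m["who"], cmd, nopasswd, reason))
    return findings

# Constructed sample policy; the pilot path is copied as written in the writeup.
SAMPLE = """\
# constructed sudoers sample
Defaults env_reset
pilot ALL=(root) /user/local/bin/busybox
backup ALL=(root) NOPASSWD: /usr/local/bin/busybox tar, /usr/bin/uptime
ops ALL = NOPASSWD: /usr/bin/uptime, /bin/sh
www ALL=(nobody) /bin/sh
"""

if __name__ == "__main__": print(*audit_sudoers(SAMPLE), sep="\n")
```

A rule that pins busybox to one applet is not reported here, which only means the sh applet is not directly granted; such applets still need their own review.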
I hope you liked the writeup and enjoyed the room. BIG thanks to TryHackMe and the creators of the
"Bebop (Who thought making a flying shell was a good idea?)" challenge. Let's meet through another writeup in the future.
Happy Hacking..! :)