Planet DesKel

DesKel's official page for CTF write-up, Electronic tutorial, review and etc.

11 August 2020

THM write-up: Bebop

2 minutes to read



Greeting there, it has been a while since my last update. Today, we are going for a simple and yet interesting tryhackme room, Bebop. This room is inspired by the recollection of DEFCON talk 23. Be sure to check the video up, it is informative on drone hacking. Without further ado, let’s fire up our drone and capture the flag.


Task 2: Capture the flags

We are going straight to task 2 and remember the codename for the room as you need it for the following task.

Task 2-1: User flag

As usual, fire up your Nmap scanning tool with the following command.

nmap -A -v <MACHINE IP>


Look like we have Port 22 (SSH) and Port 23 (Telnet) opened. A FreeBSD telnet on the machine? Intriguing. Since we do not have the login credential for the SSH, telnet might be the only way in.

telnet <Machine IP> 23


Well, look like we need a magic word to access the Freebsd shell. Still, remember our codename?


Viola, accessing the shell is much easier than I expected. Just like the description said, a flying shell. Let’s capture the user’s flag.

user flag

Piece of cake.

Task 2-2: Root flag

Time to capture the root flag. Let see what can user pilot do with sudo.


After doing some research, I come across with this article. Basically, it is a ‘swiss knife’ of embedded Linux that contains more than 300 commands. This is due to embedded OS always come with limited resources. Since we have sudo privilege on busybox, we can literally do everything as a root user which includes cat command.

root flag

That’s it, you just root the box.


That’s all for the bebop challenge. If you are good at privesc, you should be able to complete the challenge within 1 minute. Until next time ;)

tags: tryhackme - CTF - busybox

Thanks for reading. Follow my twitter for latest update

If you like this post, consider a small donation. Much appreciated. :)


© 2020 DesKel