In this walkthrough, we will be going through the Biohazard room from TryHackMe. This room is rated Medium on the platform and is based on the old-time survival horror game, Resident Evil. This was one of the most fun rooms I have ever played, as it involves puzzles, enumeration, exploitation, steganography, privilege escalation and much more. So, let’s get started without any delay.
Machine Info:
Title | Biohazard
IP address | 10.10.51.4
Difficulty | Medium
Objective | A CTF room based on the old-time survival horror game, Resident Evil. Can you survive until the end?
Task 1 – Introduction
Welcome to Biohazard room, a puzzle-style CTF. Collecting the item, solving the puzzle and escaping the nightmare is your top priority. Can you survive until the end?
Question 1 – Deploy the machine and start the nightmare
Done
Question 2 – How many open ports?
- Start off with a regular nmap scan, specifying the “-Pn” flag to skip host discovery via ICMP, “-sS” for a SYN scan and “-sV” for version detection. Found 3 open ports.
sudo nmap -Pn -sS -sV 10.10.178.120
3
Question 3 – What is the team name in operation
- Navigate to – http://10.10.178.120/
STARS alpha team
Task 2 – The Mansion
Collect all necessary items and advance to the next level. The format of the item flag:
Item_name{32 character}
Some of the doors are locked. Use the item flag to unlock the door.
- Check the page source. There is a hint: the room is /diningRoom.
- Navigate to – http://10.10.178.120/diningRoom/
- Take the emblem and keep it safe with you as it will be used later.
- I tried to put in the previously found emblem, however no luck.
- There is a string in the page source code which might be a valuable hint. It looks like a base64-encoded string.
- Upon decoding it with CyberChef, we got a hint for the /teaRoom/ directory.
- Navigate to – http://10.10.178.120/teaRoom/
- Capture the lock pick and keep it safe for later.
- Navigate to – http://10.10.178.120/artRoom/
- The paper stuck on the wall has a map of the mansion. This will come in handy while navigating around.
- Navigate to – http://10.10.178.120/barRoom/ and use the lockpick.
- http://10.10.178.120/barRoom357162e3db904857963e6e0b64b96ba7/
- Capture the musical note and decode it using CyberChef. It is a base32 string.
- Next, navigate to – http://10.10.178.120/barRoom357162e3db904857963e6e0b64b96ba7/barRoomHidden.php
- We entered a Secret bar room.
- Let’s take the gold emblem and keep it safe for later.
- I tried the emblem again but nothing happened.
- Moving on, navigate to – http://10.10.178.120/diningRoom2F/
- As per the hint from the decoded text above, go to http://10.10.178.120/diningRoom/sapphire.html, which gives us our blue jewel flag.
- Examine the gallery – http://10.10.178.120/galleryRoom/
- There are hints provided about the two crests we need in order to move forward.
- Let’s start by decoding the encoded string in crest2 using CyberChef. This gives us our crest 2 value.
- crest 2 – h1bnRlciwgRlRQIHBh
- I visited the “Study room” but it is locked, and a “helmet symbol” is embedded on the door. Moving on, I tried my luck on the “Armor room entrance” and the “Attic” entrance, but they are also locked and a shield symbol has been embedded on the door.
- I had already visited the “Tiger status room”; however, while using the blue jewel flag on it, I didn’t notice a trailing space, so it did not work at that time. I tried again, this time removing the space, and voila! I got something.
http://10.10.178.120/tigerStatusRoom/
- crest 1 – RlRQIHVzZXI6IG
- I went back to the “Secret bar room”, as it was asking for an emblem to put in the slot on the wall. I tried the first emblem flag and got a name – rebecca. Don’t know what to do with this.
- Go to – http://10.10.178.120/barRoom357162e3db904857963e6e0b64b96ba7/barRoomHidden.php
- emblem{fec832623ea498e20bf4fe1821d58727}
- After brainstorming over the older rooms, I went back to the “Dining room”; it also requires an emblem to fill the slot. I used the gold emblem we found in the “Secret bar room” and, to my surprise, it worked. Now I have a series of strings to decode. Actually, it is encoded with the Vigenère cipher. I used an online decoder to decode the string with a key. The key I tried was rebecca and it worked.
- Go to – http://10.10.178.120/diningRoom/
- gold_emblem{58a8c41a9d08b8a4e38d02a4d7ff4843}
- Vigenere Decoder – https://www.boxentriq.com/code-breaking/vigenere-cipher
- Get the shield key – http://10.10.178.120/diningRoom/the_great_shield_key.html
- Got into the Armor room entrance by navigating to http://10.10.178.120/armorRoom/ and using the shield key.
- Decode the encoded string corresponding to crest 3 and get its value.
- crest 3 – c3M6IHlvdV9jYW50X2h
- Got into the Attic entrance by navigating to http://10.10.178.120/attic/
- Decode the encoded string corresponding to crest 4 and get its value.
- crest 4 – pZGVfZm9yZXZlcg==
- Now we have all four required crest parts. Let’s combine them to form the final string and then decode it to get the username and password for the FTP user, which will help us get to the next stage.
- Final – RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==
FTP username: hunter
FTP password: you_cant_hide_forever
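The dining room step above decoded the emblem text with an online Vigenère tool and the key rebecca. The Python below is an added example, not code from the original post: it implements the same decryption, with non-letters passed through untouched (as the linked decoder does). The sample ciphertext is constructed here by encrypting a made-up sentence with that key, because the room's own ciphertext is not reproduced above.

```python
import string

ALPHABET = string.ascii_uppercase


def vigenere(text, key, decrypt=False):
    """Shift each letter of `text` by the repeating letters of `key`.

    Non-letters are copied unchanged and do not consume a key letter,
    matching the behaviour of common online Vigenère decoders.
    """
    key = key.upper()
    out = []
    k = 0  # index into the key; advances only on letters
    for ch in text:
        if ch.isalpha():
            shift = ALPHABET.index(key[k % len(key)])
            if decrypt:
                shift = -shift
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample (not the string from the room): a made-up plaintext
# encrypted with the key recovered from the secret bar room, "rebecca".
SAMPLE_PLAINTEXT = "the shield key is in the dining room"
SAMPLE_CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, "rebecca")

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT)
    print("decrypted: ", vigenere(SAMPLE_CIPHERTEXT, "rebecca", decrypt=True))
```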
Question 1 – What is the emblem flag
emblem{fec832623ea498e20bf4fe1821d58727}
Question 2 – What is the lock pick flag
lock_pick{037b35e2ff90916a9abf99129c8e1837}
Question 3 – What is the music sheet flag
music_sheet{362d72deaf65f5bdc63daece6a1f676e}
Question 4 – What is the gold emblem flag
gold_emblem{58a8c41a9d08b8a4e38d02a4d7ff4843}
Question 5 – What is the shield key flag
shield_key{48a7a9227cd7eb89f0a062590798cbac}
Question 6 – What is the blue gem flag
blue_jewel{e1d457e96cac640f863ec7bc475d48aa}
Question 7 – What is the FTP username
hunter
Question 8 – What is the FTP password
you_cant_hide_forever
Task 3 – The guard house
After gaining access to the FTP server, you need to solve another puzzle.
- Log into the FTP server with the credentials we got in the previous task and download all the files that exist on the server onto our local machine.
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ cat important.txt
Jill, I think the helmet key is inside the text file, but I have no clue on decrypting stuff. Also, I come across a /hidden_closet/ door but it was locked.
From, Barry
- Used steghide to extract any hidden content within the image files. Got a hit with 001-key.jpg. It extracts a text file which contains a string.
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ steghide --extract -sf 00
001-key.jpg 002-key.jpg 003-key.jpg
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ steghide --extract -sf 001-key.jpg
Enter passphrase:
wrote extracted data to "key-001.txt".
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ steghide --extract -sf 002-key.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ steghide --extract -sf 003-key.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ ls
001-key.jpg  002-key.jpg  003-key.jpg  helmet_key.txt.gpg  important.txt  key-001.txt
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ cat key-001.txt
cGxhbnQ0Ml9jYW
- Next, used exiftool to find any juicy information hidden within the image metadata and got another string in the comment section.
exiftool 002-key.jpg
- This time I used strings on the third image file, but got no luck.
strings 003-key.jpg
- So I tried binwalk, which found and extracted a zip archive containing a text file. The file contains our third string.
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ binwalk -e 003-key.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
1930          0x78A           Zip archive data, at least v2.0 to extract, uncompressed size: 14, name: key-003.txt
2124          0x84C           End of Zip archive, footer length: 22

wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ ls
001-key.jpg  002-key.jpg  003-key.jpg  _003-key.jpg.extracted  helmet_key.txt.gpg  important.txt  key-001.txt
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ cd _003-key.jpg.extracted/
wh1terose@fsociety:~/CTF/TryHackme/Biohazard/_003-key.jpg.extracted$ ls
78A.zip  key-003.txt
wh1terose@fsociety:~/CTF/TryHackme/Biohazard/_003-key.jpg.extracted$ cat key-003.txt
3aXRoX3Zqb2x0
- Key 1 + Key 2 + Key 3 = cGxhbnQ0Ml9jYW5fYmVfZGVzdHJveV93aXRoX3Zqb2x0
- Used gpg to decrypt the helmet_key.txt file with the above decoded password and got our flag.
gpg -d helmet_key.txt.gpg
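Both the four crest strings from the mansion and the three image keys above are pieces of one base64 string, and base64 works in 4-character groups, so a piece that does not start on a group boundary cannot be decoded on its own. The Python below is an added example, not code from the original post: it reports where each fragment falls relative to that boundary, then joins, re-pads and decodes the whole string. The middle image key is not printed in the walkthrough, so it is taken from the combined Key 1 + Key 2 + Key 3 string above.

```python
import base64
import binascii

# The four crest values collected in the mansion (from the walkthrough above).
CREST_FRAGMENTS = [
    "RlRQIHVzZXI6IG",       # crest 1
    "h1bnRlciwgRlRQIHBh",   # crest 2
    "c3M6IHlvdV9jYW50X2h",  # crest 3
    "pZGVfZm9yZXZlcg==",    # crest 4
]

# The three image keys; the middle piece is the part of the combined string
# that sits between key-001.txt and key-003.txt.
IMAGE_KEY_FRAGMENTS = [
    "cGxhbnQ0Ml9jYW",       # key-001.txt (steghide)
    "5fYmVfZGVzdHJveV9",    # key 2 (exiftool comment), taken from the combined string
    "3aXRoX3Zqb2x0",        # key-003.txt (binwalk)
]


def fragment_alignment(fragments):
    """Return, per fragment, its start offset modulo 4 within the joined string.

    Only fragments at offset 0 can be decoded in isolation; the others begin
    in the middle of a 4-character group and decode to garbage on their own.
    """
    offsets, pos = [], 0
    for frag in fragments:
        offsets.append(pos % 4)
        pos += len(frag)
    return offsets


def decode_split_base64(fragments):
    """Join the fragments in order, restore padding and decode to text."""
    joined = "".join(fragments).rstrip("=")
    joined += "=" * (-len(joined) % 4)  # base64 length must be a multiple of 4
    try:
        return base64.b64decode(joined, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"fragments do not form a valid base64 string: {exc}") from exc


if __name__ == "__main__":
    print("crest offsets:", fragment_alignment(CREST_FRAGMENTS))
    print(decode_split_base64(CREST_FRAGMENTS))
    print(decode_split_base64(IMAGE_KEY_FRAGMENTS))
```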
Question 1 – Where is the hidden directory mentioned by Barry
/hidden_closet/
Question 2 – Password for the encrypted file
plant42_can_be_destroy_with_vjolt
Question 3 – What is the helmet key flag
helmet_key{458493193501d2b94bbab2e727f8db4b}
Task 4 – The Revisit
Done with the puzzle? There are places you have explored before but yet to access.
- Navigate to – http://10.10.178.120/hidden_closet/
- http://10.10.178.120/studyRoom/
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ tar -xvzf doom.tar.gz
eagle_medal.txt
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ cat eagle_medal.txt
SSH user: umbrella_guest
Question 1 – What is the SSH login username
umbrella_guest
Question 2 – What is the SSH login password
T_virus_rules
Question 3 – Who is the STARS bravo team leader
Enrico
Task 5 – Underground laboratory
Time for the final showdown. Can you escape the nightmare?
umbrella_guest@umbrella_corp:/$ locate chris
/home/umbrella_guest/.jailcell/chris.txt
/usr/share/calendar/calendar.christian
umbrella_guest@umbrella_corp:/$ cat /home/umbrella_guest/.jailcell/chris.txt
Jill: Chris, is that you?
Chris: Jill, you finally come. I was locked in the Jail cell for a while. It seem that weasker is behind all this.
Jil, What? Weasker? He is the traitor?
Chris: Yes, Jill. Unfortunately, he play us like a damn fiddle.
Jill: Let's get out of here first, I have contact brad for helicopter support.
Chris: Thanks Jill, here, take this MO Disk 2 with you. It look like the key to decipher something.
Jill: Alright, I will deal with him later.
Chris: see ya.
MO disk 2: albert
umbrella_guest@umbrella_corp:/$ su weasker
Password:
weasker@umbrella_corp:/$ cd /root
bash: cd: /root: Permission denied
weasker@umbrella_corp:/$ sudo -l
[sudo] password for weasker:
Matching Defaults entries for weasker on umbrella_corp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User weasker may run the following commands on umbrella_corp:
    (ALL : ALL) ALL
weasker@umbrella_corp:/$ sudo su
root@umbrella_corp:/# cd /root
root@umbrella_corp:~# ls
root.txt
root@umbrella_corp:~# cat root.txt
In the state of emergency, Jill, Barry and Chris are reaching the helipad and awaiting for the helicopter support. Suddenly, the Tyrant jump out from nowhere. After a tough fight, brad, throw a rocket launcher on the helipad. Without thinking twice, Jill pick up the launcher and fire at the Tyrant. The Tyrant shredded into pieces and the Mansion was blowed. The survivor able to escape with the helicopter and prepare for their next fight.
The End
flag: 3c5794a00dc56c35f2bf096571edf3bf
Question 1 – Where did you find Chris
Jailcell
Question 2 – Who is the traitor
Weasker
Question 3 – The login password for the traitor
stars_members_are_my_guinea_pig
Question 4 – The name of the ultimate form
Tyrant
Question 5 – The root flag
3c5794a00dc56c35f2bf096571edf3bf
Conclusion:
So that was “Biohazard” for you. We started off with a regular nmap scan and found three open ports – 21 (FTP), 22 (SSH) and 80 (HTTP). By navigating to the web server on port 80, we found a hint about a directory called mansion. Getting there, we got a hint in the page source code for the /diningRoom directory. Moving on, we got the emblem, lock pick, music sheet, gold emblem, shield key and blue gem flags, and at last the FTP username and password. We logged into the FTP server and downloaded all the files to our local machine. Next, we used steghide, exiftool and binwalk to extract the hidden keys from the images. Combining the three keys and decoding the result gives us a password. We used that password to decrypt the gpg file and got the helmet key flag. Moving on, we got an SSH password by posting the helmet symbol. At last, we escalated our privileges by exploiting a sudo misconfiguration and got the root flag and the ammunition for my AR15 to kill these half-dead bitches. On that note, I would take your leave and will meet you in the next one. Till then, “Happy hacking”.