Tryhackme - Biohazard

In this walkthrough, we will be going through the Biohazard room from Tryhackme. This room is rated as Medium on the platform and is based on the old-time survival horror game, Resident Evil. This was one of the most fun rooms I have ever played, as it involves puzzles, enumeration, exploitation, steganography, privilege escalation and much more. So, let’s get started without any delay.

Biohazard

Machine Info:

Title – Biohazard
IP address – 10.10.51.4
Difficulty – Medium
Objective – A CTF room based on the old-time survival horror game, Resident Evil. Can you survive until the end?

Task 1 – Introduction

Welcome to Biohazard room, a puzzle-style CTF. Collecting the item, solving the puzzle and escaping the nightmare is your top priority. Can you survive until the end?

Question 1 – Deploy the machine and start the nightmare

Done

Pinging the target

Question 2 – How many open ports?

  • Start off with a regular nmap scan, specifying the “-Pn” flag to skip host discovery via ICMP, “-sS” for a SYN scan and “-sV” for version detection. Found 3 ports open.

sudo nmap -Pn -sS -sV 10.10.178.120 

nmap scan

3

Question 3 – What is the team name in operation

  • Navigate to – http://10.10.178.120/

mansion

STARS alpha team

Task 2 – The Mansion

Collect all necessary items and advance to the next level. The format of the Item flag:

Item_name{32 character}

Some of the doors are locked. Use the item flag to unlock the door.

Where is the room

  • Check the page source. There is a hint: the room is /diningRoom.

dining room

  • Navigate to – http://10.10.178.120/diningRoom/

dining room

  • Take the emblem and keep it safe with you as it will be used later.

emblem value

  • I tried to put in the previously found emblem, however no luck.

emblem slot

Nothing happened

  • There is a string in the page source code which might be a valuable hint. It looks like a base64 encoded string.

base 64 string

  • Upon decoding it with Cyberchef, we got a hint for the /teaRoom/ directory.

teaRoom

  • Navigate to – http://10.10.178.120/teaRoom/

teaRoom

  • Capture the lock pick and keep it safe for later.

lock pick

  • Navigate to – http://10.10.178.120/artRoom/

artRoom

  • The paper stuck on the wall has a map of the mansion. This will come in handy while navigating around.

Mansion map

  • Navigate to – http://10.10.178.120/barRoom/ and use the lockpick.

lockpick

  • http://10.10.178.120/barRoom357162e3db904857963e6e0b64b96ba7/

moonlight sonata

  • Capture the musical note and decode it using Cyberchef. It is a base32 string.

music note

music note decode

moonlight sonata

  • Next, navigate to – http://10.10.178.120/barRoom357162e3db904857963e6e0b64b96ba7/barRoomHidden.php

  • We entered a Secret bar room.

gold emblem

  • Let’s take the gold emblem and keep it safe for later.

gold emblem

  • I tried the emblem again but nothing happened.

emblem slot

Nothing happened

  • Moving on, navigate to – http://10.10.178.120/diningRoom2F/

blue gem

ROT 13 decode

  • As per the hint from the above decoded text, go to – http://10.10.178.120/diningRoom/sapphire.html which gives us our blue jewel flag.

blue jewel

  • Examine the gallery – http://10.10.178.120/galleryRoom/

examine the note

  • There are hints provided about the two crests we need in order to move forward.

crest 2  encoded

  • Let’s start by decoding the encoded string in crest2 using Cyberchef. This gives us our crest 2 value.

crest 2

  • crest 2 – h1bnRlciwgRlRQIHBh

  • I visited the “Study room” but it is locked and requires a “helmet symbol”, which is embedded on the door. Moving on, I tried my luck on the “Armor room entrance” and the “Attic” entrance, but they are also locked and a shield symbol has been embedded on the door.

helmet symbol

shield symbol

  • I had already visited the “Tiger status room”; however, while using the blue jewel flag on it, I didn’t notice a space behind it, which is why it did not work at that time. I tried again, this time removing the space, and voila! I got something.

http://10.10.178.120/tigerStatusRoom/

tiger status room

crest 1 encoded

crest 1

  • crest 1 – RlRQIHVzZXI6IG

  • I went back to the “Secret bar room” as it was asking for an emblem to put it in the slot on the wall. I tried the first emblem flag and got a name – rebecca. Don’t know what to do with this.

  • Go to – http://10.10.178.120/barRoom357162e3db904857963e6e0b64b96ba7/barRoomHidden.php

  • emblem{fec832623ea498e20bf4fe1821d58727}

emblem slot

rebecca

  • After brainstorming with the older rooms, I went back to the “Dining room”; it also requires an emblem to fill the slot. I used the gold emblem we found in the “Secret Bar room” and, to my surprise, it worked. Now I have a series of strings to decode. Actually, it is encoded with the Vigenere algorithm. I used an online decoder to decode the string with a key. The key I tried was rebecca and it worked.

  • Go to – http://10.10.178.120/diningRoom/

  • gold_emblem{58a8c41a9d08b8a4e38d02a4d7ff4843}

emblem slot

emblem slot

Vigenere Decoder
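The decode step above (and the one used again on weasker’s note in Task 5) is plain Vigenère with a key taken from a clue found elsewhere in the mansion. The Python below is an added example, not the walkthrough’s or the online tool’s code: it implements the cipher, then tries a short list of candidate keys built from names that appear in the room and ranks the results by how English they look. The sample message and the candidate list are constructed for this example; the room’s real ciphertext is not reproduced.

```python
import string

ALPHABET = string.ascii_lowercase

# Candidate keys taken from names that appear in the room's story; the sample
# message below is constructed for this example, it is not the room's string.
CANDIDATE_KEYS = ["jill", "chris", "barry", "rebecca", "albert"]
SAMPLE_PLAINTEXT = "the great shield key is in the dining room, use it to open the armor room door"
COMMON_WORDS = {"the", "is", "in", "it", "to", "key", "room", "door", "use", "open"}


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter of text by the matching letter of key (a=0 ... z=25).
    Non-letters are copied through and do not consume a key letter, which is
    how most online decoders treat spaces and punctuation; case is preserved."""
    shifts = [ALPHABET.index(k) for k in key.lower() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, ki = [], 0
    for ch in text:
        low = ch.lower()
        if low not in ALPHABET:
            out.append(ch)
            continue
        shift = shifts[ki % len(shifts)]
        if decrypt:
            shift = -shift
        new = ALPHABET[(ALPHABET.index(low) + shift) % 26]
        out.append(new.upper() if ch.isupper() else new)
        ki += 1
    return "".join(out)


def score_english(text: str) -> int:
    """Crude plaintext score: how many common English words the text contains."""
    words = "".join(c if c.isalpha() else " " for c in text.lower()).split()
    return sum(1 for w in words if w in COMMON_WORDS)


def rank_keys(ciphertext: str, candidates):
    """Decrypt with every candidate key and sort by score, best first.
    Each result is (key, score, plaintext)."""
    results = []
    for key in candidates:
        plain = vigenere(ciphertext, key, decrypt=True)
        results.append((key, score_english(plain), plain))
    return sorted(results, key=lambda r: r[1], reverse=True)


# Encrypt the constructed message with the key the room hands out.
SAMPLE_CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, "rebecca")

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT)
    for key, score, plain in rank_keys(SAMPLE_CIPHERTEXT, CANDIDATE_KEYS):
        print(f"{key:8} score={score:2}  {plain}")
```

The ranking only needs a handful of common words to separate the right key from the wrong ones, because a wrong Vigenère key scrambles every letter rather than just shifting the whole text.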

  • Get the shield key – http://10.10.178.120/diningRoom/the_great_shield_key.html

shield key

  • Got into the Armor room entrance by navigating to http://10.10.178.120/armorRoom/ and using the shield key.

shield symbol

Read the note

  • Decode the encoded string corresponding to crest 3 and get its value.

crest 3  encoded

crest 3

  • crest 3 – c3M6IHlvdV9jYW50X2h

  • Got into the Attic entrance by navigating to http://10.10.178.120/attic/

  • Decode the encoded string corresponding to crest 4 and get its value.

crest 4 encoded

crest 4

  • crest 4 – pZGVfZm9yZXZlcg==

  • Now we have all four required crest parts. Let’s combine them to form the final string and then decode it to get the username and password for the FTP user, which will take us to the next stage.

  • Final – RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==

FTP creds

FTP username: hunter

FTP password: you_cant_hide_forever
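As an added example (not the walkthrough’s own code), the following Python shows why the four crests have to be joined before decoding: the cuts between them fall in the middle of base64’s 4-character groups, so a fragment decoded on its own either fails or comes out shifted by a few bits. The crest values are the ones collected above; the helper that pulls the credentials out of the decoded note is an assumption about its “label: value” layout.

```python
import base64
from typing import Optional

# The four crest fragments exactly as collected in the walkthrough, in order.
CRESTS = [
    "RlRQIHVzZXI6IG",        # crest 1 (tiger statue room)
    "h1bnRlciwgRlRQIHBh",    # crest 2 (gallery room)
    "c3M6IHlvdV9jYW50X2h",   # crest 3 (armor room)
    "pZGVfZm9yZXZlcg==",     # crest 4 (attic)
]


def decode_fragment_alone(fragment: str) -> Optional[bytes]:
    """Force-decode a single fragment by repairing its padding.

    Each base64 character carries 6 bits, so a fragment cut at an arbitrary
    position starts in the middle of a byte: crest 1 happens to decode to the
    first ten characters of the note, crest 2 to bytes shifted by half a byte.
    Returns None when the length cannot be valid base64 at all."""
    data = fragment.rstrip("=")
    if len(data) % 4 == 1:
        return None  # a single leftover character encodes only 6 bits
    padded = data + "=" * (-len(data) % 4)
    return base64.b64decode(padded)


def join_and_decode(fragments) -> str:
    """Concatenate the fragments in order, then decode once as a whole."""
    joined = "".join(fragments)
    if len(joined) % 4:
        raise ValueError(
            f"joined length {len(joined)} is not a multiple of 4: a fragment is missing or truncated"
        )
    return base64.b64decode(joined, validate=True).decode("utf-8")


def parse_credentials(text: str) -> dict:
    """Split a note such as 'FTP user: hunter, FTP pass: ...' into a dict.
    The comma-separated 'label: value' layout is assumed from the decoded note."""
    creds = {}
    for part in text.split(","):
        label, sep, value = part.partition(":")
        if sep and value.strip():
            creds[label.strip()] = value.strip()
    return creds


if __name__ == "__main__":
    for crest in CRESTS:
        print(f"{crest!r:24} alone -> {decode_fragment_alone(crest)!r}")
    note = join_and_decode(CRESTS)
    print("joined ->", note)
    print(parse_credentials(note))
```

Running it shows crest 1 alone yielding `b'FTP user: '` while crest 2 alone is non-ASCII garbage; only the joined string decodes to the full note.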

Question 1 – What is the emblem flag

emblem{fec832623ea498e20bf4fe1821d58727}

Question 2 – What is the lock pick flag

lock_pick{037b35e2ff90916a9abf99129c8e1837}

Question 3 – What is the music sheet flag

music_sheet{362d72deaf65f5bdc63daece6a1f676e}

Question 4 – What is the gold emblem flag

gold_emblem{58a8c41a9d08b8a4e38d02a4d7ff4843}

Question 5 – What is the shield key flag

shield_key{48a7a9227cd7eb89f0a062590798cbac}

Question 6 – What is the blue gem flag

blue_jewel{e1d457e96cac640f863ec7bc475d48aa}

Question 7 – What is the FTP username

hunter

Question 8 – What is the FTP password

you_cant_hide_forever

Task 3 – The guard house

After gaining access to the FTP server, you need to solve another puzzle.

  • Log into the FTP server with the credentials we got in the previous task and download all the files that exist on the server onto our local machine.

ftp login

ftp file download

wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ cat important.txt 
Jill,

I think the helmet key is inside the text file, but I have no clue on decrypting stuff. Also, I come across a /hidden_closet/ door but it was locked.

From,
Barry

cat important.txt

  • Used steghide to extract any hidden content within the image files. Got a hit with 001-key.jpg. It extracts a text file which contains a string.

wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ steghide --extract -sf 00
001-key.jpg  002-key.jpg  003-key.jpg  
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ steghide --extract -sf 001-key.jpg 
Enter passphrase: 
wrote extracted data to "key-001.txt".
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ steghide --extract -sf 002-key.jpg 
Enter passphrase: 
steghide: could not extract any data with that passphrase!
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ steghide --extract -sf 003-key.jpg 
Enter passphrase: 
steghide: could not extract any data with that passphrase!
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ ls
001-key.jpg  002-key.jpg  003-key.jpg  helmet_key.txt.gpg  important.txt  key-001.txt
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ cat key-001.txt 
cGxhbnQ0Ml9jYW

  • Next, used exiftool to find any juicy information hidden within the image metadata and got another string in the comment section.

cat key-001.txt

exiftool 002-key.jpg

exiftool 002-key.jpg

  • This time I used strings on the third image file but got no luck.

strings 003-key.jpg 

strings 003-key.jpg

  • So I tried binwalk, which extracted the text file. The file contains our third string.

wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ binwalk -e 003-key.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
1930          0x78A           Zip archive data, at least v2.0 to extract, uncompressed size: 14, name: key-003.txt
2124          0x84C           End of Zip archive, footer length: 22

wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ ls
001-key.jpg  002-key.jpg  003-key.jpg  _003-key.jpg.extracted  helmet_key.txt.gpg  important.txt  key-001.txt

wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ cd _003-key.jpg.extracted/
wh1terose@fsociety:~/CTF/TryHackme/Biohazard/_003-key.jpg.extracted$ ls
78A.zip  key-003.txt
wh1terose@fsociety:~/CTF/TryHackme/Biohazard/_003-key.jpg.extracted$ cat key-003.txt 
3aXRoX3Zqb2x0

binwalk

cat key-003.txt
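What binwalk did here is scan the JPEG for known file signatures and carve out the archive that starts at the reported offset. The Python below is an added example, not binwalk’s code or a file from the room: it constructs a stand-in for 003-key.jpg with the same layout binwalk printed (JFIF header at 0, zip at offset 1930, a 14-byte key-003.txt), finds the zip local-file-header signature and extracts the member with the standard library. The header and filler bytes are constructed; the real image is not reproduced.

```python
import io
import zipfile
from typing import Dict, List

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature that opens every zip member
JPEG_SOI = b"\xff\xd8"             # JPEG start-of-image marker


def build_sample_image() -> bytes:
    """Construct a stand-in for 003-key.jpg: a JFIF-style header, zero filler
    so the archive lands at offset 1930 as binwalk reported, then a stored zip
    holding key-003.txt (14 bytes). The real image is not reproduced here."""
    header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    filler = b"\x00" * (1930 - len(header))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("key-003.txt", "3aXRoX3Zqb2x0\n")
    return header + filler + buf.getvalue()


def find_embedded_zips(data: bytes) -> List[int]:
    """Return every offset at which a zip local file header signature occurs."""
    offsets: List[int] = []
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(ZIP_LOCAL_HEADER, pos + 1)
    return offsets


def carve_zip(data: bytes, offset: int) -> Dict[str, bytes]:
    """Open the archive that begins at offset and return {member name: bytes}.
    Slicing at the offset makes the archive's internal offsets line up again."""
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def extract_hidden_files(data: bytes) -> Dict[str, bytes]:
    """Rough equivalent of `binwalk -e` for zips appended to a JPEG: carve each
    signature hit, skipping ones that are not a readable archive (a chance
    'PK..' match inside compressed image data)."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: no start-of-image marker")
    found: Dict[str, bytes] = {}
    for off in find_embedded_zips(data):
        try:
            found.update(carve_zip(data, off))
        except zipfile.BadZipFile:
            continue
    return found


if __name__ == "__main__":
    sample = build_sample_image()
    print("zip signatures at offsets:", find_embedded_zips(sample))
    for name, content in extract_hidden_files(sample).items():
        print(f"{name}: {content!r}")
```

Because an appended archive still has a valid end-of-central-directory record, image viewers ignore it and the file renders as a normal picture, which is why `strings` showed nothing useful while a signature scan found it immediately.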

  • Key 1 + Key 2 + Key 3 = cGxhbnQ0Ml9jYW5fYmVfZGVzdHJveV93aXRoX3Zqb2x0

Cyberchef final key decode

  • Used gpg to decrypt the helmet_key.txt.gpg file with the above decoded password and got our flag.

gpg -d helmet_key.txt.gpg 

gpg helmet_key.txt.gpg

Question 1 – Where is the hidden directory mentioned by Barry

/hidden_closet/

Question 2 – Password for the encrypted file

plant42_can_be_destroy_with_vjolt

Question 3 – What is the helmet key flag

helmet_key{458493193501d2b94bbab2e727f8db4b}

Task 4 – The Revisit

Done with the puzzle? There are places you have explored before but yet to access.

  • Navigate to – http://10.10.178.120/hidden_closet/

helmet symbol

Read MO Disk1

MO_DISK1.txt

wolf_medal.txt

  • http://10.10.178.120/studyRoom/

helmet symbol

Examine the book

wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ tar -xvzf doom.tar.gz 
eagle_medal.txt
wh1terose@fsociety:~/CTF/TryHackme/Biohazard$ cat eagle_medal.txt 
SSH user: umbrella_guest

eagle_medal.txt

Question 1 – What is the SSH login username

umbrella_guest

Question 2 – What is the SSH login password

T_virus_rules

Question 3 – Who is the STARS bravo team leader

Enrico

Task 5 – Underground laboratory

Time for the final showdown. Can you escape the nightmare?

Vigenere Tool

Solve results

weasker_note.txt

umbrella_guest@umbrella_corp:/$ locate chris
/home/umbrella_guest/.jailcell/chris.txt
/usr/share/calendar/calendar.christian
umbrella_guest@umbrella_corp:/$ cat /home/umbrella_guest/.jailcell/chris.txt
Jill: Chris, is that you?
Chris: Jill, you finally come. I was locked in the Jail cell for a while. It seem that weasker is behind all this.
Jil, What? Weasker? He is the traitor?
Chris: Yes, Jill. Unfortunately, he play us like a damn fiddle.
Jill: Let's get out of here first, I have contact brad for helicopter support.
Chris: Thanks Jill, here, take this MO Disk 2 with you. It look like the key to decipher something.
Jill: Alright, I will deal with him later.
Chris: see ya.

MO disk 2: albert 

chris.txt

umbrella_guest@umbrella_corp:/$ su weasker
Password: 
weasker@umbrella_corp:/$ cd /root
bash: cd: /root: Permission denied
weasker@umbrella_corp:/$ sudo -l
[sudo] password for weasker: 
Matching Defaults entries for weasker on umbrella_corp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User weasker may run the following commands on umbrella_corp:
    (ALL : ALL) ALL
weasker@umbrella_corp:/$ sudo su
root@umbrella_corp:/# cd /root
root@umbrella_corp:~# ls
root.txt
root@umbrella_corp:~# cat root.txt 
In the state of emergency, Jill, Barry and Chris are reaching the helipad and awaiting for the helicopter support.

Suddenly, the Tyrant jump out from nowhere. After a tough fight, brad, throw a rocket launcher on the helipad. Without thinking twice, Jill pick up the launcher and fire at the Tyrant.

The Tyrant shredded into pieces and the Mansion was blowed. The survivor able to escape with the helicopter and prepare for their next fight.

The End

flag: 3c5794a00dc56c35f2bf096571edf3bf

root flag
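The `sudo -l` output above is the whole privilege escalation: `(ALL : ALL) ALL` lets weasker run any command as any user, so `sudo su` simply hands over a root shell. From an auditing point of view, that is the line to look for on every account. The Python below is an added example, not from the walkthrough: it parses a captured `sudo -l` listing and flags entries whose command spec is unrestricted. The listing is a constructed copy of the one above, plus one narrowly scoped line added here for contrast.

```python
import re
from typing import List, Tuple

# Constructed copy of the `sudo -l` output shown in the walkthrough, with one
# extra narrowly scoped entry added for contrast (not present on the box).
SAMPLE_SUDO_L = """\
Matching Defaults entries for weasker on umbrella_corp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User weasker may run the following commands on umbrella_corp:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# One privilege line: "(runas_user : runas_group) TAG: command ..."
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$"
)


def parse_sudo_l(output: str) -> List[Tuple[str, str, str]]:
    """Return (runas, tags, command) for each line in the 'may run' section.
    Everything before that header (the Defaults block) is ignored."""
    entries: List[Tuple[str, str, str]] = []
    in_section = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_section = True
            continue
        if not in_section:
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match["runas"].strip(), match["tags"].strip(), match["cmd"]))
    return entries


def unrestricted_entries(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Entries whose command spec is ALL: the user can start a root shell
    (sudo su, sudo -i, sudo bash) and no command allow-list applies."""
    return [e for e in entries if e[2] == "ALL"]


if __name__ == "__main__":
    found = parse_sudo_l(SAMPLE_SUDO_L)
    for runas, tags, cmd in found:
        print(f"runas={runas!r:12} tags={tags!r:10} cmd={cmd!r}")
    for entry in unrestricted_entries(found):
        print("UNRESTRICTED:", entry)
```

The fix on a real host is to replace the blanket `ALL` with the specific commands the account needs, which is what the second, constructed line illustrates; a scoped entry still deserves review (editors, interpreters and archivers can often be coaxed into a shell), but it no longer grants root by definition.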

Question 1 – Where did you find Chris

Jailcell

Question 2 – Who is the traitor

Weasker

Question 3 – The login password for the traitor

stars_members_are_my_guinea_pig

Question 4 – The name of the ultimate form

Tyrant

Question 5 – The root flag

3c5794a00dc56c35f2bf096571edf3bf

Conclusion:

So that was “Biohazard” for you. We started off with a regular nmap scan and found three ports open – 21 (FTP), 22 (SSH) and 80 (HTTP). By navigating to the web server on port 80, we found a hint about a directory called mansion. Getting there, we got a hint in the page source code for the /diningRoom directory. Moving on, we got the emblem, lock pick, music sheet, gold emblem, shield key and blue gem flags and, at last, the FTP username and password. We logged into the FTP server and downloaded all the files to our local machine. Next, we used steghide, exiftool and binwalk to extract hidden keys from the images. Combining the three keys and decoding them gives us a password. We used the password to decrypt the gpg file and got the helmet key flag. Moving on, we got an SSH password by posting the helmet symbol. At last, we escalated our privileges by exploiting a sudo misconfiguration and got the root flag and the ammunition for my AR15 to kill these half-dead bitches. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
