Biohazard — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Biohazard — TryHackMe — WriteUp. Check it out!
TASK 1
First, deploy the machine and scan for open ports with nmap:
nmap -A -T4 -p- -v <ip>
There are 3 open ports: 21 (FTP), 22 (SSH), 80 (HTTP).
Let’s access the website:
So the team name will be “STARS alpha team”.
TASK 2
Next, access the mansion at /mainsionmain:
Hmm, let's view the page source (Ctrl + U):
Another hidden dir: /diningRoom/. Access it:
Click "YES":
Now I’ve got the 1st emblem flag.
Refresh /diningRoom and paste the emblem flag from above:
Then view the page source:
It's a base64-encoded string. Paste it into a base64 decoder:
It’s another hidden dir. Access /teaRoom/:
Click 'Lockpick':
It's the 2nd flag, the lock pick flag.
Next, access /artRoom/:
Click "YES":
It's a list of hidden rooms. Let's visit each room to find the flags. First, /barRoom:
It can be opened with a lockpick, so let's paste the lock pick flag from above and click "submit":
Hmm, I don't know the piano flag yet, so let's click "READ":
Looks like it's base32-encoded. Decode it again:
Now I’ve got the music sheet flag.
Copy the flag and paste it into "play the piano":
It leads me to a SecretBarRoom. Click “YES”:
It's the gold emblem flag. It told me to refresh the previous page, so let's go back and refresh:
Now paste the emblem flag into it and submit (the first emblem flag, not the gold emblem):
Looks like a name. What to do with it? Look at the hint:
The "slot" reminds me of /diningRoom/:
Earlier I put the emblem flag into it, so this time let's try the gold emblem flag:
It gave me another encoded string, this time a Vigenère cipher. To decode it I need a key; let's try the name "rebecca" found above:
Well now I know where the shield key is. Let’s access it:
http://<ip>/diningRoom/the_great_shield_key.html
I’ve got the shield key flag.
Next, let’s access /diningRoom2F:
View the page source:
Another Caesar cipher string. Decode it:
OK, so the gem is in the 1st-floor diningRoom. Access:
http://<ip>/diningRoom/sapphire.html
I’ve got the blue gem flag.
Next, access /tigerStatusRoom:
Paste the blue gem flag in and submit:
I've got crest 1. It's been encoded twice, so decode it twice: first from base64, then from base32:
So my crest 1 will be: RlRQIHVzZXI6IG
Next, access /galleryRoom:
Click "EXAMINE":
Decode crest 2 from base32, then from base58:
So my crest 2 will be: h1bnRlciwgRlRQIHBh
Next, access /armorRoom:
Paste the shield key flag in and submit:
Click "READ":
Decode crest 3 from base64, then from binary, then from hex:
So my crest 3 will be: c3M6IHlvdV9jYW50X2h
Next, access /studyRoom/:
I don't have the helmet flag yet, so let's skip this room for now.
Next, access /attic:
Well, paste the shield key flag and submit:
Click "READ":
Decode crest 4 from base58, then from hex:
So my crest 4 will be: pZGVfZm9yZXZlcg==
Combining the 4 crests gives the complete base64-encoded string:
RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==
Decode it:
I’ve got the FTP username and password.
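The crest steps above are the same operation repeated with different layers: peel off one encoding at a time, in the order listed, then join the four pieces and strip the final base64 layer. The Python below is an added example (not code from the write-up or from the room) that implements that chain for base64, base32, base58, hex and binary. The encoded crest screenshots are not reproduced here, so the chained decoding is shown on a constructed input that wraps crest 1 the way the page describes it (base32 inside base64); the final join uses the page's own four fragments. The base58 alphabet is assumed to be the Bitcoin one, which is what most decoders default to.

```python
import base64

# The four crest fragments exactly as the page recovers them. Each one is the
# output of its own decoding chain (noted on the right) and is a slice of a
# single base64 string; joined in order they give the FTP credentials.
CRESTS = [
    "RlRQIHVzZXI6IG",        # crest 1: base64, then base32
    "h1bnRlciwgRlRQIHBh",    # crest 2: base32, then base58
    "c3M6IHlvdV9jYW50X2h",   # crest 3: base64, then binary, then hex
    "pZGVfZm9yZXZlcg==",     # crest 4: base58, then hex
]

# Assumption: Bitcoin-style base58 alphabet (no stdlib support in Python).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode base58; leading '1' characters stand for leading zero bytes."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * zeros + body


def b32decode_lenient(s: str) -> bytes:
    """Base32 needs a multiple of 8 characters; re-add padding that a page
    or a careless copy-paste may have dropped."""
    return base64.b32decode(s.upper() + "=" * (-len(s) % 8))


DECODERS = {
    "base64": lambda s: base64.b64decode(s + "=" * (-len(s) % 4)),
    "base32": b32decode_lenient,
    "base58": b58decode,
    "hex": lambda s: bytes.fromhex(s.replace(" ", "")),
    "binary": lambda s: int(s.replace(" ", ""), 2).to_bytes(
        (len(s.replace(" ", "")) + 7) // 8, "big"
    ),
}


def decode_chain(data: str, steps) -> str:
    """Apply the named decoders in order: ["base64", "base32"] means
    base64-decode first, then base32-decode the result, which is the
    order the write-up lists for crest 1."""
    for step in steps:
        data = DECODERS[step](data.strip()).decode()
    return data


def layered_sample() -> str:
    """Constructed input: crest 1 wrapped as the page describes it
    (base32 inside base64), since the page shows only the decoded result."""
    return base64.b64encode(base64.b32encode(CRESTS[0].encode())).decode()


def ftp_credentials() -> str:
    """Join the four fragments and strip the final base64 layer."""
    return decode_chain("".join(CRESTS), ["base64"])


if __name__ == "__main__":
    print(decode_chain(layered_sample(), ["base64", "base32"]))  # crest 1 again
    print(ftp_credentials())
```

The padding helpers matter in practice: copy-pasting from a rendered page often loses trailing `=` characters, and base32 and base64 decoders reject unpadded input rather than guessing.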
TASK 3
Now that I have the FTP credentials, let's log in to FTP:
See what files are inside:
Download all the files with the command "mget *":
Let’s read the content of ‘important.txt’:
So, the hidden dir will be: /hidden_closet/. Access it:
Again I need the helmet flag. It will be in "helmet_key.txt.gpg", but to decrypt a gpg file I need the password. Look at the hint:
So the decryption password is hidden inside the 3 photos. I'll use steghide to extract data from the 1st photo:
steghide extract -sf 001-key.jpg
Looks like it’s the 1st part of another encoded string: cGxhbnQ0Ml9jYW
Next, I'll use exiftool to see the metadata of the 2nd photo:
exiftool 002-key.jpg
Another part: 5fYmVfZGVzdHJveV9
Next, use binwalk on the 3rd photo:
binwalk 003-key.jpg
OK, there's a key-003.txt compressed inside. Use binwalk again to extract it:
binwalk -e 003-key.jpg
And here’s the content of key-003.txt: 3aXRoX3Zqb2x0
Combining the 3 keys gives the string:
cGxhbnQ0Ml9jYW5fYmVfZGVzdHJveV93aXRoX3Zqb2x0
Decode this string from base64:
I’ve got the gpg password. Decrypt the helmet_key.txt.gpg with that password:
gpg --decrypt helmet_key.txt.gpg
I’ve got the helmet flag.
TASK 4
Now that I have the helmet flag, I can access /hidden_closet and /studyRoom.
First, let’s check /hidden_closet:
So the leader of STARS will be: Enrico
Click "EXAMINE":
I’ve got the SSH password: T_virus_rules
Click "READ":
Another Vigenère-encoded string. I don't know the key yet, so let's skip it for now.
Next, access /studyRoom:
Clicking "EXAMINE" downloads a tar file. Extract it and you'll have the SSH user:
TASK 5
Now that I have the SSH credentials, let's log in over SSH:
ssh umbrella_guest@<ip>
Look around the filesystem:
OK, I found Chris in .jailcell:
Read “chris.txt”:
So the traitor is Weasker. I've also got the key for the Vigenère cipher above: albert. Let's decode it:
I’ve got the password for Weasker: stars_members_are_my_guinea_pig
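Both Vigenère steps in this room (the "rebecca" one in the dining room and the "albert" one here) and the Caesar step in /diningRoom2F are the same cipher: each letter is shifted by the corresponding key letter, and Caesar is just the one-letter-key case. The Python below is an added example, not code from the write-up or the room. The room's ciphertext is not reproduced in the write-up, so the example constructs it from the plaintext and key given above and decrypts it back. One assumption is the example's own and worth knowing when an online decoder disagrees with you: non-letters (the underscores) are copied through and do not consume a key character.

```python
import string

ALPHABET = string.ascii_lowercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenere over a-z, case preserved. Assumption: only letters consume
    a key character; underscores, digits and spaces pass through unchanged."""
    shifts = [ALPHABET.index(k) for k in key.lower() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, ki = [], 0
    for ch in text:
        low = ch.lower()
        if low not in ALPHABET:
            out.append(ch)           # passthrough, key index does not advance
            continue
        shift = shifts[ki % len(shifts)]
        ki += 1
        if decrypt:
            shift = -shift
        new = ALPHABET[(ALPHABET.index(low) + shift) % 26]
        out.append(new.upper() if ch.isupper() else new)
    return "".join(out)


def caesar_all_shifts(text: str) -> dict:
    """Caesar is Vigenere with a single-letter key: try all 26 and let the
    reader pick the one that is English, as in the /diningRoom2F step."""
    return {shift: vigenere(text, ALPHABET[shift], decrypt=True)
            for shift in range(26)}


# Plaintext and key from the page; the ciphertext is constructed from them.
WEASKER_PASSWORD = "stars_members_are_my_guinea_pig"
KEY = "albert"


def constructed_ciphertext() -> str:
    return vigenere(WEASKER_PASSWORD, KEY)


if __name__ == "__main__":
    ct = constructed_ciphertext()
    print(ct)
    print(vigenere(ct, KEY, decrypt=True))
    print(caesar_all_shifts("khoor")[3])
```

If a decoder advances the key on every character instead, the same key gives a different plaintext from the first underscore onward, which is the usual reason a "correct" key appears not to work.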
Let's su to weasker and view the files in his home directory:
Read weasker_note.txt:
The name of the ultimate form is: Tyrant
Now I'll find a way to get root and the final flag. First, run sudo -l to see what weasker can run with sudo:
weasker can run any command with sudo! Let's get the final root flag:
The end.
HAPPY HACKING