Hello. I’m Rahmos. Here is my Biohazard — TryHackMe — WriteUp. Check it out!
First, deploy the machine and nmap for opened ports:
nmap -A -T4 -p- -v <ip>
There’re 3 ports opened: 21(FTP), 22(SSH), 80(HTTP).
Let’s access the website:
So the team name will be “STARS alpha team”.
Next, access mansion at /mainsionmain
Hmm, view page source? (Ctrl + U)
Another hidden dir: /diningRoom/. Access it:
Now I’ve got the 1st emblem flag.
Refresh /diningRoom, paste the emblem flag above.
Then, page source:
It’s a base64 encoded string. Put it to this link to decode:
It’s another hidden dir. Access /teaRoom/:
It’s the 2nd Lock pick flag.
Next, access /artRoom/:
It’s a list of hidden room. Let’s visit each room to find the flags. First, /barRoom:
It can be open by a lockpick. So let’s paste the lock pick flag above and “submit”:
Hmmm I haven’t known the piano flag yet. So let’s “READ”:
Looks like it’s encoded with base32. Again, decode:
Now I’ve got the music sheet flag.
Copy the flag and paste to “play the piano”:
It leads me to a SecretBarRoom. Click “YES”:
It’s the gold emblem flag. It told me to refresh the previous page, so let’s back and refresh:
Well paste the emblem flag into it and submit (the first emblem, not the gold emblem):
Looks like a name? What to do with this name? Look at the hint:
The “slot” reminds me of /diningRoom/:
Well back then, I’ve put the emblem flag into it, so this time let’s try to put the gold emblem flag:
Ah yes, it gave me another encoded string. It’s encoded with Vigenere. In order to decode, I need a key. Let’s try with the name “rebecca” I found above:
Well now I know where the shield key is. Let’s access it:
I’ve got the shield key flag.
Next, let’s access /diningRoom2F:
Another Caesar Cipher encoded string. Decode it:
Ok so the gem is in the diningRoom 1st floor. Access:
I’ve got the blue gem flag.
Next, access /tigerStatusRoom:
Paste the blue gem flag into and submit:
I’ve got crest 1. It’s been encoded twice, so let’s decode it twice: from base64 and then base32:
So my crest 1 will be: RlRQIHVzZXI6IG
Next, access /galleryRoom:
Decode crest 2 from base32 and base58:
So my crest 2 will be: h1bnRlciwgRlRQIHBh
Next, access /armorRoom:
Paste the shield key flag into and submit:
Decode crest 3 from base64, from binary and from hex:
So my crest 3 will be: c3M6IHlvdV9jYW50X2h
Next, access /studyRoom/:
Well I haven’t got the helmet flag, so let’s skip this room.
Next, access /attic:
Well, paste the shield key flag and submit:
Decode crest 4 from base58 and from hex:
So my crest 4 will be: pZGVfZm9yZXZlcg==
Combine 4 crests, I’ve got the complete a base64 encoded string:
I’ve got the FTP username and password.
As I’ve got the FTP credential, let’s login to FTP:
See what files inside:
Get all the file by the cmd: “mget *”
Let’s read the content of ‘important.txt’:
So, the hidden dir will be: /hidden_closet/. Access it:
Well again, I need the helmet flag. It will be in the “helmet_key.txt.gpg”, but in order to decrypt gpg file, I need the password. Look at the hint:
So the password to decrypt will be inside the 3 photos. I will use steghide to extract data inside the 1st photo:
steghide extract -sf 001-key.jpg
Looks like it’s the 1st part of another encoded string: cGxhbnQ0Ml9jYW
Next, I’ll use exiftool to see the metadata of 2nd photo:
Another part: 5fYmVfZGVzdHJveV9
Next, use binwalk for the 3rd photo:
Ok, so there’s key-003.txt compressed inside. Again, use binwalk to decompress:
binwalk -e 003-key.jpg
And here’s the content of key-003.txt: 3aXRoX3Zqb2x0
Combine 3 keys, I’ve got the string:
Decode this string from base64:
I’ve got the gpg password. Decrypt the helmet_key.txt.gpg with that password:
gpg — decrypt helmet_key.txt.gpg
I’ve got the helmet flag.
As I’ve got the helmet flag, I can access the /hidden_closet and /studyRoom.
First, let’s check /hidden_closet:
So the leader of STARTS will be: Enrico
I’ve got the SSH password: T_virus_rules
Another Vigenere encoded string. I haven’t known the key, so let’s skip it.
Next, access /studyRoom:
When you click “EXAMINE”, it will download a tar file. Extract the file and you’ll have the ssh user:
As I’ve got the SSH credential, let’s login to SSH:
Move around to view files:
Ok so I found Chris at .jailcell
So, the traitor is Weasker. Also, I’ve got the key to decrypt the Vigenere Cipher above: albert. Let’s decode it:
I’ve got the password for Weasker: stars_members_are_my_guinea_pig
Let’s su weasker and view files inside his home:
The name of the ultimate form is: Tyrant
Now I’ll find a way to own root and get the final flag. First, sudo -l to see if weasker can run sudo:
Well, weasker can run any commands as sudo! Let’s get the final root flag: