Biohazard — TryHackMe — WriteUp

Hello. I’m Rahmos. Here is my Biohazard — TryHackMe — WriteUp. Check it out!


First, deploy the machine and scan it with nmap for open ports:

nmap -A -T4 -p- -v <ip>


There are 3 open ports: 21 (FTP), 22 (SSH), 80 (HTTP).

Let’s access the website:


So the team name will be “STARS alpha team”.


Next, access the mansion at /mansionmain/


Hmm, view page source? (Ctrl + U)

page source mansion

Another hidden dir: /diningRoom/. Access it:


Click “YES”:

emblem flag

Now I’ve got the 1st emblem flag.

Refresh /diningRoom/ and paste the emblem flag above.

Then view the page source:

page source diningRoom

It’s a base64-encoded string. Decode it with a base64 decoder:


It’s another hidden dir. Access /teaRoom/:


Click ‘Lockpick’:

lockpick flag

It’s the lock pick flag (the 2nd flag).

Next, access /artRoom/:




It’s a list of hidden rooms. Let’s visit each one to find the flags. First, /barRoom/:


It can be opened with a lockpick, so paste the lock pick flag above and “submit”:

Hmm, I don’t have the piano flag yet, so let’s “READ”:


Looks like a base32-encoded string. Again, decode it:

music sheet flag

Now I’ve got the music sheet flag.

Copy the flag and paste it into “play the piano”:

It leads to a SecretBarRoom. Click “YES”:

gold emblem flag

It’s the gold emblem flag. The page tells me to refresh the previous page, so let’s go back and refresh:

Paste the emblem flag (the first emblem, not the gold emblem) into it and submit:

It looks like a name. What to do with it? Look at the hint:


The “slot” reminds me of /diningRoom/:

Earlier I put the emblem flag into it, so this time let’s try the gold emblem flag:

It gives me another encoded string, this time a Vigenère cipher. To decrypt it I need a key; let’s try the name “rebecca” found above:


Now I know where the shield key is. Let’s access it:



I’ve got the shield key flag.

Next, let’s access /diningRoom2F:


Page source?

page source diningRoom2F

Another encoded string, this time a Caesar cipher. Decode it:

Caesar Cipher decode

OK, so the gem is in the dining room on the 1st floor, i.e. /diningRoom/. Access it:


blue jewel flag

I’ve got the blue gem flag.

Next, access /tigerStatusRoom:


Paste the blue gem flag in and submit:

crest 1

I’ve got crest 1. It’s been encoded twice, so decode it twice: from base64 first, then from base32:

crest 1 decoded

So my crest 1 will be: RlRQIHVzZXI6IG

Next, access /galleryRoom:



crest 2

Decode crest 2 from base32, then from base58:

crest 2 decoded

So my crest 2 will be: h1bnRlciwgRlRQIHBh

Next, access /armorRoom:


Paste the shield key flag in and submit:


crest 3

Decode crest 3 from base64, then from binary, then from hex:

crest 3 decoded

So my crest 3 will be: c3M6IHlvdV9jYW50X2h

Next, access /studyRoom/:


I don’t have the helmet flag yet, so skip this room for now.

Next, access /attic:


Paste the shield key flag and submit:


crest 4

Decode crest 4 from base58, then from hex:

crest 4 decoded

So my crest 4 will be: pZGVfZm9yZXZlcg==

Combining the 4 crests gives the complete base64-encoded string:

RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==

Decode it:

FTP creds

I’ve got the FTP username and password.
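As an added example (my own code, not the writeup's), here is a small Python decoder for the layered crest encodings above: it peels each room's layers in the order given, joins the four fragments, and strips the outer base64 layer that spans all of them. It also covers the plain base64 and base32 decodes from the earlier rooms, since those are just one-step chains. Base58 is implemented by hand with the Bitcoin alphabet that CyberChef defaults to (an assumption; the page does not say which alphabet was used). Because the encoded crests on the page exist only as screenshots, the sample blobs are rebuilt by re-encoding the known fragments through the same layers, so they are constructed input rather than the room's exact strings.

```python
import base64

# Bitcoin-style base58 alphabet (CyberChef's default; assumed to match the room).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    # Each leading zero byte is represented by a leading '1'.
    zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * zeros + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + body


# One encoder/decoder per layer name used in the walkthrough.
ENCODERS = {
    "base64": lambda b: base64.b64encode(b).decode(),
    "base32": lambda b: base64.b32encode(b).decode(),
    "base58": b58encode,
    "hex": lambda b: b.hex(),
    "binary": lambda b: " ".join(f"{x:08b}" for x in b),  # space-separated octets
}
DECODERS = {
    "base64": lambda s: base64.b64decode(s),
    "base32": lambda s: base64.b32decode(s),
    "base58": b58decode,
    "hex": bytes.fromhex,
    "binary": lambda s: bytes(int(octet, 2) for octet in s.split()),
}


def decode_chain(text: str, steps) -> str:
    """Peel the layers in the order given, outermost first:
    ["base64", "base32"] means base64-decode, then base32-decode the result."""
    data = text.encode()
    for step in steps:
        data = DECODERS[step](data.decode())
    return data.decode()


def encode_chain(text: str, steps) -> str:
    """Inverse of decode_chain (used here only to build the sample input)."""
    data = text.encode()
    for step in reversed(steps):
        data = ENCODERS[step](data).encode()
    return data.decode()


# Decoded fragments and the decode order the walkthrough gives for each room.
CRESTS = [
    ("RlRQIHVzZXI6IG", ["base64", "base32"]),               # tigerStatusRoom
    ("h1bnRlciwgRlRQIHBh", ["base32", "base58"]),           # galleryRoom
    ("c3M6IHlvdV9jYW50X2h", ["base64", "binary", "hex"]),   # armorRoom
    ("pZGVfZm9yZXZlcg==", ["base58", "hex"]),               # attic
]

# Constructed sample input: the page shows the encoded crests only as screenshots,
# so they are rebuilt here by re-encoding the fragments through the same layers.
ENCODED_CRESTS = [(encode_chain(plain, steps), steps) for plain, steps in CRESTS]


def recover_ftp_creds(encoded_crests) -> str:
    """Decode every crest through its own layers, join them in room order,
    then strip the outer base64 layer that spans all four pieces."""
    joined = "".join(decode_chain(blob, steps) for blob, steps in encoded_crests)
    return base64.b64decode(joined).decode()


if __name__ == "__main__":
    for blob, steps in ENCODED_CRESTS:
        print(f"{' -> '.join(steps):>24}: {blob}")
    print(recover_ftp_creds(ENCODED_CRESTS))
```

The order matters: the page says "from base64 and then base32", which means the base64 layer is on the outside, so it is removed first. Swapping two layers in `steps` produces garbage or a decode error rather than a wrong-but-plausible string, which is a quick way to confirm you have the chain right.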


With the FTP credentials in hand, let’s log in to FTP:

FTP login

See what files are inside:


Get all the files with the command: mget *

Let’s read the content of ‘important.txt’:


So, the hidden dir will be: /hidden_closet/. Access it:


Again I need the helmet flag. It will be in “helmet_key.txt.gpg”, but to decrypt the gpg file I need the passphrase. Look at the hint:


So the passphrase is hidden across the 3 photos. I’ll use steghide to extract the data embedded in the 1st photo:

steghide extract -sf 001-key.jpg


Looks like it’s the 1st part of another encoded string: cGxhbnQ0Ml9jYW

Next, I’ll use exiftool to see the metadata of the 2nd photo:

exiftool 002-key.jpg


Another part: 5fYmVfZGVzdHJveV9

Next, use binwalk on the 3rd photo:

binwalk 003-key.jpg


OK, so there’s a key-003.txt compressed inside. Again, use binwalk to extract it:

binwalk -e 003-key.jpg

And here’s the content of key-003.txt: 3aXRoX3Zqb2x0


Combining the 3 keys, I’ve got the string: cGxhbnQ0Ml9jYW5fYmVfZGVzdHJveV93aXRoX3Zqb2x0


Decode this string from base64:


I’ve got the gpg passphrase: plant42_can_be_destroy_with_vjolt. Decrypt helmet_key.txt.gpg with it:

gpg --decrypt helmet_key.txt.gpg

helmet flag

I’ve got the helmet flag.
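Two of the three photo steps above come down to parsing the JPEG container: exiftool's Comment output is the payload of a COM marker segment, and binwalk's "file at non-zero offset" finding is data appended after the End-Of-Image marker. As an added example (my own code, not from the writeup or the room), here is a Python marker walker that recovers both and then assembles the passphrase. The steghide step is not reproduced, since that is LSB embedding inside the image data rather than container structure. The sample JPEGs are constructed skeletons, not real photos, and the appended archive is assumed to be gzip because the page does not say what format binwalk reported.

```python
import base64
import gzip
import struct

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE
GZIP_MAGIC = b"\x1f\x8b"


def parse_jpeg(blob: bytes):
    """Walk the JPEG marker segments. Returns (comments, trailing):
    comments are the COM segment payloads (what exiftool reports as 'Comment'),
    trailing is everything after the End-Of-Image marker, which is where an
    appended archive (what binwalk flags at a non-zero offset) ends up."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    comments = []
    pos = 2
    while pos + 2 <= len(blob):
        (marker,) = struct.unpack(">H", blob[pos:pos + 2])
        if marker == EOI:
            return comments, blob[pos + 2:]
        if marker >> 8 != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}, got {marker:#06x}")
        if 0xFFD0 <= marker <= 0xFFD7 or marker == 0xFF01:  # RSTn / TEM: no length field
            pos += 2
            continue
        if pos + 4 > len(blob):
            raise ValueError(f"truncated segment header at offset {pos}")
        (seg_len,) = struct.unpack(">H", blob[pos + 2:pos + 4])
        payload = blob[pos + 4:pos + 2 + seg_len]
        pos += 2 + seg_len
        if marker == COM:
            comments.append(payload.decode("latin-1"))
        elif marker == SOS:
            # Entropy-coded data follows with no length field: skip to the next real
            # marker. 0xFF00 is byte stuffing and 0xFFD0-D7 are restart markers.
            while pos + 1 < len(blob):
                if blob[pos] == 0xFF and blob[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def carve_gzip(trailing: bytes) -> bytes:
    """Recover the appended file. Assumption: it is a gzip member (the page does
    not say which format binwalk reported); other magics need their own branch."""
    idx = trailing.find(GZIP_MAGIC)
    if idx < 0:
        raise ValueError("no gzip member after EOI")
    return gzip.decompress(trailing[idx:])


def build_sample_jpeg(comment: str, appended: bytes = b"") -> bytes:
    """Constructed fixture, not a real photo: SOI, a COM segment, a fake SOS whose
    scan data contains a stuffed 0xFF00 and a restart marker (which the parser
    must not confuse with EOI), EOI, then an optional appended gzip."""
    com = struct.pack(">HH", COM, 2 + len(comment)) + comment.encode("latin-1")
    sos = struct.pack(">HH", SOS, 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    tail = gzip.compress(appended) if appended else b""
    return b"\xff\xd8" + com + sos + scan + b"\xff\xd9" + tail


# Part 1 came out of steghide's LSB embedding, which is not reproduced here;
# parts 2 and 3 are what the metadata comment and the appended archive held.
KEY_PART_1 = "cGxhbnQ0Ml9jYW"
SAMPLE_002 = build_sample_jpeg("5fYmVfZGVzdHJveV9")                        # exiftool case
SAMPLE_003 = build_sample_jpeg("constructed sample", b"3aXRoX3Zqb2x0\n")  # binwalk case


def recover_gpg_passphrase(part1: str, jpeg2: bytes, jpeg3: bytes) -> str:
    comments, _ = parse_jpeg(jpeg2)
    _, trailing = parse_jpeg(jpeg3)
    part3 = carve_gzip(trailing).decode().strip()
    return base64.b64decode(part1 + comments[0] + part3).decode()


if __name__ == "__main__":
    print(recover_gpg_passphrase(KEY_PART_1, SAMPLE_002, SAMPLE_003))
```

The scan-data loop is the part that matters for real files: a naive search for `FF D9` can stop early on a stuffed `FF 00` or a restart marker inside the compressed image data and report "trailing data" that is really still part of the picture. Anything returned in `trailing` by this walker is genuinely outside the JPEG and worth a second look.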


With the helmet flag, I can now access /hidden_closet/ and /studyRoom/.

First, let’s check /hidden_closet:


So the leader of STARS is: Enrico



I’ve got the SSH password: T_virus_rules



Another Vigenère-encrypted string. I don’t know the key yet, so let’s skip it for now.

Next, access /studyRoom:


Clicking “EXAMINE” downloads a tar file. Extract it and you’ll have the SSH user:

ssh user


With the SSH credentials, let’s log in:

ssh umbrella_guest@<ip>

ssh login

Look around for files:

ls -al

OK, so I found Chris in .jailcell:

Read “chris.txt”:


So the traitor is Weasker. I’ve also got the key for the Vigenère cipher above: albert. Let’s decrypt it:


I’ve got the password for Weasker: stars_members_are_my_guinea_pig
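Both Vigenère decrypts in this room (key "rebecca" in the dining room, key "albert" here) and the Caesar hint from /diningRoom2F are the same operation; a Caesar cipher is just a Vigenère with a one-letter key. As an added example, my own code rather than anything from the writeup, the block below implements that in Python with the CyberChef convention that non-letters such as the underscores in the flags pass through and do not consume a key letter. The ciphertexts on the page are screenshots, so the samples are constructed: the Weasker password enciphered under "albert", and a ROT13 of the dining-room hint.

```python
import re
import string

LOWER = string.ascii_lowercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenère over the Latin alphabet. Non-letters (the underscores in the
    room's flags) pass through unchanged and do not consume a key letter,
    matching CyberChef; letter case is preserved."""
    shifts = [LOWER.index(k) for k in key.lower() if k in LOWER]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            shift = shifts[i % len(shifts)]
            if decrypt:
                shift = -shift
            alphabet = LOWER if ch.islower() else LOWER.upper()
            out.append(alphabet[(alphabet.index(ch) + shift) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def caesar_bruteforce(ciphertext: str) -> dict:
    """A Caesar cipher is a Vigenère with a one-letter key, so try all 25."""
    return {shift: vigenere(ciphertext, LOWER[shift], decrypt=True) for shift in range(1, 26)}


def pick_readable(candidates: dict, wordlist=("the", "room", "floor", "gem", "key", "flag")) -> str:
    """Pick the rotation with the most hits from a small English wordlist.
    Good enough for a room hint; for arbitrary text use letter-frequency scoring."""
    def score(s: str) -> int:
        return sum(tok in wordlist for tok in re.findall(r"[a-z]+", s.lower()))
    return max(candidates.values(), key=score)


# Constructed samples (the page's ciphertexts are screenshots): the Weasker
# password enciphered under the key from chris.txt, and a ROT13'd version of
# the diningRoom2F hint.
WEASKER_CT = "sebvj_fexciil_acf_qp_zutoir_iir"
HINT_CT = "gur trz vf va gur qvavat ebbz ba gur svefg sybbe"

if __name__ == "__main__":
    print(vigenere(WEASKER_CT, "albert", decrypt=True))
    for shift, text in caesar_bruteforce(HINT_CT).items():
        print(f"{shift:2}: {text}")
    print("best:", pick_readable(caesar_bruteforce(HINT_CT)))
```

One caveat when a decode "almost" works: if the online tool you use advances the key on non-letters (some do), a flag with underscores decrypts to garbage after the first word even with the right key. Toggling that one behaviour is the first thing to try before doubting the key.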

Let’s su to weasker and view the files in his home directory:

weasker’s home

Read weasker_note.txt:


The name of the ultimate form is: Tyrant

Now I’ll find a way to get root and the final flag. First, sudo -l to see what weasker can run with sudo:

sudo -l

weasker can run any command with sudo! Let’s grab the final root flag:


The end.


I’m Groot