A CTF room based on the old-time survival horror game, Resident Evil. Can you survive until the end?
Tags: cipher, base, stego, root
TryHackMe Difficulty: Medium
Link: https://tryhackme.com/room/biohazard
We’re breaking away from the normal boot-to-root style this time, as this room looked very interesting from the description. I loved the classic Resident Evil games, and I still do. I also love CTFs and the ‘out of the box’ thinking they usually require. I’ll be redacting a portion of each flag, which makes editing easier for me and lets you verify your own answers. URLs may not be fully redacted, so use them as a point of reference, not as a way to skip ahead. We have 5 sets of tasks to tackle. Let’s see what this is all about.
Task 1: Introduction – Welcome to Biohazard room, a puzzle-style CTF. Collecting the item, solving the puzzle and escaping the nightmare is your top priority. Can you survive until the end? If you have any question, do not hesitate to DM me on the discord channel.
Items:
- Deploy the machine and start the nightmare.
- How many open ports?
- What is the team name in operation?
We’ll start with an Nmap scan: -A for version detection, default scripts, OS detection and traceroute, and -p- for all 65535 TCP ports. If there are URLs we can’t find by hand, we’ll fall back to a Gobuster scan.
Nmap:
┌─[loki@parrot]─[~/OpenVPN]
└──╼ $nmap -A -p- 10.10.129.37
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-12 00:13 EST
Nmap scan report for 10.10.129.37
Host is up (0.088s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c9:03:aa:aa:ea:a9:f1:f4:09:79:c0:47:41:16:f1:9b (RSA)
| 256 2e:1d:83:11:65:03:b4:78:e9:6d:94:d1:3b:db:f4:d6 (ECDSA)
|_ 256 91:3d:e4:4f:ab:aa:e2:9e:44:af:d3:57:86:70:bc:39 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Beginning of the end
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.52 seconds
We’ve got 3 ports available to us. I expect that we’ll utilize FTP and SSH later, but we’ll manually enumerate the web server.
We start off with a nice picture of a derelict-looking mansion on the landing page... seems familiar.
July 1998, Evening
The STARS alpha team, Chris, Jill, Barry, Weasker and Joseph is in the operation on searching the STARS bravo team in the nortwest of Racoon city.
Unfortunately, the team was attacked by a horde of infected zombie dog. Sadly, Joseph was eaten alive.
The team decided to run for the nearby mansion and the nightmare begin……….
Task 1 items should now be complete.
Task 2: The Mansion – Collect all necessary items and advanced to the next level. The format of the Item flag: Item_name{32 character}. Some of the doors are locked. Use the item flag to unlock the door. Tips: It is better to record down all the information inside a notepad.
Items:
- What is the emblem flag?
- What is the lock pick flag?
- What is the music sheet flag?
- What is the gold emblem flag?
- What is the shield key flag?
- What is the blue gem flag?
- What is the FTP username?
- What is the FTP password?
Alrighty, looks like we’ve got a lot of items to find. Based on the game and experience with CTFs, I expect that some of these URLs will be unlocked by the flags we collect, and judging by the first one, Gobuster won’t serve us well here: the directory names are mixed-case, and the locked ones turn out to include flag values in their paths, so a wordlist won’t hit them. Every room will have to be found from a hint in the page or its source.
/mansionmain/ brings us to the Main Hall.
The team reach the mansion safe and sound. However, it appear that Chris is missing
Jill try to open the door but stopped by Weasker
Suddenly, a gunshot can be heard in the nearby room. Weaker order Jill to make an investigate on the gunshot. Where is the room?
We don’t have a link to go anywhere. Unless you’ve played the game, it could be anywhere. Knowing the answer up front, we could brute force the URL potentially. But, let’s consult CTF 101 – check the source.
<!– It is in the /diningRoom/ –>
/diningRoom/ brings us to…well, the Dining Room.
After reaching the room, Jill and Barry started their investigation
Blood stein can be found near the fireplace. Hope it is not belong to Chris.
After a short investigation with barry, Jill can’t find any empty shell. Maybe another room?
There is an emblem on the wall, will you take it? YES
/diningRoom/emblem.php gives us our emblem flag, and further instruction.
emblem{*****2623ea498e20bf4fe1821d58727}
Look like you can put something on the emblem slot, refresh /diningRoom/
Refreshing /diningRoom/, we have a change to our text and field to input a flag along with a submission button.
After reaching the room, Jill and Barry started their investigation
Blood stein can be found near the fireplace. Hope it is not belong to Chris.
After a short investigation with barry, Jill can’t find any empty shell. Maybe another room?
There is an emblem slot on the wall, put the emblem?
We just took the emblem (Wood Emblem), so that doesn’t go back here. Again, we find ourselves with no forward path. Source?
<!– ******Fib3V0IHRoZSAvdGVhUm9vbS8= –>
The mixed-case alphabet and the trailing “=” padding say base64. We can decode it 2 ways:
- echo (base64 string) | base64 -d
- Online decoder
Since I feel like we’ll be dealing a lot with these sorts of things, I recommend pulling up a resource like CyberChef. Let’s move on.
Our base64 decode gives us:
How about the /teaRoom/
Visiting /teaRoom/:
What the freak is this! This doesn’t look like a human.
The undead walk toward Jill. Without wasting much time, Jill fire at least 6 shots to kill that thing
In addition, there is a body without a head laying down the floor
After the investigation, the body belong to kenneth from Bravo team. What happened here?
After a jiff, Barry broke into the room and found out the truth. In addition, Barry give Jill a Lockpick.
Barry also suggested that Jill should visit the /artRoom/
Examining /teaRoom/master_of_unlock.html
lock_pick{*****5e2ff90916a9abf99129c8e1837}
Great. Let’s go check out the /artRoom/.
A number of painting and a sculpture can be found inside the room
There is a paper stick on the wall, Investigate it? YES
Examining /artRoom/MansionMap.html
Look like a map
Location:
/diningRoom/
/teaRoom/
/artRoom/
/barRoom/
/diningRoom2F/
/tigerStatusRoom/
/galleryRoom/
/studyRoom/
/armorRoom/
/attic/
Oof. We’ve got a lot to unpack now. Spoilers ahead, but I made small edits to the list to keep everything in order and in what order I visited them.
/diningRoom/ (Reference to /tearoom/) Room 2/Revisit after Room 5
/teaRoom/ (Lockpick, /tearoom/) Room 3
/artRoom/ (Map) Room 4
/barRoom/ (requires lock_pick) Room 5
/diningRoom2F/ (Blue Gem) Room 6
/tigerStatusRoom/ (use Blue Gem flag, crest 1) Room 7
/galleryRoom/ (crest 2) Room 8
/studyRoom/ (locked by helmet key)
/armorRoom/ (locked by shield key, crest 3)
/attic/ (shield key, crest 4)
/barRoom/ lands us at a door.
Look like the door has been locked
It can be open by a lockpick
[Enter Flag] {Submit}
We can use our obtained lockpick flag to enter, which takes us over to /barRoom*****2e3db904857963e6e0b64b96ba7/ (I enjoy the ability to not fully brute force the URLs, by the way).
what a messy bar room
A piano can be found in the bar room
Play the piano?
[Enter Flag] {Submit}
Also, you found a note that written as “moonlight somata”, read it? READ
We don’t have a flag for this room, yet.
Examining /barRoom*****2e3db904857963e6e0b64b96ba7/musicNote.html
Look like a music note
NV2XG2LDL5ZWQZLFOR5TGNRSMQ3TEZDFMFTDMNLGGVRGIYZWGNSGCZLDMU3GCMLGGY3TMZL5
The alphabet (only uppercase A to Z and the digits 2 to 7) marks this as base32. Decoding it gives us “music_sheet{*****2deaf65f5bdc63daece6a1f676e}”.
We should now be able to go back to the bar room, and play the piano.
Examining /barRoom*****2e3db904857963e6e0b64b96ba7/barRoomHidden.php:
There is a gold emblem embedded on the wall
Will you take it? YES
/barRoom*****2e3db904857963e6e0b64b96ba7/gold_emblem.php
gold_emblem{*****41a9d08b8a4e38d02a4d7ff4843}
Look like you can put something on the emblem slot, refresh the previous page
Let’s refresh, and use our Wooden Emblem flag from before to see what happens.
There is a gold emblem embedded on the wall
[Input Flag] {Submit}
/barRoom*****2e3db904857963e6e0b64b96ba7/emblem_slot.php gives us another clue
r*****a
If we head back to /diningRoom/, we can utilize our gold emblem to uncover /diningRoom/emblem_slot.php. From here, we receive another cipher.
***vg ks r wimgnd biz m***ui ulg fiemok tqod. Xii jvmc tbkg ks t**pgf tyi_hvgct_j***nf_kvc
With our previous /emblem_slot.php clue, I’m going to guess this is a Vigenère. If we utilize an online decoder and use the clue ‘r*****a’, we’ll uncover another important message.
there is a shield key inside the dining room. The html page is called the_great_shield_key
/diningRoom/the_great_shield_key.html
shield_key{*****9227cd7eb89f0a062590798cbac}
At this point, we’ve reached the end of the available routes on these rooms we’ve explored. Let’s revisit our map for the remaining rooms.
/diningRoom2F/ (Blue Gem) Room 6
/tigerStatusRoom/ (use Blue Gem flag, crest 1) Room 7
/galleryRoom/ (crest 2) Room 8
/studyRoom/ (locked by helmet key)
/armorRoom/ (locked by shield key, crest 3)
/attic/ (shield key, crest 4)
We’ll go /diningRoom2F/ next. And /diningRoom2F/ presents us with the following:
Once Jill reach the room, she saw a tall status with a shiining blue gem on top of it. However, she can’t reach it
No links, no input fields. Source?
<!– Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy –>
This is ROT13: every letter is shifted 13 places, so the same operation both encodes and decodes it (it is the special case of a Vigenère with a single-letter key). The tr utility can do it from the command line, but an online decoder is fine too.
You get the blue gem by pushing the status to the lower floor. The gem is on the diningRoom first floor. Visit sapphire.html
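Two of the room’s hints so far are shift ciphers: the Vigenère in emblem_slot.php, keyed by the word found in the gold emblem slot, and this ROT13 comment. Here is a small decoder to save the round trip to a web page. It is an added example written for this writeup, not part of the room or the original post. The names vigenere, rot13 and crack_with_wordlist are mine; the only input taken from the page is the ROT13 fragment “Ivfvg fnccuver.ugzy”, and the other strings are constructed. The same routine applies to the MO disk 1 cipher in Task 5 once the key from MO disk 2 is known, and crack_with_wordlist is the “small wordlist of names from the game” approach mentioned there.

```python
import string

ALPHA = string.ascii_lowercase


def vigenere(text: str, key: str, decrypt: bool = True) -> str:
    """Vigenère over a-z. Letters keep their case; any other character is
    passed through unchanged and does not consume a key letter (the convention
    most online decoders use, and the one this room's hints need)."""
    shifts = [ALPHA.index(k) for k in key.lower() if k in ALPHA]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text:
        if ch.lower() not in ALPHA:
            out.append(ch)
            continue
        shift = shifts[i % len(shifts)]
        if decrypt:
            shift = -shift
        base = ord("A") if ch.isupper() else ord("a")
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        i += 1
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is a Vigenère with the one-letter key 'n' (shift 13); because
    13 + 13 = 26 the same call both encodes and decodes."""
    return vigenere(text, "n")


def crack_with_wordlist(ciphertext: str, candidates, crib: str):
    """Try each candidate key (e.g. character names from the game) and return
    the first (key, plaintext) whose output contains the expected word, or
    None if no candidate produces it."""
    for key in candidates:
        plain = vigenere(ciphertext, key)
        if crib in plain.lower():
            return key, plain
    return None


if __name__ == "__main__":
    # The ROT13 fragment is from the room's source comment; the rest is constructed.
    print(rot13("Ivfvg fnccuver.ugzy"))
    demo_ct = vigenere("the key is hidden", "tyrant", decrypt=False)
    print(crack_with_wordlist(demo_ct, ["lemon", "nemesis", "tyrant"], "hidden"))
```

If a key that should be right produces garbage, check the convention first: this code skips punctuation and spaces without advancing the key, while some tools advance the key on every character, and the two disagree on any ciphertext containing spaces.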
Back to the dining room we go, again. /diningRoom/sapphire.html will provide us with another flag.
blue_jewel{*****7e96cac640f863ec7bc475d48aa}
We’ll examine the remaining map once again
/tigerStatusRoom/ (use Blue Gem flag, crest 1) Room 7
/galleryRoom/ (crest 2) Room 8
/studyRoom/ (locked by helmet key)
/armorRoom/ (locked by shield key, crest 3)
/attic/ (shield key, crest 4)
The game would dictate that since we have our jewel, we can now utilize the tiger statue. Let’s go there next.
/tigerStatusRoom/ provides some text, and another input box.
You reached a small room with a tiger status
Look like you can put a gem on the tiger’s eye
[Enter Flag] {Submit}
Entering our flag for the blue jewel brings us to /tigerStatusRoom/gem.php, which contains a big step to the overall puzzle.
crest 1:
*****kVVS0pKQkxIVVdTWUpFM0VTUlk9
Hint 1: Crest 1 has been encoded twice
Hint 2: Crest 1 contanis 14 letters
Note: You need to collect all 4 crests, combine and decode to reavel another path
The combination should be crest 1 + crest 2 + crest 3 + crest 4. Also, the combination is a type of encoded base and you need to decode it
We’ll save that for later once we have all the parts.
/galleryRoom/ (crest 2) Room 8
/studyRoom/ (locked by helmet key)
/armorRoom/ (locked by shield key, crest 3)
/attic/ (shield key, crest 4)
Lets hit /galleryRoom/ next. We receive a message, and a link.
Upon Jill walk into the room, she saw a bunch of gallery and zombie crow in the room
Nothing is interesting, expect the note on the wall
Examine the note? EXAMINE
Examining the note brings us to /galleryRoom/note.txt, which provides us with another crest.
crest 2:
*****5KHK5WTGTCILE4DKY3DNN4GQQRTM5AVCTKE
Hint 1: Crest 2 has been encoded twice
Hint 2: Crest 2 contanis 18 letters
Note: You need to collect all 4 crests, combine and decode to reavel another path
The combination should be crest 1 + crest 2 + crest 3 + crest 4. Also, the combination is a type of encoded base and you need to decode it
3 rooms on our map remain, with 2 utilizing the shield key.
/studyRoom/ (locked by helmet key)
/armorRoom/ (locked by shield key, crest 3)
/attic/ (shield key, crest 4)
Using the shield key flag on /armorRoom/ brings us to /armorRoom*****5982c18936a25a9b37096b21fc1/, and another selection of text.
Jill saw a total 8 armor stands on the right and left of the room
Jill examine the armor one by one and found a note hidden inside one of it
Read the note? READ
/armorRoom*****5982c18936a25a9b37096b21fc1/note.txt gives us our 3rd of 4 crests.
crest 3:
********MTAgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAxMDAgMDExMDAxMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMTEgMDAxM********DAxMTAxMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMDEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAx********
Hint 1: Crest 3 has been encoded three times
Hint 2: Crest 3 contanis 19 letters
Note: You need to collect all 4 crests, combine and decode to reavel another path
The combination should be crest 1 + crest 2 + crest 3 + crest 4. Also, the combination is a type of encoded base and you need to decode it
And finally, /attic/. Another shield key flag check, which takes us to /attic*****7f184afdfb352af8b8a25ffff1d/.
After Jill reached the attic, she was instanly attacked by a giant snake
Jill fired at least 10 shotgun shell before the snake retreat
She found another body lying on the ground which belongs to Richard, another STARS bravo member.
In additional, there is a note inside the pocket of the body
Read the note? READ
/attic*****7f184afdfb352af8b8a25ffff1d/note.txt gives us our 4th and final crest.
crest 4:
*****auVpvKzRpyPpuYz66JDmRTbJubaoArM6CAQsnVwte6zF9J4GGYyun3k5qM9ma4s
Hint 1: Crest 2 has been encoded twice
Hint 2: Crest 2 contanis 17 characters
Note: You need to collect all 4 crests, combine and decode to reavel another path
The combination should be crest 1 + crest 2 + crest 3 + crest 4. Also, the combination is a type of encoded base and you need to decode it
Now, we have our 4 crests, and we’ve noted that each crest has been encoded more than one time. A fantastic feature we can utilize is going to be “Magic” in CyberChef. This should help us easily break down the encoded messages very quickly. If you want to meddle with these manually, be my guest.
Crest 1: From Base64 + From Base32 = *****HVzZXI6IG
Crest 2: From Base32 + From Base58 = *****lciwgRlRQIHBh
Crest 3: From Base64 + From Binary + From Hex = *****HlvdV9jYW50X2h
Crest 4: From Base58 + From Hex = *****Zm9yZXZlcg==
Concatenated in order (crest 1 + 2 + 3 + 4), the four decoded pieces form one base64 string; decoding that gives us the FTP username and password. Our Task 2 items are now complete.
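To show what CyberChef’s Magic is doing under the hood, here is an added Python example (mine, not the room’s or the original post’s code) that strips the four crests’ layers. The real crests are redacted above, so build_sample_crests constructs stand-ins by wrapping a made-up SAMPLE_SECRET exactly the way the room does, using the layer order listed above. Base58 is not in Python’s standard library, so a small Bitcoin-alphabet implementation is included; every function name here is my own.

```python
import base64
import re

# Bitcoin base58 alphabet (no 0, O, I or l); CyberChef's "From Base58" default.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n, digits = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))  # each 0x00 byte becomes a '1'
    return "1" * leading_zeros + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def bin_encode(raw: bytes) -> str:
    return " ".join(format(b, "08b") for b in raw)


def bin_decode(text: str) -> bytes:
    bits = text.replace(" ", "")
    if not bits or len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("not a string of 8-bit binary groups")
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


# Decoders are gated on their alphabet, most restrictive first, so a binary or
# hex string is never tried as base64 (whose alphabet contains both).
DECODERS = {
    "binary": (re.compile(r"^[01]{8}( [01]{8})*$"), bin_decode),
    "hex": (re.compile(r"^(?:[0-9a-fA-F]{2})+$"), bytes.fromhex),
    "base32": (re.compile(r"^[A-Z2-7]+=*$"), base64.b32decode),
    "base58": (re.compile(r"^[1-9A-HJ-NP-Za-km-z]+$"), b58decode),
    "base64": (re.compile(r"^[A-Za-z0-9+/]+={0,2}$"),
               lambda s: base64.b64decode(s, validate=True)),
}


def decode_chain(text: str, layers) -> str:
    """Peel the named layers in order, e.g. ["base64", "base32"] for crest 1."""
    for name in layers:
        text = DECODERS[name][1](text).decode("ascii")
    return text


def printable(raw: bytes) -> bool:
    return bool(raw) and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def auto_peel(text: str, max_depth: int = 4):
    """Magic-style guessing: take the first decoder whose alphabet matches and
    whose output is printable, recurse on that output, and stop when nothing
    applies or max_depth layers are gone. Returns (innermost text, [layers])."""
    text = text.strip()
    if max_depth == 0:
        return text, []
    for name, (gate, fn) in DECODERS.items():
        if not gate.match(text):
            continue
        try:
            raw = fn(text)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if not printable(raw):
            continue
        inner, layers = auto_peel(raw.decode("ascii"), max_depth - 1)
        return inner, [name] + layers
    return text, []


def recover_credentials(crests, layers) -> str:
    """Decode each crest with its layer list, join crest 1 + 2 + 3 + 4 and
    base64-decode the whole, as the room's note instructs."""
    pieces = [decode_chain(c, l) for c, l in zip(crests, layers)]
    return base64.b64decode("".join(pieces)).decode()


# Outermost layer first, matching the CyberChef recipes listed above.
CREST_LAYERS = [["base64", "base32"], ["base32", "base58"],
                ["base64", "binary", "hex"], ["base58", "hex"]]

SAMPLE_SECRET = "FTP user: constructed_user, FTP password: constructed_pass"  # constructed


def build_sample_crests(secret: str):
    """Constructed stand-ins for the redacted crests: base64 the secret, cut it
    into four pieces and wrap each piece the way the room does."""
    b64 = base64.b64encode(secret.encode()).decode()
    q = len(b64) // 4
    p = [b64[:q], b64[q:2 * q], b64[2 * q:3 * q], b64[3 * q:]]
    return [
        base64.b64encode(base64.b32encode(p[0].encode())).decode(),
        base64.b32encode(b58encode(p[1].encode()).encode()).decode(),
        base64.b64encode(bin_encode(p[2].encode().hex().encode()).encode()).decode(),
        b58encode(p[3].encode().hex().encode()),
    ]


if __name__ == "__main__":
    crests = build_sample_crests(SAMPLE_SECRET)
    for i, c in enumerate(crests, 1):
        print(f"crest {i}: {auto_peel(c, max_depth=len(CREST_LAYERS[i - 1]))}")
    print(recover_credentials(crests, CREST_LAYERS))
```

The room’s hints (how many layers, how many characters come out) are the sanity check for auto_peel: base32 and base64 alphabets overlap, so when guessing goes wrong the fix is to pass the layer list to decode_chain explicitly rather than trust the guess.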
Let’s give those FTP credentials a try.
┌─[loki@parrot]─[~]
└──╼ $ftp 10.10.129.37
Connected to 10.10.129.37.
220 (vsFTPd 3.0.3)
Name (10.10.129.37:loki): *****
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
We’re in. Let’s see what we can find of use.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 7994 Sep 19 2019 001-key.jpg
-rw-r--r-- 1 0 0 2210 Sep 19 2019 002-key.jpg
-rw-r--r-- 1 0 0 2146 Sep 19 2019 003-key.jpg
-rw-r--r-- 1 0 0 121 Sep 19 2019 helmet_key.txt.gpg
-rw-r--r-- 1 0 0 170 Sep 20 2019 important.txt
226 Directory send OK.
Interesting. Let’s grab the files.
ftp> get 001-key.jpg
local: 001-key.jpg remote: 001-key.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for 001-key.jpg (7994 bytes).
226 Transfer complete.
7994 bytes received in 0.00 secs (5.0994 MB/s)
ftp> get 002-key.jpg
local: 002-key.jpg remote: 002-key.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for 002-key.jpg (2210 bytes).
226 Transfer complete.
2210 bytes received in 0.00 secs (24.2255 MB/s)
ftp> get 003-key.jpg
local: 003-key.jpg remote: 003-key.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for 003-key.jpg (2146 bytes).
226 Transfer complete.
2146 bytes received in 0.00 secs (33.5506 MB/s)
ftp> get helmet_key.txt.gpg
local: helmet_key.txt.gpg remote: helmet_key.txt.gpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for helmet_key.txt.gpg (121 bytes).
226 Transfer complete.
121 bytes received in 0.06 secs (1.9716 kB/s)
ftp> get important.txt
local: important.txt remote: important.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for important.txt (170 bytes).
226 Transfer complete.
170 bytes received in 0.00 secs (1.9533 MB/s)
ftp> exit
221 Goodbye.
We now have 5 new files: 3 JPEGs, one GPG-encrypted text file (the .gpg extension), and a plain text file. We also have a new set of tasks for this area.
Task 3: The guard house – After gaining access to the FTP server, you need to solve another puzzle.
Items:
- Where is the hidden directory mentioned by Barry?
- Password for the encrypted file?
- What is the helmet key flag?
Let’s examine the text file first:
┌─[loki@parrot]─[~]
└──╼ $cat important.txt
Jill,I think the helmet key is inside the text file, but I have no clue on decrypting stuff. Also, I come across a /hidden_closet/ door but it was locked.
From,
Barry
I’m upset at the lack of Jill Sandwich references at this point, but nonetheless. We’ve got 3 pictures to figure out, which I assume will give us pieces of the passphrase for the GPG file (I’ve seen a few CTFs so far). Viewing the images doesn’t show any hints. If we run strings on 001-key.jpg, we don’t see much of use. Since there doesn’t appear to be anything readable and we don’t have a password, is there anything hidden inside? Let’s try steghide with an empty passphrase (just press Enter at the prompt):
┌─[loki@parrot]─[~]
└──╼ $steghide extract -sf 001-key.jpg -xf 001-key.data
Enter passphrase:
wrote extracted data to “001-key.data”.
┌─[loki@parrot]─[~]
└──╼ $cat 001-key.data
*****nQ0Ml9jYW
Success. What about 002-key.jpg? Trying the previous method of strings, we see a small chunk of data right after the header. Can we confirm this is a key fragment rather than noise? Let’s look at the metadata with exiftool; what it reports as “Comment” is a JPEG COM segment, not image data.
┌─[loki@parrot]─[~]
└──╼ $exiftool 002-key.jpg
ExifTool Version Number : 12.08
File Name : 002-key.jpg
Directory : .
File Size : 2.2 kB
File Modification Date/Time : 2020:11:12 01:10:54-05:00
File Access Date/Time : 2020:11:12 01:10:54-05:00
File Inode Change Date/Time : 2020:11:12 01:10:54-05:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : *****fZGVzdHJveV9
Image Width : 100
Image Height : 80
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 100×80
Megapixels : 0.008
Another success. Let’s hope 003-key.jpg is this easy. We’ll yet again run strings on the file, and see a mention of ‘key-003.txt’ within the data. Seems we need to carve this out.
┌─[loki@parrot]─[~]
└──╼ $binwalk -e 003-key.jpg

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
1930 0x78A Zip archive data, at least v2.0 to extract, uncompressed size: 14, name: key-003.txt
2124 0x84C End of Zip archive, footer length: 22

┌─[loki@parrot]─[~]
└──╼ $cd _003-key.jpg.extracted/
┌─[loki@parrot]─[~/_003-key.jpg.extracted]
└──╼ $ls -lah
total 8.0K
drwxr-xr-x 1 loki loki 36 Nov 12 01:24 .
drwxr-xr-x 1 loki loki 1.7K Nov 12 01:24 ..
-rw-r--r-- 1 loki loki 216 Nov 12 01:24 78A.zip
-rw-r--r-- 1 loki loki 14 Sep 19 2019 key-003.txt
┌─[loki@parrot]─[~/_003-key.jpg.extracted]
└──╼ $cat key-003.txt
*****X3Zqb2x0
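The two tricks used on 002-key.jpg and 003-key.jpg are a JPEG COM comment segment (what exiftool reported) and a ZIP archive glued on after the end-of-image marker (what binwalk carved). As an added example, not from the room or the original post, the following Python walks the JPEG marker structure directly and does both. It runs on a constructed two-segment JPEG assembled in build_sample with placeholder contents; the real files are not included, and steghide’s embedding in 001-key.jpg is a different mechanism that this does not cover. All function names are mine.

```python
import io
import struct
import zipfile

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE


def walk_segments(data: bytes):
    """Walk the marker segments from SOI up to the scan data. Returns
    ([(marker, payload), ...], offset), where offset is the start of the
    entropy-coded data after SOS, or the EOI marker if there is no scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = (data[pos] << 8) | data[pos + 1]
        if marker == EOI:
            return segments, pos
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        segments.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == SOS:
            return segments, pos
    raise ValueError("truncated JPEG")


def jpeg_comments(data: bytes):
    """The text exiftool shows as 'Comment' lives in COM (0xFFFE) segments."""
    segments, _ = walk_segments(data)
    return [payload.decode("latin-1") for marker, payload in segments if marker == COM]


def trailing_data(data: bytes) -> bytes:
    """Bytes appended after EOI. Inside scan data every 0xFF is escaped as
    0xFF00 or is an RSTn marker, so the first 0xFFD9 after SOS is the real EOI."""
    _, pos = walk_segments(data)
    eoi = data.find(b"\xff\xd9", pos)
    if eoi == -1:
        raise ValueError("no EOI marker")
    return data[eoi + 2:]


def carve_zip(data: bytes):
    """What binwalk -e did above: locate a ZIP local-file header in the
    trailer and unpack it. Returns {member name: bytes}."""
    tail = trailing_data(data)
    idx = tail.find(b"PK\x03\x04")
    if idx == -1:
        return {}
    with zipfile.ZipFile(io.BytesIO(tail[idx:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def build_sample() -> bytes:
    """Constructed stand-in for 002/003-key.jpg: SOI, one COM segment, EOI,
    then a ZIP glued on the end. Comment and member contents are placeholders."""
    comment = b"cGFydDI="  # placeholder, not the room's real key fragment
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("key-003.txt", "cGFydDM=")  # placeholder
    return b"\xff\xd8" + com + b"\xff\xd9" + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("COM segments:", jpeg_comments(sample))
    print("bytes after EOI:", len(trailing_data(sample)))
    print("carved:", carve_zip(sample))
```

A non-empty trailer is the thing to look for first: a well-formed JPEG ends at EOI, so anything after it was put there deliberately, whether or not it starts with a recognisable archive signature.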
Now that we have all three pieces, let’s get our key... flag... something useful. Concatenated in filename order (001, 002, 003) they form a base64 string; decoding it gives the passphrase that unlocks the GPG file from earlier. The file is symmetrically encrypted (AES256, one passphrase, as gpg reports below), so a passphrase is all it needs: no key pair is involved.
┌─[loki@parrot]─[~]
└──╼ $gpg helmet_key.txt.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean …
gpg: AES256 encrypted data
At this point you’ll be prompted for the passphrase (the decoded string). Run with no command, gpg writes the decrypted contents to helmet_key.txt next to the input file; gpg -d helmet_key.txt.gpg would print it to stdout instead.
gpg: encrypted with 1 passphrase
┌─[loki@parrot]─[~]
└──╼ $cat helmet_key.txt
helmet_key{*****3193501d2b94bbab2e727f8db4b}
Now our Task 3 set is complete: we have the helmet key. Time for The Revisit.
Task 4: The Revisit – Done with the puzzle? There are places you have explored before but yet to access.
Items:
- What is the SSH login username?
- What is the SSH login password?
- Who is the STARS bravo team leader?
As mentioned in our map notes, we still have /studyRoom/ which is behind the helmet key, and now we’ve got a hidden room/directory. Let’s put the key to good use.
/studyRoom/ takes us to /studyRoom*****c5e98c93b89258a6389fd608a3c/ with the following text:
Jill saw a messy table upon enter the room
After a short search, Jill managed to find a sealed book
Examine the book? EXAMINE
Our link has us download a file named ‘doom.tar.gz’.
┌─[loki@parrot]─[~/Downloads]
└──╼ $tar -xf doom.tar.gz
We’re given eagle_medal.txt
┌─[loki@parrot]─[~/Downloads]
└──╼ $cat eagle_medal.txt
SSH user: **************
One room remains, /hidden_closet/. /hidden_closet/ is also unlocked with the helmet key. Is this where I insert a “discard after using” joke?
/hiddenCloset*****740cb7f5cece994381b9477ec38/ provides us with 2 more vital pieces.
The closet room lead to an underground cave
In the cave, Jill met injured Enrico, the leader of the STARS Bravo team. He mentioned there is a traitor among the STARTS Alpha team.
When he was about to tell the traitor name, suddenly, a gun shot can be heard and Enrico was shot dead.
Jill somehow cannot figure out who did that. Also, Jill found a MO disk 1 and a wolf Medal
Read the MO disk 1? READ
Examine the wolf medal? EXAMINE
If we read the wolf medal text, we’re given the SSH password. The MO Disk 1 provides us with another cipher.
wpbwbxr ***zg pltwnhro, t***s_xfqsxrd_bvv_fy_r***xa_ajk
Now you can either bruteforce this by knowledge of the game and a small wordlist (I think that took 4 or 5 guesses when I did it), or hold onto this and we’ll revisit in the correct order.
Task set 4 is complete. With our SSH username and password, let’s look at our final tasks and sign into the box.
Task 5: Underground laboratory – Time for the final showdown. Can you escape the nightmare?
Items:
- Where you found Chris?
- Who is the traitor?
- The login password for the traitor?
- The name of the ultimate form?
- The root flag?
Items 1, 2, and 4 can be guessed based on knowledge of the game. But we’ll do this and the rest, correctly. Also, we’ll be revealing the SSH username now, so if you haven’t figured that part out yet, go back and work on it.
┌─[loki@parrot]─[~]
└──╼ $ssh umbrella_guest@10.10.129.37
The authenticity of host ‘10.10.129.37 (10.10.129.37)’ can’t be established.
ECDSA key fingerprint is SHA256:/+Vwt3kin76N1Lgp0hOKWQ9P39u+Z9P3Q9lMXC8bgDo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added ‘10.10.129.37’ (ECDSA) to the list of known hosts.
umbrella_guest@10.10.129.37’s password:
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

320 packages can be updated.
58 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Fri Sep 20 03:25:46 2019 from 127.0.0.1
umbrella_guest@umbrella_corp:~$
Let’s look for items of interest
umbrella_guest@umbrella_corp:~$ ls -lah
total 64K
drwxr-xr-x 8 umbrella_guest umbrella 4.0K Sep 20 2019 .
drwxr-xr-x 5 root root 4.0K Sep 20 2019 ..
-rw-r--r-- 1 umbrella_guest umbrella 220 Sep 19 2019 .bash_logout
-rw-r--r-- 1 umbrella_guest umbrella 3.7K Sep 19 2019 .bashrc
drwxrwxr-x 6 umbrella_guest umbrella 4.0K Sep 20 2019 .cache
drwxr-xr-x 11 umbrella_guest umbrella 4.0K Sep 19 2019 .config
-rw-r--r-- 1 umbrella_guest umbrella 26 Sep 19 2019 .dmrc
drwx------ 3 umbrella_guest umbrella 4.0K Sep 19 2019 .gnupg
-rw------- 1 umbrella_guest umbrella 346 Sep 19 2019 .ICEauthority
drwxr-xr-x 2 umbrella_guest umbrella 4.0K Sep 20 2019 .jailcell
drwxr-xr-x 3 umbrella_guest umbrella 4.0K Sep 19 2019 .local
-rw-r--r-- 1 umbrella_guest umbrella 807 Sep 19 2019 .profile
drwx------ 2 umbrella_guest umbrella 4.0K Sep 20 2019 .ssh
-rw------- 1 umbrella_guest umbrella 109 Sep 19 2019 .Xauthority
-rw------- 1 umbrella_guest umbrella 7.4K Sep 19 2019 .xsession-errors
The .jailcell directory looks promising.
umbrella_guest@umbrella_corp:~$ cd .jailcell
umbrella_guest@umbrella_corp:~/.jailcell$ ls -lah
total 12K
drwxr-xr-x 2 umbrella_guest umbrella 4.0K Sep 20 2019 .
drwxr-xr-x 8 umbrella_guest umbrella 4.0K Sep 20 2019 ..
-rw-r–r– 1 umbrella_guest umbrella 501 Sep 20 2019 chris.txt
umbrella_guest@umbrella_corp:~/.jailcell$ cat chris.txt
Jill: Chris, is that you?
Chris: Jill, you finally come. I was locked in the Jail cell for a while. It seem that weasker is behind all this.
Jil, What? Weasker? He is the traitor?
Chris: Yes, Jill. Unfortunately, he play us like a damn fiddle.
Jill: Let’s get out of here first, I have contact brad for helicopter support.
Chris: Thanks Jill, here, take this MO Disk 2 with you. It look like the key to decipher something.
Jill: Alright, I will deal with him later.
Chris: see ya.MO disk 2: ******
“Weasker” is the traitor?

So now with our MO Disk 1 Vigenere and our MO Disk 2 key, we have the next set of login information. Let’s switch users.
umbrella_guest@umbrella_corp:~/.jailcell$ su weasker
Password:
We’re in. Let’s see if there’s anything interesting in our home directory.
weasker@umbrella_corp:/home/umbrella_guest/.jailcell$ cd ~
weasker@umbrella_corp:~$ ls -lah
total 80K
drwxr-xr-x 9 weasker weasker 4.0K Sep 20 2019 .
drwxr-xr-x 5 root root 4.0K Sep 20 2019 ..
-rw------- 1 weasker weasker 18 Sep 20 2019 .bash_history
-rw-r--r-- 1 weasker weasker 220 Sep 18 2019 .bash_logout
-rw-r--r-- 1 weasker weasker 3.7K Sep 18 2019 .bashrc
drwxrwxr-x 10 weasker weasker 4.0K Sep 20 2019 .cache
drwxr-xr-x 11 weasker weasker 4.0K Sep 20 2019 .config
drwxr-xr-x 2 weasker weasker 4.0K Sep 19 2019 Desktop
drwx------ 3 weasker weasker 4.0K Sep 19 2019 .gnupg
-rw------- 1 weasker weasker 346 Sep 20 2019 .ICEauthority
drwxr-xr-x 3 weasker weasker 4.0K Sep 19 2019 .local
drwx------ 5 weasker weasker 4.0K Sep 19 2019 .mozilla
-rw-r--r-- 1 weasker weasker 807 Sep 18 2019 .profile
drwx------ 2 weasker weasker 4.0K Sep 19 2019 .ssh
-rw-r--r-- 1 weasker weasker 0 Sep 20 2019 .sudo_as_admin_successful
-rw-r--r-- 1 root root 534 Sep 20 2019 weasker_note.txt
-rw------- 1 weasker weasker 109 Sep 20 2019 .Xauthority
-rw------- 1 weasker weasker 5.5K Sep 20 2019 .xsession-errors
-rw------- 1 weasker weasker 6.6K Sep 20 2019 .xsession-errors.old
weasker@umbrella_corp:~$ cat weasker_note.txt
Weaker: Finally, you are here, Jill.
Jill: Weasker! stop it, You are destroying the mankind.
Weasker: Destroying the mankind? How about creating a ‘new’ mankind. A world, only the strong can survive.
Jill: This is insane.
Weasker: Let me show you the ultimate lifeform, the Tyrant.(Tyrant jump out and kill Weasker instantly)
(Jill able to stun the tyrant will a few powerful magnum round)Alarm: Warning! warning! Self-detruct sequence has been activated. All personal, please evacuate immediately. (Repeat)
Jill: Poor bastard
All that’s left is the root flag. Let’s see what our boy Wesker can do.
weasker@umbrella_corp:~$ id
uid=1000(weasker) gid=1000(weasker) groups=1000(weasker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),126(sambashare)

weasker@umbrella_corp:~$ sudo -l
[sudo] password for weasker:
Matching Defaults entries for weasker on umbrella_corp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User weasker may run the following commands on umbrella_corp:
    (ALL : ALL) ALL

weasker@umbrella_corp:~$ sudo su
root@umbrella_corp:/home/weasker#

We’re in as root. Yes! Nothing clever was needed: “(ALL : ALL) ALL” means weasker may run any command as any user through sudo (he is in the sudo group, as the id output showed), so sudo su, sudo -i or sudo bash all give a root shell.
root@umbrella_corp:/home/weasker# cat /root/root.txt
In the state of emergency, Jill, Barry and Chris are reaching the helipad and awaiting for the helicopter support.
Suddenly, the Tyrant jump out from nowhere. After a tough fight, brad, throw a rocket launcher on the helipad. Without thinking twice, Jill pick up the launcher and fire at the Tyrant.
The Tyrant shredded into pieces and the Mansion was blowed. The survivor able to escape with the helicopter and prepare for their next fight.
The End
flag: *****4a00dc56c35f2bf096571edf3bf
Final thoughts:
I really did like this CTF-style box. It paid pretty decent homage to the Resident Evil game, and had a slight curve for folks unfamiliar with ‘stego’ or ‘crypto’. I would have liked to have seen something more demanding at the end with the Wesker login to ultimately consider this a ‘medium’, but I do guess that those unfamiliar with the format could have struggled a bit.
I hope the author creates one with a Resident Evil 2 theme (if they haven’t already), and pays the same respect as they did with this one.
