Biohazard — TryHackMe Walkthrough.

Arrow
10 min read · Dec 12, 2020

First things first: Biohazard is a CTF room by TryHackMe of medium difficulty. As its tags give away, the challenge deals with lots of hashes and steganography, plus a little fun fact: it is based on the Resident Evil game series (for those who did not already guess that from the avatar of the room).
So, let’s put on some Resident Evil OST, welcome ourselves into Raccoon City and jump into solving Biohazard CTF.

Biohazard CTF Room.

Let’s get started then!

As always, we should really do some enumeration first in order to get an idea of what we are dealing with.
Fire up Nmap!

root@ip-10-10-83-246:~# nmap -sV -sC 10.10.86.232

Starting Nmap 7.60 ( https://nmap.org ) at 2020-12-12 15:56 GMT
Nmap scan report for ip-10-10-86-232.eu-west-1.compute.internal (10.10.121.32)
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c9:03:aa:aa:ea:a9:f1:f4:09:79:c0:47:41:16:f1:9b (RSA)
| 256 2e:1d:83:11:65:03:b4:78:e9:6d:94:d1:3b:db:f4:d6 (ECDSA)
|_ 256 91:3d:e4:4f:ab:aa:e2:9e:44:af:d3:57:86:70:bc:39 (EdDSA)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Beginning of the end
MAC Address: 02:BB:F9:42:46:C9 (Unknown)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.21 seconds

Well, we have a little something up there, don’t we?
The FTP and SSH ports are open; however, they will not be of any use for the time being, as we have not figured out any credentials just yet. So let's move on to port 80.

Mansion welcomes us!

At first glimpse, it seems there is not much we can do in the Main Hall, but a little look with the Developer Tools and we find ourselves a clue.

In the meanwhile (and because I was too impatient), I’ve triggered a dirb scan against the site but I didn’t get much, apart from the /attic/ directory.

root@ip-10-10-83-246:~# dirb http://10.10.86.232

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Dec 12 16:17:06 2020
URL_BASE: http://10.10.86.232
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.86.232 ----
==> DIRECTORY: http://10.10.86.232/attic/
==> DIRECTORY: http://10.10.86.232/css/
==> DIRECTORY: http://10.10.86.232/images/
+ http://10.10.86.232/index.html (CODE:200|SIZE:692)
==> DIRECTORY: http://10.10.86.232/js/
+ http://10.10.86.232/server-status (CODE:403|SIZE:277)

---- Entering directory: http://10.10.121.32/attic/ ----
+ http://10.10.86.232/attic/index.php (CODE:200|SIZE:592)

---- Entering directory: http://10.10.86.232/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.86.232/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.86.232/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sat Dec 12 16:17:12 2020
DOWNLOADED: 9224 - FOUND: 3

Visiting the /attic directory, it seems that we are too early here, so we go back to /diningRoom from the Main Hall.

Dining Room.

In the dining room, a familiar type of hash (a base64 one) is waiting for us. As soon as we decode it, we are instructed to move on to the next room. Also, the YES option gives us the emblem flag. Our very first flag, not bad, right?
Off to the Tea Room, it is.

Decoding the base64 hash found on dining room.

In the Tea Room, we do not find much apart from the lock_pick flag and the next room, /artRoom/. Let's see what we might find there.

Et voilà! The mansion map is waiting for us there. From now on, we have quite an investigation to go through.

Mansion Map.

In /barRoom, as soon as we enter the lock_pick flag, we can see a piano along with a note. Another hash; this time, it is a base32. After decoding it, we get the music_sheet flag.

Note on the piano.

Back in /barRoom, as soon as we enter the music_sheet flag, we get our hands on the golden_emblem flag. Moving on to /diningRoom2F.
Once again, the Developer Tools are a friend of ours and unveil yet another hash. (Well, I told you we were going to meet a lot of these guys, and we are still in the first stages of the CTF.)

Dining Room 2F.

After a little research, I figured out that this time we are dealing with ROT13, a variant of the Caesar cipher. The message instructs us that we can get to the blue gem by visiting /diningRoom/sapphire.html, which reveals the blue_jewel flag.
Next is /tigerStatusRoom. There, we can place the flag from the previous room to get a hash-looking piece, named crest 1.

Tiger Status Room - Crest 1.

As far as I can tell from the notes, some decoding must be done before putting it together with the rest of the pieces (which I do not possess at the moment). Well, good sirs, I smell some trouble.
Back to the rooms, for now. Next is /galleryRoom, where we will find the 2nd crest, with similar notes to the 1st one.

Gallery Room - Crest 2

After that I was kind of stuck, as the /studyRoom, /armorRoom and /attic directories are accessible only by providing some flags, which I had not found up until now. Checking my notes (it is always good practice to take some while hacking), I remembered the gold_emblem flag I found earlier. Back to the dining room and guess what... Yet another hash!

Dining Room - Golden Emblem hash.

That took me a good amount of time. It was a kind of cipher I met for the first time, named Vigenère. After that, it was easy to decode it using this online tool (and thankfully I did not have to use a key for it).

Vigenère decrypted message.
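The two ciphers met so far (ROT13 in /diningRoom2F and Vigenère on the golden emblem note) are really the same operation: a Vigenère shift with a one-letter key of "N" is exactly ROT13. The following Python is an added example, not code from the walkthrough or from the room; the sample strings are constructed and the key names are made up for illustration.

```python
import string

ALPHABET = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift every letter of `text` by the matching key letter (A=0 .. Z=25).

    Non-letters pass through unchanged and do not consume a key position,
    which is how the common online tools treat underscores and spaces.
    Case is preserved. With decrypt=True the shifts are reversed.
    """
    if not key or not key.isalpha():
        raise ValueError("key must consist of one or more letters")
    shifts = [ALPHABET.index(k) for k in key.upper()]
    out = []
    pos = 0  # index into the key, advanced only on letters
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[pos % len(shifts)]
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            pos += 1
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is Vigenere with the single-letter key 'N' (shift 13);
    it is its own inverse, so encrypt and decrypt are the same call."""
    return vigenere(text, "N")


if __name__ == "__main__":
    # Constructed sample, not the room's actual note.
    note = "the_gem_is_in_the_dining_room"
    ct = vigenere(note, "umbrella")
    print(ct)
    print(vigenere(ct, "umbrella", decrypt=True))
    print(rot13("Hello, Raccoon City!"))
```

Because the key position only advances on letters, a ciphertext with underscores or spaces decrypts correctly even when the tool that produced it skipped punctuation the same way; if a result looks garbled, try the other convention.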

A few guesses at the correct name of the HTML page later, /diningRoom/the_great_shield_key.html rewarded me with the shield flag. Talking about weapons though, it is time for the /armorRoom.
There, we discover the third crest (omg, what is all that?).

Armor Room - Crest 3

One more room unlocks with the shield flag, so let’s check that as well. As expected, /attic gave us the last piece of the puzzle.

Attic - Crest 4

Now, the harder part of the challenge: decoding the crests and putting them together. For the sake of keeping the walkthrough as short as possible, I will just write down the encoding type used for each of the crests. For those who want to crack their own way into them, bear in mind the tip about the number of letters and start with the most common types of hashes. You can find the tool that I used for decoding the crests here.

· Crest 1 → base64 → base32

· Crest 2 → base32 → base58

· Crest 3 → base64 → binary → hex

· Crest 4 → base58 → hex

Putting the puzzle together, we get a base64 hash which, once decoded, gives us the FTP credentials.
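The crest chains above are layered encodings, and the order listed is the order in which the layers are peeled off. The Python below is an added example, not the walkthrough's own tooling, that applies each chain and reassembles the pieces. Base58 is not in the standard library, so a small encoder/decoder is included. The crest contents and FTP credentials here are constructed stand-ins built from a made-up secret, not the values from the room.

```python
import base64

# Base58 with the Bitcoin alphabet (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    pad = len(data) - len(data.lstrip(b"\x00"))  # each leading 0x00 becomes a '1'
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def from_binary(b: bytes) -> bytes:
    """'01001000 01101001' (spaces optional) -> b'Hi'."""
    bits = b.decode("ascii").replace(" ", "").strip()
    if len(bits) % 8:
        raise ValueError("bit string is not a whole number of bytes")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


# Every decoder maps bytes -> bytes so steps can be chained in any order.
DECODERS = {
    "base64": lambda b: base64.b64decode(b, validate=True),
    "base32": lambda b: base64.b32decode(b),
    "base58": lambda b: b58decode(b.decode("ascii")),
    "hex": lambda b: bytes.fromhex(b.decode("ascii")),
    "binary": from_binary,
}
# Matching encoders, used only to construct the sample crests below.
ENCODERS = {
    "base64": base64.b64encode,
    "base32": base64.b32encode,
    "base58": lambda b: b58encode(b).encode("ascii"),
    "hex": lambda b: b.hex().encode("ascii"),
    "binary": lambda b: "".join(f"{x:08b}" for x in b).encode("ascii"),
}


def decode_chain(blob: bytes, steps) -> bytes:
    for step in steps:
        blob = DECODERS[step](blob)
    return blob


def encode_chain(data: bytes, steps) -> bytes:
    # Layers are applied in reverse so that decode_chain(steps) undoes them.
    for step in reversed(steps):
        data = ENCODERS[step](data)
    return data


# Decoding order the walkthrough reports for each crest.
CHAINS = {
    "crest1": ["base64", "base32"],
    "crest2": ["base32", "base58"],
    "crest3": ["base64", "binary", "hex"],
    "crest4": ["base58", "hex"],
}

# Constructed secret (not the room's credentials): base64-encode it, cut the
# result into four pieces and wrap each piece in its crest's layers.
SECRET = b"ftp_user_constructed:ftp_pass_constructed"
SECRET_B64 = base64.b64encode(SECRET)          # 56 characters
CUTS = [0, 14, 28, 42, len(SECRET_B64)]
CRESTS = {
    name: encode_chain(SECRET_B64[CUTS[i]:CUTS[i + 1]], chain)
    for i, (name, chain) in enumerate(CHAINS.items())
}


def recover_secret(crests, chains=CHAINS) -> bytes:
    """Peel each crest, concatenate in order, then base64-decode the whole."""
    pieces = [decode_chain(crests[name], chains[name]) for name in chains]
    return base64.b64decode(b"".join(pieces), validate=True)


if __name__ == "__main__":
    for name, blob in CRESTS.items():
        print(name, blob.decode("ascii"))
    print(recover_secret(CRESTS))
```

The "number of letters" tip from the room maps onto the decoders' alphabets: base32 uses only A-Z and 2-7, base58 has no 0, O, I or l, and hex has sixteen symbols, so a quick look at the character set usually tells you which layer is on the outside before you try anything.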

FTP credentials.

Let’s get ourselves to the FTP, then.
Long story short, there we find quite a lot of files, so I am going to get them on our local machine in order to examine them.

FTP Access.

After downloading the important.txt file, we get one more room added to our list, /hidden_closet/.
The next file that caught my attention was helmet_key.txt.gpg. We expect that this text might contain the helmet flag we are missing, but first we have to get our way into it. The rest of the files seem to be jpg files, so I quickly realize that the images could have undergone steganography processing. This is the output of running all of them through exiftool.

root@ip-10-10-83-246:~# for i in $(ls | \grep jpg); do exiftool $i && echo -e '\n-------------------------------------\n'; done
ExifTool Version Number : 10.80
File Name : 001-key.jpg
Directory : .
File Size : 7.8 kB
File Modification Date/Time : 2020:12:06 15:44:31+00:00
File Access Date/Time : 2020:12:06 15:44:31+00:00
File Inode Change Date/Time : 2020:12:06 15:44:31+00:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 400
Image Height : 320
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 400x320
Megapixels : 0.128

-------------------------------------

ExifTool Version Number : 10.80
File Name : 002-key.jpg
Directory : .
File Size : 2.2 kB
File Modification Date/Time : 2020:12:06 15:44:32+00:00
File Access Date/Time : 2020:12:06 15:44:32+00:00
File Inode Change Date/Time : 2020:12:06 15:44:32+00:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : 5fYmVfZGVzdHJveV9
Image Width : 100
Image Height : 80
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 100x80
Megapixels : 0.008

-------------------------------------

ExifTool Version Number : 10.80
File Name : 003-key.jpg
Directory : .
File Size : 2.1 kB
File Modification Date/Time : 2020:12:06 15:45:11+00:00
File Access Date/Time : 2020:12:06 15:45:11+00:00
File Inode Change Date/Time : 2020:12:06 15:45:11+00:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Comment : Compressed by jpeg-recompress
Image Width : 100
Image Height : 80
Encoding Process : Progressive DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 100x80
Megapixels : 0.008

-------------------------------------

Images 2 and 3 reveal some comments. It seems that we are dealing with a hash puzzle once again. We will now use the steghide and binwalk tools on images 1 and 3 respectively in order to extract the info we want. As I forgot to take a screenshot of the steghide command, I will only display the binwalk command. Apologies for that, but it will not be too hard to figure it out yourselves. :)

Binwalk against jpg 3.
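What exiftool and binwalk surface here are two different places a JPEG can carry extra data: the COM (comment) segments in the marker stream, and bytes appended after the EOI marker, which decoders ignore but binwalk reports. The following Python is an added example, not part of the walkthrough, that parses the marker stream directly to pull both out. The sample image is a constructed minimal byte stream, not one of the room's files; the comment strings are modelled on the exiftool output above and the appended bytes are made up.

```python
import re
import struct

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE
# Comments that look like a base64 fragment of at least 8 characters.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def build_jpeg(comments, scan=b"", trailing=b"") -> bytes:
    """Constructed stand-in for a JPEG: SOI, one COM segment per comment, a
    bare SOS header followed by `scan` bytes, EOI, then `trailing` bytes."""
    out = bytearray(struct.pack(">H", SOI))
    for text in comments:
        body = text.encode("latin-1")
        # The 16-bit length field counts itself plus the payload.
        out += struct.pack(">HH", COM, len(body) + 2) + body
    out += struct.pack(">HH", SOS, 2) + scan
    out += struct.pack(">H", EOI) + trailing
    return bytes(out)


def inspect_jpeg(data: bytes) -> dict:
    """Walk the marker segments up to the scan, collect COM comments, then
    report anything that follows the EOI marker (what binwalk would flag)."""
    if data[:2] != struct.pack(">H", SOI):
        raise ValueError("missing SOI marker; not a JPEG")
    pos, comments, trailing = 2, [], b""
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF or length < 2:
            raise ValueError(f"malformed segment at offset {pos}")
        segment = data[pos + 4:pos + 2 + length]
        if marker == COM:
            comments.append(segment.decode("latin-1"))
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows. Inside it 0xFF is always followed by
            # 0x00 or an RSTn marker, never 0xD9, so the first FF D9 is the EOI.
            eoi = data.find(struct.pack(">H", EOI), pos)
            if eoi == -1:
                raise ValueError("no EOI marker found")
            trailing = data[eoi + 2:]
            break
    return {
        "comments": comments,
        "base64_like": [c for c in comments if BASE64_RE.match(c)],
        "trailing_bytes": len(trailing),
        "trailing_head": trailing[:4],
    }


# Constructed sample modelled on the walkthrough's findings: one benign
# comment, one that looks like a base64 fragment, and bytes appended after EOI
# (a made-up ZIP local-file header, the kind of thing binwalk reports).
SAMPLE = build_jpeg(
    ["Compressed by jpeg-recompress", "5fYmVfZGVzdHJveV9"],
    scan=b"\x12\xff\x00\x34",
    trailing=b"PK\x03\x04" + b"\x00" * 6,
)

if __name__ == "__main__":
    print(inspect_jpeg(SAMPLE))
```

Running inspect_jpeg over every downloaded image gives the same triage exiftool's Comment line and binwalk's signature scan give, but in one pass and with a clear split between "metadata says something" and "there is data past the end of the picture". Note that steghide hides its payload inside the DCT coefficients, which this parser does not look at; the absence of comments and trailing bytes (as with image 1 above) does not rule steganography out.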

Putting it all together, we now have a... (yes, you guessed it right) new hash. This base64 gives us the password for the helmet_key.txt.gpg file, which, as it seems, contains the helmet flag. Time to visit the last room of the map.
Now we enter the study room and, after a careful "examination", we come across a compressed file called doom.tar.gz. Remember the SSH port we found earlier? Now we have the SSH user.

SSH username.

Finally, let’s go to the /hidden_closet room. Any guesses what we expect to find here?
In /hidden_closet, we get the SSH password as well as another hash, which seems like a Vigenère cipher as well (so my intuition was correct; however, no clue what it refers to. Maybe it can be used for escalation after we SSH into the target).

SSH password.
Vigenère decrypted message part2.

As soon as we SSH in, we find ourselves in umbrella_guest's home directory. There we come across ~/.jailcell/chris.txt, which contains a message along with the key "albert" (I guess it was supposed to serve as a key for decrypting the message above, but after all it was useless).

chris.txt

By checking the rest of the users in the home directory, we suspect that there is indeed a weasker user, so let's use the password from the Vigenère cipher above to switch to it.
We switch to weasker successfully, and here is the end of the CTF, as both ~/.bash_history and sudo -l guarantee that we can now elevate to root without any struggle and get the final flag.
Congrats! We are root now and we earn ourselves a new badge.

weasker to root.

I hope you enjoyed this walkthrough, as much as I enjoyed completing and writing up about this challenge.
Thank you for your time, until next time! ;)
Stay safe and keep hacking!

Biohazard Badge.


A humble sysadmin, cybersecurity freak, metalhead and crazy cat lady.