This is the room description:
Hope I survive it. Let’s kick it off with a NMap Scan.
The Puzzle Begins
I can see the main page, and scrolling a little lower i was able to access another page.
As said in the puzzle, a gunshot was heard and there’s a question:
Where's the room? I viewed the page source and found the answer:
I access the dining room page, open the emblem page, and get back to the dining room page and refresh it. After refreshing the page, an input field shows up.
I paste the generated emblem code and get redirected to another page where I’m told nothing happened.
Hm… ok… I view the page source afterwards and find a base64 encoded text. Decoding it I get the name of another room.
This is inside the tea room.
Reading the text I’m recommended to visit the art room. I visit the art room and check the map. It seems that there are multiple rooms I’ll have to check.
The first thing I visit is the bar room, and i can unlock the door using the lockpick flag.
I unlock the room.
Reading the file it seems that the string is base32 encoded. I copy it and decode it online.
I get redirected to the Secret Bar Room. I access and copy the gold emblem, but here’s the trick, I paste the emblem I found in the Dining Room. Therefore, I get redirected to a page that gives me a name:
rebecca. Something is fishy here…
Going back to the Dining Room i input the the gold emblem there and get what it seems to be a Caesar Cipher but after a little research I realized it was a Vigenere Cipher and the key was rebecca.
I decode it and this is the output:
Accessing the page I received the key.
Dining Room 2F
I’m done with this room. Time to move to the next one. Therefore i access the Dining Room 2F. Viewing the source code of the page I notice a comment that looks like Caesar Cipher.
Decoding it I find out that I have to visit another page.
I visit the first dining room and access the above mention html page. Thus accessing the page i get a new flag.
I survived so far, time to get to the next room:
Tiger Status Room.
I insert the flag I found above into the input field and press submit. This redirects me to another page where I have to decode some strings and combine them.
I guess that’s what i should have found in this room. Let’s get to the next one: gallery room.
Taking a look at the notes I find the second crest. Let’s enter into the Study Room.
Since I don’t have any helmet symbol I’ll get back at it later.
Access the armor room and paste your shield key. Reading the note i come across the 3rd crest.
Let’s get to the attic. Paste the shield key and read the note. I found the 4th crest!
Getting FTP Access
Time to decode the crests(don’t forget we have to combine them):
- Crest 1: base64 -> base32
- Crest 2: base32 -> base58
- Crest 3: base64 -> binary -> hex
- Crest 4: base58 -> hex
The combined text is:
RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==. And the decoded text is:
FTP user: hunter, FTP pass: you_cant_hide_forever.
Logging in FTP I find out the following:
Steganography & Getting Another Key
I downloaded the files.Reading the content of the important text file there is a message from Barry.
The first and the third image has files embedded and the second one has a comment in the EXIF data. The tools used are:
The complete string is:
cGxhbnQ0Ml9jYW5fYmVfZGVzdHJveV93aXRoX3Zqb2x0. The result decoding it is:
plant42_can_be_destroy_with_vjolt. This is the password we can use to decrypt the gpg file.
Back to Study
Since I have the helmet key, I go back to the Study Room and unlock it. Therefore i download the archive and extract its content.
Hoooray! Finally! I have a user. I move to the hidden room:
Hidden Closet Room
Paste the helmet key into the input field and examine the wolf medal.
Yes! Finally! I get to have access to the SSH.
Besides the SSH Pass there is 1 more file which when accessed you might think it’s a Caesar Cipher, but in fact it’s a Vigenere Cipher. Again! But since I don’t have the cipher key, i cannot decrypt it. Yet!
User Access & Flag
I find a text file in a hidden directory. Let’s read it.
I have the key to decrypt the Vigenere Cipher now.
Time to change the user!
Accessing weasker home directory I find a note.
Privilege Escalation & Root Flag
I try to list my sudo privileges, in case there is any, and this was the output:
This means I can run any command as root(umbrella_corp). Let’s grab the root flag!