Biohazard – Try Hack Me

Intro

Biohazard is a room created by Deskel and is rated as medium on the Try Hack Me platform.

This is the room description:

Room description

Hope I survive it. Let’s kick it off with an Nmap scan.

Service Fingerprinting

NMap Scan

The Puzzle Begins

I can see the main page, and scrolling a little lower I was able to access another page.

Main Hall page

As said in the puzzle, a gunshot was heard and there’s a question: Where's the room? I viewed the page source and found the answer: diningRoom.

Answer to the question

I access the dining room page, open the emblem page, and get back to the dining room page and refresh it. After refreshing the page, an input field shows up.

I paste the generated emblem code and get redirected to another page where I’m told nothing happened.

Hm… ok… I view the page source afterwards and find a base64 encoded text. Decoding it I get the name of another room.

Decoding the text

Tea Room

This is inside the tea room.

Tea Room

Reading the text I’m recommended to visit the art room. I visit the art room and check the map. It seems that there are multiple rooms I’ll have to check.

Bar Room

The first thing I visit is the bar room, and I can unlock the door using the lockpick flag.

Bar Room

I unlock the room.

Unlocked Bar Room

Reading the file it seems that the string is base32 encoded. I copy it and decode it online.

Decoded Piano String

I get redirected to the Secret Bar Room. I access and copy the gold emblem, but here’s the trick: I paste the emblem I found in the Dining Room. Therefore, I get redirected to a page that gives me a name: rebecca. Something is fishy here…

Going back to the Dining Room, I input the gold emblem there and get what seems to be a Caesar cipher, but after a little research I realized it was a Vigenere cipher and the key was rebecca.

Emblem Slot Page

I decode it and this is the output:

Decoded Vigenere Cipher
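An added example (not part of the original write-up) of the distinction made above: a Caesar cipher applies one shift to every letter, while a Vigenere cipher cycles through the shifts of its key, so no single Caesar shift recovers the text. The plaintext is a constructed sample, leaving non-letters untouched without consuming a key letter is an assumed convention, and the function names are introduced here.

```python
def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each ASCII letter by the next key letter; other characters pass
    through unchanged and do not advance the key (assumed convention)."""
    shifts = [ord(k) - ord("a") for k in key.lower()]
    out, used = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[used % len(shifts)]
            shift = -shift if decrypt else shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            used += 1
        else:
            out.append(ch)
    return "".join(out)


def caesar_candidates(cipher: str) -> list:
    """All 26 Caesar decryptions (a Caesar cipher is a one-letter Vigenere key)."""
    return [vigenere(cipher, chr(ord("a") + s), decrypt=True) for s in range(26)]


def key_stream(cipher: str, plain: str) -> str:
    """Per-letter shift, written as letters, between a known plaintext and its
    ciphertext: one repeated letter means Caesar, a repeating word means Vigenere."""
    return "".join(
        chr((ord(c.lower()) - ord(p.lower())) % 26 + ord("a"))
        for c, p in zip(cipher, plain)
        if p.isascii() and p.isalpha()
    )


# Constructed sample text, not the message from the room.
SAMPLE_PLAIN = "Constructed sample text, not the message from the room."
SAMPLE_CIPHER = vigenere(SAMPLE_PLAIN, "rebecca")  # key named in the write-up

if __name__ == "__main__":
    print(SAMPLE_CIPHER)
    print(vigenere(SAMPLE_CIPHER, "rebecca", decrypt=True))
    print(key_stream(SAMPLE_CIPHER, SAMPLE_PLAIN))
```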

Accessing the page I received the key.

Shield Key

Dining Room 2F

I’m done with this room. Time to move to the next one. Therefore I access the Dining Room 2F. Viewing the source code of the page I notice a comment that looks like Caesar Cipher.

Dining Room 2F Page Source

Decoding it I find out that I have to visit another page.

Caesar Cipher decoded

I visit the first dining room and access the above-mentioned HTML page. Accessing the page, I get a new flag.

Sapphire Page

Crest Hunting

I survived so far, time to get to the next room: Tiger Status Room.

Tiger Status Room

I insert the flag I found above into the input field and press submit. This redirects me to another page where I have to decode some strings and combine them.

Gem Page

I guess that’s what I should have found in this room. Let’s get to the next one: gallery room.

Gallery Room

Taking a look at the notes I find the second crest. Let’s enter into the Study Room.

Study Room

Since I don’t have any helmet symbol I’ll get back to it later.

Access the armor room and paste your shield key. Reading the note I come across the 3rd crest.

Third Crest

Let’s get to the attic. Paste the shield key and read the note. I found the 4th crest!

Fourth Crest

Getting FTP Access

Time to decode the crests (don’t forget we have to combine them):

  • Crest 1: base64 -> base32
  • Crest 2: base32 -> base58
  • Crest 3: base64 -> binary -> hex
  • Crest 4: base58 -> hex

The combined text is: RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==. And the decoded text is: FTP user: hunter, FTP pass: you_cant_hide_forever.
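The layered decoding listed above, as an added example that is not part of the original write-up. The room's real crest strings are not shown here, so the sample crests are constructed by cutting the combined string into four equal pieces (an assumption) and wrapping each in its listed encodings; `CODECS`, `CHAINS`, `wrap`, `unwrap` and `solve` are names introduced for illustration.

```python
import base64
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> bytes:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    zeros = len(data) - len(data.lstrip(b"\0"))  # leading NULs become '1'
    return (B58[0] * zeros + out).encode()

def b58decode(text: bytes) -> bytes:
    s, n = text.decode().strip(), 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-base58 character
    zeros = len(s) - len(s.lstrip(B58[0]))
    return b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

# name -> (encode, decode); all codecs map bytes to bytes so layers can stack
CODECS = {
    "base64": (base64.b64encode, base64.b64decode),
    "base32": (base64.b32encode, base64.b32decode),
    "base58": (b58encode, b58decode),
    "binary": (lambda d: " ".join(f"{b:08b}" for b in d).encode(),
               lambda t: bytes(int(b, 2) for b in t.split())),
    "hex": (lambda d: d.hex().encode(), lambda t: bytes.fromhex(t.decode())),
}
# Decoding order per crest, exactly as listed in the write-up.
CHAINS = [["base64", "base32"], ["base32", "base58"],
          ["base64", "binary", "hex"], ["base58", "hex"]]

def unwrap(blob: bytes, chain: list) -> bytes:
    for name in chain:
        blob = CODECS[name][1](blob)
    return blob

def wrap(piece: bytes, chain: list) -> bytes:
    for name in reversed(chain):  # inverse of unwrap, builds the sample input
        piece = CODECS[name][0](piece)
    return piece

def solve(crests: list) -> str:
    combined = b"".join(unwrap(c, ch) for c, ch in zip(crests, CHAINS))
    return base64.b64decode(combined).decode()

# Constructed sample crests built from the combined string in the write-up.
COMBINED = b"RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg=="
SAMPLE_CRESTS = [wrap(COMBINED[i * 17:(i + 1) * 17], CHAINS[i]) for i in range(4)]
print(solve(SAMPLE_CRESTS))
```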

Logging in FTP I find out the following:

FTP Access

Steganography & Getting Another Key

I downloaded the files. Reading the content of the important text file there is a message from Barry.

Barry’s Message

The first and the third images have files embedded and the second one has a comment in the EXIF data. The tools used are:

  • Steghide
  • Exiftool
  • Binwalk

The complete string is: cGxhbnQ0Ml9jYW5fYmVfZGVzdHJveV93aXRoX3Zqb2x0. The result of decoding it is: plant42_can_be_destroy_with_vjolt. This is the password we can use to decrypt the gpg file.

Decrypted GPG

Back to Study

Since I have the helmet key, I go back to the Study Room and unlock it. Therefore I download the archive and extract its content.

SSH User

Hoooray! Finally! I have a user. I move to the hidden room: hidden closet.

Hidden Closet Room

Paste the helmet key into the input field and examine the wolf medal.

SSH Pass

Yes! Finally! I get to have access to the SSH.

Besides the SSH Pass there is 1 more file which when accessed you might think it’s a Caesar Cipher, but in fact it’s a Vigenere Cipher. Again! But since I don’t have the cipher key, I cannot decrypt it. Yet!

User Access & Flag

SSH Access

I find a text file in a hidden directory. Let’s read it.

Text from the hidden directory

I have the key to decrypt the Vigenere Cipher now.

Decrypted Cipher

Time to change the user!

Switching to weasker

Accessing weasker home directory I find a note.

Weasker Note

Privilege Escalation & Root Flag

I try to list my sudo privileges, in case there are any, and this was the output:

Sudo Output

This means I can run any command as root (umbrella_corp). Let’s grab the root flag!

Root Flag