6 July 2022

Pentesting Fun Stuff

following the cyber security path…

BioHazard

As I really like CTF based challenges, this challenge from TryHackMe.com got my attention.

Description

Welcome to Biohazard room, a puzzle-style CTF. Collecting the item, solving the puzzle and escaping the nightmare is your top priority. Can you survive until the end?

Enumeration

As always I start with an nmap portscan.

root@lab:~/THM/biohazard# nmap -T4 -sS -sV -sC -p 21,22,80  biohazard 
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 09:49 CEST
Nmap scan report for biohazard (10.10.71.93)
Host is up (0.033s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c9:03:aa:aa:ea:a9:f1:f4:09:79:c0:47:41:16:f1:9b (RSA)
|   256 2e:1d:83:11:65:03:b4:78:e9:6d:94:d1:3b:db:f4:d6 (ECDSA)
|_  256 91:3d:e4:4f:ab:aa:e2:9e:44:af:d3:57:86:70:bc:39 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Beginning of the end
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.86 seconds

# open ports:

  • 21 [openSSH, version 7.6p1]
  • 22 [vsFTPd, version 3.0.3 – no anon enabled]
  • 80 [Apache, version 2.4.29]

Lets start with the webserver as the other two protocols need credentials.

The Mansion

First stop is the front of a spooky mansion.

Nothing in the source code, but there is a link to another page: /mansionmain/

In the source code there is a comment on where to go next.

<!-- It is in the /diningRoom/ -->

There is a link on the page and a comment in the source code.

<!-- SG93IGFib3V0IHRoZSAvdGVhUm9vbS8= -->
root@lab:~/THM/biohazard# echo 'SG93IGFib3V0IHRoZSAvdGVhUm9vbS8=' | base64 -d
How about the /teaRoom/

The link let you take an emblem.

emblem{fec832623ea498e20bf4fe1821d58727}

Look like you can put something on the emblem slot, refresh /diningRoom/

When refreshing the page there is an input field where you can enter a flag. But nothing happens (not my words…..but words on screen.).

The tea room shows a nice picture.

On this page there is a link (lockpick) to another flag and a reference to another page, the artRoom.

Nothing in the source code, but another link on the page. It leads to a list of possible rooms (a map as noted on the page). Let’s put this in a file for save keeping.

root@lab:~/THM/biohazard# echo '/diningRoom/
> /teaRoom/
> /artRoom/
> /barRoom/
> /diningRoom2F/
> /tigerStatusRoom/
> /galleryRoom/
> /studyRoom/
> /armorRoom/
> /attic/' > map.txt

To swiftly go though all the rooms, I use curl to do the manual labor.

root@lab:~/THM/biohazard# for i in $(cat map.txt); do curl -s http://biohazard$i && echo -e '---------------------------------------\n'; done
<html>
        <head>
                <title>Dining room</title>
                <h1 align="center">Dining room</h1>
        </head>

        <body>
        	<img alt="diningroom" src="../images/maxresdefault.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>

        	<p>After reaching the room, Jill and Barry started their investigation</p>
		<p>Blood stein can be found near the fireplace. Hope it is not belong to Chris.</p>
		<p>After a short investigation with barry, Jill can't find any empty shell. Maybe another room?</p>
		<!-- SG93IGFib3V0IHRoZSAvdGVhUm9vbS8= -->
        </body>

	There is an emblem slot on the wall, put the emblem?			<form action="emblem_slot.php" method="POST">
			<input type="text" name="emblem_slot" col="100" placeholder="Input flag"><br>
			<input type="submit" value="submit">
			</form>
	
</html>



---------------------------------------

<html>
	<head>
		<title> Tea Room </title>
		<h1 align="center">The nightmare begin</h1>
	</head>
	<body>
	<img alt="zombie" src="../images/reheader.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
	
	<p>What the freak is this! This doesn't look like a human.</p>
	<p>The undead walk toward Jill. Without wasting much time, Jill fire at least 6 shots to kill that thing</p>
	<p>In addition, there is a body without a head laying down the floor</p>
	<p>After the investigation, the body belong to kenneth from Bravo team. What happened here?</p>
	<p>After a jiff, Barry broke into the room and found out the truth. In addition, Barry give Jill a <a href="master_of_unlock.html">Lockpick</a>.
	<p>Barry also suggested that Jill should visit the /artRoom/</p> 
	</body>
</html>
---------------------------------------

<html>
        <head>
                <title>Art room</title>
                <h1 align="center">Art room</h1>
        </head>

        <body>
        <img alt="Art room" src="../images/25-image21.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>

	<p> A number of painting and a sculpture can be found inside the room</p>
	<p><b> There is a paper stick on the wall, Investigate it?</b>   <a href="MansionMap.html">YES</a> </p>

       
        </body>

</html>

---------------------------------------

<html>
        <head>
                <title>Bar room entrance</title>
                <h1 align="center">Bar room entrance</h1>
        </head>

        <body>
        <img alt="door" src="../images/16-Image33-1.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>

        <p>Look like the door has been locked</p>
	<p>It can be open by a <b>lockpick</b> </p>
	<form action=unlock_door.php method="POST">
		<input type="text" col="100" name="door_flag" placeholder="Enter flag"/>
		<input type="submit" value="submit"/>
	</form>
        </body>

</html>

---------------------------------------

<html>
        <head>
                <title>Dining room 2F</title>
                <h1 align="center">Dining room 2F</h1>
        </head>

        <body>
        <img alt="dining room 2F" src="../images/Vlcsnap-2015-01-26-08h54m37s183.png" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>

	<p>Once Jill reach the room, she saw a tall status with a shiining blue gem on top of it. However, she can't reach it</p>
	<!-- Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy -->       
        </body>

</html>



---------------------------------------

<html>
        <head>
                <title>Tiger status room</title>
                <h1 align="center">Tiger status room</h1>
        </head>

        <body>
        <img alt="tiger status" src="../images/maxresdefault.jpg.2" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>

        <p>You reached a small room with a tiger status</p>
	<p>Look like you can put a gem on the tiger's eye</p>
	<form action="gem.php" method="POST">
		<input type="text" col="100" name="gem" placeholder="Enter flag"/>
		<input type="submit" value="submit"/>
	</form>
        </body>

</html>



---------------------------------------

<html>
        <head>
                <title>Gallery room</title>
                <h1 align="center">Gallerty</h1>
        </head>

        <body>
        <img alt="mansion_front" src="../images/maxresdefault.jpg.3" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>

        <p>Upon Jill walk into the room, she saw a bunch of gallery and zombie crow in the room</p>
	<p>Nothing is interesting, expect the note on the wall</p>
	<p><b>Examine the note?<b>   <a href="note.txt">EXAMINE</a></p>
        </body>

</html>



---------------------------------------

<html>
        <head>
                <title>Study room entrance</title>
                <h1 align="center">Study room entrance</h1>
        </head>

        <body>
        <img alt="door" src="../images/16-Image33-1.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>

        <p>Look like the door has been locked</p>
	<p>A <b>helmet symbol</b> is embedded on the door </p>
	<form action=unlock_door.php method="POST">
		<input type="text" col="100" name="door_flag" placeholder="Enter flag"/>
		<input type="submit" value="submit"/>
	</form>
        </body>

</html>


---------------------------------------

<html>
        <head>
                <title>Armor room entrance</title>
                <h1 align="center">Armor room entrance</h1>
        </head>

        <body>
        <img alt="door" src="../images/16-Image33-1.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>

        <p>Look like the door has been locked</p>
	<p>A <b>shield symbol</b> is embedded on the door </p>
	<form action=unlock_door.php method="POST">
		<input type="text" col="100" name="door_flag" placeholder="Enter flag"/>
		<input type="submit" value="submit"/>
	</form>
        </body>

</html>



---------------------------------------

<html>
        <head>
                <title>Attic entrance</title>
                <h1 align="center">Attic entrance</h1>
        </head>

        <body>
        <img alt="door" src="../images/16-Image33-1.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>

        <p>Look like the door has been locked</p>
	<p>A <b>shield symbol</b> is embedded on the door </p>
	<form action=unlock_door.php method="POST">
		<input type="text" col="100" name="door_flag" placeholder="Enter flag"/>
		<input type="submit" value="submit"/>
	</form>
        </body>

</html>




---------------------------------------

Looks like there are some interesting things in the rooms. A quick glance shows a comment and a file to examine.

Starting with the barRoom. There is an input field which needs a lockpick flag. When entering the lockpick flag, I get another view.

A link to a note appears…..something I already knew from the curl output. The note has a string in it.

Look like a music note
NV2XG2LDL5ZWQZLFOR5TGNRSMQ3TEZDFMFTDMNLGGVRGIYZWGNSGCZLDMU3GCMLGGY3TMZL5

Which looks like base32.

music_sheet{362d72deaf65f5bdc63daece6a1f676e}

Entering this flag into the input field leads me to /barRoomHidden.php

On this page is a link which gives another emblem/flag.

gold_emblem{58a8c41a9d08b8a4e38d02a4d7ff4843}

Look like you can put something on the emblem slot, refresh the previous page

But when entering this emblem into the input field I get another ‘nothing happens on the page’.When putting in the other emblem I get a string, which looks like an username: rebecca

With this new emblem I’m going back to the dining room and enter the gold emblem into the input field.

klfvg ks r wimgnd biz mpuiui ulg fiemok tqod. Xii jvmc tbkg ks tempgf tyi_hvgct_jljinf_kvc

Looks like a rotation cipher. But after some tries I figured out that it was Vigenere cipher and the key was rebecca. Vigenere cipher is a poly-alphabetic substitution system that use a key and a double-entry table.

there is a shield key inside the dining room. The html page is called the_great_shield_key
shield_key{48a7a9227cd7eb89f0a062590798cbac}

On to the next room.

The dining room on the second floor has an interesting comment.

<!-- Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy -->

Which looks like another form of rotation cipher. When using ROT13 decipher I get the string in plain text.

You get the blue gem by pushing the status to the lower floor. The gem is on the diningRoom first floor. Visit sapphire.html

Visiting give another flag.

In the Tiger status room there is an input field which takes the previous flag.

crest 1:
S0pXRkVVS0pKQkxIVVdTWUpFM0VTUlk9
Hint 1: Crest 1 has been encoded twice
Hint 2: Crest 1 contanis 14 letters
Note: You need to collect all 4 crests, combine and decode to reavel another path
The combination should be crest 1 + crest 2 + crest 3 + crest 4. Also, the combination is a type of encoded base and you need to decode it

After some decoding base64, base32 and another round of base64 I get: FTP user:

Let’s hunt for the other missing chests.

The gallery holds a note with another crest.

crest 2:
GVFWK5KHK5WTGTCILE4DKY3DNN4GQQRTM5AVCTKE
Hint 1: Crest 2 has been encoded twice
Hint 2: Crest 2 contanis 18 letters
Note: You need to collect all 4 crests, combine and decode to reavel another path
The combination should be crest 1 + crest 2 + crest 3 + crest 4. Also, the combination is a type of encoded base and you need to decode it

The attic needs the shield key from before….

and contains a note with crest 4.

crest 4:
gSUERauVpvKzRpyPpuYz66JDmRTbJubaoArM6CAQsnVwte6zF9J4GGYyun3k5qM9ma4s
Hint 1: Crest 2 has been encoded twice
Hint 2: Crest 2 contanis 17 characters
Note: You need to collect all 4 crests, combine and decode to reavel another path
The combination should be crest 1 + crest 2 + crest 3 + crest 4. Also, the combination is a type of encoded base and you need to decode it

The armor room also needed the shield key.

And contains a note with crest number 3:

crest 3:
MDAxMTAxMTAgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAxMDAgMDExMDAxMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMTEgMDAxMDAwMDAgMDAxMTAxMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMDEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTEwMDA=
Hint 1: Crest 3 has been encoded three times
Hint 2: Crest 3 contanis 19 letters
Note: You need to collect all 4 crests, combine and decode to reavel another path
The combination should be crest 1 + crest 2 + crest 3 + crest 4. Also, the combination is a type of encoded base and you need to decode it

Time to combine my findings.

Crest 1: S0pXRkVVS0pKQkxIVVdTWUpFM0VTUlk9
After a round of base64 > base32 I get: RlRQIHVzZXI6IG
Crest 2: GVFWK5KHK5WTGTCILE4DKY3DNN4GQQRTM5AVCTKE
After a round of base32 > base 58 I get: h1bnRlciwgRlRQIHBh
Crest 3: MDAxMTAxMTAgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAxMDAgMDExMDAxMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMTEgMDAxMDAwMDAgMDAxMTAxMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMDEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTEwMDA
After a round of base64 > binary > hex I get: c3M6IHlvdV9jYW50X2h
Crest 4: gSUERauVpvKzRpyPpuYz66JDmRTbJubaoArM6CAQsnVwte6zF9J4GGYyun3k5qM9ma4s
After a round of base58 > hex  I get: pZGVfZm9yZXZlcg==

That combined gets me this string: RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==

Which base64 decoded is the answer to the next fase:

FTP user: hunter, FTP pass: you_cant_hide_forever

The guard house

To move to the next phase I can access the FTP server with the found credentials.

root@lab:~/THM/biohazard# ftp
ftp> open biohazard
Connected to biohazard.
220 (vsFTPd 3.0.3)
Name (biohazard:root): hunter
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

In the FTP folder there are several files.

-rw-r--r--    1 0        0            7994 Sep 19 06:01 001-key.jpg
-rw-r--r--    1 0        0            2210 Sep 19 06:08 002-key.jpg
-rw-r--r--    1 0        0            2146 Sep 19 06:19 003-key.jpg
-rw-r--r--    1 0        0             121 Sep 19 05:54 helmet_key.txt.gpg
-rw-r--r--    1 0        0             170 Sep 20 04:29 important.txt

After downloading these files, I start with the text file.

root@lab:~/THM/biohazard# cat important.txt 
Jill,

I think the helmet key is inside the text file, but I have no clue on decrypting stuff. Also, I come across a /hidden_closet/ door but it was locked.

From,
Barry
root@lab:~/THM/biohazard# file helmet_key.txt.gpg 
helmet_key.txt.gpg: GPG symmetrically encrypted data (AES256 cipher)

As the helmet key is encrypted I need to find the keys. So, the jpg files are up for inspection.

root@lab:~/THM/biohazard/ftp# for i in $(ls | \grep jpg); do exiftool $i && echo -e '\n--------------------------------------\n'; done
ExifTool Version Number         : 11.65
File Name                       : 001-key.jpg
Directory                       : .
File Size                       : 7.8 kB
File Modification Date/Time     : 2019:09:23 12:12:33+02:00
File Access Date/Time           : 2019:09:23 12:17:10+02:00
File Inode Change Date/Time     : 2019:09:23 12:19:28+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Image Width                     : 400
Image Height                    : 320
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 400x320
Megapixels                      : 0.128

--------------------------------------

ExifTool Version Number         : 11.65
File Name                       : 002-key.jpg
Directory                       : .
File Size                       : 2.2 kB
File Modification Date/Time     : 2019:09:23 12:12:43+02:00
File Access Date/Time           : 2019:09:23 12:17:16+02:00
File Inode Change Date/Time     : 2019:09:23 12:19:28+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Comment                         : 5fYmVfZGVzdHJveV9
Image Width                     : 100
Image Height                    : 80
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 100x80
Megapixels                      : 0.008

--------------------------------------

ExifTool Version Number         : 11.65
File Name                       : 003-key.jpg
Directory                       : .
File Size                       : 2.1 kB
File Modification Date/Time     : 2019:09:23 12:12:50+02:00
File Access Date/Time           : 2019:09:23 12:17:21+02:00
File Inode Change Date/Time     : 2019:09:23 12:19:28+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Comment                         : Compressed by jpeg-recompress
Image Width                     : 100
Image Height                    : 80
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 100x80
Megapixels                      : 0.008

--------------------------------------

Looks like file 2 and 3 have a comment.

The first key picture had a hidden text file.

root@lab:~/THM/biohazard/ftp# steghide extract -sf 001-key.jpg 
Enter passphrase: 
wrote extracted data to "key-001.txt".
root@lab:~/THM/biohazard/ftp# cat key-001.txt 
cGxhbnQ0Ml9jYW

The second picture had a string in the EXIF data.

And the third picture had a zip file containing a text file.

root@lab:~/THM/biohazard/ftp# binwalk -e 003-key.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
1930          0x78A           Zip archive data, at least v2.0 to extract, uncompressed size: 14, name: key-003.txt
2124          0x84C           End of Zip archive, footer length: 22

root@lab:~/THM/biohazard/ftp# ls
001-key.jpg  002-key.jpg  003-key.jpg  _003-key.jpg.extracted  helmet_key.txt.gpg  important.txt  key-001.txt
root@lab:~/THM/biohazard/ftp# cat _003-key.jpg.extracted/
78A.zip      key-003.txt  
root@lab:~/THM/biohazard/ftp# cat _003-key.jpg.extracted/key-003.txt 
3aXRoX3Zqb2x0

After combining the 3 strings I got:

root@lab:~/THM/biohazard/ftp# echo 'cGxhbnQ0Ml9jYW5fYmVfZGVzdHJveV93aXRoX3Zqb2x0' | base64 -d
plant42_can_be_destroy_with_vjolt

And with this we can decrypt the GPG file.

root@lab:~/THM/biohazard/ftp# gpg -d helmet_key.txt.gpg 
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
helmet_key{458493193501d2b94bbab2e727f8db4b}

Time to revisit the mansion.

The mansion part deux

First room to visit is the study room.

There is a link to a tarball, which I download. The second stop is the hidden closet.

Here there are two links.

MO_disk.txt

wpbwbxr wpkzg pltwnhro, txrks_xfqsxrd_bvv_fy_rvmexa_ajk

Wolf_medal.txt

SSH password: T_virus_rules

The string I can’t decrypt for now, because I don’t have the key. So extracting the tarball is the next step.

root@lab:~/THM/biohazard# tar -xzvf doom.tar.gz 
eagle_medal.txt
root@lab:~/THM/biohazard# cat eagle_medal.txt 
SSH user: umbrella_guest

With this I can go to the next part.

underground laboratory

root@lab:~/THM/biohazard# ssh umbrella_guest@biohazard
umbrella_guest@biohazard's password: 
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

320 packages can be updated.
58 updates are security updates.

Last login: Fri Sep 20 03:25:46 2019 from 127.0.0.1
umbrella_guest@umbrella_corp:~$ id
uid=1001(umbrella_guest) gid=1001(umbrella) groups=1001(umbrella)

When looking in my home folder I saw this file.

umbrella_guest@umbrella_corp:~/.jailcell$ cat chris.txt 
Jill: Chris, is that you?
Chris: Jill, you finally come. I was locked in the Jail cell for a while. It seem that weasker is behind all this.
Jil, What? Weasker? He is the traitor?
Chris: Yes, Jill. Unfortunately, he play us like a damn fiddle.
Jill: Let's get out of here first, I have contact brad for helicopter support.
Chris: Thanks Jill, here, take this MO Disk 2 with you. It look like the key to decipher something.
Jill: Alright, I will deal with him later.
Chris: see ya.

MO disk 2: albert

My first hunch about that encrypted string was correct as this is the missing key.

weasker login password, stars_members_are_my_guinea_pig

The final part.

umbrella_guest@umbrella_corp:~/.jailcell$ su weasker
Password: 
weasker@umbrella_corp:/home/umbrella_guest/.jailcell$ cd
weasker@umbrella_corp:~$ ls -lah
total 80K
drwxr-xr-x  9 weasker weasker 4.0K Sep 20 06:36 .
drwxr-xr-x  5 root    root    4.0K Sep 20 03:24 ..
-rw-------  1 weasker weasker   18 Sep 20 06:36 .bash_history
-rw-r--r--  1 weasker weasker  220 Sep 18 23:40 .bash_logout
-rw-r--r--  1 weasker weasker 3.7K Sep 18 23:40 .bashrc
drwxrwxr-x 10 weasker weasker 4.0K Sep 20 06:35 .cache
drwxr-xr-x 11 weasker weasker 4.0K Sep 20 03:01 .config
drwxr-xr-x  2 weasker weasker 4.0K Sep 19 03:27 Desktop
drwx------  3 weasker weasker 4.0K Sep 19 03:27 .gnupg
-rw-------  1 weasker weasker  346 Sep 20 06:36 .ICEauthority
drwxr-xr-x  3 weasker weasker 4.0K Sep 19 03:27 .local
drwx------  5 weasker weasker 4.0K Sep 19 05:06 .mozilla
-rw-r--r--  1 weasker weasker  807 Sep 18 23:40 .profile
drwx------  2 weasker weasker 4.0K Sep 19 05:17 .ssh
-rw-r--r--  1 weasker weasker    0 Sep 20 04:27 .sudo_as_admin_successful
-rw-r--r--  1 root    root     534 Sep 20 06:31 weasker_note.txt
-rw-------  1 weasker weasker  109 Sep 20 06:36 .Xauthority
-rw-------  1 weasker weasker 5.5K Sep 20 06:36 .xsession-errors
-rw-------  1 weasker weasker 6.6K Sep 20 06:33 .xsession-errors.old
weasker@umbrella_corp:~$ id
uid=1000(weasker) gid=1000(weasker) groups=1000(weasker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),126(sambashare)
weasker@umbrella_corp:~$ sudo -l
[sudo] password for weasker: 
Matching Defaults entries for weasker on umbrella_corp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User weasker may run the following commands on umbrella_corp:
    (ALL : ALL) ALL
weasker@umbrella_corp:~$ sudo su -
root@umbrella_corp:~#
root@umbrella_corp:~# cat /home/weasker/weasker_note.txt 
Weaker: Finally, you are here, Jill.
Jill: Weasker! stop it, You are destroying the  mankind.
Weasker: Destroying the mankind? How about creating a 'new' mankind. A world, only the strong can survive.
Jill: This is insane.
Weasker: Let me show you the ultimate lifeform, the Tyrant.

(Tyrant jump out and kill Weasker instantly)
(Jill able to stun the tyrant will a few powerful magnum round)

Alarm: Warning! warning! Self-detruct sequence has been activated. All personal, please evacuate immediately. (Repeat)
Jill: Poor bastard


root@umbrella_corp:~# cat root.txt 
In the state of emergency, Jill, Barry and Chris are reaching the helipad and awaiting for the helicopter support.

Suddenly, the Tyrant jump out from nowhere. After a tough fight, brad, throw a rocket launcher on the helipad. Without thinking twice, Jill pick up the launcher and fire at the Tyrant.

The Tyrant shredded into pieces and the Mansion was blowed. The survivor able to escape with the helicopter and prepare for their next fight.

The End

flag: 3c5794a00dc56c35f2bf096571edf3bf

Wow…..that was a long run with a lot of turns. A big round of applause for the creator DesKel as this was a lot of work setting up.

 

 

 

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.