Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

BioHazard

As I really like CTF-based challenges, this challenge from TryHackMe.com got my attention.

Description

Welcome to Biohazard room, a puzzle-style CTF. Collecting the item, solving the puzzle and escaping the nightmare is your top priority. Can you survive until the end?

Enumeration

As always I start with an nmap portscan.

# open ports:

  • 21 [vsFTPd, version 3.0.3 – no anonymous login enabled]
  • 22 [OpenSSH, version 7.6p1]
  • 80 [Apache, version 2.4.29]

Let's start with the webserver, as the other two services need credentials.

The Mansion

First stop is the front of a spooky mansion.

Nothing in the source code, but there is a link to another page: /mansionmain/

In the source code there is a comment on where to go next.

There is a link on the page and a comment in the source code.

The link lets you take an emblem.

When refreshing the page there is an input field where you can enter a flag. But nothing happens (not my words, but the words shown on screen).

The tea room shows a nice picture.

On this page there is a link (lockpick) to another flag and a reference to another page, the artRoom.

Nothing in the source code, but another link on the page. It leads to a list of possible rooms (a map, as noted on the page). Let's put this in a file for safekeeping.

To swiftly go through all the rooms, I use curl to do the manual labor.

Looks like there are some interesting things in the rooms. A quick glance shows a comment and a file to examine.

Starting with the barRoom. There is an input field which needs a lockpick flag. When entering the lockpick flag, I get another view.

A link to a note appears, something I already knew from the curl output. The note has a string in it.

Which looks like base32.

Entering this flag into the input field leads me to /barRoomHidden.php

On this page is a link which gives another emblem/flag.

But when entering this emblem into the input field I get another 'nothing happens on the page'. When putting in the other emblem I get a string, which looks like a username: rebecca

With this new emblem I’m going back to the dining room and enter the gold emblem into the input field.

Looks like a rotation cipher. But after some tries I figured out that it was a Vigenere cipher and the key was rebecca. The Vigenere cipher is a poly-alphabetic substitution system that uses a key and a double-entry table.

On to the next room.

The dining room on the second floor has an interesting comment.

Which looks like another form of rotation cipher. When using ROT13 decipher I get the string in plain text.

Visiting it gives another flag.

In the Tiger statue room there is an input field which takes the previous flag.

After decoding base64, then base32, and another round of base64 I get: FTP user:

Let’s hunt for the other missing chests.

The gallery holds a note with another crest.

The attic needs the shield key from before….

and contains a note with crest 4.

The armor room also needed the shield key.

And contains a note with crest number 3:

Time to combine my findings.

Crest 1: S0pXRkVVS0pKQkxIVVdTWUpFM0VTUlk9
After a round of base64 > base32 I get: RlRQIHVzZXI6IG
Crest 2: GVFWK5KHK5WTGTCILE4DKY3DNN4GQQRTM5AVCTKE
After a round of base32 > base58 I get: h1bnRlciwgRlRQIHBh
Crest 3: MDAxMTAxMTAgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAxMDAgMDExMDAxMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMTEgMDAxMDAwMDAgMDAxMTAxMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMDEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTEwMDA
After a round of base64 > binary > hex I get: c3M6IHlvdV9jYW50X2h
Crest 4: gSUERauVpvKzRpyPpuYz66JDmRTbJubaoArM6CAQsnVwte6zF9J4GGYyun3k5qM9ma4s
After a round of base58 > hex I get: pZGVfZm9yZXZlcg==

That combined gets me this string: RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==

Which, base64 decoded, is the answer to the next phase:

FTP user: hunter, FTP pass: you_cant_hide_forever
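As an added example (not code from the original post), the four decoding chains above reproduced in Python so the whole crest puzzle can be replayed offline. The crest strings are the ones quoted on the page; two details the post does not spell out are assumptions: base58 uses the Bitcoin alphabet (CyberChef's default) and the intermediate hex output is byte pairs separated by spaces.

```python
import base64
import re

# Bitcoin/IPFS base58 alphabet (assumption: the CTF used CyberChef's default); the
# standard library has no base58 codec, so a minimal decoder is included below.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# The four crest strings exactly as quoted in the walkthrough.
CRESTS = {
    1: "S0pXRkVVS0pKQkxIVVdTWUpFM0VTUlk9",
    2: "GVFWK5KHK5WTGTCILE4DKY3DNN4GQQRTM5AVCTKE",
    3: "MDAxMTAxMTAgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAxMDAgMDExMDAxMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMTEgMDAxMDAwMDAgMDAxMTAxMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMDEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTEwMDA",
    4: "gSUERauVpvKzRpyPpuYz66JDmRTbJubaoArM6CAQsnVwte6zF9J4GGYyun3k5qM9ma4s",
}

def b58decode(text: str) -> bytes:
    """Base58 (Bitcoin alphabet) to bytes; treats the string as one big-endian integer."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)      # ValueError on a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    zeros = len(text) - len(text.lstrip("1"))     # each leading '1' encodes a leading 0x00 byte
    return b"\x00" * zeros + body

def b64decode_padded(text: str) -> bytes:
    """base64 decode that restores stripped '=' padding (crest 3 as quoted lacks it)."""
    return base64.b64decode(text + "=" * (-len(text) % 4))

def hex_to_text(hex_text: str) -> str:
    """Hex decode after dropping whatever delimiter sits between the byte pairs (assumed spaces)."""
    return bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", hex_text)).decode()

def decode_crest(number: int, data: str) -> str:
    """Apply the chain the walkthrough lists for the given crest and return the base64 fragment."""
    if number == 1:                                   # base64 > base32
        return base64.b32decode(b64decode_padded(data)).decode()
    if number == 2:                                   # base32 > base58
        return b58decode(base64.b32decode(data).decode()).decode()
    if number == 3:                                   # base64 > binary > hex
        groups = b64decode_padded(data).decode().split()        # "00110110 00110011 ..."
        return hex_to_text("".join(chr(int(g, 2)) for g in groups))
    if number == 4:                                   # base58 > hex
        return hex_to_text(b58decode(data).decode())
    raise ValueError(f"unknown crest {number}")

def recover_credentials(crests: dict = CRESTS) -> tuple[str, str]:
    """Concatenate the four fragments in crest order and base64-decode the result."""
    combined = "".join(decode_crest(n, crests[n]) for n in sorted(crests))
    return combined, base64.b64decode(combined).decode()

if __name__ == "__main__":
    combined, plain = recover_credentials()
    print(combined)
    print(plain)
```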

The guard house

To move to the next phase I can access the FTP server with the found credentials.

In the FTP folder there are several files.

After downloading these files, I start with the text file.

As the helmet key is encrypted, I need to find the keys. So the jpg files are up for inspection.

Looks like file 2 and 3 have a comment.

The first key picture had a hidden text file.

The second picture had a string in the EXIF data.

And the third picture had a zip file containing a text file.

After combining the 3 strings I got:

And with this we can decrypt the GPG file.

Time to revisit the mansion.

The mansion part deux

First room to visit is the study room.

There is a link to a tarball, which I download. The second stop is the hidden closet.

Here there are two links.

MO_disk.txt

Wolf_medal.txt

The string I can't decrypt for now, because I don't have the key. So extracting the tarball is the next step.

With this I can go to the next part.

Underground laboratory

When looking in my home folder I saw this file.

My first hunch about that encrypted string was correct as this is the missing key.

The final part.

Wow... that was a long run with a lot of turns. A big round of applause for the creator DesKel, as this was a lot of work to set up.
