BioHazard

As I really like CTF based challenges, this challenge from TryHackMe.com got my attention.
Description
Welcome to Biohazard room, a puzzle-style CTF. Collecting the item, solving the puzzle and escaping the nightmare is your top priority. Can you survive until the end?
Enumeration
As always I start with an nmap portscan.
    root@lab:~/THM/biohazard# nmap -T4 -sS -sV -sC -p 21,22,80 biohazard
    Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-23 09:49 CEST
    Nmap scan report for biohazard (10.10.71.93)
    Host is up (0.033s latency).

    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 c9:03:aa:aa:ea:a9:f1:f4:09:79:c0:47:41:16:f1:9b (RSA)
    |   256 2e:1d:83:11:65:03:b4:78:e9:6d:94:d1:3b:db:f4:d6 (ECDSA)
    |_  256 91:3d:e4:4f:ab:aa:e2:9e:44:af:d3:57:86:70:bc:39 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Beginning of the end
    Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 9.86 seconds
# open ports:
- 21 [vsFTPd, version 3.0.3 – no anon enabled]
- 22 [OpenSSH, version 7.6p1]
- 80 [Apache, version 2.4.29]
Let's start with the webserver, as the other two protocols need credentials.
The Mansion
First stop is the front of a spooky mansion.
Nothing in the source code, but there is a link to another page: /mansionmain/
In the source code there is a comment on where to go next.
<!-- It is in the /diningRoom/ -->
There is a link on the page and a comment in the source code.
<!-- SG93IGFib3V0IHRoZSAvdGVhUm9vbS8= -->
    root@lab:~/THM/biohazard# echo 'SG93IGFib3V0IHRoZSAvdGVhUm9vbS8=' | base64 -d
    How about the /teaRoom/
The link lets you take an emblem.
    emblem{fec832623ea498e20bf4fe1821d58727}
    Look like you can put something on the emblem slot, refresh /diningRoom/
When refreshing the page there is an input field where you can enter a flag. But nothing happens (not my words…..but words on screen.).
The tea room shows a nice picture.
On this page there is a link (lockpick) to another flag and a reference to another page, the artRoom.
Nothing in the source code, but another link on the page. It leads to a list of possible rooms (a map as noted on the page). Let’s put this in a file for safekeeping.
root@lab:~/THM/biohazard# echo '/diningRoom/ > /teaRoom/ > /artRoom/ > /barRoom/ > /diningRoom2F/ > /tigerStatusRoom/ > /galleryRoom/ > /studyRoom/ > /armorRoom/ > /attic/' > map.txt
To swiftly go through all the rooms, I use curl to do the manual labor.
    root@lab:~/THM/biohazard# for i in $(cat map.txt); do curl -s http://biohazard$i && echo -e '---------------------------------------\n'; done
    <html>
    <head>
    <title>Dining room</title>
    <h1 align="center">Dining room</h1>
    </head>
    <body>
    <img alt="diningroom" src="../images/maxresdefault.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
    <p>After reaching the room, Jill and Barry started their investigation</p>
    <p>Blood stein can be found near the fireplace. Hope it is not belong to Chris.</p>
    <p>After a short investigation with barry, Jill can't find any empty shell. Maybe another room?</p>
    <!-- SG93IGFib3V0IHRoZSAvdGVhUm9vbS8= -->
    </body>
    There is an emblem slot on the wall, put the emblem?
    <form action="emblem_slot.php" method="POST">
    <input type="text" name="emblem_slot" col="100" placeholder="Input flag"><br>
    <input type="submit" value="submit">
    </form>
    </html>
    ---------------------------------------

    <html>
    <head>
    <title> Tea Room </title>
    <h1 align="center">The nightmare begin</h1>
    </head>
    <body>
    <img alt="zombie" src="../images/reheader.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
    <p>What the freak is this! This doesn't look like a human.</p>
    <p>The undead walk toward Jill. Without wasting much time, Jill fire at least 6 shots to kill that thing</p>
    <p>In addition, there is a body without a head laying down the floor</p>
    <p>After the investigation, the body belong to kenneth from Bravo team. What happened here?</p>
    <p>After a jiff, Barry broke into the room and found out the truth. In addition, Barry give Jill a <a href="master_of_unlock.html">Lockpick</a>.
    <p>Barry also suggested that Jill should visit the /artRoom/</p>
    </body>
    </html>
    ---------------------------------------

    <html>
    <head>
    <title>Art room</title>
    <h1 align="center">Art room</h1>
    </head>
    <body>
    <img alt="Art room" src="../images/25-image21.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
    <p> A number of painting and a sculpture can be found inside the room</p>
    <p><b> There is a paper stick on the wall, Investigate it?</b> <a href="MansionMap.html">YES</a> </p>
    </body>
    </html>
    ---------------------------------------

    <html>
    <head>
    <title>Bar room entrance</title>
    <h1 align="center">Bar room entrance</h1>
    </head>
    <body>
    <img alt="door" src="../images/16-Image33-1.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
    <p>Look like the door has been locked</p>
    <p>It can be open by a <b>lockpick</b> </p>
    <form action=unlock_door.php method="POST">
    <input type="text" col="100" name="door_flag" placeholder="Enter flag"/>
    <input type="submit" value="submit"/>
    </form>
    </body>
    </html>
    ---------------------------------------

    <html>
    <head>
    <title>Dining room 2F</title>
    <h1 align="center">Dining room 2F</h1>
    </head>
    <body>
    <img alt="dining room 2F" src="../images/Vlcsnap-2015-01-26-08h54m37s183.png" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
    <p>Once Jill reach the room, she saw a tall status with a shiining blue gem on top of it. However, she can't reach it</p>
    <!-- Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy -->
    </body>
    </html>
    ---------------------------------------

    <html>
    <head>
    <title>Tiger status room</title>
    <h1 align="center">Tiger status room</h1>
    </head>
    <body>
    <img alt="tiger status" src="../images/maxresdefault.jpg.2" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
    <p>You reached a small room with a tiger status</p>
    <p>Look like you can put a gem on the tiger's eye</p>
    <form action="gem.php" method="POST">
    <input type="text" col="100" name="gem" placeholder="Enter flag"/>
    <input type="submit" value="submit"/>
    </form>
    </body>
    </html>
    ---------------------------------------

    <html>
    <head>
    <title>Gallery room</title>
    <h1 align="center">Gallerty</h1>
    </head>
    <body>
    <img alt="mansion_front" src="../images/maxresdefault.jpg.3" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
    <p>Upon Jill walk into the room, she saw a bunch of gallery and zombie crow in the room</p>
    <p>Nothing is interesting, expect the note on the wall</p>
    <p><b>Examine the note?<b> <a href="note.txt">EXAMINE</a></p>
    </body>
    </html>
    ---------------------------------------

    <html>
    <head>
    <title>Study room entrance</title>
    <h1 align="center">Study room entrance</h1>
    </head>
    <body>
    <img alt="door" src="../images/16-Image33-1.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
    <p>Look like the door has been locked</p>
    <p>A <b>helmet symbol</b> is embedded on the door </p>
    <form action=unlock_door.php method="POST">
    <input type="text" col="100" name="door_flag" placeholder="Enter flag"/>
    <input type="submit" value="submit"/>
    </form>
    </body>
    </html>
    ---------------------------------------

    <html>
    <head>
    <title>Armor room entrance</title>
    <h1 align="center">Armor room entrance</h1>
    </head>
    <body>
    <img alt="door" src="../images/16-Image33-1.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
    <p>Look like the door has been locked</p>
    <p>A <b>shield symbol</b> is embedded on the door </p>
    <form action=unlock_door.php method="POST">
    <input type="text" col="100" name="door_flag" placeholder="Enter flag"/>
    <input type="submit" value="submit"/>
    </form>
    </body>
    </html>
    ---------------------------------------

    <html>
    <head>
    <title>Attic entrance</title>
    <h1 align="center">Attic entrance</h1>
    </head>
    <body>
    <img alt="door" src="../images/16-Image33-1.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
    <p>Look like the door has been locked</p>
    <p>A <b>shield symbol</b> is embedded on the door </p>
    <form action=unlock_door.php method="POST">
    <input type="text" col="100" name="door_flag" placeholder="Enter flag"/>
    <input type="submit" value="submit"/>
    </form>
    </body>
    </html>
    ---------------------------------------
Looks like there are some interesting things in the rooms. A quick glance shows a comment and a file to examine.
Starting with the barRoom. There is an input field which needs a lockpick flag. When entering the lockpick flag, I get another view.
A link to a note appears…..something I already knew from the curl output. The note has a string in it.
Look like a music note NV2XG2LDL5ZWQZLFOR5TGNRSMQ3TEZDFMFTDMNLGGVRGIYZWGNSGCZLDMU3GCMLGGY3TMZL5
Which looks like base32.
music_sheet{362d72deaf65f5bdc63daece6a1f676e}
Entering this flag into the input field leads me to /barRoomHidden.php
On this page is a link which gives another emblem/flag.
    gold_emblem{58a8c41a9d08b8a4e38d02a4d7ff4843}
    Look like you can put something on the emblem slot, refresh the previous page
But when entering this emblem into the input field I get another ‘nothing happens on the page’. When putting in the other emblem I get a string, which looks like a username: rebecca
With this new emblem I’m going back to the dining room and enter the gold emblem into the input field.
klfvg ks r wimgnd biz mpuiui ulg fiemok tqod. Xii jvmc tbkg ks tempgf tyi_hvgct_jljinf_kvc
Looks like a rotation cipher. But after some tries I figured out that it was a Vigenere cipher and the key was rebecca. The Vigenere cipher is a poly-alphabetic substitution system that uses a key and a double-entry table.
there is a shield key inside the dining room. The html page is called the_great_shield_key
shield_key{48a7a9227cd7eb89f0a062590798cbac}
On to the next room.
The dining room on the second floor has an interesting comment.
<!-- Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy -->
Which looks like another form of rotation cipher. When using ROT13 decipher I get the string in plain text.
You get the blue gem by pushing the status to the lower floor. The gem is on the diningRoom first floor. Visit sapphire.html
Visiting it gives another flag.
In the Tiger status room there is an input field which takes the previous flag.
    crest 1:
    S0pXRkVVS0pKQkxIVVdTWUpFM0VTUlk9
    Hint 1: Crest 1 has been encoded twice
    Hint 2: Crest 1 contanis 14 letters
    Note: You need to collect all 4 crests, combine and decode to reavel another path
    The combination should be crest 1 + crest 2 + crest 3 + crest 4. Also, the combination is a type of encoded base and you need to decode it
After some decoding base64, base32 and another round of base64 I get: FTP user:
Let’s hunt for the other missing crests.
The gallery holds a note with another crest.
    crest 2:
    GVFWK5KHK5WTGTCILE4DKY3DNN4GQQRTM5AVCTKE
    Hint 1: Crest 2 has been encoded twice
    Hint 2: Crest 2 contanis 18 letters
    Note: You need to collect all 4 crests, combine and decode to reavel another path
    The combination should be crest 1 + crest 2 + crest 3 + crest 4. Also, the combination is a type of encoded base and you need to decode it
The attic needs the shield key from before….
and contains a note with crest 4.
    crest 4:
    gSUERauVpvKzRpyPpuYz66JDmRTbJubaoArM6CAQsnVwte6zF9J4GGYyun3k5qM9ma4s
    Hint 1: Crest 2 has been encoded twice
    Hint 2: Crest 2 contanis 17 characters
    Note: You need to collect all 4 crests, combine and decode to reavel another path
    The combination should be crest 1 + crest 2 + crest 3 + crest 4. Also, the combination is a type of encoded base and you need to decode it
The armor room also needed the shield key.
And contains a note with crest number 3:
    crest 3:
    MDAxMTAxMTAgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAxMDAgMDExMDAxMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMTEgMDAxMDAwMDAgMDAxMTAxMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMDEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTEwMDA=
    Hint 1: Crest 3 has been encoded three times
    Hint 2: Crest 3 contanis 19 letters
    Note: You need to collect all 4 crests, combine and decode to reavel another path
    The combination should be crest 1 + crest 2 + crest 3 + crest 4. Also, the combination is a type of encoded base and you need to decode it
Time to combine my findings.
Crest 1: S0pXRkVVS0pKQkxIVVdTWUpFM0VTUlk9
After a round of base64 > base32 I get: RlRQIHVzZXI6IG
Crest 2: GVFWK5KHK5WTGTCILE4DKY3DNN4GQQRTM5AVCTKE
After a round of base32 > base 58 I get: h1bnRlciwgRlRQIHBh
Crest 3: MDAxMTAxMTAgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAxMDAgMDExMDAxMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMTEgMDAxMDAwMDAgMDAxMTAxMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMDEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTEwMDA
After a round of base64 > binary > hex I get: c3M6IHlvdV9jYW50X2h
Crest 4: gSUERauVpvKzRpyPpuYz66JDmRTbJubaoArM6CAQsnVwte6zF9J4GGYyun3k5qM9ma4s
After a round of base58 > hex I get: pZGVfZm9yZXZlcg==
That combined gets me this string: RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==
Which, base64 decoded, is the answer to the next phase:
FTP user: hunter, FTP pass: you_cant_hide_forever
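The crest chains above can be replayed in one script. This is an added example, not part of the original write-up: the crest values, layer order and hinted lengths are the ones quoted on this page, while the Bitcoin Base58 alphabet and the helper names (b58decode, peel, solve) are assumptions of the example.

```python
import base64
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # assumed: Bitcoin alphabet

def b58decode(text):
    """Base58 to bytes; raises ValueError on a character outside the alphabet."""
    num = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"not Base58: {ch!r}")
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

# Every layer maps text to text. The binary and hex layers ignore separators.
LAYERS = {
    "base64": lambda s: base64.b64decode(s, validate=True).decode("ascii"),
    "base32": lambda s: base64.b32decode(s).decode("ascii"),
    "base58": lambda s: b58decode(s).decode("ascii"),
    "binary": lambda s: "".join(chr(int(b, 2)) for b in re.findall(r"[01]{8}", s)),
    "hex": lambda s: bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", s)).decode("ascii"),
}

CREST3 = (
    "MDAxMTAxMTAgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTEgMDAxMDAwMDAg"
    "MDAxMTAxMDAgMDExMDAxMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMTAgMDAxMDAwMDAg"
    "MDAxMTAxMDAgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDAgMDAxMDAwMDAg"
    "MDAxMTAxMTAgMDExMDAwMTEgMDAxMDAwMDAgMDAxMTAxMTEgMDAxMTAxMTAgMDAxMDAwMDAg"
    "MDAxMTAxMTAgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTAgMDAxMDAwMDAg"
    "MDAxMTAwMTEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMDEgMDAxMDAwMDAg"
    "MDAxMTAxMDEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTEgMDAxMDAwMDAg"
    "MDAxMTAwMTEgMDAxMTAxMDEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMDAgMDAxMDAwMDAg"
    "MDAxMTAxMDEgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTAgMDAxMDAwMDAg"
    "MDAxMTAxMTAgMDAxMTEwMDA="
)

# (encoded value, layers in the order the write-up peels them, length from the hint)
CRESTS = [
    ("S0pXRkVVS0pKQkxIVVdTWUpFM0VTUlk9", ["base64", "base32"], 14),
    ("GVFWK5KHK5WTGTCILE4DKY3DNN4GQQRTM5AVCTKE", ["base32", "base58"], 18),
    (CREST3, ["base64", "binary", "hex"], 19),
    ("gSUERauVpvKzRpyPpuYz66JDmRTbJubaoArM6CAQsnVwte6zF9J4GGYyun3k5qM9ma4s",
     ["base58", "hex"], 17),
]

def peel(value, layers):
    """Apply the named decoding layers in order and return the final text."""
    for name in layers:
        value = LAYERS[name](value)
    return value

def solve(crests=CRESTS):
    """Decode every crest, check it against its hinted length, then join and decode."""
    parts = []
    for number, (value, layers, hinted_len) in enumerate(crests, 1):
        part = peel(value, layers)
        if len(part) != hinted_len:
            raise ValueError(f"crest {number}: {len(part)} chars, hint says {hinted_len}")
        parts.append(part)
    combined = "".join(parts)
    return parts, combined, base64.b64decode(combined, validate=True).decode("ascii")

if __name__ == "__main__":
    parts, combined, plaintext = solve()
    for number, part in enumerate(parts, 1):
        print(f"crest {number}: {part}")
    print(combined)
    print(plaintext)
```

The length check against each hint is what catches a layer peeled in the wrong order or with the wrong alphabet before the fragments are joined.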
The guard house
To move to the next phase I can access the FTP server with the found credentials.
    root@lab:~/THM/biohazard# ftp
    ftp> open biohazard
    Connected to biohazard.
    220 (vsFTPd 3.0.3)
    Name (biohazard:root): hunter
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>
In the FTP folder there are several files.
    -rw-r--r-- 1 0 0 7994 Sep 19 06:01 001-key.jpg
    -rw-r--r-- 1 0 0 2210 Sep 19 06:08 002-key.jpg
    -rw-r--r-- 1 0 0 2146 Sep 19 06:19 003-key.jpg
    -rw-r--r-- 1 0 0  121 Sep 19 05:54 helmet_key.txt.gpg
    -rw-r--r-- 1 0 0  170 Sep 20 04:29 important.txt
After downloading these files, I start with the text file.
    root@lab:~/THM/biohazard# cat important.txt
    Jill,
    I think the helmet key is inside the text file, but I have no clue on decrypting stuff. Also, I come across a /hidden_closet/ door but it was locked.
    From,
    Barry

    root@lab:~/THM/biohazard# file helmet_key.txt.gpg
    helmet_key.txt.gpg: GPG symmetrically encrypted data (AES256 cipher)
As the helmet key is encrypted I need to find the keys. So, the jpg files are up for inspection.
    root@lab:~/THM/biohazard/ftp# for i in $(ls | \grep jpg); do exiftool $i && echo -e '\n--------------------------------------\n'; done
    ExifTool Version Number : 11.65
    File Name : 001-key.jpg
    Directory : .
    File Size : 7.8 kB
    File Modification Date/Time : 2019:09:23 12:12:33+02:00
    File Access Date/Time : 2019:09:23 12:17:10+02:00
    File Inode Change Date/Time : 2019:09:23 12:19:28+02:00
    File Permissions : rw-r--r--
    File Type : JPEG
    File Type Extension : jpg
    MIME Type : image/jpeg
    JFIF Version : 1.01
    Resolution Unit : None
    X Resolution : 1
    Y Resolution : 1
    Image Width : 400
    Image Height : 320
    Encoding Process : Baseline DCT, Huffman coding
    Bits Per Sample : 8
    Color Components : 3
    Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
    Image Size : 400x320
    Megapixels : 0.128

    --------------------------------------

    ExifTool Version Number : 11.65
    File Name : 002-key.jpg
    Directory : .
    File Size : 2.2 kB
    File Modification Date/Time : 2019:09:23 12:12:43+02:00
    File Access Date/Time : 2019:09:23 12:17:16+02:00
    File Inode Change Date/Time : 2019:09:23 12:19:28+02:00
    File Permissions : rw-r--r--
    File Type : JPEG
    File Type Extension : jpg
    MIME Type : image/jpeg
    JFIF Version : 1.01
    Resolution Unit : None
    X Resolution : 1
    Y Resolution : 1
    Comment : 5fYmVfZGVzdHJveV9
    Image Width : 100
    Image Height : 80
    Encoding Process : Progressive DCT, Huffman coding
    Bits Per Sample : 8
    Color Components : 3
    Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
    Image Size : 100x80
    Megapixels : 0.008

    --------------------------------------

    ExifTool Version Number : 11.65
    File Name : 003-key.jpg
    Directory : .
    File Size : 2.1 kB
    File Modification Date/Time : 2019:09:23 12:12:50+02:00
    File Access Date/Time : 2019:09:23 12:17:21+02:00
    File Inode Change Date/Time : 2019:09:23 12:19:28+02:00
    File Permissions : rw-r--r--
    File Type : JPEG
    File Type Extension : jpg
    MIME Type : image/jpeg
    JFIF Version : 1.01
    Resolution Unit : None
    X Resolution : 1
    Y Resolution : 1
    Comment : Compressed by jpeg-recompress
    Image Width : 100
    Image Height : 80
    Encoding Process : Progressive DCT, Huffman coding
    Bits Per Sample : 8
    Color Components : 3
    Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
    Image Size : 100x80
    Megapixels : 0.008

    --------------------------------------
Looks like file 2 and 3 have a comment.
The first key picture had a hidden text file.
    root@lab:~/THM/biohazard/ftp# steghide extract -sf 001-key.jpg
    Enter passphrase:
    wrote extracted data to "key-001.txt".
    root@lab:~/THM/biohazard/ftp# cat key-001.txt
    cGxhbnQ0Ml9jYW
The second picture had a string in the EXIF data.
And the third picture had a zip file containing a text file.
    root@lab:~/THM/biohazard/ftp# binwalk -e 003-key.jpg

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             JPEG image data, JFIF standard 1.01
    1930          0x78A           Zip archive data, at least v2.0 to extract, uncompressed size: 14, name: key-003.txt
    2124          0x84C           End of Zip archive, footer length: 22

    root@lab:~/THM/biohazard/ftp# ls
    001-key.jpg 002-key.jpg 003-key.jpg _003-key.jpg.extracted helmet_key.txt.gpg important.txt key-001.txt
    root@lab:~/THM/biohazard/ftp# cat _003-key.jpg.extracted/
    78A.zip key-003.txt
    root@lab:~/THM/biohazard/ftp# cat _003-key.jpg.extracted/key-003.txt
    3aXRoX3Zqb2x0
After combining the 3 strings I got:
    root@lab:~/THM/biohazard/ftp# echo 'cGxhbnQ0Ml9jYW5fYmVfZGVzdHJveV93aXRoX3Zqb2x0' | base64 -d
    plant42_can_be_destroy_with_vjolt
And with this we can decrypt the GPG file.
    root@lab:~/THM/biohazard/ftp# gpg -d helmet_key.txt.gpg
    gpg: keybox '/root/.gnupg/pubring.kbx' created
    gpg: AES256 encrypted data
    gpg: encrypted with 1 passphrase
    helmet_key{458493193501d2b94bbab2e727f8db4b}
Time to revisit the mansion.
The mansion part deux
First room to visit is the study room.
There is a link to a tarball, which I download. The second stop is the hidden closet.
Here there are two links.
MO_disk.txt
wpbwbxr wpkzg pltwnhro, txrks_xfqsxrd_bvv_fy_rvmexa_ajk
Wolf_medal.txt
SSH password: T_virus_rules
The string I can’t decrypt for now, because I don’t have the key. So extracting the tarball is the next step.
    root@lab:~/THM/biohazard# tar -xzvf doom.tar.gz
    eagle_medal.txt
    root@lab:~/THM/biohazard# cat eagle_medal.txt
    SSH user: umbrella_guest
With this I can go to the next part.
Underground laboratory
    root@lab:~/THM/biohazard# ssh umbrella_guest@biohazard
    umbrella_guest@biohazard's password:
    Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

     * Documentation: https://help.ubuntu.com
     * Management: https://landscape.canonical.com
     * Support: https://ubuntu.com/advantage

     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
         https://ubuntu.com/livepatch

    320 packages can be updated.
    58 updates are security updates.

    Last login: Fri Sep 20 03:25:46 2019 from 127.0.0.1
    umbrella_guest@umbrella_corp:~$ id
    uid=1001(umbrella_guest) gid=1001(umbrella) groups=1001(umbrella)
When looking in my home folder I saw this file.
    umbrella_guest@umbrella_corp:~/.jailcell$ cat chris.txt
    Jill: Chris, is that you?
    Chris: Jill, you finally come. I was locked in the Jail cell for a while. It seem that weasker is behind all this.
    Jil, What? Weasker? He is the traitor?
    Chris: Yes, Jill. Unfortunately, he play us like a damn fiddle.
    Jill: Let's get out of here first, I have contact brad for helicopter support.
    Chris: Thanks Jill, here, take this MO Disk 2 with you. It look like the key to decipher something.
    Jill: Alright, I will deal with him later.
    Chris: see ya.

    MO disk 2: albert
My first hunch about that encrypted string was correct as this is the missing key.
weasker login password, stars_members_are_my_guinea_pig
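Both keyed puzzles in this write-up (the dining room note with key rebecca and the MO disk with key albert) use the same Vigenere variant, and the ROT13 comment is its one-letter-key special case. The following is an added example, not part of the original write-up; the function names and the small common-word list used to score rotations are assumptions of the example, and the ciphertexts are the ones quoted on this page.

```python
import re

# Assumed scoring vocabulary for the rotation test; any short English word list works.
COMMON = {"the", "is", "a", "to", "on", "by", "of", "and", "in", "key", "login"}

DINING_NOTE = ("klfvg ks r wimgnd biz mpuiui ulg fiemok tqod. "
               "Xii jvmc tbkg ks tempgf tyi_hvgct_jljinf_kvc")
MO_DISK = "wpbwbxr wpkzg pltwnhro, txrks_xfqsxrd_bvv_fy_rvmexa_ajk"
ROT_COMMENT = ("Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. "
               "Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy")

def vigenere_decrypt(ciphertext, key):
    """Subtract the repeating key from each letter, preserving case.

    The key position advances only on letters, so spaces, dots and
    underscores pass through and do not consume a key character.
    """
    if not (key.isascii() and key.isalpha()):
        raise ValueError("key must consist of ASCII letters")
    shifts = [ord(k) - ord("a") for k in key.lower()]
    out, used = [], 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shifts[used % len(shifts)]) % 26 + base))
            used += 1
        else:
            out.append(ch)
    return "".join(out)

def best_rotation(ciphertext):
    """Try all 26 single-letter keys; return (shift, score, plaintext) of the best.

    A real rotation cipher produces one shift with many common words. A Vigenere
    text with a longer key scores near zero for every shift, which is the signal
    to stop trying rotations and look for a key instead.
    """
    best = (0, -1, ciphertext)
    for shift in range(26):
        candidate = vigenere_decrypt(ciphertext, chr(ord("a") + shift))
        words = re.findall(r"[a-z]+", candidate.lower())
        score = sum(word in COMMON for word in words)
        if score > best[1]:
            best = (shift, score, candidate)
    return best

if __name__ == "__main__":
    shift, score, text = best_rotation(ROT_COMMENT)
    print(f"comment: rotation {shift}, {score} common words -> {text}")
    shift, score, text = best_rotation(DINING_NOTE)
    print(f"dining note: best rotation {shift} only scores {score}")
    print(vigenere_decrypt(DINING_NOTE, "rebecca"))
    print(vigenere_decrypt(MO_DISK, "albert"))
```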
The final part.
    umbrella_guest@umbrella_corp:~/.jailcell$ su weasker
    Password:
    weasker@umbrella_corp:/home/umbrella_guest/.jailcell$ cd
    weasker@umbrella_corp:~$ ls -lah
    total 80K
    drwxr-xr-x  9 weasker weasker 4.0K Sep 20 06:36 .
    drwxr-xr-x  5 root    root    4.0K Sep 20 03:24 ..
    -rw-------  1 weasker weasker   18 Sep 20 06:36 .bash_history
    -rw-r--r--  1 weasker weasker  220 Sep 18 23:40 .bash_logout
    -rw-r--r--  1 weasker weasker 3.7K Sep 18 23:40 .bashrc
    drwxrwxr-x 10 weasker weasker 4.0K Sep 20 06:35 .cache
    drwxr-xr-x 11 weasker weasker 4.0K Sep 20 03:01 .config
    drwxr-xr-x  2 weasker weasker 4.0K Sep 19 03:27 Desktop
    drwx------  3 weasker weasker 4.0K Sep 19 03:27 .gnupg
    -rw-------  1 weasker weasker  346 Sep 20 06:36 .ICEauthority
    drwxr-xr-x  3 weasker weasker 4.0K Sep 19 03:27 .local
    drwx------  5 weasker weasker 4.0K Sep 19 05:06 .mozilla
    -rw-r--r--  1 weasker weasker  807 Sep 18 23:40 .profile
    drwx------  2 weasker weasker 4.0K Sep 19 05:17 .ssh
    -rw-r--r--  1 weasker weasker    0 Sep 20 04:27 .sudo_as_admin_successful
    -rw-r--r--  1 root    root     534 Sep 20 06:31 weasker_note.txt
    -rw-------  1 weasker weasker  109 Sep 20 06:36 .Xauthority
    -rw-------  1 weasker weasker 5.5K Sep 20 06:36 .xsession-errors
    -rw-------  1 weasker weasker 6.6K Sep 20 06:33 .xsession-errors.old
    weasker@umbrella_corp:~$ id
    uid=1000(weasker) gid=1000(weasker) groups=1000(weasker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),126(sambashare)
    weasker@umbrella_corp:~$ sudo -l
    [sudo] password for weasker:
    Matching Defaults entries for weasker on umbrella_corp:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User weasker may run the following commands on umbrella_corp:
        (ALL : ALL) ALL
    weasker@umbrella_corp:~$ sudo su -
    root@umbrella_corp:~#
    root@umbrella_corp:~# cat /home/weasker/weasker_note.txt
    Weaker: Finally, you are here, Jill.
    Jill: Weasker! stop it, You are destroying the mankind.
    Weasker: Destroying the mankind? How about creating a 'new' mankind. A world, only the strong can survive.
    Jill: This is insane.
    Weasker: Let me show you the ultimate lifeform, the Tyrant.
    (Tyrant jump out and kill Weasker instantly)
    (Jill able to stun the tyrant will a few powerful magnum round)
    Alarm: Warning! warning! Self-detruct sequence has been activated. All personal, please evacuate immediately. (Repeat)
    Jill: Poor bastard
    root@umbrella_corp:~# cat root.txt
    In the state of emergency, Jill, Barry and Chris are reaching the helipad and awaiting for the helicopter support.
    Suddenly, the Tyrant jump out from nowhere. After a tough fight, brad, throw a rocket launcher on the helipad. Without thinking twice, Jill pick up the launcher and fire at the Tyrant.
    The Tyrant shredded into pieces and the Mansion was blowed. The survivor able to escape with the helicopter and prepare for their next fight.
    The End
    flag: 3c5794a00dc56c35f2bf096571edf3bf
Wow…..that was a long run with a lot of turns. A big round of applause for the creator DesKel as this was a lot of work setting up.