Biohazard

Room Link: https://tryhackme.com/room/biohazard

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

Loot

Flag                                           Found in   Used in
emblem{fec832623ea498e20bf4fe1821d58727}
lock_pick{037b35e2ff90916a9abf99129c8e1837}               /barRoom/
blue_jewel{e1d457e96cac640f863ec7bc475d48aa}

Rooms found

/diningRoom/
/teaRoom/
/artRoom/
/barRoom/
/diningRoom2F/
/tigerStatusRoom/
/galleryRoom/
/studyRoom/
/armorRoom/
/attic/

I used this script to loop through the rooms and quickly look for clues:

search.sh

#!/bin/bash

# List of rooms
rooms=(
  "/diningRoom/"
  "/teaRoom/"
  "/artRoom/"
  "/barRoom/"
  "/diningRoom2F/"
  "/tigerStatusRoom/"
  "/galleryRoom/"
  "/studyRoom/"
  "/armorRoom/"
  "/attic/"
)

# Base URL; VICTIM must be exported in the shell that runs this script
base_url="http://${VICTIM:?set VICTIM to the target IP}"

# Loop through each room and fetch the page
for room in "${rooms[@]}"; do
  url="$base_url$room"
  echo "Fetching: $url"
  curl -sS "$url"
  echo -e "\n----------------------------------------\n"
done

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Mansion Main

diningRoom

diningRoom2F

diningRoom

tigerStatusRoom

I put the blue gem flag in here

Crest 1 : S0pXRkVVS0pKQkxIVVdTWUpFM0VTUlk9

galleryRoom

Crest 2 : GVFWK5KHK5WTGTCILE4DKY3DNN4GQQRTM5AVCTKE

barRoom

Using the other emblem we get this

diningRoom

Used the gold emblem here

attic

Crest 4 : gSUERauVpvKzRpyPpuYz66JDmRTbJubaoArM6CAQsnVwte6zF9J4GGYyun3k5qM9ma4s

armorRoom

Crest 3: MDAxMTAxMTAgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAxMDAgMDExMDAxMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMTEgMDAxMDAwMDAgMDAxMTAxMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMDEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTEwMDA=

Crest

The crest part was not hard: I dumped them all into CyberChef, which decoded each one automatically, then put the pieces together to reveal the FTP account.
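The same peeling that CyberChef's Magic recipe does, as an added example that is not part of the original writeup: a small Python loop tries each encoding the crests use (binary, spaced hex, base32, base64, base58), keeps a decode only when the output is printable ASCII, and repeats until nothing applies; the four fragments are then joined and base64-decoded once more. The layer heuristics and the base58 decoder are written for this example (the Bitcoin base58 alphabet is assumed); the crest strings are the ones transcribed above.

```python
import base64
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # Bitcoin alphabet (assumed)

def b58decode(s):
    n = 0  # big-integer decode; each leading '1' stands for one zero byte
    for ch in s:
        n = n * 58 + B58.index(ch)
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# (name, full-match pattern, required length multiple, decoder). Strict alphabets
# come first so a base32 blob is never mistaken for base64 or base58.
LAYERS = [
    ("binary", r"[01]{8}( [01]{8})*", 1, lambda s: bytes(int(b, 2) for b in s.split())),
    ("hex", r"[0-9a-fA-F]{2}( [0-9a-fA-F]{2})*", 1, bytes.fromhex),
    ("base32", r"[A-Z2-7]+=*", 8, base64.b32decode),
    ("base64", r"[A-Za-z0-9+/]+={0,2}", 4, lambda s: base64.b64decode(s, validate=True)),
    ("base58", r"[1-9A-HJ-NP-Za-km-z]+", 1, b58decode),
]

def peel(s, max_depth=8):
    # Strip one layer at a time, CyberChef "Magic" style, accepting a decode only
    # if its output is printable ASCII. Returns (innermost text, layers removed).
    chain = []
    for _ in range(max_depth):
        for name, pattern, mult, decode in LAYERS:
            if len(s) % mult or not re.fullmatch(pattern, s):
                continue
            try:
                out = decode(s)
            except ValueError:  # bad padding etc.: this layer does not apply
                continue
            if out and all(0x20 <= c < 0x7F for c in out):
                s, chain = out.decode("ascii"), chain + [name]
                break
        else:
            break  # nothing matched: s is the innermost text
    return s, chain

CRESTS = [  # the four crests exactly as transcribed in the writeup above
    "S0pXRkVVS0pKQkxIVVdTWUpFM0VTUlk9",
    "GVFWK5KHK5WTGTCILE4DKY3DNN4GQQRTM5AVCTKE",
    "MDAxMTAxMTAgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTEgMDAxMDAwMDAgMDAxMTAxMDAgMDExMDAxMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDEg"
    "MDAxMDAwMDAgMDAxMTAxMDAgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMTEgMDAxMDAwMDAgMDAxMTAxMTEgMDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAxMDEg"
    "MDAxMTAxMTAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMTAgMDExMDAwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDEgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTAxMTEgMDAxMDAwMDAg"
    "MDAxMTAwMTEgMDAxMTAxMDEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMDAgMDAxMDAwMDAgMDAxMTAxMDEgMDAxMTEwMDAgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTAxMTAgMDAxMTEwMDA=",
    "gSUERauVpvKzRpyPpuYz66JDmRTbJubaoArM6CAQsnVwte6zF9J4GGYyun3k5qM9ma4s",
]

def decode_crests(crests=CRESTS):
    # Every crest peels down to a base64 fragment; joined in order they decode once more.
    return base64.b64decode("".join(peel(c)[0] for c in crests)).decode("ascii")
```

Running peel() on each crest also prints which layers were removed, which is the part CyberChef hides from you.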

TCP/21 - FTP

Kali

ftp $VICTIM
Username: hunter
Password: you_cant_hide_forever
mget *

Kali

steghide extract -sf 001-key.jpg
cat key-001.txt

Kali

exiftool 002-key.jpg

Kali

binwalk 003-key.jpg -e
cat _003-key.jpg.extracted/key-003.txt

Combining the three keys gets us this

Kali

gpg --output doc --decrypt helmet_key.txt.gpg
Password: plant42_can_be_destroy_with_vjolt
cat doc

hidden_closet

Used the Vigenère cipher again, except this time we didn't have the key, so I brute-forced it: it was albert.

studyRoom

Kali

tar xvf doom.tar.gz
cat eagle_medal.txt

TCP/22 - SSH

Kali

ssh umbrella_guest@$VICTIM
Password: T_virus_rules

Kali

ssh weasker@$VICTIM
Password: stars_members_are_my_guinea_pig

Victim

sudo -i
