Biohazard (CTF Challenge - THM)

Introduction
Welcome to Biohazard room, a puzzle-style CTF. Collecting the item, solving the puzzle and escaping the nightmare is your top priority. Can you survive until the end?
If you have any question, do not hesitate to DM me on the discord channel.
Answer the questions below
How many open ports?
nmap -p- -sV IP_Address
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
The next step is to continue the enumeration and recon process to understand the site better and find as much information as possible.
gobuster dir -u http://IP_Address -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
===============================================================
/.hta.php (Status: 403) [Size: 279]
/.hta.html (Status: 403) [Size: 279]
/.hta (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.hta.txt (Status: 403) [Size: 279]
/.htaccess.txt (Status: 403) [Size: 279]
/.htaccess.html (Status: 403) [Size: 279]
/.htaccess.php (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/.htpasswd.html (Status: 403) [Size: 279]
/.htpasswd.txt (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/attic (Status: 301) [Size: 316] [--> http://IP_Address/attic/]
/css (Status: 301) [Size: 314] [--> http://IP_Address/css/]
/images (Status: 301) [Size: 317] [--> http://IP_Address/images/]
/index.html (Status: 200) [Size: 692]
/index.html (Status: 200) [Size: 692]
/js (Status: 301) [Size: 313] [--> http://IP_Address/js/]
/server-status (Status: 403) [Size: 279]
Checking the discovered folders showed only file listings, so we stood a better chance examining the site itself by running curl against the specific URLs.
gobuster dir -u http://IP_Address/attic -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
===============================================================
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/.hta (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.hta.txt (Status: 403) [Size: 279]
/.hta.html (Status: 403) [Size: 279]
/.hta.php (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htaccess.txt (Status: 403) [Size: 279]
/.htaccess.html (Status: 403) [Size: 279]
/.htaccess.php (Status: 403) [Size: 279]
/.htpasswd.txt (Status: 403) [Size: 279]
/.htpasswd.html (Status: 403) [Size: 279]
/index.php (Status: 200) [Size: 592]
/index.php (Status: 200) [Size: 592]
What is the team name in operation
We now have the team name: STARS alpha team
curl http://IP_Address
<!doctype html>
<head>
<title>Beginning of the end</title>
<h1 align="center">The nightmare begin</h1>
</head>
<body>
<img alt="mansion_front" src="images/Mansion_front.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
<p>July 1998, Evening</p>
<p>The STARS alpha team, Chris, Jill, Barry, Weasker and Joseph is in the operation on searching the STARS bravo team in the nortwest of Racoon city.</p>
<p>Unfortunately, the team was attacked by a horde of infected zombie dog. Sadly, Joseph was eaten alive.</p>
<p>The team decided to run for the nearby <a href="/mansionmain"> mansion </a> and the nightmare begin..........</p>
</body>
</html>
The Mansion
Collect all necessary items and advanced to the next level. The format of the Item flag:
Item_name{32 character}
Some of the doors are locked. Use the item flag to unlock the door.
Tips: It is better to record down all the information inside a notepad
Answer the questions below
What is the emblem flag
Just from the above, we can see there's a path /mansionmain. Our next check: http://IP_Address/mansionmain/
curl http://IP_Address/mansionmain/
<!doctype html>
<head>
<title>Main hall</title>
<h1 align="center">Main hall</h1>
</head>
<body>
<img alt="mainhall" src="../images/Mainhall12.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
<p>The team reach the mansion safe and sound. However, it appear that Chris is missing</p>
<p>Jill try to open the door but stopped by Weasker</p>
<p>Suddenly, a gunshot can be heard in the nearby room. Weaker order Jill to make an investigate on the gunshot. Where is the room?</p>
<!-- It is in the /diningRoom/ -->
</body>
</html>
Next we have a new path, /diningRoom/: http://IP_Address/diningRoom
curl http://IP_Address/diningRoom/
<html>
<head>
<title>Dining room</title>
<h1 align="center">Dining room</h1>
</head>
<body>
<img alt="diningroom" src="../images/maxresdefault.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
<p>After reaching the room, Jill and Barry started their investigation</p>
<p>Blood stein can be found near the fireplace. Hope it is not belong to Chris.</p>
<p>After a short investigation with barry, Jill can't find any empty shell. Maybe another room?</p>
<!-- SG93IGFib3V0IHRoZSAvdGVhUm9vbS8= -->
</body>
<p><b>There is an emblem on the wall, will you take it? </b><a href="emblem.php">YES</a></p>
</html>
Clicking YES on the page gives us the emblem flag
Decoded the comment SG93IGFib3V0IHRoZSAvdGVhUm9vbS8= using base64decode.
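Both the main hall and the dining room leak the next path through an HTML comment, one in clear text and one base64-encoded. The check below is an added example, not part of the original writeup: it collects every comment in a page, decodes strict base64 where present, and lists the paths disclosed, which is the kind of review a site owner would run before publishing. The two page excerpts are constructed from the curl output above; the function and variable names are hypothetical.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed input: the comment-bearing parts of the two pages shown above.
MAIN_HALL = """<body>
<p>Where is the room?</p>
<!-- It is in the /diningRoom/ -->
</body>"""
DINING_ROOM = """<body>
<p>Maybe another room?</p>
<!-- SG93IGFib3V0IHRoZSAvdGVhUm9vbS8= -->
</body>"""

PATH_RE = re.compile(r"/[A-Za-z0-9_.-]+/")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def try_base64(text):
    """Return the decoded string if text is strict base64 of printable ASCII, else None."""
    if not B64_RE.match(text) or len(text) % 4:
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return decoded if decoded.isprintable() else None


def audit_comments(html):
    """List each comment with its decoded form (if any) and the paths it discloses."""
    collector = CommentCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for comment in collector.comments:
        decoded = try_base64(comment)
        text = decoded if decoded is not None else comment
        findings.append({
            "comment": comment,
            "decoded": decoded,
            "paths": PATH_RE.findall(text),
        })
    return findings


if __name__ == "__main__":
    for page in (MAIN_HALL, DINING_ROOM):
        for finding in audit_comments(page):
            print(finding)
```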
What is the lock pick flag
Next we navigate to /teaRoom/: http://IP_Address/teaRoom/
What is the music sheet flag
We find the flag, but are also introduced to a new path, /artRoom/: http://IP_Address/artRoom/
Next, clicking YES (http://IP_Address/artRoom/MansionMap.html) reveals a number of paths, some of which we haven't come across so far, but which will be handy in finding more flags and answering the next set of questions.
Look like a map
Location:
/diningRoom/
/teaRoom/
/artRoom/
/barRoom/
/diningRoom2F/
/tigerStatusRoom/
/galleryRoom/
/studyRoom/
/armorRoom/
/attic/
curl http://IP_Address/barRoom/
<html>
<head>
<title>Bar room entrance</title>
<h1 align="center">Bar room entrance</h1>
</head>
<body>
<img alt="door" src="../images/16-Image33-1.jpg" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
<p>Look like the door has been locked</p>
<p>It can be open by a <b>lockpick</b> </p>
<form action=unlock_door.php method="POST">
<input type="text" col="100" name="door_flag" placeholder="Enter flag"/>
<input type="submit" value="submit"/>
</form>
</body>
</html>
curl http://IP_Address/barRoom357162e3db904857963e6e0b64b96ba7/
<html>
<head>
<title>Bar room</title>
<h1 align="center">Bar room</h1>
</head>
<body>
<img alt="Bar room" src="../images/maxresdefault.jpg.1" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
<p>what a messy bar room</p>
<p>A piano can be found in the bar room</p>
<p><b>Play the piano?</b></p>
<form action="piano.php" method="POST">
<input type="text" col="100" name="piano" placeholder="Enter flag"/>
<input type="submit" value="submit"/>
</form>
<p><b>Also, you found a note that written as "moonlight somata", read it?</b> <a href="musicNote.html">READ</a></p>
</body>
</html>
http://IP_Address/barRoom357162e3db904857963e6e0b64b96ba7/
Look like a music note NV2XG2LDL5ZWQZLFOR5TGNRSMQ3TEZDFMFTDMNLGGVRGIYZWGNSGCZLDMU3GCMLGGY3TMZL5
What is the gold emblem flag
curl http://IP_Address/barRoom357162e3db904857963e6e0b64b96ba7/barRoomHidden.php
<html>
<head>
<title>Secret bar room</title>
<h1 align="center">Secret bar room</h1>
</head>
<body>
<img alt="gold emblem" src="../images/gee.png" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
There is an emblem slot on the wall, put the emblem? <form action="emblem_slot.php" method="POST">
<input type="text" name="emblem_slot" col="100" placeholder="Input flag"><br>
<input type="submit" value="submit">
</form>
</body>
</html>
What is the blue gem flag
You get the blue gem by pushing the status to the lower floor. The gem is on the diningRoom first floor. Visit sapphire.html
Next, navigate to sapphire.html under the same path to find the blue jewel flag.
The guard house
After gaining access to the FTP server, you need to solve another puzzle.
Answer the questions below
Where is the hidden directory mentioned by Barry
ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 1002 1002 4096 Sep 20 2019 .
drwxrwxrwx 2 1002 1002 4096 Sep 20 2019 ..
-rw-r--r-- 1 0 0 7994 Sep 19 2019 001-key.jpg
-rw-r--r-- 1 0 0 2210 Sep 19 2019 002-key.jpg
-rw-r--r-- 1 0 0 2146 Sep 19 2019 003-key.jpg
-rw-r--r-- 1 0 0 121 Sep 19 2019 helmet_key.txt.gpg
-rw-r--r-- 1 0 0 170 Sep 20 2019 important.txt
226 Directory send OK.
ftp> get 001-key.jpg
local: 001-key.jpg remote: 001-key.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for 001-key.jpg (7994 bytes).
226 Transfer complete.
7994 bytes received in 0.00 secs (19.6486 MB/s)
ftp> 002-key.jpg
?Invalid command
ftp> get 002-key.jpg
local: 002-key.jpg remote: 002-key.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for 002-key.jpg (2210 bytes).
226 Transfer complete.
2210 bytes received in 0.00 secs (4.2925 MB/s)
ftp> get 003-key.jpg
local: 003-key.jpg remote: 003-key.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for 003-key.jpg (2146 bytes).
226 Transfer complete.
2146 bytes received in 0.00 secs (3.6743 MB/s)
ftp> get helmet_key.txt.gpg
local: helmet_key.txt.gpg remote: helmet_key.txt.gpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for helmet_key.txt.gpg (121 bytes).
226 Transfer complete.
121 bytes received in 0.00 secs (237.7547 kB/s)
ftp> get important.txt
local: important.txt remote: important.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for important.txt (170 bytes).
226 Transfer complete.
170 bytes received in 0.00 secs (436.8832 kB/s)
ftp> exit
- We have the hidden directory
cat important.txt
Jill,
I think the helmet key is inside the text file, but I have no clue on decrypting stuff. Also, I come across a /hidden_closet/ door but it was locked.
From,
Barry
Password for the encrypted file
strings 001-key.jpg
root@ip-10-128-117-253:~# strings 002-key.jpg
JFIF
5fYmVfZGVzdHJveV9
strings 003-key.jpg
JFIF
Compressed by jpeg-recompress
key-003.txtUT
key-003.txtUT
unzip 003-key.jpg
Archive: 003-key.jpg
warning [003-key.jpg]: 1930 extra bytes at beginning or within zipfile
(attempting to process anyway)
inflating: key-003.txt
ls
001-key.jpg burp.json Downloads Instructions Postman snap
002-key.jpg CTFBuilder helmet_key.txt.gpg key-003.txt Rooms thinclient_drives
003-key.jpg Desktop important.txt Pictures Scripts Tools
cat key-003.txt
3aXRoX3Zqb2x0
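003-key.jpg opens as an image and also unpacks as a ZIP, because ZIP readers locate the archive from the end of the file and tolerate leading bytes. The following added example, not part of the original writeup, shows how to flag such a file and report how many bytes precede the archive, which is the figure unzip prints in its "extra bytes at beginning" warning. The sample is constructed in memory with a stand-in JPEG header and the fragment shown above, and the function names are hypothetical.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8"  # start-of-image marker
JPEG_EOI = b"\xff\xd9"  # end-of-image marker
MAX_MEMBER_SIZE = 1 << 20  # do not read members larger than 1 MiB


def build_sample():
    """Constructed sample: a minimal JPEG-like byte string with a ZIP appended."""
    fake_jpeg = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + JPEG_EOI
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("key-003.txt", "3aXRoX3Zqb2x0\n")
    return fake_jpeg + archive.getvalue(), len(fake_jpeg)


def inspect_polyglot(data):
    """Report whether data starts like a JPEG and also parses as a ZIP archive."""
    report = {
        "is_jpeg": data.startswith(JPEG_SOI),
        "has_zip": False,
        "zip_offset": None,   # bytes that precede the first ZIP entry
        "members": {},        # filename -> content for small members
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    with zf:
        infos = zf.infolist()
        report["has_zip"] = True
        if infos:
            # zipfile shifts each header_offset by the number of prepended
            # bytes, so the smallest offset is where the archive really starts.
            report["zip_offset"] = min(i.header_offset for i in infos)
        for info in infos:
            if info.file_size <= MAX_MEMBER_SIZE:
                report["members"][info.filename] = zf.read(info)
    return report


if __name__ == "__main__":
    sample, jpeg_len = build_sample()
    print(inspect_polyglot(sample))
```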
steghide extract -sf 001-key.jpg -p ""
wrote extracted data to "key-001.txt".
steghide extract -sf 001-key.jpg -p "jill"
steghide: could not extract any data with that passphrase!
steghide extract -sf 001-key.jpg -p "barry"
steghide: could not extract any data with that passphrase!
steghide extract -sf 001-key.jpg -p "chris"
steghide: could not extract any data with that passphrase!
steghide extract -sf 001-key.jpg -p "umbrella"
steghide: could not extract any data with that passphrase!
steghide extract -sf 002-key.jpg -p ""
steghide: could not extract any data with that passphrase!
steghide extract -sf 002-key.jpg -p "jill"
steghide: could not extract any data with that passphrase!
ls
001-key.jpg burp.json Downloads Instructions Pictures Scripts Tools
002-key.jpg CTFBuilder helmet_key.txt.gpg key-001.txt Postman snap
003-key.jpg Desktop important.txt key-003.txt Rooms thinclient_drives
cat key-001.txt
cGxhbnQ0Ml9jYW
Combining the three fragments in order gives a base64 string that decodes to the password for the encrypted file:
001: cGxhbnQ0Ml9jYW
002: 5fYmVfZGVzdHJveV9
003: 3aXRoX3Zqb2x0
cGxhbnQ0Ml9jYW5fYmVfZGVzdHJveV93aXRoX3Zqb2x0: plant42_can_be_destroy_with_vjolt
What is the helmet key flag
- Try opening the helmet_key.txt.gpg file; a password will be required, which is plant42_can_be_destroy_with_vjolt. This will give us a text file that has the helmet key flag.
cat helmet_key.txt
helmet_key{458493193501d2b94bbab2e727f8db4b}
The Revisit
Done with the puzzle? There are places you have explored before but yet to access.
Answer the questions below
What is the SSH login username
Navigating to /studyRoom requires the helmet_key{458493193501d2b94bbab2e727f8db4b} flag, and we're redirected to the next page, http://IP_Address/studyRoom28341c5e98c93b89258a6389fd608a3c/, where we end up having the doom.tar.gz file downloaded. doom.tar.gz has a text file that has the SSH login username.
tar -xzvf doom.tar.gz
eagle_medal.txt
root@ip-IP_Address:~# cat eagle_medal.txt
SSH user: umbrella_guest
What is the SSH login password
- Following the "Examine the wolf medal?" link within the http://IP_Address/hiddenCloset8997e740cb7f5cece994381b9477ec38/ page shows us the SSH login password
SSH password: T_virus_rules
Who the STARS bravo team leader
- The team leader's name is here:
curl http://IP_Address/hiddenCloset8997e740cb7f5cece994381b9477ec38/
<html>
<head>
<title>Closet room</title>
<h1 align="center">Closet room</h1>
</head>
<body>
<img alt="closet_room" src="../images/maxresdefault.jpg.5" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
<p>The closet room lead to an underground cave</p>
<p>In the cave, Jill met injured Enrico, the leader of the STARS Bravo team. He mentioned there is a traitor among the STARTS Alpha team.</p>
<p>When he was about to tell the traitor name, suddenly, a gun shot can be heard and Enrico was shot dead.</p>
<p>Jill somehow cannot figure out who did that. Also, Jill found a MO disk 1 and a wolf Medal</p>
<p><b>Read the MO disk 1?</b> <a href="MO_DISK1.txt">READ</a></p>
<p><b>Examine the wolf medal?</b> <a href="wolf_medal.txt">EXAMINE</a></p>
</body>
</html>
Underground laboratory
Time for the final showdown. Can you escape the nightmare?
Answer the questions below
Where you found Chris
- Since we have the SSH user and password, we can now access it and find the name, and also escalate privileges to find the root flag.
ssh umbrella_guest@IP_Address
umbrella_guest@umbrella_corp:~$ ls -la
total 64
drwxr-xr-x 8 umbrella_guest umbrella 4096 Sep 20 2019 .
drwxr-xr-x 5 root root 4096 Sep 20 2019 ..
-rw-r--r-- 1 umbrella_guest umbrella 220 Sep 19 2019 .bash_logout
-rw-r--r-- 1 umbrella_guest umbrella 3771 Sep 19 2019 .bashrc
drwxrwxr-x 6 umbrella_guest umbrella 4096 Sep 20 2019 .cache
drwxr-xr-x 11 umbrella_guest umbrella 4096 Sep 19 2019 .config
-rw-r--r-- 1 umbrella_guest umbrella 26 Sep 19 2019 .dmrc
drwx------ 3 umbrella_guest umbrella 4096 Sep 19 2019 .gnupg
-rw------- 1 umbrella_guest umbrella 346 Sep 19 2019 .ICEauthority
drwxr-xr-x 2 umbrella_guest umbrella 4096 Sep 20 2019 .jailcell
drwxr-xr-x 3 umbrella_guest umbrella 4096 Sep 19 2019 .local
-rw-r--r-- 1 umbrella_guest umbrella 807 Sep 19 2019 .profile
drwx------ 2 umbrella_guest umbrella 4096 Sep 20 2019 .ssh
-rw------- 1 umbrella_guest umbrella 109 Sep 19 2019 .Xauthority
-rw------- 1 umbrella_guest umbrella 7546 Sep 19 2019 .xsession-errors
umbrella_guest@umbrella_corp:~$ pwd
/home/umbrella_guest
umbrella_guest@umbrella_corp:~$ ls -la .jailcell/
total 12
drwxr-xr-x 2 umbrella_guest umbrella 4096 Sep 20 2019 .
drwxr-xr-x 8 umbrella_guest umbrella 4096 Sep 20 2019 ..
-rw-r--r-- 1 umbrella_guest umbrella 501 Sep 20 2019 chris.txt
umbrella_guest@umbrella_corp:~$ cat .jailcell/*
Jill: Chris, is that you?
Chris: Jill, you finally come. I was locked in the Jail cell for a while. It seem that weasker is behind all this.
Jil, What? Weasker? He is the traitor?
Chris: Yes, Jill. Unfortunately, he play us like a damn fiddle.
Jill: Let's get out of here first, I have contact brad for helicopter support.
Chris: Thanks Jill, here, take this MO Disk 2 with you. It look like the key to decipher something.
Jill: Alright, I will deal with him later.
Chris: see ya.
MO disk 2: albert
Who is the traitor weasker
This will be found alongside the next password
The login password for the traitor
- Navigating to the path we found, /hidden_closet/, you'll be required to enter the helmet flag helmet_key{458493193501d2b94bbab2e727f8db4b}. This will navigate you to the page below.
curl http://IP_Address/hiddenCloset8997e740cb7f5cece994381b9477ec38/
<html>
<head>
<title>Closet room</title>
<h1 align="center">Closet room</h1>
</head>
<body>
<img alt="closet_room" src="../images/maxresdefault.jpg.5" style="display: block;margin-left: auto;margin-right: auto; width: 50%;"/>
<p>The closet room lead to an underground cave</p>
<p>In the cave, Jill met injured Enrico, the leader of the STARS Bravo team. He mentioned there is a traitor among the STARTS Alpha team.</p>
<p>When he was about to tell the traitor name, suddenly, a gun shot can be heard and Enrico was shot dead.</p>
<p>Jill somehow cannot figure out who did that. Also, Jill found a MO disk 1 and a wolf Medal</p>
<p><b>Read the MO disk 1?</b> <a href="MO_DISK1.txt">READ</a></p>
<p><b>Examine the wolf medal?</b> <a href="wolf_medal.txt">EXAMINE</a></p>
</body>
</html>
Clicking the first option, "Read the MO disk 1?", gives us this phrase, which decodes to the password we're looking for:
wpbwbxr wpkzg pltwnhro, txrks_xfqsxrd_bvv_fy_rvmexa_ajk: weasker login password, stars_members_are_my_guinea_pig
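The decoding step, as an added example that is not part of the original writeup. It assumes the MO disk 1 text is a Vigenere cipher keyed with the MO disk 2 value "albert" found in chris.txt; the page does not name the cipher, but this reproduces the plaintext given above. The function names are hypothetical.

```python
import string

# Ciphertext and key exactly as they appear in the writeup.
MO_DISK1 = "wpbwbxr wpkzg pltwnhro, txrks_xfqsxrd_bvv_fy_rvmexa_ajk"
MO_DISK2 = "albert"


def _shift_text(text, key, sign):
    """Apply a Vigenere shift; the key advances only on ASCII letters."""
    if not key or not (key.isascii() and key.isalpha()):
        raise ValueError("key must be a non-empty string of ASCII letters")
    shifts = [string.ascii_lowercase.index(k) for k in key.lower()]
    out = []
    used = 0  # number of letters processed so far
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = sign * shifts[used % len(shifts)]
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            used += 1
        else:
            # spaces, commas and underscores pass through unchanged
            out.append(ch)
    return "".join(out)


def vigenere_decrypt(ciphertext, key):
    """Subtract the key letters from the ciphertext letters."""
    return _shift_text(ciphertext, key, -1)


def vigenere_encrypt(plaintext, key):
    """Add the key letters to the plaintext letters."""
    return _shift_text(plaintext, key, 1)


if __name__ == "__main__":
    print(vigenere_decrypt(MO_DISK1, MO_DISK2))
```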
The name of the ultimate form
- Checking the home folder, we find a weasker folder that has a weasker_note.txt file that has the Tyrant
pwd
/home/umbrella_guest
umbrella_guest@umbrella_corp:~$ cd ../
umbrella_guest@umbrella_corp:/home$ ls -la
total 20
drwxr-xr-x 5 root root 4096 Sep 20 2019 .
drwxr-xr-x 24 root root 4096 Sep 18 2019 ..
drwxr-xr-x 4 hunter hunter 4096 Sep 19 2019 hunter
drwxr-xr-x 8 umbrella_guest umbrella 4096 Sep 20 2019 umbrella_guest
drwxr-xr-x 9 weasker weasker 4096 Sep 20 2019 weasker
umbrella_guest@umbrella_corp:/home$ cd weasker
umbrella_guest@umbrella_corp:/home/weasker$ ls -la
total 80
drwxr-xr-x 9 weasker weasker 4096 Sep 20 2019 .
drwxr-xr-x 5 root root 4096 Sep 20 2019 ..
-rw------- 1 weasker weasker 18 Sep 20 2019 .bash_history
-rw-r--r-- 1 weasker weasker 220 Sep 18 2019 .bash_logout
-rw-r--r-- 1 weasker weasker 3771 Sep 18 2019 .bashrc
drwxrwxr-x 10 weasker weasker 4096 Sep 20 2019 .cache
drwxr-xr-x 11 weasker weasker 4096 Sep 20 2019 .config
drwxr-xr-x 2 weasker weasker 4096 Sep 19 2019 Desktop
drwx------ 3 weasker weasker 4096 Sep 19 2019 .gnupg
-rw------- 1 weasker weasker 346 Sep 20 2019 .ICEauthority
drwxr-xr-x 3 weasker weasker 4096 Sep 19 2019 .local
drwx------ 5 weasker weasker 4096 Sep 19 2019 .mozilla
-rw-r--r-- 1 weasker weasker 807 Sep 18 2019 .profile
drwx------ 2 weasker weasker 4096 Sep 19 2019 .ssh
-rw-r--r-- 1 weasker weasker 0 Sep 20 2019 .sudo_as_admin_successful
-rw-r--r-- 1 root root 534 Sep 20 2019 weasker_note.txt
-rw------- 1 weasker weasker 109 Sep 20 2019 .Xauthority
-rw------- 1 weasker weasker 5548 Sep 20 2019 .xsession-errors
-rw------- 1 weasker weasker 6749 Sep 20 2019 .xsession-errors.old
umbrella_guest@umbrella_corp:/home/weasker$ cat weasker_note.txt
Weaker: Finally, you are here, Jill.
Jill: Weasker! stop it, You are destroying the mankind.
Weasker: Destroying the mankind? How about creating a 'new' mankind. A world, only the strong can survive.
Jill: This is insane.
Weasker: Let me show you the ultimate lifeform, the Tyrant.
(Tyrant jump out and kill Weasker instantly)
(Jill able to stun the tyrant will a few powerful magnum round)
Alarm: Warning! warning! Self-detruct sequence has been activated. All personal, please evacuate immediately. (Repeat)
Jill: Poor bastard
The root flag
ssh weasker@IP_Address
sudo -l
[sudo] password for weasker:
Matching Defaults entries for weasker on umbrella_corp:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User weasker may run the following commands on umbrella_corp:
(ALL : ALL) ALL
weasker@umbrella_corp:~$ sudo su
root@umbrella_corp:/home/weasker# ls -la
total 80
drwxr-xr-x 9 weasker weasker 4096 Sep 20 2019 .
drwxr-xr-x 5 root root 4096 Sep 20 2019 ..
-rw------- 1 weasker weasker 18 Sep 20 2019 .bash_history
-rw-r--r-- 1 weasker weasker 220 Sep 18 2019 .bash_logout
-rw-r--r-- 1 weasker weasker 3771 Sep 18 2019 .bashrc
drwxrwxr-x 10 weasker weasker 4096 Mar 28 08:21 .cache
drwxr-xr-x 11 weasker weasker 4096 Sep 20 2019 .config
drwxr-xr-x 2 weasker weasker 4096 Sep 19 2019 Desktop
drwx------ 3 weasker weasker 4096 Sep 19 2019 .gnupg
-rw------- 1 weasker weasker 346 Sep 20 2019 .ICEauthority
drwxr-xr-x 3 weasker weasker 4096 Sep 19 2019 .local
drwx------ 5 weasker weasker 4096 Sep 19 2019 .mozilla
-rw-r--r-- 1 weasker weasker 807 Sep 18 2019 .profile
drwx------ 2 weasker weasker 4096 Sep 19 2019 .ssh
-rw-r--r-- 1 weasker weasker 0 Sep 20 2019 .sudo_as_admin_successful
-rw-r--r-- 1 root root 534 Sep 20 2019 weasker_note.txt
-rw------- 1 weasker weasker 109 Sep 20 2019 .Xauthority
-rw------- 1 weasker weasker 5548 Sep 20 2019 .xsession-errors
-rw------- 1 weasker weasker 6749 Sep 20 2019 .xsession-errors.old
root@umbrella_corp:/home/weasker# pwd
/home/weasker
root@umbrella_corp:/home/weasker# find / -type f -name root.txt 2>/dev/null
/root/root.txt
root@umbrella_corp:/home/weasker# cat /root/root.txt
In the state of emergency, Jill, Barry and Chris are reaching the helipad and awaiting for the helicopter support.
Suddenly, the Tyrant jump out from nowhere. After a tough fight, brad, throw a rocket launcher on the helipad. Without thinking twice, Jill pick up the launcher and fire at the Tyrant.
The Tyrant shredded into pieces and the Mansion was blowed. The survivor able to escape with the helicopter and prepare for their next fight.
The End
flag: 3c5794a00dc56c35f2bf096571edf3bf



