BioHazard-  TryHackMe (Medium Box)

Description BioHazard- TryHackMe

Cipher – Base – Stego – Root

This is a CTF Room Based on an old survival horror game, Resident Evil, Can you survive Until the end.

Created By: DesKel


This room focuses on cipher texts because we will encounter various encoded strings during the enumeration phase, and we must determine what type of encoded strings we are dealing with, such as the Caesar cipher, ROT13, and others. We’ll also go over some fundamental concepts like steganography, steganalysis and privilege escalations.



Steganography is a method of concealing secret data within a non-secret file or message in order to prevent detection; the secret data is then extracted at its destination. Steganography can be used in conjunction with encryption to further conceal or safeguard data.


Steganalysis is a method that seeks to counter steganography by identifying and extracting or deleting the secret information. By determining the existence of a secret message, we may be able to determine the techniques that were employed to conceal it. If we can find the tool, we might be able to utilize it to recover the original message.


Ciphertext is plaintext that has been encrypted using an encryption algorithm. Ciphertext cannot be read until it has been decrypted (converted to plaintext). The decryption cipher is a method of converting ciphertext back to plaintext. 

The Mansion BioHazard- TryHackMe

At first we will add the IP address to our host file i.e. biohazard.thm

Now, let us open the webpage and enumerate whether we can find something interesting or not.

Here, we will find an interesting link “mansion”, clicking this link will redirect to a new directory i.e. “”. After visiting the page we will not find anything interesting.

But if we check its source page i.e. view-source there is a message shown “It is in /diningRoom/”. So, we can guess that it is a new directory path.

Path Disclosure

Now, We will visit our newly found directory i.e. “” and we will find something interesting that says “There is an emblem flag on the wall; will you take it?”


And if we click on yes then it will redirect to a new webpage with a new directory path i.e. “emblem.php” where we will find our emblem flag.



Again, If we view the source page, we will find something more interesting i.e. base64 encoded data.


Decoding the data using the help of Cyberchef, {there are many other sites and tools such as hash analyzer, hash identifier and many more but i preferred this website as best}, we will find a new directory i.e. /teaRoom/

Base64 Decode

Visiting the new directory we will find a new link i.e. “Lockpick”.

If we click on that link we will be redirected to a new html page i.e. “master_of_unlock.html” where we will find our Lock Pick Flag.



Now, we again view the source page of the newly found directory i.e. /teaRoom/, there we will find another new directory path named /artRoom/. 


Visiting the webpage there is a message displayed saying “There is a Paper Stick on the wall, Investigate it?”.


And If we tap on Yes we will be redirected to new html page i.e. “MansionMap.html” which consists of the list of all the directories paths.

Now, visiting the new directory i.e. “/barRoom/, we found that there is an input parameter where it asks for a lockpick flag.


As we have already found the flag for lockpick and if we enter the flag, the page will be redirected to new directory named “/barRoom357162e3db904857963e6e0b64b96ba7/”

Visiting the Webpage, we found that there is an another input parameter that asks for a flag and we also find a note named “Moonlight Somata”, present with “READ” link, opening the link we will be redirected to the directory i.e. “/musicNote.html” where we will find encoded data.


With the help of cyberchef, we found out that the encoded data is base32 and decoding it will give our Music Sheet Flag.


Now, we have found the flag for music sheet, using the same flag in newly found directory i.e. “/barRoom357162e3db904857963e6e0b64b96ba7/” will be redirected to another new directory i.e. /barRoomHidden.php, where it displays the message saying “”There is a gold emblem embedded on the wall, will you take it?”

And Tapping on Yes we will be redirected to a new path i.e.”gold_emblem.php” where we found our gold emblem flag.



But If we notice where we found our flag, it says that “you can put something on the emblem slot, if we refresh the page” then if we go back and refresh the page, we notice that an input parameter appears where it asks for the flag. But we do not know what flag it is asking for and then i tried to enter the newly found flag i.e. gold_emblem flag but it says “Nothing Found”, but here is a trick if we enter the emblem flag that we first found in /diningRoom/, we will be redirected to new path named “emblem_slot.php” which displays a message i.e. “rebecca”. Something is fishy here, maybe this is a username for the machine. We will come back later here. Then again we come back to /dinnigRoom/ and enter the Gold Emblem Flag, we will be redirected to a new path displaying some cipher texts.



Vigenere Cipher, The original plaintext structure is somewhat hidden in the ciphertext by utilizing multiple alternative monoalphabetic substitution ciphers rather than just one; the code key determines which substitution is to be used for encrypting each plaintext character.

Trying out the key it gives us the plain text message displaying a new path i.e. “XXXX.html”. Visiting the new path will give us a Shield Key Flag.



Now, we go to a new directory i.e. /diningRoom2F/, we find nothing interesting there.


But visiting its source page we found some kind of cipher text, finding out the ciphertext is a kind of substitution cipher. Using the cyberchef and decoding with ROT13 gives us the plain text message which reflects another new directory named XXXX.html. And visiting the new directory will give us a Blue Gem Flag.



There are more directories remaining that we need to hunt, so let us move to a new directory i.e. /tigerStatusRoom/ which displays the input parameter asking to put a gem on a tiger’s eye. Then if we enter the Blue Gem Flag then it will redirect to a new path i.e. “gem.php” where we will find some interesting things containing some encoded data. We will come back later to this because to solve this scenario we need to first find out all the four crests.


Now moving to another directory named “/galleryRoom/” displays the message “Examine the note” with the link “EXAMINE” 


And clicking on the link will give us a Crest 2.


Now, We have only three directories left i.e. /studyRoom/, /armorRoom/ and /attic/, the last two directories ask for Shield Key Flag which will give us Crest 3 and Crest 4 data respectively. And the first path asks for the helmet key which we have not found till now. 


Now, that we have found all the four crests lets first go on our Crest 1:


Using the help of cyber chef the encoded data remains to be Base64 to Base32, decoding it will give the following Result:


Moving to Crest 2:


Using the help of cyber chef the encoded data remains to be Base32 to Base58, decoding it will give the following Result:



Moving to Crest 3:


Using the help of cyber chef the encoded data remains to be Base64 to Binary to Hex, decoding it will give the following Result:



Moving to Crest 4:


Using the help of cyber chef the encoded data remains to be Base58 to Hex, decoding it will give the following Result:



Combining all the Crest will give us this combination:


The data appears to be Base64 encoded text, decoding the text will give us FTP username and FTP password.


FTP Password: yXXXXXXXr


The Guard House

Moving to FTP login, we find out some interesting things: three images, one GPG file and one text file.


At first let us move on text file it says that there is helmet key inside the text file but it cannot find out how to decrypt it and it also display the new directory “/hidden_closet/”, visiting the path will ask the same thing i.e. Helmet Key.


Enumerating the Image file, At first lets us check whether there is any data embedded in the image file using the tool named “ExifTool” and “Binwalk”.

Exiftool is a useful tool for extracting metadata from files. It is utilized not only on photos, but also on other file formats such as PDF and mp4. It allows us to update and remove metadata from files, as well as provide a wealth of information about them.

Binwalk is a program that looks for embedded files and executable code in a binary image. It is intended specifically for recognizing files and code included within firmware images.

001-Key.jpg: It shows that there is some kind of data embedded in the image file. Now we use the “Steghide” command-line tool for extracting the data embedded on the image file where we find some encoded strings.

I.e. cGxhbnQ0Ml9jYW



Steghide is a steganography application that can hide information in a variety of image and audio formats.

002- Key.jpg: It does not show any kind of embedded data in the image file but the exiftool command shows that there is some comment in the image file which appears to be an encoded string.

I.e. 5fYmVfZGVzdHJveV9


003- Key.jpg: It shows that there is some kind of data embedded in the image file. Now we use the “Binwalk” command-line tool for extracting the data embedded on the image file where we find some encoded strings.

I.e. 3aXRoX3Zqb2x0


Now combining all these encoded strings will give us that the following cipher text is Base64 encoded data and with the help of cyberchef decoding it will give the key for the GPG file.



Now, Using the key we found a text file which reflects the flag for Helmet Key.



The Revisit

Moving Back to /studyRoom/, and using the helmet key flag will redirect to a new path which says that “Examine the Book” with a link “EXAMINE”.


If we click on that link it says to download the gunzip file named “doom.tar.gz”. Extracting the file we get a text file where we found SSH User Credentials.



Now last but not the least, moving to /hidden_closet/ directory it also asks for the helmet Key only. After entering the key, we will be redirected to new directory where we find out two text files i.e. “wolf_medal.txt” and “MO_DISK1.txt”. From the first text file we get SSH Password and the second text file consists of some cipher text which we will talk about later on.


Underground Laboratory

Now, we have ssh login credentials, logging to it:


Enumerating the home directory, we find hidden directory named “.jailcell. Moving to the directory we found out that there is a text file named “chris.txt”. Reading the text file we came to know that there is a message displaying “MO disk 2: albert”. It may be the key for the ciphertext which we have found earlier from the /hidden_closet/ directory.


Moving back to the text file, the encoded text is vigenere cipher and decoding it will give new user credentials.



Moving to a new user: i.e. Weasker

we will find another text file named weasker_note.txt but we find nothing interesting there.


Now, lets us try for privilege escalation at first we tried for sudo privileges and hence the output was surprising because the user was given all permissions i.e. (ALL : ALL) ALL {the user can any command as root}

So we can easily move to the root directory and read the root flag.



Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top
Scroll to Top