🕵️ I’m Adwaith, an aspiring offensive security enthusiast, back to continue my walkthrough of the Biohazard CTF on TryHackMe.
As the mansion’s shadows faded behind me, I stepped into the guard house, an area that promised new challenges at every turn. Locked doors, hidden corners, and mysterious passages awaited, each requiring careful exploration and sharp instincts. With my first set of clues in hand, the nightmare was far from over, and every step forward could reveal traps, puzzles, or unexpected twists.
Are you ready to step into the guard house?
Task 3. The guard house
3.1. Where is the hidden directory mentioned by Barry
Before we move on to the next question, let’s recap where we left off in Part 1:
We need to unlock the door to /studyRoom/ using the helmet flag!
[ Study room entrance ]
We got the FTP login by decrypting the four crests.
Now, back to our question: let’s log in to the FTP server with the credentials we obtained earlier and see what’s inside.
After logging into the FTP server and listing the directory, you can see several files. My attention was drawn to one called helmet_key, which is exactly what we’re looking for to unlock the Study Room entrance.
/studyRoom/ ----> input helemt flag!
But it’s not just the helmet_key: there are other files too, .jpg images and a .txt. To make sure we don’t miss anything, let’s download all of them to our system.
To download a single file, you can use this command:
get <file_name>
In our case we need several files at once, so we use this command instead:
mget *
So, we have successfully downloaded the files:
Now, let’s take a look at them on our system:
When I tried to cat the helmet_key, it showed binary content. That’s because the file is encrypted: its name ends in .gpg, added after the .txt extension.
Now, let’s take a closer look at what this file (or rather this binary blob) actually is:
When we check the file type, it shows that it’s a GPG symmetrically encrypted file, mentioning a cipher called AES-256. So, the helmet_key was actually encrypted using the AES-256 cipher.
What is AES? Is it like a Vigenère cipher? Nope!
AES (Advanced Encryption Standard) is a modern encryption method used to protect digital data. It’s a symmetric cipher, which means the same key is used for both encryption and decryption. AES works by dividing information into 128-bit blocks and scrambling them using complex mathematical operations. Depending on the key length (128, 192, or 256 bits), this process repeats through multiple rounds. This makes the output look completely random and unreadable without the key. Because it’s fast and secure, AES is widely used in Wi-Fi, banking, VPNs, and file encryption.
Now, you might be wondering how to open the helmet_key file, where do we input the key? This is where .gpg comes into play.
After some research, I found out that GPG (GNU Privacy Guard) is an open-source encryption tool. It can encrypt a file with a public key or, as in our case, symmetrically with a passphrase; you can learn more about it online.
Decrypting a .gpg file is as simple as typing gpg followed by the file name. But when you try that on this file, you’ll see a prompt asking for a passphrase.
I first tried leaving the passphrase field blank, thinking maybe the file didn’t have one, but that didn’t work.
There’s another way we’ve used before (you can check my previous post, “Basic Pentesting”). I thought, why not try cracking the passphrase with John the Ripper? It might work, or it might just be luck, but let’s give it a shot.
The first step is to convert the .gpg file into hashes using this command:
gpg2john helmet_key.txt.gpg > gpg.hash
The file was successfully converted into a hash:
Now, let’s brute-force the hash with John the Ripper to obtain the key using this command:
john --wordlist=/usr/share/wordlists/rockyou.txt gpg.hash
Brute-forcing has started:
I waited for a long time but didn’t get the key.
Since we haven’t explored the other files yet, we’ll come back to this later.
There’s another text file called important.txt. Let’s inspect it:
The note mentions that the helmet key is there, but gives no clue about how to decrypt it. However, Barry does mention a path: /hidden_closet/.
Let’s visit that location and see what key we need to unlock the door:
[ Closet room entrance ]
Looks like this door also needs the helmet key.
Our to-do list now looks like this:
/studyRoom/ ----> input helemt flag!
/hidden_closet/ ----> input helemt flag!
So I realized that to access these paths, we definitely need to crack the passphrase or key for the helmet flag!
3.2. Password for the encrypted file
So, here we are: we need to decrypt the helmet key, but we haven’t finished exploring the other files yet. Don’t worry about the gpg.hash we created earlier for cracking the helmet key; just forget about it for now.
There are three .jpg images. Let’s take a look and see if they contain any hints.
I opened all three images, but there was nothing inside. However, do you notice a pattern? I’ll show you.
We’ve done something similar before when finding the FTP username and password. What actually happened there? We collected four crests, decoded each one, combined them into one string, and decoded that string again to get the result.
I think something similar is happening here, but this time with image files. Let’s inspect them. I’ll first determine the file type, just like we did before with the .gpg extension.
command:
file <input-file>
example:
file 001-key.jpg
001-key.jpg:
001-key.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 400x320, components 3
This one’s just a regular image. Let’s check the next one.
002-key.jpg:
002-key.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "5fYmVfZGVzdHJveV9", progressive, precision 8, 100x80, components 3
But here we found something interesting: a string hidden in the comment of 002-key.jpg. It looks like it could be Base64 encoded.
comment: "5fYmVfZGVzdHJveV9",
I put this string into CyberChef, and after inspecting its properties, it turned out to be Base85 encoded.
Maybe it’s related to the key. Let’s note it down and move on to the next .jpg file.
003-key.jpg:
003-key.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "Compressed by jpeg-recompress", progressive, precision 8, 100x80, components 3
This time the comment isn’t an encoded string. It shows:
comment: "Compressed by jpeg-recompress",
This isn’t just an ordinary image; there’s something hidden behind it, possibly compressed within the file. What if we try to decompress it like a zip file?
command:
unzip 003-key.jpg
out:
Inside, we found a file named key-003.txt. Let’s inspect it.
001-key -> ?
002-key -> 5fYmVfZGVzdHJveV9
003-key -> 3aXRoX3Zqb2x0
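Here is what the file comment check and the unzip trick are actually reacting to, as an added example (my own code, not from the original post or the challenge): a small parser that walks the JPEG marker segments to pull out COM comments, then checks whether anything has been glued on after the End-Of-Image marker, which is where a ZIP like the one in 003-key.jpg lives. The sample image is constructed inside the block and only imitates the layout of the CTF files.

```python
import io
import zipfile

# Markers that carry no length field: SOI, EOI, TEM and RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def parse_jpeg(data):
    """Return (comments, trailer): every COM segment payload found before SOS,
    and whatever bytes follow the End-Of-Image marker (normally nothing)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    comments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte, the marker continues
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # counts itself
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:  # COM segment, what `file` reports as "comment"
            comments.append(payload.decode("latin-1"))
        pos += 2 + length
        if marker == 0xDA:  # SOS: entropy-coded scan data starts here
            break
    # In scan data a 0xFF byte is always stuffed as FF 00 or is an RSTn marker,
    # so the first FF D9 after SOS is the real EOI.
    while pos + 1 < len(data):
        if data[pos] == 0xFF and data[pos + 1] == 0xD9:
            return comments, data[pos + 2:]
        pos += 1
    return comments, b""


def extract_appended_zip(data):
    """Files hidden in a ZIP glued on after EOI (what unzip 003-key.jpg pulled out)."""
    _, trailer = parse_jpeg(data)
    if not trailer.startswith(b"PK\x03\x04"):
        return {}
    with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def build_sample_jpeg(comment, zip_member=None):
    """Constructed stand-in for the CTF images (not the real files): a JPEG
    skeleton with one COM segment and, optionally, a ZIP appended after EOI."""
    def seg(marker, payload):
        return b"\xff" + marker + (len(payload) + 2).to_bytes(2, "big") + payload
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = b"\x12\x34\xff\x00\x56"  # fake scan data containing one stuffed FF
    data = (b"\xff\xd8" + seg(b"\xe0", app0) + seg(b"\xfe", comment)
            + seg(b"\xda", b"\x01\x01\x00\x00\x3f\x00") + scan + b"\xff\xd9")
    if zip_member:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(*zip_member)
        data += buf.getvalue()
    return data
```

Run parse_jpeg on the bytes of 002-key.jpg to get its comment, and extract_appended_zip on 003-key.jpg to pull out key-003.txt without unzip; a real image with no trailer returns an empty dict.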
By the way, notice this difference:
Actually, this is just my way of finding those keys. There’s an exact, proper method to extract them, so why did I show you this? Because it might help in different situations, I wanted to show you my approach first. Let me make it clear: what we are dealing with here is steganography.
Steganography is the practice of hiding data inside an image (or another file) in various ways. There are many different techniques, and I won’t go into all of them here, as it would take too long, but there are plenty of references online if you want to learn more.
Sometimes, we find a text file embedded inside an image. Other times, different types of data are hidden, which means we need to use different tools to reveal the hidden information.
I’ll show you how to use these tools to extract hidden data:
- steghide
- stegseek
- exiftool
- binwalk
[ steghide ]
command:
steghide --info 001-key.jpg
This command helps you analyze an image to check if it contains any hidden messages or files without actually extracting them.
After hitting y, it will ask for a passphrase; just press Enter!
The output shows that a file called key-001.txt is embedded in 001-key.jpg.
If you want to extract that embedded text file from the image, here’s how to do it:
command:
steghide --extract -sf 001-key.jpg
When it asks for a passphrase, just hit Enter, and the file will be extracted!
Let’s take a look at the extracted text:
Now we have the first key!
You might be wondering about the parameters I used with steghide:
--info -> display information about a cover- or stego-file
--extract -> extract data
-sf -> select stego file
There are more parameters available; just type steghide to see all the options.
[ stegseek ]
Now, let’s move on to stegseek. We didn’t use this earlier, but it can be really helpful.
Do you remember when we tried to get information from the image using steghide?
Here, I told you to just hit Enter when prompted for a passphrase. In our case, it wasn’t needed, but this won’t always be the case.
If the creator embeds a passphrase, you’ll need to find it because that’s the only way to extract the hidden data or file.
Let me show you a scenario:
Here, you can see an image in my demo directory.
I created a file called secret.txt and embedded it inside cat.jpg using steghide.
Here, you can see that it’s asking for a passphrase. So, I set a passphrase for it.
Notice here that to extract the embedded text file, you must provide the correct passphrase.
The old trick of hitting Enter with a blank passphrase, like we did for 001-key.jpg, won’t work this time.
What would you do in this scenario?
In this situation, we can use stegseek to brute-force the passphrase using a wordlist.
command:
stegseek cat.jpg -wl /usr/share/wordlists/rockyou.txt
result:
It detected the passphrase, which was silver. The original file we embedded, secret.txt, was extracted as cat.jpg.out.
Let’s see how it works by checking the extracted file:
We successfully extracted the embedded file. Sometimes a .jpg is protected by a passphrase, so this method can be very helpful; it’s a common way to find the passphrase.
Now, if we look at the other .jpg files (excluding 001-key.jpg):
These are asking for a passphrase as well. So do we need to brute-force them?
This is exactly why I suggested manually inspecting the .jpg files and checking their formats first.
When you examine the files carefully, the approach becomes clearer. 001-key.jpg has no comments or hidden content, so there’s no need for stegseek or additional tools. In contrast, the second image contains a comment, and the third key was compressed inside the image; these clues tell you which method to use and help avoid confusion. I hope this method is useful.
[ exiftool ]
This tool helps you gather more information about an image. You can extract comments and other metadata as well.
command:
exiftool 002-key.jpg
Run it against 002-key.jpg and then against 003-key.jpg.
When you look closely, you’ll notice comments in both images along with other information. There’s even more you can do with ExifTool; just type exiftool in your terminal to explore its features.
[ binwalk ]
command:
binwalk -e 003-key.jpg
This single command shows that a zip file exists inside the image, including the name of the text file it contains, and extracts it for us.
After extraction, a new directory called _003-key.jpg.extracted appears.
Let’s see what’s inside that directory. Here we have key-003.txt.
Let’s cat that file, and here it is: our key!
Of course, these aren’t the only tools or methods for steganography; there’s a lot more to explore. I’ll cover a deeper dive in a future post.
For now, we’ve successfully obtained our keys:
001-key -> cGxhbnQ0Ml9jYW
002-key -> 5fYmVfZGVzdHJveV9
003-key -> 3aXRoX3Zqb2x0
What we need to do now is combine all the strings into one:
cGxhbnQ0Ml9jYW5fYmVfZGVzdHJveV93aXRoX3Zqb2x0
At last, take the combined string, drop it into CyberChef, and apply the “Magic” recipe. This will give you the passphrase for the .gpg file.
Now we have the password for the encrypted file.
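Why the three fragments only make sense once they are joined, as an added example (my own code, not part of the original walkthrough): Base64 turns every 3 bytes into 4 characters, and the cuts between 001, 002 and 003 fall in the middle of those 4-character groups, so each fragment fails to decode on its own while the joined string decodes cleanly. It assumes the combined string is plain Base64, which is what CyberChef’s Magic recipe detects here.

```python
import base64
import binascii

# The three fragments recovered in the walkthrough from 001-key.jpg,
# 002-key.jpg and 003-key.jpg, in that order.
KEY_FRAGMENTS = ["cGxhbnQ0Ml9jYW", "5fYmVfZGVzdHJveV9", "3aXRoX3Zqb2x0"]


def decodes_alone(fragment):
    """True only if the fragment is a complete, correctly padded Base64 string."""
    try:
        base64.b64decode(fragment, validate=True)
        return True
    except binascii.Error:
        return False


def group_alignment(fragments):
    """Offset (mod 4) at which each fragment starts inside the joined string.
    Base64 encodes 3 bytes per 4 characters, so anything other than 0 means
    the cut fell in the middle of a group and the fragment cannot decode alone."""
    offsets, pos = [], 0
    for fragment in fragments:
        offsets.append(pos % 4)
        pos += len(fragment)
    return offsets


def combine_and_decode(fragments):
    """Join the fragments in order and decode the whole string as Base64."""
    joined = "".join(fragments)
    if len(joined) % 4:
        raise ValueError(f"{len(joined)} characters is not a multiple of 4")
    return base64.b64decode(joined, validate=True).decode("ascii")


if __name__ == "__main__":
    for frag in KEY_FRAGMENTS:
        print(f"{frag!r:22} decodes alone: {decodes_alone(frag)}")
    print("start offsets mod 4:", group_alignment(KEY_FRAGMENTS))
    print("passphrase:", combine_and_decode(KEY_FRAGMENTS))
```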
3.3. What is the helmet key flag
Now, let’s decrypt helmet_key.txt.gpg using the passphrase.
Let’s list our directory. We’ve successfully decrypted helmet_key!
Let’s cat the helmet_key.txt:
Flag captured: helmet_key!
Task 4. The Revisit
4.1. What is the SSH login username
We’ve got the helmet key now, so let’s unlock those doors!
/studyRoom/ ----> input helemt flag!
/hidden_closet/ ----> input helemt flag!
Let’s go to the Study Room entrance and enter the helmet key!
[ Study room entrance ]
We made it through the Study Room entrance and into the Study Room!
[ Study room ]
Inside, there’s a hyperlink labeled EXAMINE. Clicking it downloads a compressed file called doom.tar.gz. Our next step is to decompress it and see what’s inside.
When we check the file type:
doom.tar.gz: gzip compressed data, last modified: Fri Sep 20 07:04:11 2019, from Unix, original size modulo 2^32 10240
The .tar.gz extension means a tar archive that has been compressed with gzip. It’s similar to a .zip file but more commonly used on Linux. You can look up the details yourself if you want to dive deeper, but for now, just remember that it works like a zip file.
Let’s decompress it and see if something’s hidden inside.
Use this command to unzip the .gz file:
command:
gunzip doom.tar.gz
result:
After running the command, the .gz part is gone and we’re left with doom.tar. Now we need another command for the .tar extension to see what’s inside the archive.
command:
tar -xf doom.tar
result:
From the archive, we extracted a text file called eagle_medal.txt.
Let’s check what’s inside by simply running cat:
We got the SSH username!
4.2. What is the SSH login password
/studyRoom/ ----> done
/hidden_closet/ ----> input helemt flag!
We’ve already completed /studyRoom/.
Our next destination is /hidden_closet/. Let’s head there and enter the helmet key!
[ Closet room entrance ]
We passed through the Closet entrance and into the Closet room.
[ Closet room ]
Inside, you’ll see two hyperlinks: READ and EXAMINE.
Let’s start by clicking READ and see what it reveals.
From the first hyperlink, we get another text. I think it’s a Vigenère cipher, so let’s put it into Enigmator and see which cipher is being used.
So, it’s a Vigenère cipher, but we don’t have the key. For a shortcut this time, let’s go to the dcode website, paste the cipher, and see what the output reveals.
Here, you can see that the left side shows the result: it contains a username and password. It’s not the SSH password, so let’s note it down somewhere.
dcode link:
Next, let’s move on to the other hyperlink called EXAMINE in the Closet room.
[ Closet room ]
There it is.
We got the SSH password!
4.3. Who the STARS bravo team leader
They already mentioned who STARS’ Bravo team leader is in the Closet Room. When you read the text, you can understand it clearly.
Task 5. Underground laboratory
5.1. Where you found Chris
Do you remember the SSH credentials we obtained earlier?
Let’s use them to log in.
After logging in and listing the current directory, we notice some hidden files have appeared.
Here, there’s a directory called .jailcell. Let’s go inside.
Here, we found Chris inside the jailcell!
5.2. Who is the traitor
When you cat the chris.txt file we found earlier, it reveals who the traitor is. Just read through the conversation.
5.3. The login password for the traitor
We already obtained this password earlier. It’s not the SSH password; it’s the username and password we got by deciphering the text in the Hidden Closet.
5.4. The name of the ultimate form
When we navigate to the /home directory, we can see that there are three users there.
We already accessed hunter via the FTP connection to get the helmet key. If you’re interested, you can check it for hidden files; I examined those folders once again.
The second user, umbrella_guest, hasn’t been fully explored yet. We already found .jailcell with Chris inside, so now let’s visit weasker and see what’s inside.
Here, we found a file called weasker_note.txt. Let’s check what’s inside.
When you read this conversation, it mentions the ultimate form!
5.5. The root flag
I checked whether the current user can escalate to root, but it’s not possible.
My next move is to look for any SUID binaries, as they might lead to root access.
I tested each binary, but none worked. However, I noticed a suspicious binary called pkexec.
I found an exploit, but it’s mostly trial and error because I don’t know if it will work on this machine. If it’s patched, it won’t work.
There’s another problem: the exploit is written in C, so it needs to be compiled. Unfortunately, there’s no compiler available on the target machine, so uploading the exploit there would be pointless.
Can we install a compiler? No, it’s not possible: a normal user can’t install software without root permissions. So, what do we do?
Do you remember the credentials we obtained from deciphering the text in the Closet Room? The username was weasker. We’ve already seen that this user exists on the target machine.
Let’s try to switch to the user weasker.
We’ve successfully switched to the user weasker. Now, let’s check for root access.
It shows that weasker can become root! Let’s simply switch to the root user.
Let’s navigate to the root directory.
Here, we can see a file called root.txt. Let’s cat that file.
We got the root flag!
“Root flag captured Biohazard pwned!!!!!!!!!!!!”
Thanks for coming! Stay curious, stay ethical!
Follow me for more about cybersecurity: Medium, GitHub, LinkedIn
This challenge was created by DESKEL. Thank you for investing your time and effort to develop it so that I can sharpen my skills!