To start with I run a quick all ports scan with Nmap just to make sure I do not miss anything:
Then a version scan on the above ports, while also running scripts.
OK, so we have three ports open, port 21 (Ftp), port 22 (ssh) and port 80 Apache web server. As there appears to be no anonymous login allowed on the ftp server, I will start with port 80, the Apache webserver.
Port 80:
Checking the source code there is nothing here; however, there is a link to /mansionmain.
Checking the source code we can find the following directory in the comments ‘/diningRoom/’. Lets navigate to that room.
Dining Room:
There is a link asking whether you will take the emblem on the wall, also in the page source there is what looks like a base64 encoded string.
Decoding the base64 string reveals “How about the /teaRoom/ which appears to be another directory for a room.
Lets take the emblem on the wall, doing so reveals what looks like our first flag and hints that we can put something on the emblem slot. We are asked to refresh /diningRoom.
I put the flag in the field and press submit, but nothing happens.
Lets explore the Tea Room
Clicking on the Lockpick link gives us the Lockpick Flag
In the notes it also states that Jill should visit the /artRoom.
Art Room
Investigating the paper on the wall gives us what looks like a map of all the rooms:
Bar Room
Trying the lockpick flag and clicking ‘Submit’ opens the door to the barRoom.
Lets read the note:
I would strongly suggest using a very good decoder, I tend to use CybreChef, see link below:
So this is base32, using the decoder, we can decode the message:
Play the piano by submitting the piano flag:
There is a gold emblem on the wall, take it and we get the gold_emblem flag.
I try the gold_emblem flag, but nothing happens. I then try the emblem from the dining room and BINGO, we are redirected to a page giving the name ‘rebecca’
I am wondering whether I can use this the gold emblem flag in the Dining Room. Adding the gold emblem flag and submitting gives us the follow:
Straight off this looks like a rotation cipher , where the characters have been rotated by a defined number; however it's not and I had a hard time working this one out. Having to take a quick hint, this turns out to be a Vigenere Cipher and the key is ‘rebecca’ that we got earlier with the gold emblem.
“there is a shield key inside the dining room. The html page is called the_great_shield_key”
We navigate to /diningRoom/the_great_shield_key.html and get the shield_key flag
Using the map found earlier I start to methodically go through each room.
Dining room 2F
Checking the source code we see the following comment:
“Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy”
Another cipher, first I will try a ROT13, which proves correct.
“You get the blue gem by pushing the status to the lower floor. The gem is on the diningRoom first floor. Visit sapphire.html”
We can now navigate back to /diningRoom/sapphire.html and we get the blue_jewel flag.
Tiger Status Room
Enter the blue_jewel flag and submit. We are redirected to a page and are presented with instructions that we need to collect and combine 4 crests. We are given the first one and told that it has been encoded twice and that it contains 14 letters.
Using a process of iteration to decode, I used CyberChef to start trying each option starting at base32 to base64 until I had an output which made sense. At base64 the decode seemed correct as it had the ‘=’ at the end signifying base64.
I then used the output as the input and started the process again.
Base32 gave a sensible output string.
Crest 1: RlRQIHVzZXI6IG
Gallery Room
Examining the note we get the second crest:
Using the same process, the second crest can be decoded using base32 and base58. This gives the required 18 letters.
Crest 2: h1bnRlciwgRlRQIHBh
Study Room
Looks like we need a another flag to enter this room. It states, “A helmet symbol is embedded on the door.” I will leave this and move on to the Armour Room, as this could be the clue relating to the Helmet.
Armour Room
Oh boy, this is also locked
However, we do have the shield flag from earlier from the Dining Room.
Submitting the shield flag we enter into the armour room.
Read the note and we get the hind for Crest 3.
The first thing is that the code ends with an ‘=’ sign, so it is probably a base. It has been encoded three times and the crest contains 19 letters. Back to CyberChef. Starting with base64, the output looks binary, decoding the binary, we get a Hex output and decoding from Hex we get
Crest 3: c3M6IHlvdV9jYW50X2h
Attic Room
Again we try the shield flag and submit and we are in.
Read the note.
Crest 4 has been encoded twice and contains 17 letters, again I will use the same process as before.
This has been encoded with base58 and Hex.
Crest 4: pZGVfZm9yZXZlcg==
As per the instructions, we need to combine all the crests:
RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==
Straight away we can see that this is base64 encoded, so all we have to do is decode from base64.
We now have the FTP credentials to access port 21, back to our terminal.
FTP user: hunter, FTP pass: you_cant_hide_forever
FTP Server Port 21
Log into the ftp server using the found credentials
ftp 10.10.70.240
Next I mget * all the files and download them for analysis.
Reading the important.txt file we receive the following information:
Jill,
I think the helmet key is inside the text file, but I have no clue on decrypting stuff. Also, I come across a /hidden_closet/ door but it was locked.
From,
Barry
The file helmet_key.txt.gpg is encrypted using the GNU Privacy Guard, so it is likely we will need a key to access this file.
To start I am going to see whether there is any information contained within the jpg files. It is possible using Steganography that information has been embedded in these files. There are various ways to find information contained within these files such as binwalk and strings, Exiftool etc.
Image: 001-key.jpg
Using Exiftool with 001-key.jpg showed nothing, moving on to Steghid to se whether there are any embedded file.
We can see that there is a file embedded in the image called key-001.txt, we can use Steghide to extract the file.
The file contains “cGxhbnQ0Ml9jYW”, so we assume that this is the first part of the key
Image: 002-key.jpg
Using Strings we find a code contained within the comments.
Comment : 5fYmVfZGVzdHJveV9
Image: 003-key.jpg
Initially I tried Steghide; however, it required a passphrase.
Binwalk extracts key-003.txt and we have the third part of the key 3aXRoX3Zqb2x0
Combining all the keys we get:
cGxhbnQ0Ml9jYW5fYmVfZGVzdHJveV93aXRoX3Zqb2x0
This is base64 encoded, decoding the string:
plant42_can_be_destroy_with_vjolt
I believe this is the gpg key to decrypt the helmet_key.txt.gpg file.
I installed nautilus so I could decrypt the file:
sudo apt-get install seahorse-nautilus
To decrypt the file I simple opened the encrypted file using the File Manager and entered the key. This could also be done from the command line.
gpg helmet_key.txt.gpg
Once decrypted we get the helmet_key flag
Study Room
Armed with the helmet_key flag we can now enter the Study Room.
We can examine the book which allows us to download a Gunzip file called doom.tar.gz.
We decompress the file first using Gunzip and then Tar. The extracted file is called eagle_medal.txt
Reviewing the file we get the SSH user: umbrella_guest
Hidden Closet Room
Again a locked door, but it has the helmet symbol, so lets try and use the helmet_key flag.
Reading the MO disk 1 we get the following encoded message:
wpbwbxr wpkzg pltwnhro, txrks_xfqsxrd_bvv_fy_rvmexa_ajk
Having had to check the hint for this, it mentions using the same process as that used for the Shield_key, which was the Vigenere cipher; however, this time we do not have a key.
Using the above site I enter the encoded message and select the “Autosolve” options:
albert weasker login password stars members are my guinea pig
Cleaning this up
albert weasker password: stars_members_are_my_guinea_pig
No idea what I need this for at the moment
Examining the the wolf medal:
SSH password: T_virus_rules
We now have the username and password to access the ssh server on port 22
Username: umbrella_guest Password: T_virus_rules
Port 22 SSH Server
The first thing I notice is a hidden directory called .jailcell
Navigating to this directory we see a file called chris.txt:
Jill: Chris, is that you?
Chris: Jill, you finally come. I was locked in the Jail cell for a while. It seem that weasker is behind all this.
Jil, What? Weasker? He is the traitor?
Chris: Yes, Jill. Unfortunately, he play us like a damn fiddle.
Jill: Let’s get out of here first, I have contact brad for helicopter support.
Chris: Thanks Jill, here, take this MO Disk 2 with you. It look like the key to decipher something.
Jill: Alright, I will deal with him later.
Chris: see ya.MO disk 2: albert
Looks like bad news, we find out that Weasker is the traitor.
Looking in the /home directory, we can see that we have two other users, hunter and weasker.
Changing to the hunter account, there is nothing really here apart from the FTP files that we downloaded earlier.
Changing to weasker as we have read /write, there is a file called weasker_note.txt.
Reading the note:
Weaker: Finally, you are here, Jill.
Jill: Weasker! stop it, You are destroying the mankind.
Weasker: Destroying the mankind? How about creating a ‘new’ mankind. A world, only the strong can survive.
Jill: This is insane.
Weasker: Let me show you the ultimate lifeform, the Tyrant.(Tyrant jump out and kill Weasker instantly)
(Jill able to stun the tyrant will a few powerful magnum round)Alarm: Warning! warning! Self-detruct sequence has been activated. All personal, please evacuate immediately. (Repeat)
Jill: Poor bastard
Remembering back to the Closet Room we decoded a cypher:
albert weasker password: stars_members_are_my_guinea_pig
Lets see if we can use this password to change user to Weasker.
Looking at Weasker, we can see that he has access to just about everything. Based on this we should be able to Sudo as root.
sudo su
We can now access /root and claim the last flag.
I really enjoyed this box. Although it really was a more CTF than exploiting system vulnerabilities, I lived the Resident Evil theme, plot and challenges.
Well done to the creator of this box as a lot of thought and work must have gone into it.
