```
# Nmap 7.91 scan initiated Tue May 4 10:16:27 2021 as: nmap -sSVC -p- -oA nmap_full -v 10.10.193.27
Nmap scan report for 10.10.193.27
Host is up (0.026s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c9:03:aa:aa:ea:a9:f1:f4:09:79:c0:47:41:16:f1:9b (RSA)
|   256 2e:1d:83:11:65:03:b4:78:e9:6d:94:d1:3b:db:f4:d6 (ECDSA)
|_  256 91:3d:e4:4f:ab:aa:e2:9e:44:af:d3:57:86:70:bc:39 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Beginning of the end
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 4 10:17:19 2021 -- 1 IP address (1 host up) scanned in 52.54 seconds
```
```
<!-- Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy -->
```
This looks like a substitution cipher (e.g. Caesar).
I used my own toolkit named ctf-party to decrypt the message. The tool can be used either as a CLI or as a library:
```
$ ctf-party 'Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy' rot13
You get the blue gem by pushing the status to the lower floor. The gem is on the diningRoom first floor. Visit sapphire.html

$ ctf_party_console
irb(main):001:0> message = 'Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy'
=> "Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy"
irb(main):002:0> message.rot13
=> "You get the blue gem by pushing the status to the lower floor. The gem is on the diningRoom first floor. Visit sapphire.html"
```
```
$ ctf_party_console
irb(main):001:0> message = 'klfvg ks r wimgnd biz mpuiui ulg fiemok tqod. Xii jvmc tbkg ks tempgf tyi_hvgct_jljinf_kvc'
irb(main):004:0> (1..26).each.map { |n| message.rot(shift: n) }
=> ["lmgwh lt s xjnhoe cja nqvjvj vmh gjfnpl urpe. Yjj kwnd uclh lt ufnqhg uzj_iwhdu_kmkjog_lwd",
 "mnhxi mu t ykoipf dkb orwkwk wni hkgoqm vsqf. Zkk lxoe vdmi mu vgorih vak_jxiev_lnlkph_mxe",
 "noiyj nv u zlpjqg elc psxlxl xoj ilhprn wtrg. All mypf wenj nv whpsji wbl_kyjfw_momlqi_nyf",
 "opjzk ow v amqkrh fmd qtymym ypk jmiqso xush. Bmm nzqg xfok ow xiqtkj xcm_lzkgx_npnmrj_ozg",
 "pqkal px w bnrlsi gne ruznzn zql knjrtp yvti. Cnn oarh ygpl px yjrulk ydn_malhy_oqonsk_pah",
 "qrlbm qy x cosmtj hof svaoao arm loksuq zwuj. Doo pbsi zhqm qy zksvml zeo_nbmiz_prpotl_qbi",
 "rsmcn rz y dptnuk ipg twbpbp bsn mpltvr axvk. Epp qctj airn rz altwnm afp_ocnja_qsqpum_rcj",
 "stndo sa z equovl jqh uxcqcq cto nqmuws bywl. Fqq rduk bjso sa bmuxon bgq_pdokb_rtrqvn_sdk",
 "tuoep tb a frvpwm kri vydrdr dup ornvxt czxm. Grr sevl cktp tb cnvypo chr_qeplc_susrwo_tel",
 "uvpfq uc b gswqxn lsj wzeses evq psowyu dayn. Hss tfwm dluq uc dowzqp dis_rfqmd_tvtsxp_ufm",
 "vwqgr vd c htxryo mtk xaftft fwr qtpxzv ebzo. Itt ugxn emvr vd epxarq ejt_sgrne_uwutyq_vgn",
 "wxrhs we d iuyszp nul ybgugu gxs ruqyaw fcap. Juu vhyo fnws we fqybsr fku_thsof_vxvuzr_who",
 "xysit xf e jvztaq ovm zchvhv hyt svrzbx gdbq. Kvv wizp goxt xf grzcts glv_uitpg_wywvas_xip",
 "yztju yg f kwaubr pwn adiwiw izu twsacy hecr. Lww xjaq hpyu yg hsadut hmw_vjuqh_xzxwbt_yjq",
 "zaukv zh g lxbvcs qxo bejxjx jav uxtbdz ifds. Mxx ykbr iqzv zh itbevu inx_wkvri_yayxcu_zkr",
 "abvlw ai h mycwdt ryp cfkyky kbw vyucea jget. Nyy zlcs jraw ai jucfwv joy_xlwsj_zbzydv_als",
 "bcwmx bj i nzdxeu szq dglzlz lcx wzvdfb khfu. Ozz amdt ksbx bj kvdgxw kpz_ymxtk_acazew_bmt",
 "cdxny ck j oaeyfv tar ehmama mdy xawegc ligv. Paa bneu ltcy ck lwehyx lqa_znyul_bdbafx_cnu",
 "deyoz dl k pbfzgw ubs finbnb nez ybxfhd mjhw. Qbb cofv mudz dl mxfizy mrb_aozvm_cecbgy_dov",
 "efzpa em l qcgahx vct gjococ ofa zcygie nkix. Rcc dpgw nvea em nygjaz nsc_bpawn_dfdchz_epw",
 "fgaqb fn m rdhbiy wdu hkpdpd pgb adzhjf oljy. Sdd eqhx owfb fn ozhkba otd_cqbxo_egedia_fqx",
 "ghbrc go n seicjz xev ilqeqe qhc beaikg pmkz. Tee friy pxgc go pailcb pue_drcyp_fhfejb_gry",
 "hicsd hp o tfjdka yfw jmrfrf rid cfbjlh qnla. Uff gsjz qyhd hp qbjmdc qvf_esdzq_gigfkc_hsz",
 "ijdte iq p ugkelb zgx knsgsg sje dgckmi romb. Vgg htka rzie iq rckned rwg_ftear_hjhgld_ita",
 "jkeuf jr q vhlfmc ahy lothth tkf ehdlnj spnc. Whh iulb sajf jr sdlofe sxh_gufbs_ikihme_jub",
 "klfvg ks r wimgnd biz mpuiui ulg fiemok tqod. Xii jvmc tbkg ks tempgf tyi_hvgct_jljinf_kvc"]
```
But the only flag we are missing from the first page is the shield one, and the hint for this one is Blaise de Vigenère, so it must be a Vigenère cipher.
It requires a key, so by pure guessing let's say it could be rebecca, which we obtained earlier.
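The guessed-key step above, as an added example that is not part of the original write-up and does not use ctf-party: a Vigenère routine whose key index advances only on letters, plus a crude English-word score for choosing among candidate keys. The candidate list and the word list are assumptions made for the example; a one-letter key reduces to the ROT-n shifts tried earlier.

```ruby
# Added example; method and constant names are hypothetical, not ctf-party's API.
# Vigenère over A-Z/a-z: the key index advances only on letters, so spaces,
# dots and underscores pass through without consuming key material.
def vigenere(text, key, decrypt: false)
  shifts = key.downcase.scan(/[a-z]/).map { |c| c.ord - 97 }
  raise ArgumentError, 'key must contain at least one letter' if shifts.empty?

  i = 0
  text.gsub(/[A-Za-z]/) do |ch|
    base = ch.match?(/[A-Z]/) ? 65 : 97   # keep the case of each letter
    shift = shifts[i % shifts.size]
    shift = -shift if decrypt
    i += 1
    (((ch.ord - base + shift) % 26) + base).chr
  end
end

# Crude readability score: how many distinct common English words appear.
# The word list is an assumption, chosen independently of the plaintext.
COMMON_WORDS = %w[the is a of and to in that you it for on with this].freeze

def english_score(text)
  (text.downcase.scan(/[a-z]+/) & COMMON_WORDS).size
end

# Decrypt with every candidate key; return [key, plaintext] of the best score.
def best_key(ciphertext, candidates)
  candidates
    .map { |k| [k, vigenere(ciphertext, k, decrypt: true)] }
    .max_by { |_, plain| english_score(plain) }
end

# Ciphertext copied from the page; candidates are names seen in this write-up.
CIPHERTEXT = 'klfvg ks r wimgnd biz mpuiui ulg fiemok tqod. ' \
             'Xii jvmc tbkg ks tempgf tyi_hvgct_jljinf_kvc'
CANDIDATES = %w[albert jill rebecca].freeze

key, plain = best_key(CIPHERTEXT, CANDIDATES)
puts "#{key}: #{plain}"
```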
By joining the 4 crest parts we have the following base64 string:
RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==
which decodes to FTP user: edited, FTP pass: edited.
```
$ steghide extract -sf ftp/001-key.jpg
Enter passphrase:
wrote extracted data to "key-001.txt".

$ cat key-001.txt
cGxhbnQ0Ml9jYW
```
And the third is hiding files too:
```
$ binwalk -e ftp/003-key.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
1930          0x78A           Zip archive data, at least v2.0 to extract, uncompressed size: 14, name: key-003.txt
2124          0x84C           End of Zip archive, footer length: 22
```
```
$ gpg helmet_key.txt.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
```
```
$ umbrella_guest@umbrella_corp:~$ ls -lhA .jailcell/
total 4.0K
-rw-r--r-- 1 umbrella_guest umbrella 501 Sep 20 2019 chris.txt
umbrella_guest@umbrella_corp:~$ cat .jailcell/chris.txt
Jill: Chris, is that you?
Chris: Jill, you finally come. I was locked in the Jail cell for a while. It seem that weasker is behind all this.
Jil, What? Weasker? He is the traitor?
Chris: Yes, Jill. Unfortunately, he play us like a damn fiddle.
Jill: Let's get out of here first, I have contact brad for helicopter support.
Chris: Thanks Jill, here, take this MO Disk 2 with you. It look like the key to decipher something.
Jill: Alright, I will deal with him later.
Chris: see ya.
```
MO disk 2: albert
This is the Vigenère decryption key for disk 1.
```
weasker@umbrella_corp:~$ cat weasker_note.txt
Weaker: Finally, you are here, Jill.
Jill: Weasker! stop it, You are destroying the mankind.
Weasker: Destroying the mankind? How about creating a 'new' mankind. A world, only the strong can survive.
Jill: This is insane.
Weasker: Let me show you the ultimate lifeform, the Tyrant.

(Tyrant jump out and kill Weasker instantly)
(Jill able to stun the tyrant will a few powerful magnum round)

Alarm: Warning! warning! Self-detruct sequence has been activated. All personal, please evacuate immediately. (Repeat)
Jill: Poor bastard
```
```
weasker@umbrella_corp:~$ id
uid=1000(weasker) gid=1000(weasker) groups=1000(weasker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),118(lpadmin),126(sambashare)
weasker@umbrella_corp:~$ sudo -l
[sudo] password for weasker:
Matching Defaults entries for weasker on umbrella_corp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User weasker may run the following commands on umbrella_corp:
    (ALL : ALL) ALL
weasker@umbrella_corp:~$ sudo su -
root@umbrella_corp:~# pwd
/root
root@umbrella_corp:~# cat root.txt
In the state of emergency, Jill, Barry and Chris are reaching the helipad and awaiting for the helicopter support.

Suddenly, the Tyrant jump out from nowhere. After a tough fight, brad, throw a rocket launcher on the helipad. Without thinking twice, Jill pick up the launcher and fire at the Tyrant.

The Tyrant shredded into pieces and the Mansion was blowed. The survivor able to escape with the helicopter and prepare for their next fight.
```