THM Writeup: Psycho Break


[ Tasks ]

The Nmap scan reveals that there are 3 ports open.

Let’s take a look at port 80. Check out the page source and you will find a directory called “/sadiestRoom” mentioned in a comment.

Grab the locker room key

Ok, now it’s time to go to the next room which is the Locker Room before the poor guy gets killed by the sadist.

I see this. After a bit of figuring out, I realized that this cipher is an Atbash cipher. How does Atbash work? Well, when we encode, an ‘A’ becomes ‘Z’, ‘B’ becomes ‘Y’, etc. You can read more about the Atbash cipher here: https://en.wikipedia.org/wiki/Atbash. Alright, when you decrypt it you’ll get a key to access the map.

Alright here is the map

Let’s enter the next directory which is “Safe Heaven”. If you view the page source there is a comment saying:

So let’s do what it says: “Search through me and find it”. Fire up your web directory/file brute-force program; I used gobuster and found a hidden directory.

I tapped the button and was redirected to another page that has a countdown and an image.

Ok, so as before I viewed the page source and found this hint

“I google reverse image search”. So let’s do it, shall we?

The location of the image can be found by reverse searching the image. So hopefully, if the answer is correct, we can save Sebastian and get our keeper key. Awesome, our answer was correct.

With the keeper key acquired we can proceed to the “Abandoned Room”, the final room, which is the scariest amongst the rest. “Don’t be afraid”.

Tap the button “Go Further” and meet the Spiderlady. There is another countdown “Oh hell no”. As usual, let’s view the page source.

“shell” hmmm. Maybe it might be a PHP parameter called shell. So let’s give it a go.

Alright, we have a directory in the previous directory. Let’s navigate to it.

Let’s view the text file.

Let’s now grab the .zip file and extract it.

There are 2 files extracted.

Oh, poor fellow, let’s help him get out of the cell; maybe that might give us a clue. Ever heard of “binwalk”? Well, there are some hidden files inside the image, and we can use binwalk to extract them.

key.wav is a message encoded with morse code. So I used this site to decode.

Hmm. I wonder what the word “SHOWME” is really for. Since there is another .jpg image we can use steghide to extract hidden info.

The file thankyou.txt contains the credentials for the FTP login.

FTP logged in as user joseph.

Let’s see what’s the executable all about.

Hmm. I guess we can write a Python script to brute-force it, since we also have a wordlist (random.dic).

Here is my simple cracker named psychoCracker (made with some style too 😉). Click here to download psychoCracker.

Alright, I got a huge list of numbers. This is a cipher called “abc cipher / Multi-tap Phone Cipher”. You can decode it easily from this website https://www.dcode.fr/multitap-abc-cipher.

So now I believe that we have a username (the key used to crack the program) and a password, so finally we can log in to the system with SSH. Go ahead and view the user flag because you own it. Now to the privesc.

There is a hidden file called .readThis.txt in the home directory.

This cipher turns out to be ROT47.

Hmm, I think we got a hint. Let’s give it a search.

Awesome, there is a file called .the_eye_of_ruvik.py in the /var directory, owned by the root user and with world read/write enabled. But wait, there is a problem: how can we execute it? Let’s take a look at the cron jobs.

Perfect, the program we just saw gets executed every 2 minutes by root. So the only thing to do now is to plant a reverse shell in the file “.the_eye_of_ruvik.py” and get an active connection. Click here to view the reverse shell cheatsheet.

Target Machine

Attacker Machine

Hooray, after a couple of minutes I got a connection back. Now you can grab your root flag because you owned it ;).
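
The root cause of the escalation above is a root cron job that runs a file other users can write to. The check below, an added example that is not part of the original writeup, flags that condition; the function names and the crontab line in the demo are constructed, and it assumes the system crontab layout with a user field.

```python
import os
import shlex
import stat

RISKY = stat.S_IWGRP | stat.S_IWOTH  # write bits for anyone but the owner

def cron_commands(crontab_text):
    """Yield (user, argv) per job line in /etc/crontab format:
    five time fields (or one @shortcut), a user, then the command."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        n = 1 if line.startswith("@") else 5
        fields = line.split(None, n + 1)
        if len(fields) < n + 2:
            continue  # environment assignment or malformed line
        try:
            yield fields[n], shlex.split(fields[n + 1])
        except ValueError:
            continue  # unbalanced quotes; skip rather than guess

def writable_by_others(path):
    """True if non-owners can modify the file, or replace it through a
    writable parent directory that lacks the sticky bit."""
    if os.stat(path).st_mode & RISKY:
        return True
    parent = os.stat(os.path.dirname(path)).st_mode
    return bool(parent & RISKY) and not parent & stat.S_ISVTX

def audit(crontab_text, user="root"):
    """Return files referenced by `user`'s jobs that others can modify."""
    findings = []
    for job_user, argv in cron_commands(crontab_text):
        if job_user != user:
            continue
        for arg in argv:
            if os.path.isabs(arg) and os.path.isfile(arg) and writable_by_others(arg):
                findings.append(arg)
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a throwaway world-writable script and a crontab
    # line shaped like the room's two-minute root job.
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "job.py")
        open(script, "w").close()
        os.chmod(script, 0o666)
        print(audit(f"*/2 * * * * root python3 {script}\n"))
```

Any path it reports should be owned by root with mode 0644 or stricter, in a directory that unprivileged users cannot write to.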

[ Bonus ]

There is a file called readMe.txt in the /root directory which shows

A user called ruvik exists in the system.

So as the note says let’s delete/remove user ruvik.

This is the first room I’ve ever created. If you enjoyed it, please give me a follow on Twitter (https://twitter.com/ShalindaFdo) and send me your feedback :).