Difficulty: Easy
Theme: Resident Evil 1 (1998)
Overview
A Resident Evil–themed web CTF involving recon of hidden web endpoints, steganography, encoding/decryption challenges, FTP enumeration, and SSH privilege escalation to root.
Phase 1 - Web Enumeration
Landing Page → Main Hall
Visited http://10.49.167.160. The page had a clickable mansion link.
Redirected to /mansionmain/. Viewing page source revealed a comment:
<!-- It is in the /diningRoom/ -->
/diningRoom/
Page source contained a Base64-encoded comment:
SG93IGFib3V0IHRoZSAvdGVhUm9vbS8=
Decoded:
echo 'SG93IGFib3V0IHRoZSAvdGVhUm9vbS8=' | base64 -d
# Output: How about the /teaRoom/
Clicking the YES emblem link yielded:
emblem{REDACTED}
Refreshing /diningRoom/ after collecting the emblem revealed a submission slot. Submitting the emblem flag here returned "Nothing happen"; kept it noted for later.
/teaRoom/
Clicking the Lockpick link gave:
lock_pick{REDACTED}
The page also pointed to /artRoom/.
/artRoom/
Clicking YES on the paper redirected to Mansionmap.html, which listed all mansion rooms:
/diningRoom/ /teaRoom/ /artRoom/ /barRoom/
/diningRoom2F/ /tigerStatusRoom/ /galleryRoom/
/studyRoom/ /armorRoom/ /attic/
Phase 2 - Room Crawl & Flag Collection
/barRoom/
Door locked — required the lockpick flag. Submitted lock_pick{REDACTED}.
Found a Base32-encoded music note:
NV2XG2LDL5ZWQZLFOR5TGNRSMQ3TEZDFMFTDMNLGGVRGIYZWGNSGCZLDMU3GCMLGGY3TMZL5
Decoded:
echo 'NV2XG2LDL5ZWQZLFOR5TGNRSMQ3TEZDFMFTDMNLGGVRGIYZWGNSGCZLDMU3GCMLGGY3TMZL5' | base32 -d
# Output: music_sheet{REDACTED}
Submitted music_sheet{...} to unlock the Secret Bar Room. Clicking YES on the gold emblem gave:
gold_emblem{REDACTED}
Submitted gold_emblem{...} to the emblem slot in secret bar room → Nothing happen.
Tried submitting the first emblem (emblem{REDACTED}) to /diningRoom/ → page returned rebecca. Noted as a potential cipher key.
Submitted gold_emblem{...} to /diningRoom/ slot and received a Vigenère-ciphered message:
klfvg ks r wimgnd biz mpuiui ulg fiemok tqod. Xii jvmc tbkg ks tempgf tyi_hvgct_jljinf_kvc
Used dcode.fr to identify: Vigenère cipher. Key = rebecca.
Decoded in CyberChef:
there is a shield key inside the dining room. The html page is called the_great_shield_key
Visited /diningRoom/the_great_shield_key:
shield_key{REDACTED}
/diningRoom2F/
Page source comment was ROT13:
Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy
Decoded:
echo '...' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
# You get the blue gem by pushing the status to the lower floor.
# The gem is on the diningRoom first floor. Visit sapphire.html
Visited /diningRoom/sapphire.html:
blue_jewel{REDACTED}
/tigerStatusRoom/
Placed the blue jewel in the tiger statue's eye. Received Crest 1:
S0pXRkVVS0pKQkxIVVdTWUpFM0VTUlk9
Decoded (Base64 → Base32 → partial Base64):
echo 'S0pXRkVVS0pKQkxIVVdTWUpFM0VTUlk9' | base64 -d | base32 -d
# Part 1: RlRQIHVzZXI6IG (14 chars, encoded twice)
/galleryRoom/
Examined note at /galleryRoom/note.txt. Received Crest 2:
GVFWK5KHK5WTGTCILE4DKY3DNN4GQQRTM5AVCTKE
Decoded (Base32 → Base58):
echo 'GVFWK5KHK5WTGTCILE4DKY3DNN4GQQRTM5AVCTKE' | base32 -d | base58 -d
# Part 2: h1bnRlciwgRlRQIHBh (18 chars)
/armorRoom/
Door required shield key. Submitted shield_key{REDACTED}.
Read note at the hidden URL. Received Crest 3 (encoded 3 times — Base64 → Binary → Hex → Base64):
MDAxMTAxMTAgMDAxMTAwMTEg...
Decode chain in CyberChef: Base64 → From Binary (space-delimited, 8-bit) → From Hex → (result is part of Base64 string)
# Part 3: c3M6IHlvdV9jYW50X2g (19 chars)
/attic/
Door required shield key. After submission read note. Received Crest 4:
gSUERauVpvKzRpyPpuYz66JDmRTbJubaoArM6CAQsnVwte6zF9J4GGYyun3k5qM9ma4s
Decoded (Base58 → Hex → Base64 chunk):
# Part 4: pZGVfZm9yZXZlcg== (17 chars)
Phase 3 - Combining the Crests → FTP Credentials
Combined all 4 parts:
RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==
Decoded:
echo -n 'RlRQIHVzZXI6IGh1bnRlciwgRlRQIHBhc3M6IHlvdV9jYW50X2hpZGVfZm9yZXZlcg==' | base64 -d
# FTP user: hunter, FTP pass: you_cant_hide_forever
Phase 4 — FTP Enumeration & Steganography
Logged into FTP and downloaded all files:
ftp 10.48.142.28
# user: hunter / pass: you_cant_hide_forever
ftp> mget *
Files: 001-key.jpg, 002-key.jpg, 003-key.jpg, helmet_key.txt.gpg, important.txt
important.txt mentioned a /hidden_closet/ door and a helmet key inside the GPG file.
Key extraction from images
001-key.jpg — Steghide (no passphrase needed):
steghide extract -sf 001-key.jpg
cat key-001.txt
# cGxhbnQ0Ml9jYW
002-key.jpg - Hidden in EXIF Comment field:
exiftool 002-key.jpg
# Comment: 5fYmVfZGVzdHJveV9
003-key.jpg - Embedded Zip archive, extracted with binwalk:
binwalk -e 003-key.jpg
cat _003-key.jpg.extracted/key-003.txt
# 3aXRoX3Zqb2x0
Combined and decoded:
echo 'cGxhbnQ0Ml9jYW5fYmVfZGVzdHJveV93aXRoX3Zqb2x0' | base64 -d
# plant42_can_be_destroy_with_vjolt
Decrypting the GPG file
Used the decoded passphrase:
gpg -d helmet_key.txt.gpg
# passphrase: plant42_can_be_destroy_with_vjolt
# helmet_key{REDACTED}
Phase 5 - Hidden Closet & Final Web Flags
/studyRoom/
Door required helmet key. Submitted → downloaded doom.tar.gz.
gunzip doom.tar.gz && tar -xvf doom.tar
cat eagle_medal.txt
# SSH user: umbrella_guest
/hidden_closet/
Door required helmet key. Inside:
- wolf_medal.txt → SSH password: T_virus_rules
- MO_DISK1.txt → Vigenère ciphertext:
wpbwbxr wpkzg pltwnhro, txrks_xfqsxrd_bvv_fy_rvmexa_ajk
Key = albert (found later and confirmed via MO Disk 2 over SSH). Decoded in CyberChef:
weasker login password, stars_members_are_my_guinea_pig
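Both Vigenère steps in this write-up (the /diningRoom/ message with key rebecca and MO_DISK1.txt with key albert) can be reproduced offline. The script below is an added example, not part of the original write-up; the function names are assumptions, and `recover_key` goes one step beyond the page by deriving the key from a known ciphertext/plaintext pair.

```python
import string

# Ciphertexts copied from the write-up (/diningRoom/ slot and MO_DISK1.txt).
DINING_ROOM_CT = ("klfvg ks r wimgnd biz mpuiui ulg fiemok tqod. "
                  "Xii jvmc tbkg ks tempgf tyi_hvgct_jljinf_kvc")
MO_DISK1_CT = "wpbwbxr wpkzg pltwnhro, txrks_xfqsxrd_bvv_fy_rvmexa_ajk"

def _rotate(ch, shift):
    """Rotate one ASCII letter by `shift` positions, preserving case."""
    base = ord("A") if ch.isupper() else ord("a")
    return chr((ord(ch) - base + shift) % 26 + base)

def vigenere_decrypt(ciphertext, key):
    """The key advances only on ASCII letters; spaces, '_', ',' and '.'
    pass through unchanged and do not consume a key character."""
    if not key or any(c not in string.ascii_letters for c in key):
        raise ValueError("key must be non-empty ASCII letters")
    shifts = [ord(c) - ord("a") for c in key.lower()]
    out, used = [], 0
    for ch in ciphertext:
        if ch in string.ascii_letters:
            out.append(_rotate(ch, -shifts[used % len(shifts)]))
            used += 1
        else:
            out.append(ch)
    return "".join(out)

def recover_key(ciphertext, plaintext):
    """Known-plaintext check: build the keystream letter by letter and
    return its shortest repeating period."""
    stream = "".join(
        chr((ord(c.lower()) - ord(p.lower())) % 26 + ord("a"))
        for c, p in zip(ciphertext, plaintext)
        if c in string.ascii_letters
    )
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

if __name__ == "__main__":
    print(vigenere_decrypt(DINING_ROOM_CT, "rebecca"))
    print(vigenere_decrypt(MO_DISK1_CT, "albert"))
```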
Phase 6 - SSH Access & Privilege Escalation
Initial Access
ssh umbrella_guest@10.48.142.28
# password: T_virus_rules
Found .jailcell/chris.txt which confirmed Weasker as the traitor and revealed:
MO disk 2: albert
This confirmed the Vigenère key used to decode MO Disk 1.
Lateral Movement to Weasker
su weasker
# password: stars_members_are_my_guinea_pig
Privilege Escalation to Root
sudo -l
# (ALL : ALL) ALL
sudo su
whoami
# root
Root Flag
cat /root/root.txt
# flag: {REDACTED}
Flags Summary
| Flag | Value |
|---|---|
| emblem | {REDACTED} |
| lock_pick | {REDACTED} |
| music_sheet | {REDACTED} |
| gold_emblem | {REDACTED} |
| shield_key | {REDACTED} |
| blue_jewel | {REDACTED} |
| helmet_key | {REDACTED} |
| root flag | {REDACTED} |
Tools Used
- CyberChef — Base64, Base32, Base58, Hex, Binary, Vigenère decode
- dcode.fr — Cipher identification
- steghide — Steganography extraction from JPEG
- exiftool — EXIF metadata extraction
- binwalk — Zip extraction from JPEG
- gpg — GPG decryption
- FTP client — File retrieval
- SSH / sudo — Privilege escalation