First things first is to run an nmap scan. We see that there are 3 ports open. ftp, ssh, and port http.
I decided to check FTP first. The little I know about FTP leads nowhere. I tried to login anonymously but that didn’t do anything.
But…. if we inspect the webpage it gives us a hint. To go to /sadistRoom…
Sadist Room says Sebastian found a key to the locker room. And to click a button to get the key. When we click it a pop up shows up. Copy the key and click okay. You’ll need to paste the key fast enough or you’ll lose.
After we paste the code the Locker Room loads.
That is a very weird string of text.
Tizmg_nv_zxxvhh_gl_gsv_nzk_kovzhv
If we google the string we see some results and someone mentioning an atbash cipher so I googled “atbash” and came across this site to decode these cipher.
The deciphered string is the key we need for the map. There are 4 different rooms. Lets explore.
If we go to a safe house and inspect the page we see a hint.
This took me about a week before I gave in and myself looked at a walk through. The correct answer will 100% show up if you use dirbuster and the medium list.
This directory will lead you to the keeper room. Press the button and this page will be next.
Inspect this page and you’ll see the hint to solving this.
The hint states that we need to do a reverse image search on google. You’ll want to save the image and drag it into google. Once you get the answer type it into the answer box. You’ll be greeted with a new webpage with the key.
Enter the key into the abandoned room to see this page
As we go further we see another timer. Inspecting the page reveals a hint about how a shell can help you get out of here.
This again took me some time and research but alas here is the answer. We need to use commands to ls on the directory above us. We see two strings.
One of our current directory and another. If you paste that second directory in after abandondedRoom/ You’ll find yourself in the right area.
There are two files you_made_it.txt which congratulates us and helpme.zip.
When you unzip the file it gives you another txt with some back story and a jpg that doesn’t open.
Use binwalk to see whats inside and extract it at the same time.
Another picture and a wav file. Playing the wav its pretty obvious its morse code. I just googled morse code decrypter and used the first result.
We now have a passcode that we can use with steghide on the image we just extracted.
The resulting file give us an ftp username and password.
Ftp in and grab the two files you see using the commands below.
If we use nano to see what these files are you’ll see program needs to be made executable and dic is just a list of numbers.
We get some really random numbers from the script
Through some research this is T9 code and is like how you used to have to type on phone before touch screens. Here is the site I used to decrypt the key.
The decrypted numbers give you both the username and password to ssh in to the computer.
Once logged in we ls -a and see the user.txt and some other interesting files. So the_eye.txt mentions that it’s always watching.
Check /etc/crontab
Root runs this file and its writable so that means we can change stuff in it. Lets make the sub-process call a reverse shell and also use netcat.
To edit use nano /var/.the_eye_of_ruvik.py
As root all you need to do is ls and you’ll have your root.txt. As for the readMe.txt it seems that since that is a ruvik user you’d just have to delete it as shown below.
Thank you for reading this walk through of the Psycho Break CTF on Tryhackme. If you have any questions or suggestions let me know! Until next time! -JC