Surviving the Nightmare: My Biohazard CTF Adventure
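Adwaith shares the detailed process of completing the Biohazard CTF challenge on the TryHackMe platform, from port scanning and vulnerability exploitation to decoding Base64, ROT13 and other encrypted messages to obtain the flags and finally complete the challenge. 2025-9-6 05:48:16 Author: infosecwriteups.com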

Adwaith S

🔬 Hey! I’m Adwaith, an aspiring offensive security enthusiast, and I’m thrilled to share my walkthrough of the Biohazard CTF on TryHackMe.

Inspired by Resident Evil, this room takes you through puzzles, locked doors, hidden directories, and traitorous teammates, all leading up to the final escape. From FTP and SSH access to cracking encrypted files and capturing the ultimate root flag, this lab was a thrilling survival-style challenge.

Click the link below and join me on this nightmare journey.

[ This image and all the theoretical content of the present article is TryHackMe’s property. ]

Can you survive Biohazard? 🧟‍♂️

[ GIF sourced from GIPHY. Rights belong to the creator. ]

Task 1. Introduction

1.1. Deploy the machine and start the nightmare

No answer needed

1.2. How many open ports?

Let’s scan the target machine to discover its open ports.

command:

nmap -p- 10.201.12.16

scan result:

Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-02 20:54 IST
Nmap scan report for 10.201.12.16
Host is up (0.40s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 78.45 seconds

So, the target has a total of 3 open ports.

Stop there! A basic port scan only gives us open ports, but that’s not enough. To gather more details, I used Nmap with service and script scanning options. This helped identify the exact versions of the services running on the target.

command:

nmap -sC -sV -p- 10.201.12.16

scan result:

Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-02 21:04 IST
Nmap scan report for 10.201.12.16
Host is up (0.25s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c9:03:aa:aa:ea:a9:f1:f4:09:79:c0:47:41:16:f1:9b (RSA)
| 256 2e:1d:83:11:65:03:b4:78:e9:6d:94:d1:3b:db:f4:d6 (ECDSA)
|_ 256 91:3d:e4:4f:ab:aa:e2:9e:44:af:d3:57:86:70:bc:39 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Beginning of the end
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.56 seconds

Next, manually search the running service versions on Google to check for any available exploits, focusing mainly on Exploit-DB, Rapid7, and relevant GitHub repositories.

What I found is just a DoS script for VSFTPD 3.0.3:

Running this could interrupt the connection to the FTP service.

In our case, we don’t need it. If you’re not familiar with DoS or DDoS attacks, you can research them yourself, or check out these references:

My next target is SSH.

I found another OpenSSH exploit that can enumerate SSH usernames. It affects versions between 2.3 and 7.7.

I tried some default usernames like root and admin, but the script had limitations when attempting to brute-force with wordlists.

Next, I searched for Apache server exploits.

Then I found one that combines LFI (Local File Inclusion) path traversal with Remote Code Execution (RCE), essentially a chained exploit.

If you’re not familiar with RCE or LFI, you can research them on Google.

You can find more information and resources about this exploit on this page:

This exploit might have allowed us to gain a shell directly, but in our case, it didn’t work!

command:

./poc.sh target /bin/sh 'whoami'

exploit result:

                                                                                                                                                     0xW41th
[*] Target: 10.201.12.210
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 10.201.12.210 Port 80</address>
</body></html>

The exploit was unsuccessful. Did we waste time?

[ GIF sourced from tenor. Rights belong to the creator. ]

Basically, yes. But in penetration testing, it’s important to try every possibility. After all this, let’s move on to the next step.

1.3. What is the team name in operation

I almost forgot to mention there’s an HTTP server running on port 80, so we need to visit it.

[ The nightmare begin ]

[ Home page]

If you look at the bottom of the page, there’s some text mentioning a known team name: STARS alpha team

On this page, you’ll see names like Chris, Jill, Barry, Wesker, and Joseph, along with a hyperlink to move to the next page.

[ ssh enum ]

I tried to enumerate SSH usernames using the previous exploit, but I couldn’t find anything. So my next step was to inspect the homepage and see what’s behind it.

[ source ]

I also tried visiting the /images/ path looking for some path traversal, but the server denied access.

Before moving to the next task!!!!!!!!!!

[ GIF sourced from GIPHY. Rights belong to the creator. ]

Pay close attention: this is where the story truly begins. Every detail matters, so be cautious and observant. I won’t explain the story for you. You’ll need to read and piece it together yourself. Make sure to note down every hint you find (words, names, and flags) as you navigate each page. Every clue could be crucial!

Are you ready to step into the mansion?

Task 2. The Mansion

[ GIF sourced from tumblr. Rights belong to the creator. ]

Let me remind you once again: note down every flag, hint, and clue, because we’ll need to reuse them again and again in different situations. Once you enter this room, you’ll understand why.

Our flags will follow this format: Item_name{32_character}.

2.1. What is the emblem flag

Currently we are on the home page:

[ The nightmare begin ]

[ Home page ]

Clicking on the Mansion link redirects us to the Main Hall page.

[ Main Hall ]

/mansionmain/

Since no hyperlink is present, let’s inspect the source of the /mansionmain/ page.

[ source ]

Here we can see a comment in the source:

<!-- It is in the /diningRoom/ -->

Our next destination is /diningRoom/

If you’re unsure, just replace the URL path like this:

http://<machine-ip-address>/<path>/

example:

http://10.201.12.16/diningRoom/

Next, we move from /mansionmain/ to /diningRoom/

[ Dining room ]

/diningRoom/

There’s a hyperlink called YES on this page, but don’t click it yet. First, let’s inspect the /diningRoom/ page to see what’s hidden behind it.

[ source ]

A comment is visible here:

<!-- SG93IGFib3V0IHRoZSAvdGVhUm9vbS8= -->

The comment is encoded in Base64; we’ll come back to it later. For now, let’s return to the /diningRoom/ page and click the hyperlink called YES:

/diningRoom/emblem.php

Flag captured: Emblem!

A message appeared saying we need to go back to /diningRoom/ and refresh the page.

Let’s go back to /diningRoom/ :

[ Dining room ]

/diningRoom/

Then, refresh the page.

[ Dining room ]

/diningRoom/

Once we took the Emblem flag! and returned, an input box showed up just as expected.

“There is an emblem slot on the wall, put the emblem?”

What if we enter the Emblem flag here? Maybe it will unlock something… let’s try it.

/diningRoom/

When I tried putting the Emblem flag in the box, it showed “Nothing happen”. Maybe it’s the wrong flag. The actual flag must be somewhere else, so let’s leave the page for now and come back later.

2.2. What is the lock pick flag

We got a Base64-encoded string from /diningRoom/:

<!-- SG93IGFib3V0IHRoZSAvdGVhUm9vbS8= -->

There are many Base64 decoders online, but to make things easier, I’m introducing CyberChef, also called the “Cyber Swiss Army Knife.”

It can encode, decode, and analyze strings with many cryptographic ciphers. Simply paste your Base64 (or other encoded) string, and it can automatically detect the encoding and decode it, even if it’s double or triple encoded. Everything happens in seconds, making analysis much faster. You can check it out and test it yourself; it’s a handy tool for future CTFs:

If you’re not familiar with CyberChef, you can learn the basics from this TryHackMe room. It’s a great way to get hands-on experience:

Actually, you can just paste some encoded strings into CyberChef and test them yourself. For now, here’s a quick review:

[ CyberChef ]
  1. Operations: All types of encryption, decryption, and ciphers are available here. You add the operations you need to the Recipe.
  2. Recipe: This section lets you configure and arrange the order of operations. Sometimes you may need multiple recipes; this becomes clearer as you try the TryHackMe CyberChef Basics room.
  3. Input: Paste your string here.
  4. Output: This shows the decrypted text, the recipe used, and other properties.

In this screenshot, I added the Magic operation to the recipe, pasted the Base64 string, and it automatically output the decoded result.

encoded string:

SG93IGFib3V0IHRoZSAvdGVhUm9vbS8=

decoded :

[ output ]

The output revealed another path: /teaRoom/.

Let’s visit it:

[ The nightmare begin ]

/teaRoom/

On this page, there’s a hyperlink called Lockpick, and another path, /artRoom/, is mentioned; make sure to note it down. I inspected /teaRoom/, but didn’t find anything, so let’s click the Lockpick link.

/teaRoom/master_of_unlock.html

Flag captured: lock_pick!

I know what you’re thinking: what if we put the lock_pick flag! into the /diningRoom/ input box?

[ Dining room ]

/diningRoom/

Nope not possible!!!

[ GIF sourced from tenor. Rights belong to the creator. ]

It’s Just Not, because I already tried it damn it…!!

2.3. What is the music sheet flag

From /teaRoom/, we discovered another path, so next we visit /artRoom/

[ Art room ]

/artRoom/

I inspected this page too, but found nothing behind it. Note that when I visit every page, I will inspect each one so we can find if anything is behind it. From here on out, I will never say this again: “I inspected this page.” So, here there is only a hyperlink called YES; click it.

[ Mansion Map ]

/artRoom/MansionMap.html

We got the MansionMap, showing some paths to explore. From here, we’ll visit each path one by one for clues or hidden flags and keep the map open.

We already visited:

/diningRoom/  ----> input emblem flag!
/teaRoom/
/artRoom/

Remember, /diningRoom/ isn’t done yet, we still need the Emblem flag for its input box. Keep this in mind.

Next, our destination is /barRoom/.

[ Bar room entrance ]

/barRoom/

On this page, a door appeared that can be opened with the lock_pick flag! we got earlier. Using it, we got inside /barRoom3757162e3db…/.

[ Bar room ]

/barRoom3757162e3db…/

Here, it’s asking for a flag in the input box, but we don’t have it yet. There’s also a hyperlink called READ, let’s visit it and see what’s inside.

/barRoom3757162e3db…/musicNote.html

Here, we found an encoded string!

NV2XG2LDL5ZWQZLFOR5TGNRSMQ3TEZDFMFTDMNLGGVRGIYZWGNSGCZLDMU3GCMLGGY3TMZL5

To decode, use CyberChef: apply the Magic recipe, paste the encoded string, and get the result:

[ CyberChef ]

Flag captured: music_sheet!

If you look on the left side, the recipe shows which encoding was used: it’s Base32. Just a note to keep in mind.

2.4. What is the gold emblem flag

Are we heading to the next path on the MansionMap? Not yet, we haven’t completed /barRoom/. Remember the input box there.

Let’s go back from musicNote.html to /barRoom3757162e3db…/

[ Bar room ]

/barRoom3757162e3db…/

The hint here is to play the piano using the music_sheet flag! we got earlier. Let’s put it in the input box and submit.

[ Secret bar room ]

/barRoom3757162e3db…/barRoomHidden.php

By submitting the music_sheet flag, we were redirected from the Bar Room to the Secret Bar Room.

The hint says the Golden Emblem is embedded on the wall. Let’s click the hyperlink called YES and see what happens.

/barRoom3757162e3db…/gold_emblem.php

Flag captured: gold_emblem!

A message appeared, just like before. It says we need to go back to the Secret Bar Room and refresh the page.

Heading back to the Secret Bar Room.

[ Secret bar room ]

/barRoom3757162e3db…/barRoomHidden.php

Let’s refresh the page.

[ Secret bar room ]

/barRoom3757162e3db…/barRoomHidden.php

After taking the gold_emblem flag! and going back, an input box appeared.

“There is an emblem slot on the wall, put the emblem?”

It asked for the Emblem flag, which we got earlier from /diningRoom/. Let’s put the flag in here!

/barRoom3757162e3db…/emblem_slot.php

Finished /barRoom/ and received the name “rebecca”. Could be a hint, so take note!

2.5. What is the shield key flag

In our done list:

/diningRoom/  ----> input emblem flag!
/teaRoom/
/artRoom/
/barRoom/

Next, we head to /diningRoom2F/

[ Dining room 2F ]

/diningRoom2F/

A Blue Gem is mentioned, but no link is present. Time to inspect /diningRoom2F/

[ source ]

Here, we can see a comment:

 <!-- Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy -->

From my experience, it looks like a ROT13 cipher is used here, though this is just a guess, as many ciphers can look similar. If you don’t know, ROT13 is a simple letter substitution cipher that replaces each letter with the 13th letter after it in the Latin alphabet.

Here’s a diagram to help understand how it works:

[ ROT13 mapping ]

Not sure what a cipher, ROT13, or “13th letter” means? No worries, I’ve got some references you can check to understand the concept. You don’t need to read them all, just get the idea.

In CyberChef, we’ll drag and drop the ROT13 operation instead of using Magic.

[ CyberChef ]

Next, paste the cipher into the Input section, and the Output will show:

[ CyberChef ]

From the decoded text, we got a hint: the Blue Gem can be obtained by pushing the status to the lower floor. Since we’re currently in /diningRoom2F/ (second floor), let’s move to the first floor by modifying the path to /diningRoom/sapphire.html and visiting it.

/diningRoom/sapphire.html

Flag captured: blue_jewel!

Wait, this isn’t what we needed, we got the blue_jewel flag, but we actually need the shield_key flag! Note this down somewhere, as we’ll need it later. For now, /diningRoom2F/ is completed, so let’s keep moving.

In our done list:

/diningRoom/  ----> input emblem flag!
/teaRoom/
/artRoom/
/barRoom/
/diningRoom2F/

Our next destination is /tigerStatusRoom/

[ Tiger status room ]

/tigerStatusRoom/

An input box asks for a gem on the Tiger’s Eye.

We got it from /diningRoom/sapphire.html, so submit the blue_jewel flag! and see what happens.

/tigerStatusRoom/gem.php

An encoded string here gives a hint: it’s double-encoded and 14 letters long. It says to collect 4 crests, decode them, and combine them to reveal another path. Note this, as we need 3 more crests. /tigerStatusRoom/ is done, let’s continue.

In our done list:

/diningRoom/  ----> input emblem flag!
/teaRoom/
/artRoom/
/barRoom/
/diningRoom2F/
/tigerStatusRoom/

Our next destination is /galleryRoom/

[ Gallery ]

/galleryRoom/

Here, there’s a hyperlink called EXAMINE. Let’s visit it and see what’s inside.

/galleryRoom/note.txt

We got the second crest! Note it down: this one is double-encoded, and the output length is 18 letters. With this, /galleryRoom/ is complete.

In our done list:

/diningRoom/  ----> input emblem flag!
/teaRoom/
/artRoom/
/barRoom/
/diningRoom2F/
/tigerStatusRoom/
/galleryRoom/

Our next destination is /studyRoom/

[ Study room entrance ]

/studyRoom/

An input box appeared asking for a Helmet symbol / the Helmet flag to enter the Study Room. There are no hyperlinks, and I inspected the page: no comments, hints, or clues. I tried all the flags we have, but none worked. Did we miss something? Nope. Let’s leave this page for now and come back later. Time to move to the next destination.

In our done list:

/diningRoom/  ----> input emblem flag!
/teaRoom/
/artRoom/
/barRoom/
/diningRoom2F/
/tigerStatusRoom/
/galleryRoom/
/studyRoom/ ----> input helmet flag!

Our next destination is /armorRoom/

[ Armor room entrance ]

/armorRoom/

This page needs the Shield symbol / the Shield flag. Same situation as /studyRoom/: no hyperlinks, no comments, and trying all our flags was a waste of time. Let’s leave this page for now and come back later. Time to move to the next destination.

In our done list:

/diningRoom/  ----> input emblem flag!
/teaRoom/
/artRoom/
/barRoom/
/diningRoom2F/
/tigerStatusRoom/
/galleryRoom/
/studyRoom/ ----> input helmet flag!
/armorRoom/ ----> input shield flag!

Our next destination is /attic/

[ Attic entrance ]

/attic/

This page needs the Shield symbol / the Shield flag. Just like /studyRoom/ and /armorRoom/, there are no hyperlinks or comments, and trying all our flags didn’t work. Leave this page for now; we’ll come back later. Let’s move to the next destination.

In our done list:

/diningRoom/  ----> input emblem flag!
/teaRoom/
/artRoom/
/barRoom/
/diningRoom2F/
/tigerStatusRoom/
/galleryRoom/
/studyRoom/ ----> input helmet flag!
/armorRoom/ ----> input shield flag!
/attic/ ----> input shield flag!

Our next destination is…..

[ GIF sourced from tenor. Rights belong to the creator. ]

………..THE END???

Are you ready?

Do you remember the /diningRoom/ path we left behind earlier? I told you we’d come back to it and now it’s time.

/diningRoom/  ----> input emblem flag!

[ Dining room ]

/diningRoom/

Earlier, we tried using the emblem flag here, but it didn’t work. This time, we’ve obtained the gold_emblem flag from the Secret Bar Room (/barRoom3757162e3db…/).

Let’s input the flag here and see what happens!

[ Dining room ]

/diningRoom/

Then click submit.

/diningRoom/emblem_slot.php

It looks like ROT13, doesn’t it? Let’s try decoding the string using CyberChef. Drag and drop the Magic operation into the recipe, paste the string into the input field, and the result is:

[ CyberChef ]

Nothing! As I mentioned earlier, many ciphers can look similar to ROT13. In this case, it only appears to be ROT13, but it’s not. So, how do we figure out which cipher it really is?

To solve this, let me introduce you to a handy website called Enigmator.

[ Enigmator ]

here is the link:

This website can perform cryptanalysis, but what does that mean? You can research it yourself. Essentially, it helps identify which cipher is being used. Keep in mind, though, Enigmator doesn’t support modern ciphers. There’s a reason I chose this website for identification, and you’ll understand why once you try analyzing different platforms. Now, let’s detect which cipher is in use:

[ Enigmator ]

Paste the string into Enigmator, and make sure you select ‘Identify’ under the Cipher option. Then click Identify, and the results will be displayed as follows:

[ Enigmator ]

Enigmator detects that it’s a Polyalphabetic Substitution cipher. Here are some references you can check out:

You don’t need to understand the entire theory; just get a sense of how it works. In our output, the cipher is initially shown as a Vigenère cipher.

Let’s check if this cipher is available on CyberChef.

[ CyberChef ]

It’s available in CyberChef! Let’s drag and drop it into the recipe and see what happens:

[ CyberChef ]

In CyberChef, the Recipe section shows an input called Key, and the output says No key entered. That means we need a key to decode this cipher.

You might be thinking: what if this isn’t actually a Vigenère cipher? If it turns out to be another cipher, we’d explore other options. For now, we’ll stick with Vigenère.

So now, do you remember the name we found in /barRoom/?

/barRoom3757162e3db…/emblem_slot.php

Now, simply use this name as the key, and you’ll get the following result:

[ CyberChef ]
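
An added example (not part of the original write-up or of the tools it uses): the Python below shows why the ROT13 attempt returned nothing and why the key matters. ROT13 is a Vigenère cipher with the one-letter key "n", and the index of coincidence separates single-shift text from keyed text. The ROT13 comment is the one from /diningRoom2F/; the Vigenère sample is constructed here with the key "rebecca", because the room's ciphertext appears on the page only as a screenshot.

```python
from collections import Counter


def vigenere(text, key, decrypt=True):
    """Vigenère shift; non-letters pass through and do not consume key letters."""
    shifts = [ord(k) - ord("a") for k in key.lower() if "a" <= k <= "z"]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    sign = -1 if decrypt else 1
    out, used = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = sign * shifts[used % len(shifts)]
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            used += 1
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    """ROT13 is the special case of a one-letter key 'n' (shift 13)."""
    return vigenere(text, "n")


def index_of_coincidence(text):
    """Probability that two letters drawn at random from the text are equal.

    English prose is typically around 0.066; uniformly random letters give
    about 0.038 (1/26). A single fixed shift only renames letters, so it
    keeps the value of the plaintext; a multi-letter key pulls it down.
    """
    counts = Counter(c for c in text.lower() if "a" <= c <= "z")
    n = sum(counts.values())
    if n < 2:
        return 0.0
    return sum(v * (v - 1) for v in counts.values()) / (n * (n - 1))


# From the page: the HTML comment found in /diningRoom2F/.
PAGE_COMMENT = (
    "Lbh trg gur oyhr trz ol chfuvat gur fgnghf gb gur ybjre sybbe. "
    "Gur trz vf ba gur qvavatEbbz svefg sybbe. Ivfvg fnccuver.ugzy"
)

# Constructed sample (NOT the text from the room), encrypted with the
# name the write-up uses as the key.
CONSTRUCTED_PLAINTEXT = (
    "This sentence is a constructed sample and not the text from the room. "
    "A substitution that uses one fixed shift keeps the letter frequencies "
    "of the language, while a keyword cipher spreads every common letter "
    "over several different ciphertext letters and flattens them."
)
CONSTRUCTED_CIPHERTEXT = vigenere(CONSTRUCTED_PLAINTEXT, "rebecca", decrypt=False)


def report():
    """Decode both samples and compare their letter statistics."""
    return {
        "page comment via ROT13": rot13(PAGE_COMMENT),
        "keyed text via ROT13": rot13(CONSTRUCTED_CIPHERTEXT),
        "keyed text via key": vigenere(CONSTRUCTED_CIPHERTEXT, "rebecca"),
        "IoC plaintext": index_of_coincidence(CONSTRUCTED_PLAINTEXT),
        "IoC after ROT13": index_of_coincidence(rot13(CONSTRUCTED_PLAINTEXT)),
        "IoC after Vigenere": index_of_coincidence(CONSTRUCTED_CIPHERTEXT),
    }


if __name__ == "__main__":
    for label, value in report().items():
        print(f"{label}: {value}")
```
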

So, our shield key was hidden in /diningRoom/, and there was an HTML page called the_great_shield_key. The full path would look like this:

/diningRoom/the_great_shield_key.html

Don’t forget to add the .html extension. Before we grab the shield_key, here are some shortcuts to decrypt the cipher more easily:

[ boxentriq ]

There’s a website called Boxentriq that can automatically solve ciphers. Here, you can see the cipher was decrypted without providing a key, but we can still extract the key from it. How cool is that? It’s a kind of automated cryptanalysis.

If you’re curious about cryptanalysis, there’s a lot more to explore; research it yourself to learn the details. Another useful website for this is dcode, which also provides tools to analyze and decode ciphers.

[ dcode ]

here is the link:

Now, let’s grab the key:

/diningRoom/the_great_shield_key.html

Flag captured: shield_key!

2.6. What is the blue gem flag

/diningRoom/sapphire.html

The funny thing is

[ GIF sourced from tenor. Rights belong to the creator. ]

we got the blue gem flag before shield_keyyy!

So, the next question? Did you forget that we already got the shield_key!

In our done list:

/diningRoom/  ----> done!
/teaRoom/
/artRoom/
/barRoom/
/diningRoom2F/
/tigerStatusRoom/
/galleryRoom/
/studyRoom/ ----> input helmet flag!
/armorRoom/ ----> input shield flag!
/attic/ ----> input shield flag!

Our next destination is /armorRoom/

[ Armor room entrance ]

/armorRoom/

Put the shield_key in, then:

[ Armor room ]

/armorRoom/547845982c1…/

We’ve entered the Armor Room, where there’s a hyperlink called READ. Click on it, and then:

/armorRoom/547845982c1…/note.txt

Here, we obtained the 3rd crest, which is triple-encoded. The final output is 19 characters long; make sure to note it down somewhere. Let’s move on.

In our done list:

/diningRoom/  ----> done!
/teaRoom/
/artRoom/
/barRoom/
/diningRoom2F/
/tigerStatusRoom/
/galleryRoom/
/studyRoom/ ----> input helmet flag!
/armorRoom/ ----> done
/attic/ ----> input shield flag!

Our next destination is /attic/

[ Attic entrance ]

/attic/

Put the shield_key in, then:

[ Attic ]

/attic909447f184a…/

We’re now in the attic, where there’s a hyperlink called READ. Click on it:

/attic909447f184a…/note.txt

Here, we find our final crest, which is double-encoded. The final output is 17 characters long; make sure to note it down somewhere. Let’s move on.

In our done list:

/diningRoom/  ----> done!
/teaRoom/
/artRoom/
/barRoom/
/diningRoom2F/
/tigerStatusRoom/
/galleryRoom/
/studyRoom/ ----> input helmet flag!
/armorRoom/ ----> done
/attic/ ----> done

Our next destination is /studyRoom/

[ Study room entrance ]

/studyRoom/

Here’s the helmet symbol, the helmet flag! We need it to unlock this door, but since we don’t have the key yet, let’s leave this page for now. We’ll come back to it later.

2.7. What is the FTP username

We’ve obtained the 4th crest:

[ crest ]

Let’s decode this using CyberChef. I won’t show the entire decoding process step by step, because it’s better if you try it yourself. Follow the hints, take your time, and pay attention to the length of each output.

During the process, you’ll encounter encodings like Base64, Base32, Base58, binary, and hex. You can use the Magic recipe in CyberChef to simplify your work. Once you decode all of them, combine the results into a single string; the final string will be Base64.

Then, decode that final string again in CyberChef, and you’ll obtain the FTP username and password:

[ CyberChef ]
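
An added example, not from the original write-up: a small Python routine that peels encoding layers one at a time, in the spirit of how the Magic recipe was used above for the Base64 comment, the Base32 music note and the multi-layer crests. The two page strings are the ones quoted earlier; the crest sample is constructed, since the real crests appear only in screenshots, and names such as peel are assumptions of this example.

```python
import base64
import binascii
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def decode_binary(s):
    bits = "".join(s.split())
    if len(bits) % 8 or re.fullmatch(r"[01]+", bits) is None:
        return None
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def decode_hex(s):
    compact = "".join(s.split())
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", compact) is None:
        return None
    return bytes.fromhex(compact)


def decode_base32(s):
    if len(s) % 8 or re.fullmatch(r"[A-Z2-7]+=*", s) is None:
        return None
    try:
        return base64.b32decode(s)
    except binascii.Error:
        return None


def decode_base64(s):
    if len(s) % 4 or re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) is None:
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def decode_base58(s):
    if not s or any(c not in B58_ALPHABET for c in s):
        return None
    n = 0
    for c in s:
        n = n * 58 + B58_ALPHABET.index(c)
    zeros = len(s) - len(s.lstrip("1"))  # each leading '1' is one zero byte
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")


# Most restrictive alphabet first, so a hex string is not read as Base64.
DECODERS = [("binary", decode_binary), ("hex", decode_hex),
            ("base32", decode_base32), ("base64", decode_base64),
            ("base58", decode_base58)]


def is_text(data):
    """Accept a layer only if it decodes to printable ASCII."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel(encoded, max_layers=8):
    """Return [(encoding, decoded_text), ...], one entry per layer removed."""
    layers, current = [], encoded.strip()
    for _ in range(max_layers):
        for name, decoder in DECODERS:
            data = decoder(current)
            if data is not None and is_text(data):
                current = data.decode("ascii").strip()
                layers.append((name, current))
                break
        else:
            break  # no decoder produced readable text: stop peeling
    return layers


# From the page: the /diningRoom/ comment and the musicNote.html string.
PAGE_BASE64 = "SG93IGFib3V0IHRoZSAvdGVhUm9vbS8="
PAGE_BASE32 = "NV2XG2LDL5ZWQZLFOR5TGNRSMQ3TEZDFMFTDMNLGGVRGIYZWGNSGCZLDMU3GCMLGGY3TMZL5"
# Constructed stand-in for a multi-layer crest: text -> Base32 -> hex.
CONSTRUCTED_CREST = base64.b32encode(b"constructed-crest-part").hex()

if __name__ == "__main__":
    for sample in (PAGE_BASE64, PAGE_BASE32, CONSTRUCTED_CREST):
        print(peel(sample))
```

Short alphanumeric strings can pass more than one alphabet check, so read every returned layer rather than only the last one.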

2.8. What is the FTP password

The FTP password was already obtained earlier by decoding the crest.

We’ve explored the mansion, uncovered secrets, and gathered the first set of clues. But this is only the beginning; new mysteries are waiting beyond these walls.

[ GIF sourced from susanneleist. Rights belong to the creator. ]

Are you ready to step into the guard house?

Part 2 is coming soon…

Thanks for coming! Stay curious, stay ethical!

Follow me for more about cybersecurity: Medium, GitHub, LinkedIn

This challenge was created by DESKEL. Thank you for investing your time and effort to develop it so that I can sharpen my skills!


Source: https://infosecwriteups.com/surviving-the-nightmare-my-biohazard-ctf-adventure-e9e5d4ff13e2?source=rss----7b722bfd1b8d---4