Gotta Catch’em All! TryHackMe Walkthrough/Writeup

Shivam Taneja
Sep 12, 2022

This writeup gives a brief overview of how to get all flags for the Gotta Catch’em All! TryHackMe Pokémon box on tryhackme.com.

#1 TryHackMe Pokémon — Find the Grass-Type Pokémon

First off, we start with scanning the machine for open ports. We perform a quick scan for the default ports including default scripts and version detection. These flags are -sC and -sV.

nmap -sV -sC <machine_ip>

The results can be found below:

user@host:~$ nmap -sV -sC <box_ip>
Nmap scan report for <box_ip>
Host is up (0.034s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 58:14:75:69:1e:a9:59:5f:b2:3a:69:1c:6c:78:5c:27 (RSA)
|   256 23:f5:fb:e7:57:c2:a5:3e:c2:26:29:0e:74:db:37:c2 (ECDSA)
|_  256 f1:9b:b5:8a:b9:29:aa:b6:aa:a2:52:4a:6e:65:95:c5 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Can You Find Them All?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

As we can see only port 22 and port 80 are open. An Apache webserver is running on port 80 and SSH is enabled. We now proceed with checking the webserver. Access the IP address in your browser by adding http:// right before the address itself, so: http://box_ip. You should now see the default Apache page.

As we can see the default images for Apache are missing. This might indicate that the HTML code has been changed. Let’s find out. Right click on the page and then view page-source. As we scroll to the bottom of the page, we see some strange HTML tags.

The pokemon and hack_the_pokemon tags are not default HTML tags. The colon might indicate that these tags are credentials. Let’s try this out.

ssh pokemon@<box_ip>

Providing the password indeed proves that these were the credentials for SSH.

Yay! We have obtained user-access to the server. Now let’s find the flags. After some directory traversal we see that the first flag can be found in the Desktop directory. The Desktop directory contains a zip file which includes the first flag. The file within the zip file is named grass-type.txt.

cd ~/Desktop/

unzip P0kEmOn.zip

cd P0kEmOn

cat grass-type.txt

The contents of this file are in hexadecimal notation. Decoding them with CyberChef gives us the correct answer.

#2 TryHackMe Pokémon — Find the Water-Type Pokémon

Now we have to find the water-type Pokémon. The first step is to locate the file. We will use the find command to find the next flag.

find / -type f -name water-type.txt 2>/dev/null

And we are in luck! The find command found the water-type file. Let’s get the contents of this file.

cat /var/www/html/water-type.txt

The contents of this file seem shifted. Most probably a rotation cipher has been used. Using CyberChef again with the found string gives us the second flag!

#3 TryHackMe Pokémon — Find the Fire-Type Pokémon

In order to find the fire type we try the find command once more.

find / -type f -name fire-type.txt 2>/dev/null

Yet again, the file is found! The file is located at: /etc/why_am_i_here?/fire-type.txt. This time the string is base64 encoded. Using CyberChef or your favorite base64 decoder reveals the correct flag.
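
An offline equivalent of the three CyberChef steps used for the grass, water and fire flags (hex, rotation, Base64), as an added example that is not part of the original writeup. The sample strings are constructed, and the crib word "flag" used to pick the right rotation is an assumption about what the plaintext contains.

```python
import base64
import string


def try_decode(func, text):
    """Run a bytes-producing decoder; None if input or UTF-8 result is invalid."""
    try:
        return func(text).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None


def rotate(text, shift):
    """Caesar-shift letters by `shift`; digits and punctuation are untouched."""
    lo, up = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(lo + up, lo[shift:] + lo[:shift] + up[shift:] + up[:shift])
    return text.translate(table)


def decode_auto(text, crib="flag"):
    """Return (encoding, plaintext) from the first decoder that succeeds."""
    text = text.strip()
    # Hex goes first: a contiguous hex string is also valid Base64 input.
    decoders = (("hex", bytes.fromhex),
                ("base64", lambda t: base64.b64decode(t, validate=True)))
    for name, func in decoders:
        plain = try_decode(func, text)
        if plain is not None:
            return name, plain
    # Rotation: try all 25 shifts and keep the first that contains the crib.
    for shift in range(1, 26):
        plain = rotate(text, shift)
        if crib.lower() in plain.lower():
            return f"rot{shift}", plain
    return "unknown", text


# Constructed samples (not the room's flags), one per encoding used on the box.
SAMPLES = [
    "64 65 6d 6f 5f 66 6c 61 67 7b 67 72 61 73 73 7d",
    "rsac_tzou{kohsf}",
    "ZGVtb19mbGFne2ZpcmV9",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", decode_auto(sample))
```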

#4 TryHackMe Pokémon — Who is Root’s Favorite Pokémon?

In order to find Root’s favorite Pokémon we have to become root ourselves. The first command we execute is:

sudo -l

Providing the SSH password leaves us with a message saying we are not able to run sudo as root. Now we have to try something else. Let’s check all the files in the user folder. We run the following command.

pokemon@root:~$ ls -lAh *
-rw-r--r-- 1 pokemon pokemon 8.8K Jun 22 19:36 examples.desktop

Desktop:
total 8.0K
drwxrwxr-x 2 pokemon pokemon 4.0K Jun 22 22:37 P0kEmOn
-rw-rw-r-- 1 pokemon pokemon 383 Jun 22 22:40 P0kEmOn.zip

Documents:
total 0

Downloads:
total 0

Music:
total 0

Pictures:
total 0

Public:
total 0

Templates:
total 0

Videos:
total 4.0K
drwxrwxr-x 3 pokemon pokemon 4.0K Jun 22 23:10 Gotta

The Videos directory contains some other interesting directories. By changing directory all the way to: ~/Videos/Gotta/Catch/Them/ALL we can find a file with the cplusplus extension (this is probably misconfigured). Now run:

cat Could_this_be_what_Im_looking_for\?.cplusplus

This reveals credentials for the ash user of the system. Let’s try these credentials:

su ash

And we are now the ash user. Executing:

id

shows us that we have now obtained a root user. The flag is stored in the /home directory and you have to become root in order to open the file.

sudo su

cat /home/roots-pokemon.txt

Congratulations on completing the TryHackMe Pokémon box. This was a fun box and helped gain more knowledge of the find command.

Summary

· Scan using nmap to discover SSH and Web services

· From the source code we can get ssh creds for initial foothold

· In Desktop, we get a zip which contains the first flag

· We find the second flag in /var/www/html

· We find the third flag in /etc/why_am_i_here?/

· In /Videos/Gotta/Catch/Them/ALL\!/ directory we can find another set of creds.

· And we find the Root’s pokemon after changing user to the second user and opening the /home/roots-pokemon.txt
