TryHackMe: Gotta Catch Them All!

Gotta Catch’em All was a very easy room but was fun to do. It felt weird not needing Gobuster or ffuf, but overall it was nice. It’s also a fairly old room, so it’s normal that it’s not as complicated as other recent rooms.

Room: https://tryhackme.com/room/pokemon

Initial Enumeration

Nmap Scan

We start with our nmap scan:

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -T4 -n -sC -sV -Pn -p- 10.10.47.49  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-03 18:56 GMT
Nmap scan report for 10.10.47.49
Host is up (0.079s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 58:14:75:69:1e:a9:59:5f:b2:3a:69:1c:6c:78:5c:27 (RSA)
|   256 23:f5:fb:e7:57:c2:a5:3e:c2:26:29:0e:74:db:37:c2 (ECDSA)
|_  256 f1:9b:b5:8a:b9:29:aa:b6:aa:a2:52:4a:6e:65:95:c5 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Can You Find Them All?
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.00 seconds

Web 80

There aren’t really many options so we proceed to port 80:

Web 80

A default Apache page. Sadly, a gobuster scan didn’t come up with anything, so the next step was checking the source code:

Web 80 Source

At the bottom of the source code we find what seems to be credentials and a message telling us to check the console for a surprise:

Web 80 Console

A list of Pokemons, not really helpful right now but we will keep an eye on it.

Shell as pokemon

With the credentials from before, we log into the only other available port, SSH:

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh pokemon@10.10.47.49         
pokemon@10.10.47.49's password: 
pokemon@root:~$ whoami
pokemon

Now inside, looking at pokemon’s Desktop we find a zip file, and unzipping it gives us the grass-type flag file:

pokemon@root:~/Desktop$ ls
P0kEmOn.zip
pokemon@root:~/Desktop$ ls -la
total 12
drwxr-xr-x  2 pokemon pokemon 4096 Jun 24  2020 .
drwxr-xr-x 19 pokemon pokemon 4096 Feb  3 13:55 ..
-rw-rw-r--  1 pokemon pokemon  383 Jun 22  2020 P0kEmOn.zip
pokemon@root:~/Desktop$ unzip P0kEmOn.zip
Archive:  P0kEmOn.zip
   creating: P0kEmOn/
  inflating: P0kEmOn/grass-type.txt  
pokemon@root:~/Desktop$ cd P0kEmOn/
pokemon@root:~/Desktop/P0kEmOn$ ls
grass-type.txt
pokemon@root:~/Desktop/P0kEmOn$ cat grass-type.txt 
50 6f 4b 65 4d 6f 4e 7b 42 75 6c 62 61 73 61 75 72 7d

The only problem is that the flag is hex-encoded, but that’s nothing CyberChef can’t handle:

CyberChef Grass

Shell as ash

After digging around more on pokemon’s machine, inside the Videos folder we find a folder called Gotta, with further folders nested inside it whose names spell out the ‘Gotta Catch Them All!’ phrase:

pokemon@root:~$ ls -la Videos
total 12
drwxr-xr-x  3 pokemon pokemon 4096 Jun 22  2020 .
drwxr-xr-x 19 pokemon pokemon 4096 Feb  3 13:55 ..
drwxrwxr-x  3 pokemon pokemon 4096 Jun 22  2020 Gotta
...
pokemon@root:~/Videos/Gotta/Catch/Them/ALL!$ 

Inside it there’s a weird file that, when read, gives us the ash user’s password:

pokemon@root:~/Videos/Gotta/Catch/Them/ALL!$ ls
Could_this_be_what_Im_looking_for?.cplusplus
pokemon@root:~/Videos/Gotta/Catch/Them/ALL!$ cat Could_this_be_what_Im_looking_for\?.cplusplus 
# include <iostream>

int main() {
        std::cout << "ash : pikapika"
        return 0;
}

With these credentials we just have to run su ash and we are inside:

pokemon@root:~/Desktop/P0kEmOn$ su ash
Password: 
ash@root:/home/pokemon/Desktop/P0kEmOn$ 

Now inside, we don’t have to do much more, just find the other Pokemon type files, starting with the water type:

ash@root:/$ find / -type f -name 'water*' 2>/dev/null
/var/www/html/water-type.txt
ash@root:/$ cd /var/www/html/
ash@root:/var/www/html$ cat water-type.txt
Ecgudfxq_EcGmP{Ecgudfxq}

It gave us some weird words, but after some searching we can see that it’s encoded with ROT13, so now we just have to throw it into CyberChef and get the water-type flag:

CyberChef Water

For the fire-type flag the process was exactly the same, starting with finding it:

ash@root:/$ find / -type f -name 'fire*' 2>/dev/null
...
/etc/why_am_i_here?/fire-type.txt
...
ash@root:/var/www/html$ cd /etc/why_am_i_here\?/
ash@root:/etc/why_am_i_here?$ cat fire-type.txt
UDBrM20wbntDaGFybWFuZGVyfQ==

And then going to CyberChef:

CyberChef Fire
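The three decodings done in CyberChef above can also be scripted. The following is an added example, not part of the original write-up: it classifies each string from the terminal output by its alphabet, decodes hex and Base64 directly, and for anything else lists all 25 letter rotations so the readable one can be picked by eye instead of assuming one shift. The names `triage`, `rot` and `SAMPLES` are made up for this sketch.

```python
import base64
import binascii
import re
import string

# Encoded strings exactly as they appear in the terminal output above.
SAMPLES = {
    "grass": "50 6f 4b 65 4d 6f 4e 7b 42 75 6c 62 61 73 61 75 72 7d",
    "water": "Ecgudfxq_EcGmP{Ecgudfxq}",
    "fire": "UDBrM20wbntDaGFybWFuZGVyfQ==",
}

HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2}[ :]?)+")
B64_RE = re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")
PRINTABLE = set(string.printable.encode())


def rot(text, shift):
    """Rotate ASCII letters by `shift`, keeping case; other characters pass through."""
    shift %= 26
    lo, up = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(lo + up, lo[shift:] + lo[:shift] + up[shift:] + up[:shift])
    return text.translate(table)


def triage(blob):
    """Return (kind, candidates). Hex and Base64 yield one candidate; rotation yields 25."""
    blob = blob.strip()
    if HEX_RE.fullmatch(blob):
        raw = bytes.fromhex(re.sub(r"[ :]", "", blob))
        if set(raw) <= PRINTABLE:
            return "hex", [raw.decode("ascii")]
    if B64_RE.fullmatch(blob):
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:
            raw = b""
        if raw and set(raw) <= PRINTABLE:
            return "base64", [raw.decode("ascii")]
    # Nothing structural matched: treat it as a letter rotation and list every shift.
    return "rot", [rot(blob, s) for s in range(1, 26)]


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        kind, candidates = triage(blob)
        print(name, kind, *candidates, sep="\n  ")
```

The alphabet checks are heuristics: a short all-letter word whose length is a multiple of four also passes the Base64 pattern, so a decoded result is only accepted when it is printable ASCII.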

Lastly, for the root flag, we just have to go to the home directory to find a file called roots-pokemon.txt that we just need to read to get the flag:

ash@root:/home$ cat roots-pokemon.txt 
[REDACTED]
This post is licensed under CC BY 4.0 by the author.