TryHackMe: Gotta Catch’em All! Walkthrough by Mayur Parmar(th3cyb3rc0p)

4 years ago 187
BOOK THIS SPACE FOR AD
ARTICLE AD

This room is based on the original Pokemon series. Can you obtain all the Pokemon in this room?

Cyber Defecers

Image for post

Image for post

Room Link: https://tryhackme.com/room/pokemon

Image for post

Image for post

Information Gathering:

Image for post

Image for post

I have done the port scanning & got 2 ports.

port 80(web),22(ssh)

Directory brute-forcing:

Image for post

Image for post

From dirb tool got nothing interesting directory.

Image for post

Image for post

when I open the IP address it gives me the default apache page. so I quickly look in the source code. and found some juicy information in the comment lines. got some hints when I look closely I notice that on the webpage no login options are available. we can log in through the SSH service, from the source code I got some credentials.

SSH Login:

Syntax: ssh user@ipaddress

Image for post

Image for post

we successfully logged in using ssh credentials.

#1 Find the Grass-Type Pokemon

After logging in I look for some interesting files. and found one interesting file in the Desktop directory. named P0kEm0n.zip

it’s a zip file so we have to unzip to show the content inside it.

so I used unzip utility present in the Linux OS.

Command: unzip <filename>

Image for post

Image for post

after extracting data I found one folder from it named P0kEm0n. inside this folder, I got one file that is grass-type.txt

when I read content and got some number inside it and I got to know that is this is HexaDecimal numbers.so we have to convert into text.

Image for post

Image for post

#2 Find the Water-Type Pokemon

Image for post

Image for post

from the above question, I quickly searched word water-type using locate command and got our file that contains a flag.

from this file, I got some encrypted data. and I know that this text is encrypted using caesar cipher

Image for post

Image for post

#3 Find the Fire-Type Pokemon

Image for post

Image for post

here I applied the same method of question 2 and got one text file.

it has == at the end of the string so I remembered its base64 value.

so I decoded using the Linux command line.

command: echo <encrypted text> | base 64 -d

where -d is represents decoding option,

#4 Who is Root’s Favorite Pokemon?

when I goto home directory there I got our flag. but when I was trying to open that it will say that permission denied.

so I thought I have to escalate privileges, but then I found something juicy information in the videos directory. got folder inside folders. and lastly got one C++ file. when I view contents in source code. I got some credentials.

Image for post

Image for post

so I thought this is the root account credentials.

so I change user using su command,

command: su <user>

Image for post

Image for post

after logging, I’m able to view the content of our flag file that is roots-pokemon.txt

References

Author: Mayur Parmar(th3cyb3rc0p)

Follow me on Twitter & LinkedIn( mostly I will share tips on these social media platforms)

https://twitter.com/th3cyb3rc0p?lang=en

https://in.linkedin.com/in/th3cyb3rc0p

https://www.instagram.com/th3cyb3rc0p/?hl=en

https://twitter.com/cyberdefecers?lang=en

https://ctftime.org/team/112504

Read Entire Article