This room is based on the original Pokemon series. Can you obtain all the Pokemon in this room?
Room Link: https://tryhackme.com/room/pokemon
Information Gathering:
I ran a port scan and found 2 open ports:
port 80 (web) and port 22 (SSH).
Directory brute-forcing:
The dirb tool found no interesting directories.
When I opened the IP address, it showed the default Apache page, so I quickly looked at the source code and found some juicy information in the comment lines. I got some hints: when I looked closely, I noticed that no login options are available on the webpage. We can log in through the SSH service; from the source code I got some credentials.
SSH Login:
Syntax: ssh user@ipaddress
We successfully logged in using the SSH credentials.
#1 Find the Grass-Type Pokemon
After logging in, I looked for interesting files and found one in the Desktop directory, named P0kEm0n.zip.
It's a zip file, so we have to unzip it to see the content inside.
I used the unzip utility present in the Linux OS.
Command: unzip <filename>
After extracting the data, I found one folder named P0kEm0n. Inside this folder, I got one file, grass-type.txt.
When I read the content, I found some numbers inside it and realized that they are hexadecimal numbers, so we have to convert them into text.
#2 Find the Water-Type Pokemon
Following on from the question above, I quickly searched for the word water-type using the locate command and found the file that contains the flag.
From this file, I got some encrypted data, and I know that this text is encrypted using the Caesar cipher.
#3 Find the Fire-Type Pokemon
Here I applied the same method as in question 2 and got one text file.
It has == at the end of the string, so I recognized it as a base64 value.
I decoded it using the Linux command line.
Command: echo <encrypted text> | base64 -d
where -d is the decoding option.
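The three decoding steps from questions 1 to 3 (hexadecimal, Caesar cipher, base64) can be scripted together. This is an added example, not part of the original write-up; the sample strings are constructed rather than the room's real file contents, and the crib word "flag" used to pick the Caesar shift is an assumption.

```python
import base64
import binascii
import string


def decode_hex(data: str) -> str:
    """Decode hex digits (optionally space/newline separated) to text."""
    compact = "".join(data.split())
    return binascii.unhexlify(compact).decode("utf-8")


def caesar_shift(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift`; digits and punctuation pass through."""
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    k = shift % 26
    table = str.maketrans(lower + upper,
                          lower[k:] + lower[:k] + upper[k:] + upper[:k])
    return text.translate(table)


def caesar_bruteforce(ciphertext: str, crib: str):
    """Try all 25 shifts; return (shift, plaintext) pairs containing the crib."""
    hits = []
    for shift in range(1, 26):
        candidate = caesar_shift(ciphertext, shift)
        if crib.lower() in candidate.lower():
            hits.append((shift, candidate))
    return hits


def decode_base64(data: str) -> str:
    """Strict base64 decode; raises binascii.Error on malformed input."""
    return base64.b64decode(data.strip(), validate=True).decode("utf-8")


# Constructed sample inputs (not the room's real file contents).
SAMPLE_HEX = "47 72 61 73 73 5f 53 61 6d 70 6c 65"
SAMPLE_CAESAR = caesar_shift("Water_Sample_Flag", 11)  # shift 11 chosen arbitrarily
SAMPLE_B64 = base64.b64encode(b"Fire_Sample01").decode()

if __name__ == "__main__":
    print(decode_hex(SAMPLE_HEX))
    print(caesar_bruteforce(SAMPLE_CAESAR, "flag"))
    print(decode_base64(SAMPLE_B64))
```

Because the write-up does not state the Caesar shift, the brute force tries every rotation and keeps only candidates containing a word you expect in the plaintext.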
#4 Who is Root’s Favorite Pokemon?
When I went to the home directory, I found our flag there, but when I tried to open it, it said permission denied.
So I thought I had to escalate privileges, but then I found some juicy information in the videos directory: folders nested inside folders, and finally one C++ file. When I viewed the contents of the source code, I got some credentials.
I thought these were the root account credentials,
so I changed user using the su command.
command: su <user>
After logging in, I was able to view the content of our flag file, roots-pokemon.txt.
Author: Mayur Parmar (th3cyb3rc0p)