TryHackMe – Pokemon

Greetings everyone!

In today’s post, we’ll be attacking another machine on the great platform TryHackMe. This machine is, you guessed it, Pokemon-themed! The description for this room mentions that there are actually four flags to find! Three of them are based off of Pokemon types (Grass, Water, Fire), and then there is a root flag to find. Well, it actually says ‘What is Root’s favorite Pokemon?’. I’m going to treat that as the root flag as I’m assuming that we’ll need root-level access to find that out! Let’s jump in to find out!

As always, we’ll begin with our trusted Nmap scan!

Only two ports open, but one of them is port 80. Let’s start enumerating that web server! The landing page is the default Apache2 page:

While poking around the site, I also ran a Gobuster scan to try and brute-force some hidden directories:

As you can see, nothing of any importance was returned. When checking out the source code of the website, there was an interesting snippet that I noticed:

Now I’ll be honest here: this didn’t click right away for me. After a little bit, I thought “Those couldn’t be credentials, could they?” Only one way to find out! Let’s try connecting via SSH with them!

Annnd it worked. Again, I’m a little frustrated that it took me so long for that to click, but at least now we’re in!

Let’s start poking around a bit to see if we can find all the flags! Moving to the Desktop of the current user (pokemon), there is a ZIP file!

Let’s unzip it for some goodies!

Oh sweet, looks like we found a grass-type.txt! We must be inching closer to our first (grass) flag! Let’s cat it out:

This looks like a hexadecimal output, so let’s convert it to ASCII. I used the following website for this:

https://www.asciitohex.com/

Once we enter the string, we are returned with the grass-type flag:

One down! Let’s start hunting for another flag! After a little bit more searching around, I ended up in the Videos folder, and then moved into a few more folders to find what seemed to be very interesting:

Let’s use the “view” command to see if we can see what’s in this file:

Ahh! Now this certainly looks like credentials! Let’s try to switch user with these credentials:

Alright now we’re the user Ash, with his fancy hat and everything!

Let’s move into his home folder and see what we can find!

Huh? Alright so we don’t have permission to view his own folder. Not a big deal, we’ll just have to escalate our privileges!

Let’s check for some low-hanging fruit with the sudo -l command:

Well this looks promising! Let’s do a quick sudo su here to the root user:

Easy-peasy!

Now that we have full root access, we can have a look around everywhere. After some poking and prodding, I was able to find the next two flags. The next text file I found was the water-type.txt file:

So this looks like another weird cipher that we’ll have to convert. Because I didn’t know where to start here, all I did was go down the list of ciphers on this website:

http://practicalcryptography.com/ciphers/

Turns out it’s a ROT cipher! Good enough, time to convert it! Again, this can be done online. Here is the output:

Sweet, there is our second flag!

The next flag (well, text file leading us to the flag) was located in this suspicious folder:

Off the top of my head, I thought that was Base64. So let’s decode it!

There’s our next flag!
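The hex, ROT and Base64 conversions used for the flag files above can also be done offline instead of pasting the strings into a website. The script below is an added example, not part of the original walkthrough: the function names and the crib word are assumptions, and the sample strings are constructed rather than the room's real flag contents.

```python
import base64
import binascii
import string

def from_hex(text):
    """Decode space- or colon-separated hex bytes; None if not valid hex."""
    cleaned = text.replace(" ", "").replace(":", "").strip()
    try:
        return bytes.fromhex(cleaned).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def from_base64(text):
    """Strict Base64 decode; None if the input is not valid Base64 text."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None

def rot(text, shift):
    """Rotate letters by `shift`, leaving digits and punctuation untouched."""
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(
        lower + upper,
        lower[shift:] + lower[:shift] + upper[shift:] + upper[:shift],
    )
    return text.translate(table)

def rot_candidates(text, crib):
    """Try all 25 shifts and keep those whose output contains the crib word."""
    hits = []
    for shift in range(1, 26):
        plain = rot(text, shift)
        if crib.lower() in plain.lower():
            hits.append((shift, plain))
    return hits

if __name__ == "__main__":
    # Constructed samples, not the room's real flag files.
    print(from_hex("50 6f 4b 65 4d 6f 4e 7b 54 65 73 74 7d"))
    print(from_base64(base64.b64encode(b"PoKeMoN{Test}").decode()))
    # ROT with an unknown shift: brute-force it using a word expected in the flag.
    print(rot_candidates(rot("Pokemon{Test}", 14), crib="pokemon"))
```

The crib-based ROT search replaces going down a list of ciphers by hand: if no shift produces the expected word, the text is not a simple rotation.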

Alright, so remember when I said the “root flag” was asking for root’s favorite Pokemon? Well, we’re here with full root access so we may as well finish this room off correctly!

In Ash’s home folder (now that we have access!) there is a file that we can cat out which is aptly called “roots-pokemon.txt”:

We did it! We got all three flags as well as that bonus root flag!

Thanks for reading!