THM - Gotta Catch 'em All

Introduction

This room is based on the original Pokemon series. Can you obtain all the Pokemon in this room?

Sure, why not. It’s easy rated. Let’s begin.

Ports

nmap says we’ve got two ports only: 22 (SSH) and 80 (HTTP).

Webserver

The front page is basically just the default Apache page, with a few little additions. Running a gobuster doesn’t turn anything up, so let’s look closely:

<pokemon>:<hack_the_pokemon>
<!--(Check console for extra surprise!)-->

Does that look like maybe SSH credentials? Yes, it does.

On the box

There are 3 flags we can get as user Pokemon, and one we need to get as user Ash. The three flags are encoded differently - one as hex, one as base64 and one as Rot14. Nothing too complex. Finding them is slightly trickier, but is somewhat simplified by the fact that .bash_history is readable, and points the way. This also shows us where to find the password for Ash, and then we just su. So not too much challenge once you’re on.

pokemon@root:~/Videos/Gotta/Catch/Them/ALL!$ cat Could_this_be_what_Im_looking_for\?.cplusplus 
# include <iostream>

int main() {
	std::cout << "ash : pikapika"
	return 0;
}pokemon@root:~/Videos/Gotta/Catch/Them/ALL!$ su ash
Password: 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ash@root:/home$ ls -lash
total 20K
4.0K drwxr-xr-x  4 root    root    4.0K Jun 22 23:21 .
4.0K drwxr-xr-x 24 root    root    4.0K Jun 24 13:48 ..
4.0K drwx------  6 root    root    4.0K Jun 24 14:14 ash
4.0K drwxr-xr-x 18 pokemon pokemon 4.0K Aug 11 05:21 pokemon
4.0K -rwx------  1 ash     root       8 Jun 22 23:21 roots-pokemon.txt
ash@root:/home$ cat roots-pokemon.txt