THM - Gotta Catch 'em All
Introduction
This room is based on the original Pokemon series. Can you obtain all the Pokemon in this room?
Sure, why not. It’s rated easy. Let’s begin.
Ports
nmap says we’ve got only two open ports: 22 (SSH) and 80 (HTTP).
Webserver
The front page is basically just the default Apache page, with a few little additions. Running gobuster doesn’t turn anything up, so let’s look closely:
Does that look like maybe SSH credentials? Yes, it does.
On the box
There are 3 flags we can get as user Pokemon, and one we need to get as user Ash. The three flags are encoded differently: one as hex, one as base64 and one as ROT14. Nothing too complex. Finding them is slightly trickier, but is somewhat simplified by the fact that .bash_history is readable and points the way. It also shows us where to find the password for Ash, and then we just su. So not too much of a challenge once you’re on.
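To make the three encodings concrete, here is an added example (not part of the original write-up) that tries hex, base64 and every letter rotation on a string and keeps only the decodings that contain a known marker. The marker "FLAG{" and the sample strings are constructed for illustration; the room's real flags are not reproduced.

```python
import base64
import binascii
import string

def rot_n(text, n):
    """Rotate ASCII letters by n places; digits and punctuation pass through."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - 97 + n) % 26 + 97))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - 65 + n) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)

def try_hex(blob):
    try:
        return bytes.fromhex(blob).decode("ascii")
    except ValueError:  # also covers UnicodeDecodeError
        return None

def try_b64(blob):
    try:
        return base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None

def candidates(blob, marker):
    """Return {scheme: plaintext} for each decoding whose output contains marker."""
    found = {}
    for name, decoder in (("hex", try_hex), ("base64", try_b64)):
        plain = decoder(blob)
        if plain is not None and marker in plain:
            found[name] = plain
    for k in range(1, 26):  # k is the rotation used to encode; undo it with -k
        plain = rot_n(blob, -k)
        if marker in plain:
            found[f"rot{k}"] = plain
    return found

# Constructed sample data: not the room's flags. MARKER is an assumed flag prefix.
MARKER = "FLAG{"
PLAIN = "FLAG{constructed_sample}"
SAMPLES = [PLAIN.encode().hex(), base64.b64encode(PLAIN.encode()).decode(), rot_n(PLAIN, 14)]

if __name__ == "__main__":
    for blob in SAMPLES:
        print(blob, "->", candidates(blob, MARKER))
```

Filtering on a marker matters because a hex string is also valid base64 input, so "it decoded without error" does not by itself identify the scheme.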