TryHackMe-Gotta Catch’Em All!

NMAP

nmap -sC -sV 10.10.122.194                                                                              
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-24 20:55 PKT
Nmap scan report for 10.10.122.194
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 58:14:75:69:1e:a9:59:5f:b2:3a:69:1c:6c:78:5c:27 (RSA)
| 256 23:f5:fb:e7:57:c2:a5:3e:c2:26:29:0e:74:db:37:c2 (ECDSA)
|_ 256 f1:9b:b5:8a:b9:29:aa:b6:aa:a2:52:4a:6e:65:95:c5 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Can You Find Them All?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.19 seconds

Gobuster

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.122.194
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/24 21:13:03 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2020/10/24 21:14:36 Finished
===============================================================

PORT 80

PORT 22

root@kali:~/TryHackMe/Easy/GottaCatchemAll# ssh pokemon@10.10.122.194
pokemon@10.10.122.194's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-112-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
84 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
pokemon@root:~$
pokemon@root:~$ whoami
pokemon
pokemon@root:~$ sudo -l
[sudo] password for pokemon:
Sorry, try again.
[sudo] password for pokemon:
sudo: 1 incorrect password attempt
pokemon@root:~$ sudo -l
[sudo] password for pokemon:
Sorry, user pokemon may not run sudo on root.
pokemon@root:~$

Grass-Type Pokemon

pokemon@root:~/Desktop$ unzip P0kEmOn.zip 
Archive: P0kEmOn.zip
creating: P0kEmOn/
inflating: P0kEmOn/grass-type.txt
pokemon@root:~/Desktop$ ls -la
total 16
drwxr-xr-x 3 pokemon pokemon 4096 Oct 24 12:52 .
drwxr-xr-x 19 pokemon pokemon 4096 Oct 24 11:54 ..
drwxrwxr-x 2 pokemon pokemon 4096 Jun 22 22:37 P0kEmOn
-rw-rw-r-- 1 pokemon pokemon 383 Jun 22 22:40 P0kEmOn.zip
pokemon@root:~/Desktop$
50 6f 4b 65 4d 6f 4e 7b 42 75 6c 62 61 73 61 75 72 7d

Find

pokemon@root:/$ find / -type f -name "*.txt" 2>/dev/null                                                                                            
/var/cache/dictionaries-common/ispell-dicts-list.txt
/var/lib/nssdb/pkcs11.txt
/var/www/html/water-type.txt
/etc/X11/rgb.txt
/etc/why_am_i_here?/fire-type.txt
/etc/brltty/Input/bd/all.txt
/etc/brltty/Input/vs/all.txt
/etc/brltty/Input/eu/all.txt
/etc/brltty/Input/tt/all.txt
/etc/brltty/Input/lb/all.txt
/etc/brltty/Input/vr/all.txt
/etc/brltty/Input/tn/all.txt
/etc/brltty/Input/mb/all.txt
/etc/brltty/Input/mn/all.txt
/etc/brltty/Input/vd/all.txt
/etc/brltty/Input/bl/18.txt
/etc/brltty/Input/bl/40_m20_m40.txt
/etc/brltty/Input/ba/all.txt
/etc/brltty/Input/ec/spanish.txt
/etc/brltty/Input/ec/all.txt
.....
/var/www/html/water-type.txt
/etc/why_am_i_here?/fire-type.txt
/home/roots-pokemon.txt

Water-Type Pokemon

pokemon@root:/$ cat /var/www/html/water-type.txt
Ecgudfxq_EcGmP{Ecgudfxq}

Fire-Type Pokemon

pokemon@root:/$ cat /etc/why_am_i_here?/fire-type.txt 
UDBrM20wbntDaGFybWFuZGVyfQ==

Root’s Favorite Pokemon

pokemon@root:~$ cd Videos/
pokemon@root:~/Videos$ ls -la
total 12
drwxr-xr-x 3 pokemon pokemon 4096 Jun 22 23:10 .
drwxr-xr-x 19 pokemon pokemon 4096 Oct 24 11:54 ..
drwxrwxr-x 3 pokemon pokemon 4096 Jun 22 23:10 Gotta
pokemon@root:~/Videos$ cd Gotta/
pokemon@root:~/Videos/Gotta$ ls
Catch
pokemon@root:~/Videos/Gotta$ cd Catch/
pokemon@root:~/Videos/Gotta/Catch$ ls
Them
pokemon@root:~/Videos/Gotta/Catch$ cd Them/
pokemon@root:~/Videos/Gotta/Catch/Them$ ls
ALL!
pokemon@root:~/Videos/Gotta/Catch/Them$ cd ALL\!/
pokemon@root:~/Videos/Gotta/Catch/Them/ALL!$ ls
Could_this_be_what_Im_looking_for?.cplusplus
pokemon@root:~/Videos/Gotta/Catch/Them/ALL!$
int main() {
std::cout << "ash : pikapika"
return 0;
ash@root:/home$ sudo bash
root@root:/home#

BS CS undergraduate | CTF Player