TryHackMe-Gotta Catch’Em All!


nmap -sC -sV                                                                              
Starting Nmap 7.80 ( ) at 2020-10-24 20:55 PKT
Nmap scan report for
Host is up (0.27s latency).
Not shown: 998 closed ports
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 58:14:75:69:1e:a9:59:5f:b2:3a:69:1c:6c:78:5c:27 (RSA)
| 256 23:f5:fb:e7:57:c2:a5:3e:c2:26:29:0e:74:db:37:c2 (ECDSA)
|_ 256 f1:9b:b5:8a:b9:29:aa:b6:aa:a2:52:4a:6e:65:95:c5 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Can You Find Them All?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 33.19 seconds


Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
2020/10/24 21:13:03 Starting gobuster
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/index.html (Status: 200)
/server-status (Status: 403)
2020/10/24 21:14:36 Finished

Running the gobuster , didn’t find any directory


Coming on to the web page we see a default apache server running

Going through the source of the web page we will find something interesting

<pokemon>:<hack_the_pokemon> looks like username and password for ssh since port 22 is open.


root@kali:~/TryHackMe/Easy/GottaCatchemAll# ssh pokemon@
pokemon@'s password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-112-generic x86_64)
* Documentation:
* Management:
* Support:
84 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

And we got in but we this user is not in sudoers so it cannot run commands as root or doesn't have permissions to run privleged commands

pokemon@root:~$ whoami
pokemon@root:~$ sudo -l
[sudo] password for pokemon:
Sorry, try again.
[sudo] password for pokemon:
sudo: 1 incorrect password attempt
pokemon@root:~$ sudo -l
[sudo] password for pokemon:
Sorry, user pokemon may not run sudo on root.

We can find roots-pokemon.txt but cannot read it as only the user ash and root are owners of it.

Going to pokemon's directory we can see there is

Grass-Type Pokemon

pokemon@root:~/Desktop$ unzip 
creating: P0kEmOn/
inflating: P0kEmOn/grass-type.txt
pokemon@root:~/Desktop$ ls -la
total 16
drwxr-xr-x 3 pokemon pokemon 4096 Oct 24 12:52 .
drwxr-xr-x 19 pokemon pokemon 4096 Oct 24 11:54 ..
drwxrwxr-x 2 pokemon pokemon 4096 Jun 22 22:37 P0kEmOn
-rw-rw-r-- 1 pokemon pokemon 383 Jun 22 22:40

On decompressing it you will get a folder, read the file grass-type.txt and find this hex encoded text

50 6f 4b 65 4d 6f 4e 7b 42 75 6c 62 61 73 61 75 72 7d

On decoding it you will get the flag : PoKeMoN{Bulbasaur}


By running the find command to look for all .txt files we can find 3 files that we need

pokemon@root:/$ find / -type f -name "*.txt" 2>/dev/null                                                                                            

But we already found roots-pokemon.txt we just don't have permissions to view it

Water-Type Pokemon

pokemon@root:/$ cat /var/www/html/water-type.txt

This gives us a rot13(shift cipher) encoded text , by changing the key of rot13 we can get the flag

flag Squirtle_SqUaD{Squirtle}

Fire-Type Pokemon

pokemon@root:/$ cat /etc/why_am_i_here?/fire-type.txt 

By looking at two equal signs(=) we can say that this is a base64 encoded text on decoding it

flag P0k3m0n{Charmander}

Root’s Favorite Pokemon

Now only thing which is left is to root the box and read that /home/roots-pokemon.txt

I found another interesting thing in ~/Vidoes

pokemon@root:~$ cd Videos/
pokemon@root:~/Videos$ ls -la
total 12
drwxr-xr-x 3 pokemon pokemon 4096 Jun 22 23:10 .
drwxr-xr-x 19 pokemon pokemon 4096 Oct 24 11:54 ..
drwxrwxr-x 3 pokemon pokemon 4096 Jun 22 23:10 Gotta
pokemon@root:~/Videos$ cd Gotta/
pokemon@root:~/Videos/Gotta$ ls
pokemon@root:~/Videos/Gotta$ cd Catch/
pokemon@root:~/Videos/Gotta/Catch$ ls
pokemon@root:~/Videos/Gotta/Catch$ cd Them/
pokemon@root:~/Videos/Gotta/Catch/Them$ ls
pokemon@root:~/Videos/Gotta/Catch/Them$ cd ALL\!/
pokemon@root:~/Videos/Gotta/Catch/Them/ALL!$ ls

Now on reading that c++ source code

int main() {
std::cout << "ash : pikapika"
return 0;

This will give us password for user ash

Now we can bascially run everything

ash@root:/home$ sudo bash



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store