TryHackMe — Gotta Catch ’Em All!

Matt Bourne
6 min read · Aug 18, 2021

Something about this room just spoke to me, and inspired me to start writing a walkthrough. I don’t know if it is because it is one of the first I have been able to complete on my own, or if it is simply because I am still a nerd at heart. Admittedly, the theme is what had me try the room in the first place. Even at nearly 30 years old, I still fire up an emulator and play the old Fire Red and Leaf Green games on my iPhone from time to time.

Note: I did my best to obfuscate spoilers throughout the tutorial. Apologies if I missed any. But with a little critical thinking, the usernames can be guessed anyway…

After you start the machine, you will want to get your nmap scan going. How I normally do this for these CTF-style boxes is to just start with a basic scan.

nmap 10.10.XX.XX

This normally completes very fast, and gives me something to start on. After this completes, I will typically begin a more aggressive scan using -A (OS and version detection, default scripts and traceroute) and -p- (all 65535 TCP ports, rather than nmap’s default top 1000) to get some discovery going. This room, being easy, doesn’t need anything beyond the basic scan.

nmap scan

From this scan, we can see that ssh is open. This could (will) come into play later, but we need credentials to connect. Port 80 is what we will focus on for now.

Navigating to your vulnerable machine’s IP address, you are met with a basic default landing page, which may not look like much.

default landing page

However, one step that should always be taken is to view the page source for any comments the developer may have accidentally left behind. Typically, you can just right-click > View Page Source. Alternatively, you can press CTRL + U to access this page.

At first glance, this looks pretty default. But as you are scrolling, you may notice this added bit of code.

Pokémon Java!

This gives us a clue that perhaps something has been modified, and we should continue looking for any other crumbs we can find.

As we scroll down, inspecting the code, we find something out of place.

SSH Credentials

Could these be credentials? This room, again being easy, pretty much tells us they are with the comment line. Don’t always expect this.

Armed with our new credentials, let’s connect to the machine!

ssh username@ipaddress

SSH Success!

Now that we are in, it is time to enumerate. Detailed enumeration here can save you some time later in this room.

Almost immediately, we find a compressed folder on the Desktop. Decompress that by running unzip followed by the file name.

unzip P0kEmOn.zip

This reveals the first text document, containing our first flag. This was something I really liked about this room, though. The flags are all in various types of encoding, adding just a small extra challenge.

grass-type.txt

Looking at this, it is clear that this is in hex. The things that give it away are that it comes in two-character chunks (each pair of hex digits encodes one byte), and the letters never go past “f.” Hexadecimal has 16 possible characters for each digit: 0–9 and a–f.

Now we need to convert this to something that makes sense to us. Time to whip out the ol’ Googles. I searched for a Hex to ASCII converter, and found this decently capable one here.

Grass-Type Flag

This gave us our flag for the grass type Pokémon.

From here, I spent a little time going through the various directories one at a time looking for something. I did find something in the Videos directory, but that will come into play later.

Finally, I went back to basics and used some critical thinking. Okay, the first flag was contained in a file called “grass-type.txt,” so is it possible that I am now looking for “water-type.txt?” I ran a locate command to find out.

locate water-type

water-type.txt

It would have taken me ages to find that manually. This was a great lesson in using BASH to your advantage. It has been a while since I have spent any time at OverTheWire.org, and now I will make sure I revisit soon, just to make sure I am brushed up on the basics.

This “encryption” took me entirely too long to recognize. Eventually, I noticed a pattern of repeating characters, which led me to believe this is not a very advanced encryption method and should be incredibly easy to crack.

Aha! I finally recognized it as what I know as ROT12. It is also known as a Caesar cipher with a shift of 12. ROT is normally seen as ROT13, and it is simply where you rotate the characters 13 places down the alphabet. So “A” becomes “N,” “B” becomes “O,” etc. I think it was the shift of 12 that had me thrown. Which is a little embarrassing, to be honest. ROT is known as a joke of an encryption method.

Another visit to the ride or die Google, and I had it cracked. Side note, I found this site that I really liked, because you do not need to know the shift factor. It calculates all of them, and you look down a list to see what makes sense. Perfect for situations like this.

Water-Type Flag

Since locate was such a good friend last time, I decided to try it again to find the fire-type.txt file I was looking for.

locate fire-type

Just like the water flag, it was quickly found. Reading that file left us with this:

fire-type.txt

This encoding is very simple to identify as base64 due to the “==” padding at the end of the string. (The padding is only there when the decoded length is not a multiple of three bytes, so a base64 string can also end in a single “=” or in no padding at all; the restricted alphabet of A–Z, a–z, 0–9, “+” and “/” is the other giveaway.)

Base64 encoding/decoding is also built into the terminal, so it was perhaps the easiest for me to decode.

echo '<encoded text>' | base64 -d
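The three flag encodings in this room (hex, a Caesar/ROT shift, and base64) are all cheap to decode offline, and the brute-force approach the ROT site takes, trying every shift and letting a human pick the readable one, is easy to reproduce. The script below is an added example and is not part of the original walkthrough; the sample strings in it are constructed for illustration and are not the room’s real flags, and the small common-word list used to rank Caesar candidates is my own heuristic rather than anything from the room.

```python
"""Identify and decode hex, Caesar/ROT-n and base64 strings, the way the flags in
this room are encoded. Sample inputs are constructed, not the room's real flags."""
import base64
import re
import string

# Only pairs of hex digits, and only the base64 alphabet with up to two '=' pads.
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Hypothetical word list used only to score Caesar candidates; extend as needed.
COMMON_WORDS = {"the", "is", "and", "a", "of", "flag", "type", "water", "fire", "grass"}


def identify(text: str) -> str:
    """Cheap heuristic: hex wins if every character is a hex digit in pairs,
    then base64 if the alphabet fits and the length is a multiple of 4,
    otherwise assume a Caesar shift. Short all-letter strings can be
    misclassified as base64, so treat the answer as a hint, not a verdict."""
    s = text.strip()
    if HEX_RE.match(s):
        return "hex"
    if B64_RE.match(s) and len(s) % 4 == 0:
        return "base64"
    return "caesar"


def decode_hex(text: str) -> str:
    return bytes.fromhex(text.strip()).decode("utf-8")


def decode_base64(text: str) -> str:
    # validate=True rejects stray characters instead of silently skipping them.
    return base64.b64decode(text.strip(), validate=True).decode("utf-8")


def caesar_shift(text: str, shift: int) -> str:
    """Rotate letters by `shift` places, keeping case and leaving other characters alone."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def caesar_all_shifts(text: str) -> dict:
    """Every candidate plaintext keyed by the shift that would have produced the
    ciphertext (so shift 13 undoes ROT13, shift 12 undoes ROT12)."""
    return {k: caesar_shift(text, -k) for k in range(26)}


def best_caesar_guess(text: str) -> tuple:
    """Rank the 26 candidates by how many common English words they contain."""
    best_shift, best_text, best_score = 0, text, -1
    for k, cand in caesar_all_shifts(text).items():
        score = sum(w in COMMON_WORDS for w in re.findall(r"[a-z]+", cand.lower()))
        if score > best_score:
            best_shift, best_text, best_score = k, cand, score
    return best_shift, best_text


def decode_flag(text: str) -> tuple:
    """Dispatch on the identified encoding; returns (kind, plaintext)."""
    kind = identify(text)
    if kind == "hex":
        return kind, decode_hex(text)
    if kind == "base64":
        return kind, decode_base64(text)
    return kind, best_caesar_guess(text)[1]


# Constructed samples: "grass sample" as hex, a ROT12 of a short sentence, and
# "firesample" as base64 (its "==" padding mirrors what the room's flag showed).
SAMPLE_HEX = "67726173732073616d706c65"
SAMPLE_ROT12 = caesar_shift("the water type flag is here", 12)
SAMPLE_B64 = "ZmlyZXNhbXBsZQ=="

if __name__ == "__main__":
    for sample in (SAMPLE_HEX, SAMPLE_ROT12, SAMPLE_B64):
        print(sample, "->", decode_flag(sample))
    # The full shift table, like the brute-force site, for eyeballing:
    for k, cand in caesar_all_shifts(SAMPLE_ROT12).items():
        print(f"shift {k:2d}: {cand}")
```

Run it as a script to see each sample decoded plus the full 26-row shift table for the Caesar sample; in practice you paste the room’s own strings in place of the constructed ones.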

Fire-Type Flag

Last up was finding out who Root’s favorite Pokémon is. Earlier enumeration could have saved you quite a bit of time here. In the home folder was an interesting file, roots-pokemon.txt.

roots-pokemon.txt

Unfortunately, we do not have access to read the file as a standard user. Here again, earlier enumeration could have revealed a theme-following set of directories in the Videos directory.

Following this down, you eventually find a C++ file. Listing the directory in long format (ls -l) shows that we have read access on the file. Read that file, and you find what sure looks to be credentials for another user on the machine.

User Credentials

su username

I switched user with the credentials we found, then navigated back up to where our file was and read it.

Root’s Favorite Pokémon

This one was not encrypted in any way. So just enter that flag, and celebrate your completion of that room!

I really enjoyed this room. It is a fun, easy room that can be completed very quickly. It has a few good lessons in critical thinking and enumeration. I think it is a great room for beginners to practice if time is a little tight, but you just want to crack a box for the day.
