Gotta Catch’em All!

This room is based on the original Pokemon series. Can you obtain all the Pokemon in this room?

External

Initial nmap scan:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 58:14:75:69:1e:a9:59:5f:b2:3a:69:1c:6c:78:5c:27 (RSA)
|   256 23:f5:fb:e7:57:c2:a5:3e:c2:26:29:0e:74:db:37:c2 (ECDSA)
|_  256 f1:9b:b5:8a:b9:29:aa:b6:aa:a2:52:4a:6e:65:95:c5 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Can You Find Them All?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Since we don’t have any ssh credentials right now, let’s run some scans on the web page running on port 80.

I’ll save you some time: my initial gobuster and nikto scans came back with nothing, so it looks like it’s time for some manual enumeration.

Web App

[Screenshot: webpage]

Looking at the web page, we see that it is just the default Apache2 page. Since we got nothing back from our directory scans, let’s look at the source by pressing CTRL + U.

While scrolling through, we need to look for things that someone might be trying to hide, such as content inside of comments or tags.

[Screenshot: comment]

The comment above doesn’t match any default Apache2 page I have seen, so let’s take a look at the console.

[Screenshot: console]

We see that there is an array of 10 different pokemon.

At this point I looked into whether I could somehow interact with this array in some weird way or inject into it, and no. I was a bit lost until I looked back at the page source and…

[Screenshot: creds]

Right above the comment I was so infatuated with, there are two strange HTML tags with a colon in between them; from experience, this normally means a username:password combination.

[Screenshot: ssh]

Looks like they worked!

Internal

[Screenshot: home]

Taking a look around our home directory, nothing really stands out, so I checked out the Desktop, and it looks like there is a zip file we can take a look at.

[Screenshot: zip]

Using the unzip command, we see that a grass-type.txt file was extracted. Inside the file is what seems to be hex-encoded text.

Using CyberChef we can decode the contents and get our first “pokemon”!

[Screenshot: homedir]

Moving back to the /home directory, we see that the user ash has a home directory as well as root’s pokemon, but we do not have access to either of these. Now we need to find the water- and fire-type pokemon.

I decided to head over to where the web server is running, /var/www/html.

[Screenshot: water]

There it is! Catting the flag out, it seems a bit off; it doesn’t really look like a hash or anything, just a little scrambled. Once again from experience, I know we can use an online Caesar cipher decoder to unscramble the pokemon.

[Screenshot: caesar]

Now we can submit it; time for the fire-type pokemon.

Since the previous file names had the same structure, I decided to use a simple find command to see if the pattern continued.

pokemon@root:/var/www/html$ find / -name "fire-type.txt" 2>>/dev/null

/etc/why_am_i_here?/fire-type.txt

pokemon@root:/var/www/html$ cat /etc/why_am_i_here?/fire-type.txt

<REDACTED>

The pattern did in fact continue, and reading the contents of the file we once again see encoded output, this time base64.

[Screenshot: base]

By echoing the encoded text and piping it into the base64 command built into Linux, we can see the decoded flag and submit it.
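As an added example (not part of the original writeup), here is a small Python helper covering the three encodings met in this room: the hex in grass-type.txt, the Caesar shift on the water-type flag, and the base64 in fire-type.txt. The sample ciphertexts in SAMPLES are constructed stand-ins, not the room’s real flags, and the wordlist handed to the Caesar matcher is an assumption supplied by the caller.

```python
"""Decoders for the three flag encodings met in this room: hex, Caesar shift,
base64. Added example, not from the original writeup. The strings in SAMPLES
are constructed and are not the room's real flags."""
import base64
import binascii
import string
from typing import Dict, Optional, Tuple

# Constructed sample ciphertexts standing in for the redacted flags.
SAMPLES = {
    "grass-type.txt": "42756c626173617572",  # hex
    "water-type.txt": "Vtxluwoh",            # Caesar, shift 3
    "fire-type.txt": "Q2hhcm1hbmRlcg==",     # base64
}


def _printable(raw: bytes) -> bool:
    """True if the decoded bytes look like readable ASCII text."""
    return raw.isascii() and all(ch in string.printable for ch in raw.decode("ascii"))


def decode_hex(text: str) -> Optional[str]:
    """Decode hex-encoded ASCII; None if the text is not clean hex."""
    try:
        raw = bytes.fromhex(text.strip())
    except ValueError:
        return None
    return raw.decode("ascii") if raw and _printable(raw) else None


def decode_base64(text: str) -> Optional[str]:
    """Decode strict base64 into ASCII text; None if it is not valid base64 text."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("ascii") if raw and _printable(raw) else None


def caesar_shift(text: str, shift: int) -> str:
    """Undo a Caesar shift of `shift` positions, keeping case and non-letters."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_all(text: str) -> Dict[int, str]:
    """Every candidate shift 1..25, for a human (or a wordlist) to pick from."""
    return {s: caesar_shift(text, s) for s in range(1, 26)}


def caesar_match(text: str, words) -> Optional[Tuple[int, str]]:
    """Return (shift, plaintext) for the first candidate found in `words`."""
    wanted = {w.lower() for w in words}
    for shift, cand in caesar_all(text).items():
        if cand.lower() in wanted:
            return shift, cand
    return None


def decode_flag(text: str, words=()) -> Tuple[str, Optional[str]]:
    """Identify the encoding and decode. Hex is tried before base64 because any
    even-length hex string is also syntactically valid base64."""
    plain = decode_hex(text)
    if plain is not None:
        return "hex", plain
    plain = decode_base64(text)
    if plain is not None:
        return "base64", plain
    if text.strip().isalpha():
        hit = caesar_match(text.strip(), words)
        return "caesar", hit[1] if hit else None
    return "unknown", None


if __name__ == "__main__":
    # Assumed wordlist: the names we expect the flags to decode to.
    names = ("bulbasaur", "squirtle", "charmander")
    for fname, blob in SAMPLES.items():
        print(fname, *decode_flag(blob, names))
```

Strict base64 validation (`validate=True`) plus the printable-ASCII check is what keeps a Caesar-shifted word from being misread as base64: a run of letters whose length is a multiple of four is syntactically valid base64, but it decodes to bytes that are not text.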

Those are all the flags the user pokemon has direct access to, so now it is time to privesc.

By running a recursive directory listing on /home, we can see if there are any interesting files deep in the file tree, and we get something pretty interesting.

pokemon@root:~$ ls -laR /home

[Screenshot: lar]

The very last entry in the output caught my eye; although it is a “cplusplus” file, we can still read it.

[Screenshot: cpp]

Inside the file we see credentials to the ash user!

Now that we are a new user, we start our manual enumeration again; let’s see if we can run any commands with sudo, using the sudo -l command.

[Screenshot: sudol]

Running this command, we see that we can run any command as any user, including root. Knowing the location of root’s pokemon, we can cat it out using sudo (or we can just do sudo /bin/bash -p and become root).

[Screenshot: rootflag]

Just like that, those are all the flags, thank you for joining me on this writeup :)