Gotta Catch’em All — CTF Writeup
Hello infosec people, this is my first CTF write-up, so don't be too harsh on me.
Let's get started.
I deployed the machine in TryHackMe, started my VM and connected it to the VPN. We are ready to go.
Following the usual penetration-testing methodology, we have to start somewhere. We know absolutely nothing about the machine we are about to connect to, so we begin with enumeration.
Enumeration
Nmap is your friend here.
I opened Zenmap, because I prefer the graphical interface, entered the target IP and ran an intense scan. It's not the best option, but that's what I did first. The equivalent command is:
nmap -A -v 10.10.59.174
From the results I could tell that the target is a Linux machine with two important ports open:
Port 22 (SSH) and Port 80 (HTTP, Apache)
Hmm, okay, we have something here. Let's visit the website on port 80:
http://10.10.59.174
It looks like the default Apache index page. As a beginner, I made the mistake of immediately looking for exploits for Apache and SSH.
In medical school they have a saying:
“When You Hear Hooves, Think Horses, Not Zebras”
That's exactly how we have to think on these easy CTFs. The next step I had to take was right in front of my face, I just couldn't see it. The next step I should have taken was to look at the page source for clues, but instead I was off looking for exploits (zebras) and the like.
When I finally looked at the source I saw a few comments about Pokémon. As I scrolled down I saw a comment that looked like credentials:
</div>
<pokemon>:<password>
<!-- (Check console for extra surprise!) -->
</div>
Okay, great, let's try these credentials for an SSH login. They work. We are in.
After running the command:
ls -lAh *
There is a P0kEmOn.zip file in Desktop and a Gotta folder in Videos.
I moved to the Desktop first and unzipped the file.
When I cat the .txt file, a hex-encoded string showed up. I decoded it using this website and got the "grass-type" flag.
Now we have to move on and find the other flags. I remembered that there was something in the Videos folder. I moved into it and found a chain of sub-folders:
/Videos/Gotta/Catch/Them/ALL!
Inside there was a file. I used cat to see what it contained and found credentials again:
#include <iostream>

// The "source file" is just a wrapper around a hard-coded username:password pair.
int main() {
    std::cout << "ash: password";
    return 0;
}
Hmm, interesting. Does this user exist on the system? I went to /home to see which users' folders were on the system.
There is ash, so the user exists, and there is a txt file in the folder. I tried to cat it but I didn't have enough permissions, so I escalated privileges using the credentials I got before:
su ash
I used ls -al to see what privileges ash has, and I saw that ash has root privileges.
That's great!
I cat the .txt file and was greeted with a flag. It answers the "root's favorite pokemon" question.
Let's go find the third flag now.
Based on the hints on TryHackMe, for the water-type Pokémon the hint tells us to check the website, so I cd into /var/www/html, where the website lives!
And there I found the third flag, for the 2nd question.
It was an encoded flag again, and based on the way it looked I guessed it was ROT13. But little did I know, it was ROT14. Anyway, I decoded it and submitted the third flag.
Now we have only one flag left, the fire-type flag.
As I said before, I can switch to root because ash has root privileges. Going from a regular user to root like this is vertical privilege escalation; the earlier su to ash, moving between accounts of the same level, is the horizontal kind. So I used:
sudo su
I moved to the root folder to see if there was anything there. There wasn't.
One thing we can use is find. We know the file is going to have "fire" in its name, so let's search for it:
find / -name '*fire-type*' -type f 2>/dev/null
We know the name is going to contain "fire-type", so I used that to locate it. AAAND it found it...
I used cat; it was base64-encoded, so I decoded it and submitted it.
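All four flags in this room come out of the same three wrappers: hex (the grass-type flag), ROT-n (the water-type flag, where guessing ROT13 was one shift off) and base64 (the fire-type flag). Rather than paste each one into a website, the script below, an added example and not the author's own tooling, identifies the encoding and decodes it in one go, trying every ROT shift and ranking the candidates so the ROT13-vs-ROT14 guess never has to be made. The sample strings, the word list used for ranking and the plaintexts are constructed for this example; they are not the room's real flags.

```python
"""Decode the three flag encodings met in this room: hex, ROT-n and base64.

Added example, not the author's script. The sample strings below are
constructed here (they are NOT the room's real flags) by encoding made-up
plaintexts with each scheme.
"""
import base64
import binascii
import re
import string

# Constructed samples; the plaintext each one wraps is noted alongside.
SAMPLES = {
    "grass": "666c61677b62756c6261736175727d",   # hex("flag{bulbasaur}")
    "water": "kohsf-hmds tzou: geiwfhzs",        # ROT14("water-type flag: squirtle")
    "fire":  "ZmxhZ3tjaGFybWFuZGVyfQ==",         # base64("flag{charmander}")
}

# Tiny word list used to rank ROT-n candidates; extend it for real use.
WORDS = {"the", "is", "and", "of", "a", "to", "in", "flag", "type",
         "pokemon", "water", "fire", "grass", "root"}


def rot(text, shift):
    """Caesar-shift letters by `shift` (mod 26); other characters pass through."""
    out = []
    for ch in text:
        base = ord("A") if ch.isupper() else ord("a") if ch.islower() else None
        if base is None:
            out.append(ch)
        else:
            out.append(chr((ord(ch) - base + shift) % 26 + base))
    return "".join(out)


def _as_text(raw):
    """Return raw bytes as str if they are printable ASCII, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if text.strip() and all(c in string.printable for c in text):
        return text
    return None


def try_hex(s):
    """Decode as a hex string; None if it is not one (or yields junk)."""
    try:
        return _as_text(bytes.fromhex(s.strip()))
    except ValueError:
        return None


def try_base64(s):
    """Decode as strict base64; None if it is not base64 (or yields junk)."""
    try:
        return _as_text(base64.b64decode(s.strip(), validate=True))
    except (binascii.Error, ValueError):
        return None


def try_rot(s):
    """Try all 25 shifts and return (k, plaintext) for the one that reads best.

    Guessing ROT13 and being wrong (the room used ROT14) is exactly what
    this avoids: every shift is scored against WORDS and the best one wins.
    """
    best = (0, None, None)
    for k in range(1, 26):
        cand = rot(s, -k)            # undo an assumed ROT-k
        tokens = re.findall(r"[a-z]+", cand.lower())
        score = sum(tok in WORDS for tok in tokens)
        if score > best[0]:
            best = (score, k, cand)
    return (best[1], best[2]) if best[0] else (None, None)


def decode_flag(s):
    """Identify the encoding and return (method, plaintext), or (None, None).

    Hex is tried before base64 because a hex string can also be
    syntactically valid base64, while the reverse is rarely true.
    """
    for name, fn in (("hex", try_hex), ("base64", try_base64)):
        text = fn(s)
        if text is not None:
            return name, text
    k, text = try_rot(s)
    if k is not None:
        return f"rot{k}", text
    return None, None


if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        method, text = decode_flag(blob)
        print(f"{label:5} {method or '?':6} {text}")
```

Two caveats worth keeping in mind: the printable-ASCII check is what stops a short hex string from being "decoded" into garbage before the other decoders get a turn, and the ROT ranking only works as well as the word list, so on a real engagement feed it a proper dictionary or add the markers you expect in a flag.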
Room Completed!! — END