Pokemon - TryHackMe lab
Today I am working on the Gotta Catch’em All challenge from TryHackMe.com.
Getting help from: https://medium.com/@aritrachakraborty_74303/gotta-catchem-all-a-writeup-for-ctf-style-thm-box-but-with-generic-techniques-904dc58e3890
I got the IP address of the box and started with an Nmap scan:

Next, I wanted to see what was open on port 80. I noticed the http-title was “Can You Find Them All?”.

It looks like a default Apache page, but with that http-title, I figured something was here. Next I looked at the page source:

Found credentials in the source and decided to try them with SSH, as port 22 was open.

Checked the home folder with: ls -lAh

Then running: ls -lAh *

Next I went into the Desktop directory and started a Python web server to grab that .zip file.

Manually grabbed the .zip, could have used wget: wget 10.10.238.31:8000/P0kEmOn.zip

I unzipped this file and got a text file, then ran the cat command to read the contents.

This file has hex code in it. I used CyberChef to decode the message:

Got the first flag!

After this, I found more credentials in another file

Logged into Ash’s account

I found the next flag, root's favorite Pokémon.
Next I searched for “fire” to get the last flag: find / -name '*fire*' -type f 2>/dev/null (Too many results)
find / -name '*fire*' -type f 2>/dev/null | grep -ivE "(firefox|firewall)"

Now that file looks interesting…
I decoded the Base64: cat /etc/why_am_i_here?/fire-type.txt | base64 -d

Got the next flag
Next I looked in the web server's directory to see if any interesting files were there. I found the file below with some ROT13 inside.

Time to put this in CyberChef to get the flag.

The output provided me with the last flag. This was a fun challenge!
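
The three decoding steps in this walkthrough (hex and ROT13 in CyberChef, Base64 with base64 -d) can also be done offline with one script that works out which encoding it was given. This is an added example, not part of the original post; the function name decode_layer is hypothetical and the sample strings are constructed, not the box's file contents.

```python
import base64
import binascii
import codecs
import string

PRINTABLE = set(string.printable)

def _printable(data: bytes):
    """Return data as text if it is non-empty printable ASCII, else None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in PRINTABLE for c in text) else None

def decode_layer(blob: str):
    """Guess the encoding of blob and decode it. Returns (encoding, text)."""
    compact = "".join(blob.split())  # hex dumps are often space-separated
    # Hex first: its alphabet is a subset of Base64's, so test the stricter one.
    if compact and len(compact) % 2 == 0 and all(c in string.hexdigits for c in compact):
        text = _printable(bytes.fromhex(compact))
        if text is not None:
            return "hex", text
    # Base64: validate=True rejects any character outside the alphabet.
    try:
        text = _printable(base64.b64decode(compact, validate=True))
        if text is not None:
            return "base64", text
    except (binascii.Error, ValueError):
        pass
    # ROT13 turns any text into text, so it can only be the fallback.
    return "rot13", codecs.decode(blob.strip(), "rot13")

# Constructed samples (assumption: not the real contents of the box's files).
SAMPLES = [
    "67 72 61 73 73 2d 74 79 70 65 3a 20 64 65 6d 6f",  # hex
    "ZmlyZS10eXBlOiBkZW1v",                              # Base64
    "jngre-glcr: qrzb",                                  # ROT13
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_layer(sample))
```

Short strings can be valid in more than one encoding, so the reported encoding is a guess to be checked against the decoded text.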