TryHackMe - Gotta Catch'em All! (Beginner)

TryHackMe - Gotta Catch'em All! (Beginner)

An easy room with beginner-friendly Crypto challenges.

logo2

Welcome to a very quick write up.

Still in the topic of covering the absolute basics. I was initially not going to be writing about this one because I was just going to be doing it for fun, but it showcases some basic cryptography examples that may come in handy for somebody starting their journey.

Find the room for free here: TryHackMe - Gotta Catch’em All!

Reconnaissance

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

SSH and web. We already know the drill, let’s jump straight away to the website to find the SSH creds.

Port 80

Enumeration

A default page is all we find when connecting to port 80. It’s slightly modified, so why not taking a look at the source code?

We find some hard-coded pokemon in a script but it just looks like a red herring. If we keep scrolling down we find this:

SSH creds

This really looks like a username and password. Why not trying it in port 22?

Port 22

First flag

ssh -l pokemon $ip

So we have 4 flags to find, let’s start doing a quick reckon in the user directory:

ls -R *

enum

Great, it seems we have found 2 interesting things:

  1. A zip file in /Desktop. If we unzip it we find the first flag. To decode it we will use xxd and it’s binary manipulation abilities. Passing the flags -r -p will convert any hexdump data in ASCII characters that we can read. 1st flag

  2. A C++ source code containing new creds. We don’t need them yet so we’ll take a note and move on. 2nd user

Privesc + Second flag

When we start exploring outside of the home folder of the user we initially found creds for, we stumble across this:

enum2

The other user we found creds for is the owner of the file, and the file is in the root group. Looks like it’s time to escalate our privileges. Doing sudo -l with our current user doesn’t bring anything up, so let’s just switch user with su ash

When connecting, something weird happens:

weird

We can’t see the bash history? If he cat /etc/passwd we even see this user hasn’t got a shell defined for them:

weird2

So just let’s try and escalate to sudo. sudo -l reveals we can cast any command we want as sudo

sudol

Now, to start the privilege escalation, first thing to do is checking whether we have permissions to doing so from this user with sudo -l:

sudol

Let’s go for the easy win: sudo su

Now that we are root we can see the file we mentioned early:

root@root:/home# cat roots-pokemon.txt 
<Redacted>

Third and Fourth flags

We saw earlier that the file within the .zip archive was called green-type.txt. Let’s try and take advantage of the naming and try luck by using the find command and some RegEx:

root@root:/home# find / -type f 2>/dev/null | grep -E "type.txt$"

enum3

There we have our 2 last flags!

Fire type

Starting with the fire type, we get a base64 encoded string:

root@root:/home/pokemon# cat /etc/why_am_i_here?/fire-type.txt
UDBrM20wbntDaGFybWFuZGVyfQ==

Fortunately for us, Linux has a command which decodes base64 strings for us by calling it directly with the flag -d

root@root:/home/pokemon# base64 -d /etc/why_am_i_here?/fire-type.txt
<Redacted>

Water type

We find ourselves with this:

root@root:/var/www/html# cat water-type.txt 
Ecgudfxq_EcGmP{Ecgudfxq}

It looks like a Rot ciphertext. We can now just copy-paste it in any online Rot solver, but I’m going to showcase the tr command and do this from the CLI.

I had a hinge Ecgudfxq meant Squirtle, by the letters distribution and the lack of letters repetition. If we know the first cipher letter E is equivalent to plaintext letter S, our tr command will start with e-z, then from a to the letter before e (a-d) and then we need to repeat it with the capital letters: e-za-dE-ZA-D. Then, we want to translate that into a format we can read, so if e equals s, the first letter we need to put for the command is s to z, then from a to the preceeding letter to s, which is r: s-za-rS-ZA-R. Our command will look like this:

root@root:/var/www/html# cat water-type.txt | tr 'e-za-dE-ZA-D' 's-za-rS-ZA-R'
<Redacted>     

© 2021 Subtle Labs. All rights reserved. Made with love and coffee from Edinburgh, UK.