Gotta Catch'em All!

https://tryhackme.com/room/pokemon

Initially I ran an Nmap scan, which showed ports 80 and 22 to be open.

The web server seemed to be just hosting the standard Apache site. However, I could not find any other attack vectors, so I looked at the source code and searched for "pokemon" and found this:

<pokemon>:<hack_the_pokemon>
        	<!--(Check console for extra surprise!)-->

That looks like credentials, and sure enough they work.

After logging in with SSH, I simply looked around a bit and found the file /home/pokemon/Desktop/P0kEmOn.zip. If we unzip the file we see a file named grass-type.txt. The file contains a hex string. Simply convert it back to normal text to obtain the flag.

To locate the other files I tried searching for files similar to grass-type.txt and found the location of the two other files.

pokemon@root:~/Desktop/P0kEmOn$ find / -name 'water-type.txt' -type f 2>/dev/null
/var/www/html/water-type.txt
pokemon@root:~/Desktop/P0kEmOn$ find / -name 'fire-type.txt' -type f 2>/dev/null
/etc/why_am_i_here?/fire-type.txt

The file /etc/why_am_i_here?/fire-type.txt contains Base64-encoded text. Decode it to get the flag.
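The hex step for grass-type.txt and the Base64 step for fire-type.txt can share one helper. This is an added example, not part of the original write-up; the function name decode_flag_text and the sample strings are constructed for illustration and are not the room's flags.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())


def _printable(data: bytes) -> bool:
    """True if data is non-empty and consists only of printable ASCII."""
    return bool(data) and all(b in PRINTABLE for b in data)


def decode_flag_text(raw: str) -> tuple[str, str]:
    """Return (encoding, plaintext) for a hex or Base64 string."""
    text = "".join(raw.split())  # drop spaces/newlines between bytes
    # Try hex first: every hex digit is also a legal Base64 character,
    # so a hex string can pass through a Base64 decoder without an error
    # and come out as garbage bytes.
    try:
        data = bytes.fromhex(text)
        if _printable(data):
            return "hex", data.decode("ascii")
    except ValueError:
        pass
    try:
        data = base64.b64decode(text, validate=True)
        if _printable(data):
            return "base64", data.decode("ascii")
    except (binascii.Error, ValueError):
        pass
    return "unknown", raw.strip()


# Constructed sample inputs (not the real file contents).
HEX_SAMPLE = "50 6f 4b 65 4d 6f 4e 7b 64 65 6d 6f 7d"
B64_SAMPLE = "ZGVtb19mbGFn"

if __name__ == "__main__":
    for sample in (HEX_SAMPLE, B64_SAMPLE, "not encoded!"):
        print(decode_flag_text(sample))
```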

However, we do not have permission to read the other file. I looked through the rest of the folder in /home/pokemon and found /Videos/Gotta/Catch/Them/ALL!/Could_this_be_what_Im_looking_for?.cplusplus which contains credentials for the user ash.

Switch to the user ash and run sudo -l to see that ash can run all commands as root. Then we do sudo su and open the file.

The last answer is in the /home/roots-pokemon.txt file.
