First of all, I ran an nmap scan on the first 1000 ports, let's do
We see that there are two ports open. So let's try going to the webpage on port 80.
Looks like a default webpage. I tried running gobuster but got nothing special out of it.
So let's try checking the page source; from there we can find the password at the very bottom of the page, which can be used later for ssh.
Now let's ssh into the system with the credentials we found.
Q1: Find the Grass-Type Pokemon
After logging in, the hunt for the flags started. In the first directory I found a zip file. Let's unzip that, and we get our encrypted grass-type flag:
Q2: Find the Water-Type Pokemon
Now we go into the /var/www/html/ folder and find our next flag:
Q3: Find the Fire-Type Pokemon
Judging by the other two flag names, I just guessed that the other flag name could be fire-type.txt, so let's search for that and get our flag.
Now in our Videos folder there are subfolders, from where we find a file containing the password for another user:
Q4: Who is Root's Favorite Pokemon?
As we can see, our user ash can run all the commands without passwords, and we can grab our root flag as well.