First of all I ran an nmap scan on first 1000 ports, let's do nmap <IP>

We see that there are two ports open. So lets try going to the webpage on port 80.

Looks like a default webpage, I tried running gobuster but got nothing special out of it.
So lets try checking Page Source, from there we can find the password at the very bottom of the page which can be used later for ssh.

Now let's ssh into the system with the credentials we found.

Q1:Find the Grass-Type Pokemon

After logging in, hunt for the flags started, in first directory I found a zip file. Let's unzip that and we got our encrypted grass-type flag:

Q2:Find the Water-Type Pokemon

Now we go into the /var/www/html/ folder and found our next flag:

Q3:Find the Fire-Type Pokemon

Judging by the other two flag names I just guessed that the other flag name could be fire-type.txt so lets search for that and get our flag

Now in our Videos folder there are sub folders and from where we find a file containing password for another user:

Q4:Who is Root's Favorite Pokemon?

As we can see our user ash can run all the commands without passwords and we can grab our root flag as well