# Gotta Catch'em All

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MceaYpXWttRXXDEVegh%2F-Mcel3TkueeW77NHnGkk%2Fimage.png?alt=media\&token=3afd5a23-3290-4016-b818-5c0407d77c57)

## Scanning

Initial nmap scan to find open ports, using **-Pn** to treat all hosts as alive and skip host discovery:

```
nmap -Pn 10.10.19.228
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-McaWWwtrZqvWri3cbKB%2F-McaWahiVzuql3XI9UcV%2Fimage.png?alt=media\&token=96ceafe6-4ce0-45ee-9692-b6566fe6bdee)

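Detailed nmap scan of ports 22 and 80, with version detection (`-sV`) and default scripts (`-sC`), saving the output to a file (`-oN`):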

```
nmap -sV -sC -p 22,80 -oN nmap 10.10.19.228
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MceaYpXWttRXXDEVegh%2F-Mcelk1SDYChlAM5Au4F%2Fimage.png?alt=media\&token=deec4405-62f1-468d-9e2c-c51d468aff40)

## Enumeration

Let's check the website on port 80.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcem8ylJIw931A1dn0O%2F-McemNCO7RCtnCZJCQuR%2Fimage.png?alt=media\&token=21d286f3-74cd-4e0c-b272-071488fafaad)

It's an Apache 2 page, so let's run a `gobuster` scan to find hidden directories.

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.19.228/
```

After the scan finished, we did not find any hidden directories.

Looking at the source code of the page, we find something interesting:

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcem8ylJIw931A1dn0O%2F-McemlVPuUtgE8jWd9Tc%2Fimage.png?alt=media\&token=12dcad09-8870-40fe-9166-c75430948107)

They look like credentials, so let's log in through `ssh`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcemx_N4OX8HGWjqhk2%2F-McepXtAs0J8dXD5s7ie%2Fimage.png?alt=media\&token=29db4d90-ec3d-4b92-87b5-5b3f7d81c505)
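Directory brute-forcing only enumerates paths, so credentials left in the page markup have to be caught by reviewing what the server actually sends. As an added example (not part of the original write-up), this pre-deployment check scans HTML comments and non-standard elements for credential-like `name:secret` pairs; the pattern, the tag allow-list and the sample page are constructed assumptions, since the write-up shows its finding only in a screenshot.

```python
import re
from html.parser import HTMLParser

# Assumption: a leaked credential looks like "name:secret". The write-up shows
# its finding only as a screenshot, so this pattern and SAMPLE are constructed.
CRED_RE = re.compile(r"\b([A-Za-z][\w.-]{2,31}):([^\s:<>/]{6,64})")

# Elements a stock page is expected to use; text inside anything else is scanned.
STANDARD_TAGS = frozenset("html head title meta link style script body div span "
                          "p a img h1 h2 h3 ul ol li pre table tr td br hr".split())

class SourceAuditor(HTMLParser):
    """Collects (line, location, account name) without echoing the secret."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._odd = []  # currently open non-standard elements

    def _scan(self, where, text):
        for m in CRED_RE.finditer(text):
            self.findings.append((self.getpos()[0], where, m.group(1)))

    def handle_comment(self, data):
        self._scan("comment", data)

    def handle_starttag(self, tag, attrs):
        if tag not in STANDARD_TAGS:
            self._odd.append(tag)

    def handle_endtag(self, tag):
        if self._odd and self._odd[-1] == tag:
            self._odd.pop()

    def handle_data(self, data):
        if self._odd:
            self._scan(f"<{self._odd[-1]}>", data)

def audit_html(html):
    auditor = SourceAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; the names and secrets are placeholders.
SAMPLE = """<html><body><h1>It works!</h1>
<!-- remove before go-live: deploy:EXAMPLE-secret-1 -->
<staging>backup:EXAMPLE-secret-2</staging>
</body></html>"""

for line, where, name in audit_html(SAMPLE):
    print(f"line {line}: credential-like pair for '{name}' in {where}")
```

URLs such as `http://...` inside comments are not flagged, because the secret part of the pattern excludes `/`.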

While exploring the system, we find the answer to the first question in the room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcemx_N4OX8HGWjqhk2%2F-MceqIV2zk-JaAGS1I7k%2Fimage.png?alt=media\&token=b44ee726-5b1a-4b77-84a1-1cc9a4467e96)

## Privilege Escalation

Looking through the machine, we see something interesting in the `Videos` directory.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcemx_N4OX8HGWjqhk2%2F-MceqyLMVr7GNXGnWhdy%2Fimage.png?alt=media\&token=5b83163f-de6a-423f-96dc-2986ecd2e983)

Let's check the file in the directory.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcemx_N4OX8HGWjqhk2%2F-McerEmFEb8JNhgU7Ofl%2Fimage.png?alt=media\&token=4297e79b-1227-450e-8a41-1b107718d82b)

Looks like we have credentials, so let's switch users.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcemx_N4OX8HGWjqhk2%2F-McerLwQtonqcgRYT6AT%2Fimage.png?alt=media\&token=ed50c14a-87d2-4a7e-b4eb-e66f5007a7ae)

Looking at the permissions of the files in the `/home` directory, we can see that we can now read the file that we couldn't before.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcemx_N4OX8HGWjqhk2%2F-Mcerr67DMoSH2pDBJFX%2Fimage.png?alt=media\&token=578400e5-6f33-4f26-9f0b-20cb71a800f3)

This is the answer to the fourth question of this room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcemx_N4OX8HGWjqhk2%2F-Mces617aV-86hfwxEit%2Fimage.png?alt=media\&token=87cd8838-261a-4b45-ad39-6b3b4490d469)

Let's run `sudo -l` to see what we can run as other users.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcemx_N4OX8HGWjqhk2%2F-McetSBjxsFIGDN8BVWB%2Fimage.png?alt=media\&token=ad1a6177-53b5-4d33-bc6e-86d1f318b490)

Looks like we can run `ALL`, so let's switch users to root.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcemx_N4OX8HGWjqhk2%2F-McetZ1ZsZDxH0TVTxR0%2Fimage.png?alt=media\&token=95ff610f-1efc-4824-b21c-c54aa34eb821)

We are now root, so let's look for all the files that we have not found yet.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcemx_N4OX8HGWjqhk2%2F-Mceu1rKJwUag0idbEzb%2Fimage.png?alt=media\&token=17948f76-ba41-474e-9043-22b23b5a999d)

The files are encrypted, so let's crack them.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcemx_N4OX8HGWjqhk2%2F-MceuR4gzYGIosArWnVN%2Fimage.png?alt=media\&token=4007bb0d-3e50-45e1-9e96-3887e2a5e38b)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mcemx_N4OX8HGWjqhk2%2F-MceudHyIQMea-m2lPbt%2Fimage.png?alt=media\&token=c94020cb-5827-4818-a803-3f9b7abded54)
