# Gotta Catch'em All ![](/files/-Mcel3TkueeW77NHnGkk) ## Scanning Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (**-Pn**) ``` nmap -Pn 10.10.19.228 ``` ![](/files/-McaWahiVzuql3XI9UcV) Detailed Nmap Scan : ``` nmap -sV -sC -p 22,80 -oN nmap 10.10.19.228 ``` ![](/files/-Mcelk1SDYChlAM5Au4F) ## Enumeration Lets check the website on Port 80 ![](/files/-McemNCO7RCtnCZJCQuR) Its a Apache 2 page, lets run a `gobuster` scan to find hidden directories. ``` gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.19.228/ ``` After the scan finished, we did not find any hidden directories Looking at the source code of the page, we find something interesting ![](/files/-McemlVPuUtgE8jWd9Tc) They look like `credentials` , lets login through `ssh`. ![](/files/-McepXtAs0J8dXD5s7ie) While exploring the system, we find the answer to the first question in the room ![](/files/-MceqIV2zk-JaAGS1I7k) ## Privilege Escalation Looking through the machine, we see something interesting in the `Videos` directory ![](/files/-MceqyLMVr7GNXGnWhdy) Lets check the file in the directory ![](/files/-McerEmFEb8JNhgU7Ofl) Looks like we have credentials, lets switch users. ![](/files/-McerLwQtonqcgRYT6AT) Looking at the permissions of the files in the `/home` directory, we can see that we can now read the file that we couldn't before. ![](/files/-Mcerr67DMoSH2pDBJFX) This is the answer for the fourth question of this room ![](/files/-Mces617aV-86hfwxEit) Lets run `sudo -l` to see what we can run as other users. ![](/files/-McetSBjxsFIGDN8BVWB) Looks like we can run `ALL`, so lets switch users to root ![](/files/-McetZ1ZsZDxH0TVTxR0) We are now root, lets look for all the files that we did not find yet ![](/files/-Mceu1rKJwUag0idbEzb) The files are encrypted, so lets crack them. ![](/files/-MceuR4gzYGIosArWnVN) ![](/files/-MceudHyIQMea-m2lPbt) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://writeups.adityadindi.com/tryhackme/untitled/gotta-catchem-all.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.