Tryhackme - Anthem

In this walkthrough, we will be going through the Anthem room from Tryhackme. This room is rated as Easy on the platform and consists of exploitation of a Windows machine using web enumeration, source code review and privilege escalation. So, let’s get started without any delay.

Machine Info:

Title: Anthem VM
IP address: 10.10.175.171
Difficulty: Easy
Objective: This task involves you, paying attention to details and finding the ‘keys to the castle’.

Task 1 – Website Analysis

Question 1 – Let’s run nmap and check what ports are open.

Done

sudo nmap -Pn -sS -sV 10.10.175.171 

Question 2 – What port is for the web server?

80

Question 3 – What port is for remote desktop service?

3389

Question 4 – What is a possible password in one of the pages web crawlers check for?

robots.txt

UmbracoIsTheBest!
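
The leak above is a line in robots.txt that no crawler interprets but every visitor can read. The following check is an added example, not part of the original walkthrough: it lists lines that are not recognised crawler directives, plus comments, so they can be reviewed before publishing. The sample file is constructed for illustration (only the stray first line comes from this page), and the function name is hypothetical.

```python
import re

# Fields crawlers act on (RFC 9309 plus two common extensions).
KNOWN_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay", "host"}
DIRECTIVE = re.compile(r"^([A-Za-z-]+)\s*:\s*(.*)$")


def audit_robots(text):
    """Return (line_no, kind, content) for every line a crawler ignores
    but a human reading robots.txt would still see."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        body, _, comment = raw.strip().partition("#")
        if comment.strip():
            # Comments are harmless to crawlers but are a common place for notes.
            findings.append((no, "comment", comment.strip()))
        body = body.strip()
        if not body:
            continue
        match = DIRECTIVE.match(body)
        if match is None:
            # Bare text such as a pasted password is not a directive at all.
            findings.append((no, "free-text", body))
        elif match.group(1).lower() not in KNOWN_FIELDS:
            findings.append((no, "unknown-field", body))
    return findings


# Constructed sample: a stray string above otherwise ordinary directives.
SAMPLE = """\
UmbracoIsTheBest!

# Use for all search robots
User-agent: *

# Define the directories not to crawl
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
"""

if __name__ == "__main__":
    for line_no, kind, content in audit_robots(SAMPLE):
        print(f"line {line_no}: {kind}: {content}")
```
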

Question 5 – What CMS is the website using?

wh1terose@fsociety:~$ gobuster dir -u http://10.10.175.171/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.175.171/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/05/19 23:13:13 Starting gobuster in directory enumeration mode
===============================================================
/Archive              (Status: 301) [Size: 118] [--> /]
/Blog                 (Status: 200) [Size: 5399]       
/RSS                  (Status: 200) [Size: 1877]       
/Search               (Status: 200) [Size: 3472]       
/SiteMap              (Status: 200) [Size: 1047]       
/archive              (Status: 301) [Size: 123] [--> /blog/]
/authors              (Status: 200) [Size: 4120]            
/blog                 (Status: 200) [Size: 5399]            
/categories           (Status: 200) [Size: 3546]            
/install              (Status: 302) [Size: 126] [--> /umbraco/]

umbraco

Question 6 – What is the domain of the website?

anthem.com

Question 7 – What’s the name of the Administrator

  • Google the poem in the following post – http://10.10.175.171/archive/a-cheers-to-our-it-department/. It reveals the admin name.

Solomon Grundy

Question 8 – Can we find the email address of the administrator?

  • Navigate to the following post, which has an email address in it. The email address consists of the first and last syllable of the user’s name.

[email protected]

Task 2 – Spot the flags

Our beloved admin left some flags behind that we need to gather before we proceed to the next task.

Question 1 – What is flag 1?

  • View the source code of “We are hiring” article. There, search for “meta”. You will find your flag.

THM{L0L_WH0_US3S_M3T4}

Question 2 – What is flag 2?

  • View Source on the website home page.

THM{G!T_G00D}

Question 3 – What is flag 3?

  • Navigate to the following directory, which was revealed in the directory bruteforcing section – http://10.10.175.171/authors

THM{L0L_WH0_D15}

Question 4 – What is flag 4?

  • View the source code of “A cheers to our IT department” article. There, search for “meta”. You will find your flag.

THM{AN0TH3R_M3TA}
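
Two of the flags above sat in meta tags, which a browser never renders but which ship with every page. The following audit is an added example, not part of the original walkthrough: it walks a page's source and reports secret-looking strings found in attribute values and HTML comments. The THM{...} pattern stands in for whatever token formats a site must never publish; the sample page, its flag values and all names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Strings that must never ship in page source. The room's flags look like
# THM{...}; a real site would list its own key and token formats here.
SECRET = re.compile(r"THM\{[^}]+\}")


class HiddenTextAuditor(HTMLParser):
    """Collect secret-looking strings from places a browser does not render:
    attribute values (meta content, placeholders, ...) and HTML comments."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (location, matched string)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            for hit in SECRET.findall(value or ""):
                self.findings.append((f"<{tag} {name}>", hit))

    def handle_comment(self, data):
        for hit in SECRET.findall(data):
            self.findings.append(("comment", hit))


def audit_html(source):
    """Return every (location, secret) pair found in non-rendered markup."""
    auditor = HiddenTextAuditor()
    auditor.feed(source)
    auditor.close()
    return auditor.findings


# Constructed page with placeholder flags in three non-visible locations.
SAMPLE = """<html><head>
<meta name="description" content="THM{EXAMPLE_IN_META}">
</head><body>
<!-- todo: remove THM{EXAMPLE_IN_COMMENT} -->
<input type="text" placeholder="Search... THM{EXAMPLE_IN_ATTR}">
<p>Visible text is not inspected by this check.</p>
</body></html>"""

if __name__ == "__main__":
    for location, secret in audit_html(SAMPLE):
        print(f"{location}: {secret}")
```
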

Task 3 – Final stage

Let’s get into the box using the intel we gathered.

Question 1 – Let’s figure out the username and password to log in to the box. (The box is not on a domain)

Done

  • Use Remmina and the following credentials to RDP into the server.

Username: SG

Password: UmbracoIsTheBest!

Question 2 – Gain initial access to the machine, what is the contents of user.txt?

THM{N00T_NO0T}

Question 3 – Can we spot the admin password?

  • Found a folder named backup at C:\backup. Tried to open the file restore in it but faced a permission error. Let’s troubleshoot it.

restore.txt

  • First, right-click on the file and go to Properties. Then select the Security tab. Further, click on Edit and search for our username, SG. Click Apply and confirm the changes.

  • Opening the file gives us the admin password.

ChangeMeBaby1MoreTime

Question 4 – Escalate your privileges to root, what is the contents of root.txt?

  • Use the following credentials to RDP into the server as an admin.

THM{Y0U_4R3_1337}

Conclusion:

So that was “Anthem” for you. We started off with a regular nmap scan and found two open ports – 80 (HTTP) and 3389 (RDP). Next, we found a potential password in robots.txt. Following that, we performed a gobuster scan to reveal some directories. The results include the /install directory, which confirms that Umbraco CMS is running on the system. We got the domain name from the page footer and used Google to figure out the admin name and email address. Moving on to the next section, we captured 4 flags that were hidden in the page source of various parts of the website. At last, we got into the machine using RDP and then escalated privileges by exploiting permissions in the backup folder, which gives us our user and root flags. On that note, I will take my leave and will meet you in the next one. Till then, “Happy hacking”.
