Anthem
This is my write-up for the TryHackMe box known as Anthem located at: https://tryhackme.com/room/anthem.
Website Analysis
The first thing I did was run nmap against the IP address. I did this with the following command:
I then got the following as the result:
What port is for the web server? 80
What port is for remote desktop service? 3389
From this point, I went on to browse the webpage to see if there was anything suspicious or anything that stood out for me to use. After browsing around and not finding anything, I decided to run DirBuster on the website:
Although I was getting a lot of information from the DirBuster search, it was the hint for the question which got me further:
My first thought after looking at this was robots.txt, and sure enough when I went to that webpage, I found this:
What is a possible password in one of the pages web crawlers check for? UmbracoIsTheBest!
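A defender-side check for the robots.txt leak described above, as an added example that is not part of the original write-up: it flags lines that are not robots directives (where a stray secret would show up) and Disallow entries that advertise administrative paths. The sample file, its paths and the hint list are constructed for illustration; only the password string comes from this page.

```python
# Directives from the Robots Exclusion Protocol (RFC 9309) plus common extensions.
KNOWN_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay", "host"}

# Path fragments that advertise admin or internal areas (assumed list; tune per site).
SENSITIVE_HINTS = ("admin", "umbraco", "config", "backup", "bin", "install")

# Constructed sample: a robots.txt with a stray free-text line at the top.
SAMPLE = """\
UmbracoIsTheBest!

# Use for all search robots
User-agent: *
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /images/
"""


def audit_robots(text):
    """Return (stray_lines, sensitive_paths), each a list of (line_number, value)."""
    stray, sensitive = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        field, sep, value = line.partition(":")
        field = field.strip().lower()
        # Anything that is not "known-field: value" does not belong in the file.
        if not sep or field not in KNOWN_FIELDS:
            stray.append((lineno, line))
            continue
        value = value.strip()
        # Disallow rules are public, so sensitive paths listed here are disclosed.
        if field == "disallow" and any(h in value.lower() for h in SENSITIVE_HINTS):
            sensitive.append((lineno, value))
    return stray, sensitive


if __name__ == "__main__":
    stray, sensitive = audit_robots(SAMPLE)
    for lineno, line in stray:
        print(f"line {lineno}: not a robots directive: {line!r}")
    for lineno, path in sensitive:
        print(f"line {lineno}: Disallow discloses sensitive path: {path}")
```

Running this against the deployed robots.txt in a release pipeline catches free-text lines like the one above before they are published.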
What CMS is the website using? Umbraco
For the previous question, I took a look at this writeup, which made me realize that Umbraco was a CMS all along. As for the next question, a quick glance at the main page can show you what the domain name is:
What is the domain of the website? Anthem.com
I was having a hard time trying to find the admin of the website. I looked all around the website, looking through the JavaScript and HTML, and was not able to find anything. I then viewed this write-up to see where I went wrong. I had to look more closely at the "poem" on one of the pages:
Instead of searching about this online, I realized that I might have heard this before in reference to Solomon Grundy (maybe in regards to Comics?). I tried it and it worked as the answer!
What's the name of the Administrator? Solomon Grundy
Using the hint from TryHackMe, I realized that I had to find the naming scheme for the email. I then found this:
Can we find the email address of the administrator? SG@anthem.com
Spot the flags
I had to use the hint for the first flag. The hint was "Have we inspected the pages yet?", and then I tried to go off of that, and got nowhere. I then viewed the same write-up and noticed that the author used Burp Suite. I realized that I would try to do the same. I then found the flag:
For Flag 2, I just found it in the source of the main page:
For Flag 3, I was looking around on different pages, and ended up finding it on the site: <IP_address>/authors/jane-doe:
For Flag 4, I then found it following the same steps as Flag 1:
Final Stage
We have to figure out the username and password for the box. My first thought was to make a name list based on the names I saw on the website. I looked at the other port, other than 80, and it was 3389. Port 3389 was used for RDP, also known as Remote Desktop Protocol. I then had to find software to get access to the desktop of the machine. I found out about rdesktop, and used it. As for the username, I viewed this write-up and realized that the username would be SG. It took me a while to get the password, which was from the first section of the machine: UmbracoIsTheBest! I then used that information to log in using the command:
After I entered the password, I then saw the following:
I opened the user.txt file, and got the following:
Gain initial access to the machine, what is the contents of user.txt? THM{N00T_NO0T}
After I was lost for a while trying to find an answer to the next question, I viewed this write-up, and noticed that a folder was hidden in the C:\ drive. In order to view it, you had to change the settings to view the hidden folder:
I was then able to see the hidden folder:
I was unable to view the file, because I did not have permissions. I then changed the permissions to be for SG:
I was then able to view the file:
Can we spot the admin password? ChangeMeBaby1MoreTime
I did not have any idea about how to get root on a Windows machine. I then viewed the same previous write-up and noticed that we have the admin password. So we can use PowerShell at an admin level. I then got into the Desktop folder of the root and got the flag:
Lessons Learned
This is one of my first 5 Windows machines that I have learned to work on. I did learn a lot, from making sure to look for hidden folders to how to spot flags using Burp Suite. It was a great box. It took me about 3 hours to complete. A lot of that had to do with my lack of knowledge in Windows exploitation. In addition, enumerating took me a while, since some searches were taking a long time, so I had to go find an alternative.