Anthem — TryHackMe WriteUp

Wilklins Nyatteng
Published in System Weakness
5 min read, Aug 21, 2023

We embark on a beginner-friendly challenge presented by TryHackMe, where the Windows machine of the Anthem room awaits our exploration.

Challenge Description

Exploit a Windows machine in this beginner level challenge.

This task involves you paying attention to details and finding the ‘keys to the castle’. This room is designed for beginners; however, everyone is welcome to try it out!

Enjoy the Anthem.

In this room, you don’t need to brute force any login page. Just your preferred browser and Remote Desktop.

I started an Nmap scan and found 2 open ports.

└─$ nmap --min-rate 1000 -p- 10.10.42.105           
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-18 19:34 EAT
Nmap scan report for 10.10.42.105
Host is up (0.29s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 201.99 seconds

Next was a service scan on the open ports.

└─$ nmap -p80,3389 -A 10.10.42.105                  
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-18 19:39 EAT
Nmap scan report for 10.10.42.105
Host is up (0.30s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
|_ System_Time: 2023-08-18T16:39:22+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2023-08-17T16:31:39
|_Not valid after: 2024-02-16T16:31:39
|_ssl-date: 2023-08-18T16:40:41+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
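The service scan above is the first place a defender gets a picture of what the host exposes, so it is worth turning it into structured findings rather than reading it by eye. The following Python is an added example (not part of the original write-up or of Nmap itself): it parses the port table and the `rdp-ntlm-info` fields from the scan output shown above and turns them into review findings. The `RISKY_SERVICES` table and the "standalone host" heuristic (NetBIOS domain name equal to the computer name) are my own assumptions, not Nmap output.

```python
import re

# Copied from the service scan above so the example runs offline.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
|_ System_Time: 2023-08-18T16:39:22+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# "80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "| Target_Name: WIN-..." or "|_ System_Time: ..."; script headers such as
# "| rdp-ntlm-info:" contain a hyphen and deliberately do not match.
SCRIPT_FIELD_RE = re.compile(r"^\|_?\s*([A-Za-z_]+):\s*(.*)$")

# Assumed review policy (my own, not from the scan): services that should not
# face an untrusted network, with the mitigation to recommend.
RISKY_SERVICES = {
    3389: "RDP exposed; restrict to VPN/jump host and enforce NLA plus MFA",
}


def parse_nmap(text):
    """Return a list of port dicts; NSE key/value lines attach to the port above them."""
    ports = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": {},
            }
            ports.append(current)
            continue
        if line.startswith("|") and current is not None:
            m = SCRIPT_FIELD_RE.match(line)
            if m and m.group(2):
                current["scripts"][m.group(1)] = m.group(2)
    return ports


def open_ports(ports):
    """Sorted list of port numbers in state 'open'."""
    return sorted(p["port"] for p in ports if p["state"] == "open")


def triage(ports):
    """Produce (port, finding) pairs a defender would put in a report."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        if p["port"] in RISKY_SERVICES:
            findings.append((p["port"], RISKY_SERVICES[p["port"]]))
        s = p["scripts"]
        if "Product_Version" in s:
            findings.append((p["port"], f"OS build {s['Product_Version']} disclosed via rdp-ntlm-info"))
        # Heuristic: on a workgroup (non-domain-joined) host the NetBIOS
        # domain name is just the computer name.
        host = s.get("DNS_Computer_Name")
        if host and host == s.get("NetBIOS_Domain_Name"):
            findings.append((p["port"], f"{host} looks like a standalone host (not domain-joined)"))
    return findings


if __name__ == "__main__":
    parsed = parse_nmap(NMAP_OUTPUT)
    print("open ports:", open_ports(parsed))
    for port, msg in triage(parsed):
        print(f"  {port}/tcp: {msg}")
```

The build number and hostname come for free from `rdp-ntlm-info` before any credential is tried, which is exactly why RDP on a public-facing interface is a finding on its own, regardless of the password strength.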

Enumeration and Exploitation

HTTP (Port 80)

I accessed the IP in a browser. It is a blog site.

I checked /robots.txt and found useful information: UmbracoIsTheBest!, which was one of the passwords and the answer to a task on web crawlers. From this we can also see that the site CMS is Umbraco.
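robots.txt is public by definition, so anything in it is disclosed to everyone. Two things are worth auditing in your own file: values in `Disallow` lines that are not paths at all (a password pasted there, as in this room), and the paths that are listed, each of which must be protected by authentication rather than by being hidden from crawlers. The Python below is an added example, not part of the write-up; the page does not reproduce the room's robots.txt, so `SAMPLE_ROBOTS` is a constructed file that mimics the described situation.

```python
# Constructed sample (the room's real robots.txt is not shown on the page).
SAMPLE_ROBOTS = """\
# robots.txt for the blog
User-agent: *
Disallow: /umbraco/
Disallow: /install/   # installer should be removed after setup
Disallow: UmbracoIsTheBest!
Allow: /blog/
Sitemap: http://example.invalid/sitemap
"""


def parse_robots(text):
    """Return (directive, value) tuples; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        directive, value = line.split(":", 1)
        entries.append((directive.strip().lower(), value.strip()))
    return entries


def suspicious_values(entries):
    """Allow/Disallow values that are not URL paths.

    A crawler can only honour a value starting with '/' (or a '*' wildcard);
    anything else cannot be a rule, so it is most likely a stray secret or
    note that ended up in a world-readable file.
    """
    return [
        value
        for directive, value in entries
        if directive in ("allow", "disallow")
        and value
        and not value.startswith(("/", "*"))
    ]


def hidden_paths(entries):
    """Paths the owner wants crawlers to skip: each one should be checked to
    confirm it is protected by auth, since robots.txt itself advertises it."""
    return sorted({v for d, v in entries if d == "disallow" and v.startswith("/")})


if __name__ == "__main__":
    parsed = parse_robots(SAMPLE_ROBOTS)
    print("non-path values (possible leaks):", suspicious_values(parsed))
    print("advertised hidden paths:", hidden_paths(parsed))
```

Running this as part of a pre-deploy check catches the "password in robots.txt" mistake before the file is published, and the `hidden_paths` list doubles as a checklist for confirming that the CMS back office and any installer endpoint require a login.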

On viewing the page source I found a flag: THM{G!T_G00D}.

On reading the articles I found an email address (JD@anthem.com) and an author (Jane Doe).

Clicking on Jane Doe I found another flag (THM{L0L_WH0_D15}).

There was a flag in the page source of the "We Are Hiring" post (THM{L0L_WH0_US3S_M3T4}).

Checking the page source of each article I located more flags.

The second article is a poem. It has some information for us.

It took me a while to get around the site to locate the name of the administrator. So I copied the poem into a search engine and found that it is an English nursery rhyme. The administrator is Solomon Grundy.

I did a directory scan using Gobuster and found an interesting directory: /install (Status: 302) [Size: 126] [--> /umbraco/]

└─$ gobuster dir -u http://10.10.154.218 --wordlist=/usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.154.218
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/08/18 20:41:42 Starting gobuster in directory enumeration mode
===============================================================
/Archive (Status: 301) [Size: 118] [--> /]
/Blog (Status: 200) [Size: 5399]
/RSS (Status: 200) [Size: 1877]
/Search (Status: 200) [Size: 3472]
/SiteMap (Status: 200) [Size: 1047]
/archive (Status: 301) [Size: 123] [--> /blog/]
/authors (Status: 200) [Size: 4120]
/blog (Status: 200) [Size: 5399]
/categories (Status: 200) [Size: 3546]
/install (Status: 302) [Size: 126] [--> /umbraco/]
/rss (Status: 200) [Size: 1867]
/search (Status: 200) [Size: 3422]
/sitemap (Status: 200) [Size: 1042]
/tags (Status: 200) [Size: 3549]

===============================================================
2023/08/18 22:06:28 Finished
===============================================================
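Two details in the Gobuster output above are easy to skim past: most paths appear twice, differing only in case (IIS on Windows serves paths case-insensitively, which is why /Blog and /blog report the same size), and /install answers with a redirect into /umbraco/, meaning an installer endpoint is still routable after setup. The Python below is an added example, not part of the write-up or of Gobuster, that parses the result lines shown above, groups the case variants and lists the redirects so a reviewer sees the distinct resources and the endpoints to lock down.

```python
import re

# Copied from the Gobuster run above (result lines only) so the example runs offline.
GOBUSTER_OUTPUT = """\
/Archive (Status: 301) [Size: 118] [--> /]
/Blog (Status: 200) [Size: 5399]
/RSS (Status: 200) [Size: 1877]
/Search (Status: 200) [Size: 3472]
/SiteMap (Status: 200) [Size: 1047]
/archive (Status: 301) [Size: 123] [--> /blog/]
/authors (Status: 200) [Size: 4120]
/blog (Status: 200) [Size: 5399]
/categories (Status: 200) [Size: 3546]
/install (Status: 302) [Size: 126] [--> /umbraco/]
/rss (Status: 200) [Size: 1867]
/search (Status: 200) [Size: 3422]
/sitemap (Status: 200) [Size: 1042]
/tags (Status: 200) [Size: 3549]
"""

# "/path (Status: 302) [Size: 126] [--> /umbraco/]"; the redirect part is optional.
LINE_RE = re.compile(
    r"^(/\S*)\s+\(Status:\s*(\d+)\)\s+\[Size:\s*(\d+)\](?:\s+\[-->\s*([^\]]+)\])?"
)


def parse_gobuster(text):
    """Return one dict per result line; non-result lines (banners, rules) are ignored."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results.append({
                "path": m.group(1),
                "status": int(m.group(2)),
                "size": int(m.group(3)),
                "redirect": m.group(4),
            })
    return results


def collapse_case_variants(results):
    """Group paths that differ only by case, which a case-insensitive server
    (IIS here) treats as the same resource. Returns {lowercase_path: [variants]}."""
    groups = {}
    for r in results:
        groups.setdefault(r["path"].lower(), []).append(r["path"])
    return groups


def redirect_targets(results):
    """Paths answering 301/302 with a Location, as {path: target}; redirects into
    an admin or installer area are the ones to verify are access-controlled."""
    return {
        r["path"]: r["redirect"]
        for r in results
        if r["status"] in (301, 302) and r["redirect"]
    }


if __name__ == "__main__":
    parsed = parse_gobuster(GOBUSTER_OUTPUT)
    groups = collapse_case_variants(parsed)
    print(f"{len(parsed)} hits, {len(groups)} distinct resources")
    for path, target in redirect_targets(parsed).items():
        print(f"  {path} -> {target}")
```

The grouping is a review aid rather than proof of identity: on this host /Archive and /archive both redirect but to different targets (/ versus /blog/), so each group still deserves a glance. For a site owner, the actionable output is the redirect list: an /install path that still leads into the CMS back office should be removed or blocked once installation is done.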

On accessing it, I was redirected to a login page. From Solomon Grundy I could easily tell the format of the email address, so I used SG@anthem.com as my email address and the password we found earlier in /robots.txt.

ms-wbt-server (Port 3389)

We had our admin credentials, SG:UmbracoIsTheBest!. I tried using the admin email address (SG@anthem.com) but it kept failing, so I removed the domain part of the mail. I then logged into the machine via RDP using rdesktop and it was successful.

On the desktop I found a user file (THM{REDACTED}). Our user flag.

I jumped onto the hint we were given on getting the admin password, so I went to Control Panel to allow hidden folders and files to be visible.

In the C:/ drive there was a file named backup. It had a file named restore.

I had no permission to open it, so I had to go to the file settings.

On the Security tab, I used Advanced, then added the user name SG in the Add section, clicked on Check Names and it added my account.

On viewing the contents, I found my admin password (****e***1Mo***Time).

I used the new credentials to log in. I had issues using rdesktop, so I switched to Remmina.

On the admin desktop I found a root file which was my root flag (THM{REDACTED}).

About the author

Wilklins Nyatteng is a cyber security enthusiast with interest in penetration testing & vulnerability assessments, OSINT, cloud security. Certified Cyber Security professional by Trend Micro, 9x Microsoft Certified, CEH Master and AWS Solutions Architect — Associate.
