Anthem | TryHackMe Walkthrough
Task 1
Nmap Scan
nmap -sC -sV -Av -oN nmap/anthem 10.10.139.243
-sC — run all the default scripts
-sV — find the version of all the services running on the target
-A — run the scan in aggressive mode
-v — show output in verbose mode
-On — output to a file in Nmap format
Output
# Nmap 7.80 scan initiated Sun May 17 19:47:35 2020 as: nmap -sC -sV -Av -oA nmap/anthem 10.10.139.243
Nmap scan report for 10.10.139.243
Host is up (0.50s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 4 disallowed entries
|_/bin/ /config/ /umbraco/ /umbraco_client/
|_http-title: Anthem.com - Welcome to our blog
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
|_ System_Time: 2020-05-17T14:19:26+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Issuer: commonName=WIN-LU09299160F
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-04-04T22:56:38
| Not valid after: 2020-10-04T22:56:38
| MD5: 2814 61de 95b7 e9b5 4789 3027 7f1f 60d2
|_SHA-1: d47d 2a8f 6143 b820 936e 4120 cdd1 9ddc 5385 d285
|_ssl-date: 2020-05-17T14:19:36+00:00; 0s from scanner time.
8701/tcp filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-05-17T14:19:26
|_ start_date: N/ARead data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 17 19:49:38 2020 -- 1 IP address (1 host up) scanned in 123.08 seconds
We get a lot of information about the target from the above scan. Such as which service is running on which port. It also tells us about the domain name of the target. And it also finds that there is a robots.txt file on the website.
Web Analysis
The website is a blogging website that has 2 blog posts.
first let's visit the /robots.txt file that we found on the nmap scan.
it looks like we found a text which looks like a possible password for something, the nmap scan does not find that.Nmap scan shows us the four directories, lets's try to go to the /Umbraco one.
It looks like the login page is for some kind of CMS for posting content to the webpage we found on homepage.But we don’t have the credential to log in. So we must look at it after we find the credentials.
Let's try to find a Potential user for this CMS login. If you look at the second blog post on the website, It's a poem about the admin of the site.
If you check the hints it says search on your favorite search engine, So let's just copy the whole poem and search it on google (my favorite search engine) and we get the name of admin.
But the login page demands the email of the user. So let's find the email address of the admin. If you check on the hints then it says there is another email on the website which follows the pattern of the admin’s email. And if you look at the first blog post on the website, it has an email address of the author of the post which has the pattern of initials of the user’s name the domain name of the site.
By following the above pattern we should get the email address of the admin. To check that you can try to log in on the CMS with the email address and password we found on the /robots.txt file.
Task 2
In task 2 we have to find all the flags that are hidden on the website. If you look at the page source of each link that has references on the website, you will find all the flags. The question and flag don’t have a connection to each other so you have to try to submit flags for all questions and which one accepts it as the correct question for that flag.
Flag 1
Flag 2
Flag 3
Flag 4
Task 3
On task 3, we have to connect to the RDP service (Microsoft Terminal Service) running on the target machine by the credential we already found on task 1. But the question says that the box is not on the domain so exclude the domain name from the username.
User Flag
Once we get on the box, we got the user.txt on the desktop of the user.
Administrator’s Password
For getting the administrator privilege we have to find the administrator’s password. If check on hints it says it is hidden. So we have to enable the hidden option on the file explorer to find it. After doing that we found a backup folder on the C: drive which contains a restore file, if we try to open it, we get permission denied.
So we have to add our user group to the file’s property and grant all the permission over the file.
Now, we get to open the file to read it. And we got the administrator’s password.
Root Flag
Open the CMD with the administrator’s privilege and get the root.txt on the desktop of the administrator.
Connect me on LinkedIn
Connect me on GitHub
Follow my portfolio