
Anthem - THM

  • aldern00b
  • Jul 1, 2022

Exploit a Windows machine in this beginner level challenge.

This task involves you paying attention to details and finding the 'keys to the castle'. This room is designed for beginners; however, everyone is welcome to try it out! Enjoy the Anthem.

In this room, you don't need to brute force any login page. Just your preferred browser and Remote Desktop.


Enumeration shows

What port is for the web server? 80
What port is for remote desktop service? 3389


Here's the website we're working with:


Looking at the source, let's take note of this possible flag


Let's pop through a gobuster scan

gobuster dir -u http://10.10.10.173 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,htm,html

Okay, gobuster didn't work for me 'cause it kept timing out, so I switched over to dirb and got the robots.txt file.

What is a possible password in one of the pages web crawlers check for? UmbracoIsTheBest!
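
A defender-side check for the leak described above, as an added example that is not part of the original post: a small Python lint that flags robots.txt lines that are not directives (where a stray secret would sit) and Disallow entries that advertise back-office paths. The directive list, the path hints and the sample file are assumptions constructed for illustration.

```python
# Directives commonly seen in robots.txt (RFC 9309 plus widely used extensions).
KNOWN_DIRECTIVES = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay", "host"}
# Assumption: path fragments that usually point at an admin or back-office area.
SENSITIVE_HINTS = ("admin", "backup", "config", "umbraco", "login", "private")


def lint_robots(text):
    """Return (line_number, kind, value) findings for a robots.txt body."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # comments are not inspected here
        if not line:
            continue
        field, sep, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if not sep or field not in KNOWN_DIRECTIVES:
            # Crawlers ignore this line, but every visitor can read it.
            findings.append((num, "stray-text", line))
        elif field == "disallow" and any(h in value.lower() for h in SENSITIVE_HINTS):
            # The file is public, so this path is advertised, not hidden.
            findings.append((num, "sensitive-path", value))
    return findings


# Constructed sample modelled on the finding in this write-up.
SAMPLE = """\
UmbracoIsTheBest!

# Use for all search robots
User-agent: *
Disallow: /bin/
Disallow: /umbraco/
"""

if __name__ == "__main__":
    for num, kind, value in lint_robots(SAMPLE):
        print(f"line {num}: {kind}: {value}")
```
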

From our dirb, we get a few folders to access, and if we put that together with our nmap, we can see what the CMS is called.

What CMS is the website using? umbraco

For the domain name, we can get that from the NMAP we did at the start.

What is the domain of the website? Anthem.com

For the name of the admin, we visit a blog post about the IT dept and then do a quick search for the poem that was written about them. Turns out that poem was about Solomon Grundy.

What's the name of the Administrator? Solomon Grundy

To find the email, we know that it's a two-letter initial followed by @anthem.com


We know the admin's name is Solomon Grundy, so we put those initials in there and get our answer.

Can we find the email address of the administrator? SG@anthem.com

As we poked around, there were flags we saw, so let's just plop them in. Most of them were in the page sources.


What is flag 1? THM{L0L_WH0_US3S_M3T4}
What is flag 2? THM{G!T_G00D}
What is flag 3? THM{L0L_WH0_D15}
What is flag 4? THM{AN0TH3R_M3TA}

For the login, I first thought that we could brute force the login page with hydra but then I remembered the intro says we don't need to brute force anything...


Let's get access now! We can log in with the information we found above:

sg:UmbracoIsTheBest!


The desktop has the first flag file

Gain initial access to the machine, what is the contents of user.txt? THM{N00T_NO0T}

The next question gives us a hint of 'it's hidden'. Looking around for hidden files and folders, we find a hidden backup folder with a restore.txt file. We can't read it out of the box, but we are able to right-click and change the security settings to give sg full permissions and read the file.

Can we spot the admin password? ChangeMeBaby1MoreTime

Now that we have the password, the last part is getting the "root" flag. For this, we COULD just log out and back in as admin, but I'm lazy, so we'll just run a command window as admin, pass the password we just found and then write that file to the screen.

Escalate your privileges to root, what is the contents of root.txt? THM{Y0U_4R3_1337}
