Anthem

Pavithra Santhosh
Jun 13, 2021


Introduction

Hello Folks!!!

This task involves paying attention to details and finding the keys to the castle.

This room is designed for beginners; however, everyone is welcome to try it out!

Deploy

TASK 1 :- Website Analysis

  1. Let’s run nmap and check what ports are open

#nmap -Pn 10.10.151.13

Recon

2. What port is for the web server?

From the nmap scan result, we see that port 80 is the web server.

3. What port is for remote desktop service?

From the scan result, we see that the remote desktop service is running on port 3389.

4. What is a possible password in one of the pages web crawlers check for?

Since port 80 is open, we will look for robots.txt on the server to find any useful information.

robots.txt

robots.txt is populated with details, including a string that looks like a password, so we will try it as the answer.

UmbracoIsTheBest!
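From the defender's side, this finding comes down to a robots.txt that holds something other than crawler directives. The Python sketch below is an added example, not part of the original write-up or the room; the function name `audit_robots` and the sample file content are constructed for illustration. It flags lines that are not crawler directives and lists the paths the file advertises to every reader.

```python
import re

# Field names commonly accepted in robots.txt (RFC 9309 plus common extensions).
KNOWN_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay"}
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z-]*)\s*:\s*(.*)$")


def audit_robots(text):
    """Return (stray_lines, advertised_paths) for a robots.txt body.

    stray_lines: (line_number, content) for lines that are neither blank,
    a comment, nor a known "field: value" directive. The file is served to
    anyone who asks, so free text in it (notes, credentials) is public.
    advertised_paths: non-empty Disallow values, which point every reader
    at locations the owner would rather keep out of search results.
    """
    stray, advertised = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        directive = stripped.split("#", 1)[0].strip()  # drop trailing comment
        match = LINE_RE.match(directive)
        if not match or match.group(1).lower() not in KNOWN_FIELDS:
            stray.append((number, stripped))
            continue
        field, value = match.group(1).lower(), match.group(2).strip()
        if field == "disallow" and value:
            advertised.append(value)
    return stray, advertised


# Constructed sample modelled on this write-up's finding (not the room's file).
SAMPLE = """\
UmbracoIsTheBest!

# crawler rules
User-agent: *
Disallow: /umbraco/
Disallow: /config/
Notes: remove before go-live
"""

if __name__ == "__main__":
    stray_lines, paths = audit_robots(SAMPLE)
    for number, content in stray_lines:
        print(f"line {number}: not a crawler directive: {content!r}")
    for path in paths:
        print(f"advertised path, confirm it requires authentication: {path}")
```

Anything reported as a stray line should be removed from the file and, if it is a credential, rotated, since the file has already been public.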

5. What CMS is the website using?

The image above shows that the CMS of the website is Umbraco.

6. What is the domain of the website?

web server

7. What’s the name of the Administrator?

After searching further through the website, we find some lines of a poem.

webserver

As per the TryHackMe hint, we will copy and paste it into a search engine.

google search

The name of the Administrator is Solomon Grundy.

8. Can we find the email address of the administrator?

The author of the Anthem blog is Jane Doe, and her email address is JD@anthem.com.

The name of the admin is Solomon Grundy, so following the same pattern the admin's email address will be SG@anthem.com.

TASK 2 :- Spot the flags

  1. What is flag 1?

As per the hint, we have to inspect the pages.

web-server

We will check the page source of the first article.

page-source

We found a flag, which we will submit to check.

THM{L0L_WH0_US3S_M3T4}

2. What is flag 2?

As per the hint, we will search the page source of the first article again.

page-source

We got flag 2.

THM{G!T_G00D}

3. What is flag 3?

As per the hint, we have to search in the profile.

By clicking on the author name, we got flag 3.

Author page

THM{L0L_WH0_D15}

4. What is flag 4?

According to the hint, we will search the page source of the second article.

page-source

THM{AN0TH3R_M3TA}

TASK 3 :- Final Stage

  1. Let’s figure out the username and password to log in to the box. (The box is not on a domain.)
  2. Gain initial access to the machine. What are the contents of user.txt?

As we already know the username and password, let's log in with rdesktop.

#rdesktop -u SG -p UmbracoIsTheBest! 10.10.151.13

Remote Desktop

Open the user file on the desktop of the user SG.

Remote desktop of SG

We got the user flag.

user flag

2. Can we spot the admin password?

Go to the C drive and select the option View → hidden files.

This reveals the backup folder.

Inside the backup folder, open the restore file.

The restore file cannot be opened without the right permissions, so give the SG user the full control permission on it.

Open the restore file after applying the permissions.

admin password

3. Escalate your privileges to root. What are the contents of root.txt?

We now have the password for admin, so we will run cmd as administrator.

Root flag

In this blog we learned about a new Windows privilege escalation technique.

I hope you found this blog informative and interesting.

Written by Pavithra Santhosh

This is Pavithra Santhosh, an aspiring cyber security professional, currently part of the Red Team certification programme from Hacker U.
