TryHackMe - Anthem

Exploiting a Windows machine

TRYHACKME

5/1/2024 · 5 min read


Alrighty, this is my second beginner TryHackMe challenge, which has us try to exploit a Windows machine. Let's do this.

First I start up the target machine and connect to TryHackMe via OpenVPN. My target IP address is 10.10.105.81.

Website Analysis

Let's run nmap and check what ports are open.

Open a new terminal and run the command nmap -v -A 10.10.105.81. Once complete, the output shows there are 2 open ports, port 3389 and port 80, both of which are TCP ports.

What port is for the web server?

From the previous command's output we can see that the web server's open port is 80.

What port is for remote desktop service?

Again, from the previous output we can see that port 3389 is the open port for remote desktop services (and is also the default port).

What is a possible password in one of the pages web crawlers check for?

OK, first off I'm just going to browse the web server from an internet browser. It's just a basic website. Some information I'll manually observe by browsing the site and note down:

  • Domain: anthem.com

  • Author: Jane Doe

  • Email: JD@anthem.com

  • Author: James Orchard Halliwell

Then I'll have a look at the source code of the website.

  • THM{G!T_G00D}

  • THM{L0L_WH0_D15}

  • THM{AN0TH3R_M3TA}

  • THM{L0L_WH0_US3S_M3T4}

Now if we run gobuster to enumerate directories using the command gobuster dir -u http://10.10.105.81 -w /usr/share/wordlists/dirb/common.txt we get the following output.

So now, after those tangents, there is a hint for the question that we are looking for a txt file. In the above output we can see a robots.txt file, and the question asks what web crawlers look for, so it's definitely this. Let's open that in the browser by browsing to http://10.10.105.81/robots.txt. And here is what it contains:

That string at the top looks like a potential password, doesn't it? Let's add it to the answer. That's the ticket.

What CMS is the website using?

I don't know much about CMS types, but looking at the folders, umbraco sticks out. A quick Google on that shows me that Umbraco is a CMS. Add that to the answer and we have a winner.

What is the domain of the website?

During my initial browsing of the website I found references to the domain anthem.com, which indeed is the answer.

What's the name of the Administrator?

The hint for this question tells us to consult a search engine. Let's do a search for the default administrator name for the Umbraco CMS. Results show that the default username is admin and the default password is test. Let's try admin as the answer. Nope.

Thinking a bit more about it, there is a blog by someone in the IT department named James Orchard Halliwell, whose name we wrote down earlier. Let's try entering his full name as the administrator. Nope. How about just entering James Halliwell? Wrong again.

Honestly, I had to check out someone else's post on this one to answer this question. It seems I needed to Google the poem, as that was written for the admin. When we do, we find the name Solomon Grundy. Enter that and we can continue. So random, but I guess it's to get you thinking about all aspects of finding information.

Can we find the email address of the administrator?

Now that we know the admin's name, we can simply try the email format of Jane Doe's that we found on the website. So let's try SG@anthem.com as the answer, and we are correct.

Spot the flags

What is flag 1? Hint: Have we inspected the pages yet?

I answered flags 2 & 3 first as they were a bit more specific. I tried the two remaining strings I found in the web pages' source code, of which THM{L0L_WH0_US3S_M3T4} is the answer.

What is flag 2? Hint: Search for it

For this one, the string we found earlier, THM{G!T_G00D}, was in the source code referring to search. Dump that in the answer and let's go.

What is flag 3? Hint: Profile

As part of Jane Doe's profile we see the string THM{L0L_WH0_D15}. Enter that and let's move on.

What is flag 4? Hint: Have we inspected the pages yet?

Last one left, THM{AN0TH3R_M3TA} is the correct answer here.

Final Stage

Let's figure out the username and password to log in to the box. (The box is not on a domain.)

For this one you don't have to answer a question; however, I'm going to go ahead and guess that it's the same login details as for the CMS, which I successfully logged in with. So SG for the username (no domain, as specified) and UmbracoIsTheBest! as the password, which was found in the robots.txt file.

Gain initial access to the machine, what is the contents of user.txt?

From Kali I ran the command xfreerdp /u:SG /p:UmbracoIsTheBest! /v:10.10.105.81 /dynamic-resolution to attempt an RDP connection. Looks like it worked!

User.txt is on the desktop of the computer and contains the following text: THM{N00T_NO0T}

Can we spot the admin password?

Let's now have a look for the admin password. The hint says that it's hidden. The first thing I'll do is open File Explorer and show hidden files & folders. On the C: drive I see a hidden folder called backup with a file named restore.txt. It needs the administrator password to open.

Let's try and add ourselves to the permissions for that file. Oh wow, we got access and can now read what's in the file: ChangeMeBaby1MoreTime

Now I know I should probably use the command line here, but I'll look at that another time.

Escalate your privileges to root, what is the contents of root.txt?

I opened up PowerShell as Administrator and successfully used the password I found. I did a little Googling to find how to search using PowerShell and ran Get-Childitem -Path C: -Include root.txt? -Recurse -ErrorAction SilentlyContinue. Nothing.

Let's jump into File Explorer and open up C:\Users\Administrator to see what's in there. I can see root.txt on the Administrator's desktop, and in the file is THM{Y0U_4R3_1337}. Nice.
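As an added example that is not part of the original write-up, here is how the three File Explorer steps above (showing hidden folders, checking who has rights on restore.txt, and locating root.txt) can be done from PowerShell on the box. It assumes the paths the write-up mentions (C:\backup\restore.txt and the C: drive) and uses -Filter with an exact name, since the ? in root.txt? is a one-character wildcard that never matches the real file name.

```powershell
# Added example, not code from the original write-up.
# Assumes the paths named in the write-up: C:\backup\restore.txt and C:\.

# 1. List hidden items in the root of C:, the command-line equivalent of
#    "show hidden files & folders" in File Explorer. -Force includes hidden
#    and system items that Get-ChildItem otherwise skips.
Get-ChildItem -Path 'C:\' -Force |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    Select-Object Name, Attributes

# 2. Audit the ACL on the backup file. An entry giving a standard user
#    FullControl, ChangePermissions (WriteDAC) or TakeOwnership is what lets
#    that user add itself to the permissions and read the file; on a
#    hardened box only Administrators/SYSTEM should hold those rights.
$file = 'C:\backup\restore.txt'
$acl  = Get-Acl -Path $file
"Owner of ${file}: $($acl.Owner)"
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 3. Find root.txt by its exact name anywhere on the volume.
#    'C:\' (with the backslash) means the drive root; 'C:' alone means the
#    current directory on that drive. -Filter matches the name exactly.
Get-ChildItem -Path 'C:\' -Filter 'root.txt' -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
```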

I am sure there are better ways of achieving the same results but hey we got there in the end and down the track I will no doubt learn the better methods.