A write up covering steps taken to solve Beginner level CTF : Anthem room in TryHackMe platform.
This blog is written as part of task of Masters Certification in Red Team Program from HackerU.
Step 1 : Connect to TryHackMe and start target machine.
- Download OpenVPN configuration setting from TryHackMe platform
- Connect to TryHackMe by running the command in kali terminal:
sudo openvpn /pathtoOVPNfile.ovpn
3. Start machine in ‘anthem’ room — target ip address will be displayed in a minute.
Step 2 : Information gathering using Nmap
- Start nmap scan of the target ip:
nmap -A -O <target ip>
2. Running dirbuster on target ip http://10.10.xx.xxx with /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Step 3: Detailed Findings
80 : http
3389 : ms-wbt-server
- Accessing port 80
Navigating to different directories found below flags:
- Navigating robots.txt
2. Navigate to: http://10.10.69.225/umbraco
3. Click on categories tab, View source code Found a flag 1
4. Click on IT department, View source code found a flag 2
5. Navigate to http://10.10.69.225/archive/we-are-hiring/ > View source code, found 3rd flag
6. Navigate to http://10.10.69.225/authors/jane-doe/ > found 4th flag
7. Navigating to http://10.10.69.225/archive/a-cheers-to-our-it-department/ > got a poem
8. Upon google searching the poem found as site suggest that author is admin > found admin name
9. Navigate to /umbraco login page is displayed > Try to login as admin user found
So, email id of solomon grundy will be SG@anthem.com and password found in robots.txt
10. Login to RDP as port 3389 is open, with above credentials
rdesktop -u SG -p UmbracoIsTheBest! <targetIP>
11. Found User.txt on desktop
12. Search for windows> run> Recent files
13. found recet.txt file, Change permission for the file recent.txt > Right click > properties > security > edit > add WIN-LU09229160F\Users > apply > ok.
14. Go to command prompt and access backup> restore.txt
Found, Administrator password:
15. Navigate to Administrator folder under C:/Users/Administrator > Users is asked enter password, entered password found in restore.txt
16. After successful login, navigate to Administrator/Desktop > found root.txt
With these steps, I was able to answer all the questions posted in Anthem room on TryHackMe.
Thank you for reading this blog..