Anthem[THM]: Writeup

A writeup covering the steps taken to solve the beginner-level CTF room Anthem on the TryHackMe platform.

This blog was written as part of a task for the Masters Certification in Red Team Program from HackerU.

Step 1 : Connect to TryHackMe and start target machine.

  1. Download the OpenVPN configuration file from the TryHackMe platform.
  2. Connect to TryHackMe by running this command in a Kali terminal:

sudo openvpn /pathtoOVPNfile.ovpn

  3. Start the machine in the ‘anthem’ room; the target IP address will be displayed in a minute.

https://tryhackme.com/room/anthem

Step 2 : Information gathering using Nmap

  1. Start an nmap scan of the target IP:

nmap -A -O <target ip>

nmap result

  2. Run dirbuster against the target http://10.10.xx.xxx with the wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Step 3: Detailed Findings

Open Ports:

80 : http

3389 : ms-wbt-server

Accessing port 80:

Navigating to the different directories revealed the flags below:

  1. Navigate to robots.txt

2. Navigate to: http://10.10.69.225/umbraco

3. Click on the categories tab and view the source code > found flag 1

4. Click on IT department and view the source code > found flag 2

5. Navigate to http://10.10.69.225/archive/we-are-hiring/ > view the source code > found the 3rd flag

6. Navigate to http://10.10.69.225/authors/jane-doe/ > found the 4th flag

7. Navigate to http://10.10.69.225/archive/a-cheers-to-our-it-department/ > got a poem

8. Searched Google for the poem; as the site suggests that the author is the admin, this gave the admin name:

solomon grundy

9. Navigate to /umbraco; the login page is displayed > try to log in as the admin user found above

The mail ID of jane doe is JD@anthem.com

So the email ID of solomon grundy will be SG@anthem.com, and the password was found in robots.txt

10. Since port 3389 is open, log in over RDP with the above credentials:

rdesktop -u SG -p UmbracoIsTheBest! <targetIP>

11. Found User.txt on desktop

12. Search for Windows > Run > Recent files

13. Found the recent.txt file. Change the permissions for the file recent.txt > right click > Properties > Security > Edit > add WIN-LU09229160F\Users > Apply > OK.

14. Go to the command prompt and access backup > restore.txt

Found, Administrator password:

15. Navigate to the Administrator folder under C:/Users/Administrator > the user is asked to enter a password; entered the password found in restore.txt

16. After successful login, navigate to Administrator/Desktop > found root.txt
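
The password used above came straight out of robots.txt, a file anyone can read, and the same file pointed at the /umbraco login. As an added example (not part of the original writeup), here is a small Python check a site owner could run on their own robots.txt before publishing it. The sample file, the passphrase in it and every hint word except "umbraco" are constructed for illustration.

```python
import re

# Directives defined by RFC 9309 plus widely used extensions.
KNOWN_DIRECTIVES = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay", "host"}

# Path fragments that suggest an admin or back-office area. "umbraco" comes
# from the writeup; the other entries are assumptions for illustration.
SENSITIVE_HINTS = ("umbraco", "admin", "backup", "config")

DIRECTIVE_RE = re.compile(r"^([A-Za-z-]+)\s*:\s*(.*)$")

# Constructed sample: a stray line of text above otherwise normal directives.
SAMPLE_ROBOTS = """\
ExamplePassphrase123!

# Use for all search robots
User-agent: *

Disallow: /bin/
Disallow: /umbraco/
Sitemap: http://example.test/sitemap.xml
"""


def audit_robots(text):
    """Return (line_number, kind, content) for each line worth reviewing."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and full-line comments are not parsed here
        # Remove a trailing comment only for directive parsing.
        match = DIRECTIVE_RE.match(stripped.split("#", 1)[0].strip())
        if not match or match.group(1).lower() not in KNOWN_DIRECTIVES:
            # Not a robots directive: notes, credentials or leftover text.
            findings.append((number, "stray-text", stripped))
            continue
        field, value = match.group(1).lower(), match.group(2).strip()
        if field in ("allow", "disallow") and any(h in value.lower() for h in SENSITIVE_HINTS):
            # robots.txt is not access control; this path is advertised publicly.
            findings.append((number, "sensitive-path", value))
    return findings


if __name__ == "__main__":
    for number, kind, content in audit_robots(SAMPLE_ROBOTS):
        print(f"line {number}: {kind}: {content}")
```

A "stray-text" finding should be removed from the file and any secret in it rotated; a "sensitive-path" finding means the path needs real authentication, since listing it in robots.txt only hides it from well-behaved crawlers.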

With these steps, I was able to answer all the questions posted in Anthem room on TryHackMe.

Thank you for reading this blog.
