Nmap

nmap scan 2

Not sure why port 80 never show up in the previous scan.

Explore 10.10.133.102

What is the domain of the website?

While looking through the website, found a “We are hiring” page.

It is written by Jane Doe.

Take note of the email: JD@anthem.com

When to click on the author and found a flag looking link. (Not sure for now if it is a flag.) But upon clicking the link, it goes back to the main blog page.

What is a possible password in one of the pages web crawlers check for?

/robots.txt

From below we can see there are a few websites that they disallowed for crawlers to crawl.

What CMS is the website using?

/umbraco

redirects me to a login page.

Looks like Umbraco is an open-source CMS.

What’s the name of the Administrator

While looking through the website, there is a poem that is written about the admin.

A simple google search on the poem reveals a name.

Can we find find the email address of the administrator?

Recall earlier that the author Jane Doe’s email is: JD@anthem.com

So the Administrator should have a similar email format: SG@anhtem.com

Next, we have to spot the flags.

Our beloved admin left some flags behind that we require to gather before we proceed to the next task..

Find the flags!

What is flag 1?

What is flag 2?

By inspecting the source code

We found the flag, hidden in the placeholder attribute of the search bar.

What is flag 3?

Recall earlier we found a flag looking link:

What is flag 4?

Let’s figure out the username and password to log in to the box.(The box is not on a domain)

Through our nmap scan there is the port 3389 open.

Recall we had earlier gotten a password from robots.txt file which we could try to log in with it.

I will be using remina to do a remote desktop connection into the target’s machine.

Hit yes.

I wasn’t able to get connected, and realised the username is wrong. After a few tries, I got connected with the username SG

Click the user file and get the first flag.

The hint for the root flag is: “It is hidden”

In C:\ directory, let’s try to view hidden files on the target’s desktop.

You could see backup and programData folder is shown. Let’s look into backup folder.

Let’s click on the restore file.

Looks like we do not have permission to open this file.

By checking the properties of the file, it mentions that the owner of the object can assign permissions.

If we check on details, the owner of the file is SG, which is the user we log in with.

Go back to the security section and click edit. Type in sg and click on Check Names.

You should see it change to the correct name of the user.

Set full control over the remote file and click ok.

You should be able to see some text now in the file.

Use that as the password to get administrative rights to access the Administrator folder.

Head to desktop.

You should be able to see the root file.

You will get the root flag to solve this machine.

Started my journey in cybersecurity on September 2020. This blog is used mainly to record my learning journey.