THM — Anthem

Yikai
Nov 23, 2020 · 7 min read


Nmap

kali@kali:~$ sudo nmap -sC -sV -O 10.10.133.102
[sudo] password for kali:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-22 02:41 EST
Nmap scan report for 10.10.133.102
Host is up (0.35s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
|_ System_Time: 2020-11-22T07:41:53+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2020-11-21T07:41:05
|_Not valid after: 2021-05-23T07:41:05
|_ssl-date: 2020-11-22T07:42:05+00:00; 0s from scanner time.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/22%OT=135%CT=1%CU=38829%PV=Y%DS=4%DC=I%G=Y%TM=5FBA1
OS:64E%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%T
OS:S=U)OPS(O1=M508NW8NNS%O2=M508NW8NNS%O3=M508NW8%O4=M508NW8NNS%O5=M508NW8N
OS:NS%O6=M508NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=
OS:Y%DF=Y%T=80%W=FFFF%O=M508NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%R
OS:D=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0
OS:%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%C
OS:D=Z)
Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.35 seconds

Nmap scan 2

Not sure why port 80 never showed up in the previous scan.

kali@kali:~$ nmap -T4 -p- -A 10.10.133.102
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-22 02:45 EST
Nmap scan report for 10.10.133.102
Host is up (0.36s latency).
Not shown: 65521 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-robots.txt: 4 disallowed entries
|_/bin/ /config/ /umbraco/ /umbraco_client/
|_http-title: Anthem.com - Welcome to our blog
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
|_ System_Time: 2020-11-22T07:59:59+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2020-11-21T07:41:05
|_Not valid after: 2021-05-23T07:41:05
|_ssl-date: 2020-11-22T08:00:14+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-22T08:00:00
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 909.40 seconds

Explore 10.10.133.102

What is the domain of the website?

While looking through the website, I found a “We are hiring” page.

It is written by Jane Doe.

Take note of the email: JD@anthem.com

When clicking on the author, I found a flag-looking link (not sure for now if it is a flag). But upon clicking the link, it just goes back to the main blog page.

What is a possible password in one of the pages web crawlers check for?

/robots.txt

From the file below we can see there are a few paths that crawlers are disallowed from crawling.
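A defender-side check for the same finding, added here and not part of the original walkthrough: it parses a robots.txt body and reports every line that is not a standard directive, which is exactly how a credential left in that file would surface. The function name and the sample body are constructed for this example; the real file's contents are not reproduced.

```powershell
# Added check (not from the walkthrough): flag anything in robots.txt that is
# not a recognised directive, so leaked notes or secrets stand out in review.
function Find-RobotsTxtAnomalies {
    param([Parameter(Mandatory)][string]$Body)

    $directives = 'user-agent', 'disallow', 'allow', 'sitemap', 'crawl-delay', 'host'
    $lineNo = 0
    foreach ($raw in ($Body -split "`r?`n")) {
        $lineNo++
        $line = $raw.Trim()
        if ($line -eq '') { continue }

        # Comments are legal but are the usual hiding place for "temporary" notes.
        if ($line.StartsWith('#')) {
            [pscustomobject]@{ Line = $lineNo; Text = $line; Reason = 'comment (review for leaked data)' }
            continue
        }
        $name, $value = $line -split ':', 2
        if ($null -eq $value -or $directives -notcontains $name.Trim().ToLower()) {
            [pscustomobject]@{ Line = $lineNo; Text = $line; Reason = 'not a robots.txt directive' }
            continue
        }
        $value = $value.Trim()
        # Disallow/Allow values must be URL paths; anything else is suspicious.
        if ($name.Trim().ToLower() -in 'disallow', 'allow' -and $value -ne '' -and -not $value.StartsWith('/')) {
            [pscustomobject]@{ Line = $lineNo; Text = $line; Reason = 'Disallow/Allow value is not a URL path' }
        }
    }
}

# Constructed sample body: the four Disallow entries are the ones the Nmap
# scan reported; the last two lines are made-up examples of what to catch.
$sample = @"
User-agent: *
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/
# reminder for ops: backup account password is NotTheRealValue123
Disallow: NotAPath
"@

Find-RobotsTxtAnomalies -Body $sample | Format-Table -AutoSize
```

To run it against a live site, pass `(Invoke-WebRequest -Uri "http://<host>/robots.txt" -UseBasicParsing).Content` as `-Body`.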

What CMS is the website using?

/umbraco redirects me to a login page.

Looks like Umbraco is an open-source CMS.

What’s the name of the Administrator?

While looking through the website, there is a poem that is written about the admin.

A simple google search on the poem reveals a name.

Can we find the email address of the administrator?

Recall earlier that the author Jane Doe’s email is: JD@anthem.com

So the Administrator should have an email in the same format: SG@anthem.com

Next, we have to spot the flags.

Our beloved admin left some flags behind that we need to gather before we proceed to the next task.

Find the flags!

What is flag 1?

What is flag 2?

By inspecting the source code

We found the flag, hidden in the placeholder attribute of the search bar.

What is flag 3?

Recall earlier we found a flag looking link:

What is flag 4?

Let’s figure out the username and password to log in to the box. (The box is not on a domain.)

From our Nmap scan we know port 3389 (RDP) is open.

Recall that we had earlier found a password in the robots.txt file, which we can try to log in with.

I will be using Remmina to make a remote desktop connection to the target machine.

Hit yes.

I wasn’t able to get connected, and realised the username was wrong. After a few tries, I got connected with the username SG.

Click the user file and get the first flag.

The hint for the root flag is: “It is hidden”

In the C:\ directory, let’s enable showing hidden files in the remote desktop session.

You can now see that the backup and ProgramData folders are shown. Let’s look into the backup folder.

Let’s click on the restore file.

Looks like we do not have permission to open this file.

The file’s properties dialog mentions that the owner of the object can assign permissions.

If we check the details, the owner of the file is SG, which is the user we logged in with.

Go back to the security section and click edit. Type in sg and click on Check Names.

You should see it change to the correct name of the user.

Grant SG full control over the file and click OK.

You should be able to see some text now in the file.
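The reason this worked is that Windows lets the owner of an object rewrite its DACL regardless of what the DACL currently says, so a "no permission" file owned by a standard user is only protected on paper. The audit below is added here and is not from the walkthrough; it reports files under a directory whose owner is a non-privileged account, and includes a remediation that moves ownership to Administrators. The function names and the C:\backup path are assumptions for this example.

```powershell
# Added audit (not from the walkthrough): list files whose owner is not a
# privileged principal. Such an owner can always grant themselves Full Control,
# as SG did with the restore file under C:\backup above.
function Find-OwnerBypassableFiles {
    param([Parameter(Mandatory)][string]$Root)

    # Ownership by these principals is expected and is not reported.
    $trustedOwners = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller'

    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        $acl   = Get-Acl -LiteralPath $_.FullName
        $owner = $acl.Owner
        if ($trustedOwners -contains $owner) { return }   # skip this file

        # Is there an explicit Allow ACE for the owner? Without one, Explorer
        # shows "access denied", yet the owner can still take Full Control.
        $ownerAllowed = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $owner
        })
        $finding = if ($ownerAllowed.Count -gt 0) { 'owner already has access' } else { 'denied by DACL, but owner can take Full Control' }
        [pscustomobject]@{ Path = $_.FullName; Owner = $owner; Finding = $finding }
    }
}

# Remediation for a finding: hand ownership to Administrators so a standard
# user can no longer rewrite the DACL. Must be run from an elevated shell.
function Set-AdministratorsOwner {
    param([Parameter(Mandatory)][string]$Path)
    & icacls.exe $Path /setowner 'BUILTIN\Administrators' /C | Out-Null
}

Find-OwnerBypassableFiles -Root 'C:\backup' | Format-Table -AutoSize
```

Backups that must stay readable only to administrators should be owned by Administrators (or SYSTEM), not by the account that happened to create them.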

Use that as the password to get administrative rights to access the Administrator folder.

Head to desktop.

You should be able to see the root file.

You will get the root flag to solve this machine.


Started my journey in cybersecurity in September 2020. This blog is used mainly to record my learning journey.