TryHackMe: Anthem – Walkthrough

It is time to look at the Anthem box on TryHackMe, a beginner level box containing a Windows machine that is asking to be exploited.

Anthem Room Banner

Box URL: https://tryhackme.com/r/room/anthem

I am making these walkthroughs to keep myself motivated to learn cyber security, and to make sure I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.


Task 1: Website Analysis

Alright, let’s get started!

Questions

Let’s run nmap and check what ports are open.

Once more into the fray. Start up your AttackBox or, if you prefer, connect to the machine over OpenVPN with the following command:

sudo openvpn <file_name>.ovpn

As always, to find out the open ports we can use Nmap. Use the following command:

nmap -sV -sC -v <target ip>

The argument -sV does version detection, -sC runs Nmap's default script set, and -v increases verbosity. This should be enough to get started.

Nmap results showing a web server and remote desktop service

We found two open ports, but no answer is needed here, so let’s move on!

Answer: No answer needed

What port is for the web server?

One of the open ports is port 80, the default port for unencrypted HTTP traffic.

Answer: 80

What port is for remote desktop service?

The other open port is port 3389, the default port for the Remote Desktop Protocol (RDP), which Windows Remote Desktop and Remote Assistance use.

Answer: 3389

What is a possible password in one of the pages web crawlers check for?

Let’s start by looking around on the website. Open the site in your favorite browser. We will be met by a blog called Anthem:

Blog homepage

It seems like a pretty standard default blog.

The blog page

But if we click on the author we find the author page which shows a flag:

First flag found?

If you move to flag 3, you can “hand in” this flag as flag number 3.

The page source looks ordinary as well, so let's have a look at sitemap.xml and robots.txt, two files that often reveal paths and folders the site owner did not intend to advertise.

The sitemap.xml file does not give us much:

sitemap.xml file

Let’s have a look at the robots.txt file:

Robots.txt file

We hit the jackpot here! Not only do we find some additional paths to explore, but we also get a hint about the CMS in use (Umbraco) and a line that looks very much like a password!

Answer: UmbracoIsTheBest!
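Because robots.txt is served to every visitor, anything placed in it is public. The following Python script is an added example (not from the original post or the room) that parses a robots.txt body, lists the Disallow paths pointing at a CMS backend and flags non-directive lines that look like credentials. The embedded sample is constructed to mirror what this room's file exposes; it is not a copy of the real file.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on what the room's robots.txt reveals (CMS
# backend paths plus a stray line that is not a directive); not the real file.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/
UmbracoIsTheBest!
"""

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z-]+)\s*:\s*(.*?)\s*$")
# Path fragments that name a CMS backend (the admin path this room exposes).
CMS_HINTS = ("umbraco", "wp-admin", "administrator", "admin")

def parse_robots(text: str) -> Tuple[List[str], List[str]]:
    """Return (Disallow paths, non-directive lines) from a robots.txt body."""
    disallowed, stray = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = DIRECTIVE_RE.match(line)
        if m is None:                             # no "key: value" shape
            stray.append(line.strip())
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "disallow" and value:
            disallowed.append(value)
    return disallowed, stray

def looks_like_secret(token: str) -> bool:
    """Heuristic: not a path, 8+ chars, mixed case plus a digit or symbol."""
    if token.startswith("/") or len(token) < 8:
        return False
    has_upper = any(c.isupper() for c in token)
    has_lower = any(c.islower() for c in token)
    has_other = any(not c.isalpha() for c in token)
    return has_upper and has_lower and has_other

def audit_robots(text: str) -> dict:
    disallowed, stray = parse_robots(text)
    return {
        "cms_paths": [p for p in disallowed if any(h in p.lower() for h in CMS_HINTS)],
        "possible_secrets": [s for s in stray if looks_like_secret(s)],
    }
```

Run audit_robots over your own site's robots.txt before publishing it; a non-empty possible_secrets list means something belongs in a secret store, not in a public file.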

What CMS is the website using?

The next one is easy to answer as well: the CMS running on the website is Umbraco.

We found the CMS in a rather unusual way. Normally this would be found with a directory enumeration tool such as gobuster, or with a tool such as Wappalyzer to fingerprint the technology stack:

Wappalyzer results

Here we found that the server is IIS on a Windows host.

But anyway, the answer is as follows:

Answer: umbraco

What is the domain of the website?

These next couple of questions are quick to answer. We found the domain earlier as part of the title of the page, and by looking at the email account as well.

Answer: anthem.com

What's the name of the Administrator?

Remember the previously found author page?

Jane Doe is perhaps the name?

Surely the name must be Jane Doe? But no, that answer is rejected, so we have to find another name.

I found another page with a poem:

A poem found in a post

I tried entering James Orchard Halliwell, but this also did not work. After some searching around I had to give up and use the hint here. You apparently have to find the name of the poem above.

https://en.wikipedia.org/wiki/Solomon_Grundy_(nursery_rhyme)

This did not make much sense to me, but hey, we can move on.

Answer: Solomon Grundy

Can we find the email address of the administrator?

Now that we know Solomon Grundy is the admin, we can take a guess at the email address. Since Jane Doe’s email address was JD@anthem.com, we could try SG@anthem.com. Yay, it worked!

Answer: SG@anthem.com

— Spot the flags —

What is flag 1?

Let’s move on. It is time to start hunting for some flags!

Let’s look at that Umbraco subdirectory we found earlier:

Umbraco login screen

We could try logging in now with the found info. We know the administrator email address now, as well as a possible password.

Let’s try with SG@anthem.com and UmbracoIsTheBest! as password.

And sure enough, we got into the Umbraco backend:

Umbraco backend

I looked around for a while, and finally found a flag on the Content menu, in the content manager of the “We are hiring” post. Look at the “Meta Tags” tab:

Found a flag in the meta tags

Answer: THM{L0L_WH0_US3S_M3T4}

What is flag 2?

This one is harder to find. The hint says we can search for it, so have a look at the search field in the menu.

First I thought about searching for THM{ but that did not work. Actually, the flag is part of the placeholder value on the HTML input element:

Investigating the input HTML element

Answer: THM{G!T_G00D}

What is flag 3?

We found this earlier, on the We are hiring frontend page.

Answer: THM{L0L_WH0_D15}

What is flag 4?

The hint asks us if we have looked at all pages yet. So, we have to take another look around. I finally found it in the meta tags section of the other blog post:

We found the fourth flag

Answer: THM{AN0TH3R_M3TA}

— Final stage —

We are in the endgame now. Let’s battle on!

Let’s figure out the username and password to log in to the box. (The box is not on a domain)

We should try to log in to the system. We can use Remmina for this. Let's try logging on with the previously found credentials:

Logging on through RDP

We got in!

We got RDP access

Gain initial access to the machine, what is the contents of user.txt?

The user.txt file is right there on the desktop. Open it and you will find the flag.

The user flag!

Answer: THM{N00T_NO0T}

Can we spot the admin password?

Now all we need is the root flag. The hint mentions that we should have a look at hidden files and folders, so open the View tab in Explorer and check "Hidden Items".

Showing hidden items

After some exploring I found an interesting backup folder on the C drive.

We found a backup folder!

But darn it, we do not have the right permissions.

We cannot open restore.txt file

Let’s have a look at the security settings. Do so by right clicking the file, pressing Properties, and go into the Security tab.

restore.txt file properties

Press edit to change permissions.

Permissions menu

Press Add to add a user. Let's try to add permissions for the SG user: write SG in the text field and press Check Names.

Selecting our SG user

Press OK.

Giving ourselves read permissions on the restore.txt file

And finally press Apply.

Now we should be able to open the text file and find the password:

Found the administrator password

Answer: ChangeMeBaby1MoreTime
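The reason this works is that the SG user holds a right on restore.txt that allows rewriting its DACL (Full control, WRITE_DAC or WRITE_OWNER, or ownership of the file). As an added example that is not part of the original walkthrough, this Python script parses the text that `icacls <file>` prints on Windows and lists the non-administrative principals that could change the file's permissions. The sample output and the HOSTNAME\SG principal are constructed, and the parser assumes the file path contains no spaces.

```python
import re
from typing import Dict, List

# Constructed sample in the shape `icacls <file>` prints: the first line carries
# the path, later lines are indented, each ACE is PRINCIPAL:(flags)(rights).
# HOSTNAME is a placeholder for the box's computer name.
SAMPLE_ICACLS = """\
C:\\backup\\restore.txt BUILTIN\\Administrators:(I)(F)
                        NT AUTHORITY\\SYSTEM:(I)(F)
                        HOSTNAME\\SG:(WDAC,RC)
                        BUILTIN\\Users:(I)(RX)
"""

# Rights whose holder can rewrite the DACL: Full control, or the explicit
# WRITE_DAC / WRITE_OWNER specific rights. Modify (M) does not include them.
DACL_CONTROL = {"F", "WDAC", "WO"}
TRUSTED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER"}
PATH_PREFIX = re.compile(r"^[A-Za-z]:\\\S*\s+")   # assumes no spaces in the path
PAREN_GROUP = re.compile(r"\(([^)]*)\)")

def parse_icacls(output: str) -> Dict[str, List[str]]:
    """Map each principal to the flat list of flag/right tokens in its ACE."""
    aces: Dict[str, List[str]] = {}
    for line in output.splitlines():
        if not line.startswith(" "):              # first line: strip the file path
            line = PATH_PREFIX.sub("", line, count=1)
        cut = line.rfind(":(")
        if cut == -1:
            continue
        principal = line[:cut].strip()
        groups = PAREN_GROUP.findall(line[cut + 1:])
        tokens = [t.strip() for g in groups for t in g.split(",")]
        aces.setdefault(principal, []).extend(tokens)
    return aces

def dacl_editors(output: str) -> List[str]:
    """Principals outside TRUSTED holding a right that lets them change permissions."""
    return sorted(p for p, toks in parse_icacls(output).items()
                  if p not in TRUSTED and DACL_CONTROL & set(toks))
```

icacls does not print the owner, and the owner of a file implicitly holds WRITE_DAC, so pair this check with an ownership check (Get-Acl shows the Owner) when auditing backup folders.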

Escalate your privileges to root, what is the contents of root.txt?

Now we could choose to switch user, but we can just as well enter the Administrator credentials when trying to open its home directory (C:/Users/Administrator). Do so when prompted:

Entering Administrator credentials

Take a look at the Desktop, and you will find the final flag:

We found the root flag!

Just open it 🙂

We read the root flag!

Answer: THM{Y0U_4R3_1337}


We are done!

Thanks for reading this walkthrough on the TryHackMe: Anthem room!

This was a quick and easy box. It was quite fun in my opinion, although I did not like finding the SG username part. But hey, we got through it! See you next time!


Like my articles?

You are welcome to comment on this article, and please share with friends!
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg

Happy Hacking!
