Security
  • IT Security Knowledge Base
  • Blue team
    • Linux System Hardening
    • Phishing Analysis
    • Snort
    • Yara
  • Capture the Flag
    • OverTheWire
      • Bandit
        • Bandit Level 0
        • Bandit Level 0 → Level 1
        • Bandit Level 1 → Level 2
        • Bandit Level 2 → Level 3
        • Bandit Level 3 → Level 4
        • Bandit Level 4 → Level 5
        • Bandit Level 5 → Level 6
        • Bandit Level 6 → Level 7
        • Bandit Level 7 → Level 8
        • Bandit Level 8 → Level 9
        • Bandit Level 9 → Level 10
        • Bandit Level 10 → Level 11
        • Bandit Level 11 → Level 12
        • Bandit Level 12 → Level 13
        • Bandit Level 13 → Level 14
        • Bandit Level 14 → Level 15
        • Bandit Level 15 → Level 16
        • Bandit Level 16 → Level 17
        • Bandit Level 17 → Level 18
        • Bandit Level 18 → Level 19
        • Bandit Level 19 → Level 20
        • Bandit Level 20→ Level 21
        • Bandit Level 21→ Level 22
        • Bandit Level 22 → Level 23
        • Bandit Level 23 → Level 24
        • Bandit Level 24 → Level 25
        • Bandit Level 25 → Level 26
        • Bandit Level 26 → Level 27
        • Bandit Level 27 → Level 28
        • Bandit Level 28 → Level 29
        • Bandit Level 29 → Level 30
        • Bandit Level 30 → Level 31
        • Bandit Level 31 → Level 32
        • Bandit Level 32 → Level 33
    • OWASP Juice Shop
      • Installation
      • Level 1 - Challenges
      • Level 2 - Challenges
    • TryHackMe Rooms
      • Anthem
      • Capture!
      • Corridor
      • Gotta Catch'em All!
      • Mustacchio
      • Neighbour
      • Opacity
      • Source
    • CEH v12 practical resources
  • Cryptology
    • CryptoHack
      • Course: Introduction to CryptoHack
        • Introduction - Challenges
        • General - Encoding
        • General - XOR
      • Course: Modular Arithmetic
        • General - Mathematics
        • Mathematics - Modular Math
        • Mathematics - Brainteasers Part 1
      • Course: Symmetric Cryptography
        • How AES Works
        • Symmetric Starter
        • Block Ciphers
        • Stream Ciphers
  • Red Team
    • Reconnaissance
      • Foot-printing
      • Scanning (Nmap)
      • Enumeration
    • Vulnerability Analysis
    • Initial Access
      • Obtaining credentials
      • Vulnerability Exploitation
        • Buffer Overflow
        • Metasploit and Armitage
        • Ninja Jonin
    • Active Directory
      • Connect to AD
      • AD Explore
      • CMD and PowerShell enumeration
      • Certificates in AD
      • LDAP Pass-back Attacks
      • Cracking NetNTLM Challenge with Responder
      • Exploring Configuration Files for AD Credentials
      • Pass the hash with evil WinRM
      • Understanding Runas
    • Malware
    • Sniffing
      • Intercept HTTP traffic - Hetty
      • Intercept HTTP traffic - Bettercap
      • Wireshark
    • Social Engineering
    • Denial of Service
    • Web Hacking
      • Burp Suite
      • OWASP ZAP
      • Web servers
      • Web Server Footprinting
      • Directory Enumeration
      • Session Hijacking
      • Web Shells
      • Web vulnerability scanners
      • SQL Injection
    • Cloud
    • Wireless Networks
      • Attacking WEP
      • Attacking WPA/WPA2
    • Mobile Devices
    • Network Security Evasion
    • Privileges Escalation
    • Maintain Access and Hide Malicious Activity
      • Backdooring
    • Cover your Tracks
  • Internet of Things
    • IoT in general
    • Common IoT Protocols
      • CoAP
      • MQTT
      • ZIGBEE
      • Bluetooth
    • Scapy
      • Sniffing and spoofing
      • ARP cache Poisoning
  • Projects
    • Cybersecurity Roadshow
Powered by GitBook
On this page
  • Enumeration
  • Flags
  • Login and escalated to admin
  1. Capture the Flag
  2. TryHackMe Rooms

Anthem

https://tryhackme.com/room/anthem#

First of all, this room seemed very unstable, so I had to restart it several times and my RDP connection keep dropping. Anyway, we get a lot of help along the way.

Enumeration

The first thing we are asked to is to run a Nmap scan and then answer the port of the web server and the remote desktop protocol. Theses are the usual ports 80 and 3389.

Next we check the robots.txt file. This gives us the possible password UmbracoIsTheBest! and a sub page umbraco. If we head to that page we see that it is the CMS login page and we therefore know that the CMS used is Umbraco.

Now we take a look at the website it self to answer the remaining questions.

Looking at the posts, we see a post by Jane Doe and her email jd@anthem.com. We also find a poem attributed to the administrator. If we google this poem we find that it by Solomon Grundy.

By looking at Jane Doe's email we can see how Anthem emails are constructed, so the admins email must be sg@anthem.com.

The domain of the website is written at the end of the blog posts, not surprisingly anthem.com

Flags

We are told that several flags have been hidden. These can all be found in the source code of websites the pages. Search for "THM" at these pages:

/
/archive/we-are-hiring/
/authors/jane-doe/
/archive/a-cheers-to-our-it-department/

Login and escalated to admin

We can login at the CMS page with the credentials found (admin email and password), but this does not help us much. However, if we RDP into the machine rdesktop $IP we can login with the username sg and the password we found.

Once logged in we see the user.txt file on the Desktop which contains the first flag.

We are then asked to find the administrator's password which is "hidden". With that hint I open file explore and enabled show hidden files. Starting from C:/ I notice a hidden folder called "backup". In the folder we find a file "restore.txt". However, we can not view the content because we lack permissions. But it turned out that we could just add permissions to the User group and then read the file. The password is ChangeMeBaby1MoreTime

Login as administrator and locate the final flag at the Desktop.

PreviousTryHackMe RoomsNextCapture!

Last updated 1 year ago