Anthem Walkthrough TryHackMe
Hello guys, back again with another walkthrough. This time I am going to be doing Anthem, a box released by TryHackMe. If you are learning or preparing for the OSCP, this is not a box I would recommend, especially for the user part, since scenarios like that will NEVER happen in real life. I did it two weeks ago but I have been hesitant about making a walkthrough of it, since there really isn't much to learn (especially for the user part). The thing I really liked about this box, though, is that it forces you to think outside the box, because not everything you need is on the box.

When we do an nmap scan we find that port 80 is open and it is running Umbraco CMS (content management system). Digging a little deeper, we learn how the "organization" running the server creates usernames (first name and last name initials), and there are hints for getting a user's password. After finding the credentials we log into the box using RDP (Remote Desktop Protocol), go to files that have been recently modified, and find a file that gives us the Administrator's credentials. Without much more said, let's jump in.
As always we start off with an nmap scan. This gives us a clear idea of the services the box is running, and we might get lucky and find one that is exploitable.
And we get five open ports, three of which are really interesting:
- Port 80 (HTTP): generally I like attacking web servers, since the vulnerabilities they can have are endless
- Port 445 (Samba): shares that might contain files with juicy information
- Port 3389 (RDP): if we have correct credentials we might log into the box using Remote Desktop
I decided to enumerate the Samba shares first.
I tried to see if null authentication is allowed on Samba.
And we get access denied.
We can't enumerate the Samba shares since null authentication isn't allowed, so that seemed to be a dead end. Next I decided to look at port 80, since for Remote Desktop we need valid credentials. On opening the web page we get a simple website and a potential hostname for the box, Anthem.com.
Looking at the webpage, I decided to check whether default files like robots.txt exist on the web server.
And we get some information that might lead to exploitation of the box: a potential password, "UmbracoIsTheBest!", and information confirming that the server is running Umbraco CMS. This isn't the first box I have done where I found credentials hidden in robots.txt (I did Pickle Rick, another box on TryHackMe that had creds in robots.txt; I've left a link), so always check the file.
/umbraco leads us to an administrator login page, but we still don't have credentials to log into it.
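The robots.txt finding above is a reminder that the file is public and is read by people, not just crawlers. The following is an added example, not code from the original post: a small linter a defender can run over their own robots.txt before publishing it. It reports comments and free text (where a password like the one above would sit), secret-looking keywords, directives crawlers will not understand, and Disallow entries, which advertise a path rather than protecting it. The sample robots.txt is constructed for this example.

```python
"""Lint a robots.txt for content that leaks more than crawl rules.

Added example (not from the original post). The sample input below is
constructed; the directive list follows the common robots.txt vocabulary.
"""
import re

# Directives that legitimately belong in robots.txt (lowercased).
KNOWN_DIRECTIVES = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay", "host"}

# Words that, appearing anywhere in the file, suggest a leaked secret.
SECRET_HINTS = re.compile(r"(password|passwd|pwd|secret|token|api[_-]?key|credential)", re.I)


def lint_robots(text):
    """Return a list of (line_no, kind, line) findings.

    kind is one of:
      'comment'      - a # comment (crawlers ignore it; humans do not)
      'free-text'    - a non-empty line that is not 'directive: value'
      'unknown'      - a directive name crawlers will not understand
      'secret-hint'  - any line containing a secret-looking keyword
      'hidden-path'  - a Disallow entry naming a specific path, which tells a
                       reader where the interesting parts of the site are
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if SECRET_HINTS.search(line):
            findings.append((no, "secret-hint", line))
        if line.startswith("#"):
            findings.append((no, "comment", line))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            findings.append((no, "free-text", line))
            continue
        key = key.strip().lower()
        if key not in KNOWN_DIRECTIVES:
            findings.append((no, "unknown", line))
        elif key == "disallow" and value.strip() not in ("", "/"):
            findings.append((no, "hidden-path", line))
    return findings


# Constructed sample, modelled loosely on the kind of file the post describes.
SAMPLE = """\
# Generated for the marketing site
User-agent: *
Disallow: /umbraco/
Disallow: /backups/
# temp password for the cms admin: CHANGE_ME_EXAMPLE
Sitemap: https://example.com/sitemap.xml
"""

if __name__ == "__main__":
    for no, kind, line in lint_robots(SAMPLE):
        print(f"line {no:2d} [{kind}] {line}")
```

Run it against the real file with `lint_robots(open("robots.txt").read())`; anything reported as `comment`, `free-text` or `secret-hint` should not be there, and each `hidden-path` entry is a path that needs real access control rather than a crawl rule.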
So I decided to run gobuster, a tool used for web directory brute forcing. But unlike in my other videos, I didn't use the common wordlist I usually use, since SecLists has a wordlist specifically dedicated to Umbraco CMS.
After running gobuster, a lot of results came up.
I went through all the links, but nothing really interesting came up and none of them had any vector we could exploit.
So I decided to do manual enumeration of the web app.
First I decided to spider the website using ZAP; maybe we'll find some interesting links.
And then, while the spidering was running in the background, I decided to look at the individual posts.
Looking at the "We are hiring" post, we see that the author of that post is Jane Doe, and we find out how naming is probably done, by the use of an email.
I decided to follow the author's link, and it led me to the first flag (some parts are blurred out; I'm sure you understand why).
I knew that the flags were stored as HTML entities, and the easiest way to extract them was to use ZAP: navigate to the search bar, type the words common to all the flags, and do a search.
We get our second flag
Third Flag
Fourth and Final Flag
And we have all the flags; we can submit them and earn the points. That is the simple way I got the flags rather than digging through the source code.
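The reason a plain text search for the flags fails is that an entity-encoded string such as `&#70;&#76;...` never contains the literal marker. ZAP's search decodes before matching; the script below does the same thing in a few lines so the idea is visible. It is an added example and not code from the original post: the `FLAG{...}` marker and the sample page are constructed assumptions, and the real flag format on the box is not reproduced here.

```python
"""Find strings hidden as HTML entities in page source.

Added example, not from the original post. A plain text search for the
marker misses entity-encoded copies; decoding the entities first (as ZAP's
search does) finds them. The 'FLAG{' marker and sample HTML are constructed.
"""
import html
import re

# Assumed flag shape for this example; the box's real format is not shown here.
FLAG_RE = re.compile(r"FLAG\{[^}]*\}")


def extract_flags(page_source):
    """Decode HTML entities, then return every flag-shaped string in order."""
    decoded = html.unescape(page_source)
    return FLAG_RE.findall(decoded)


def encode_entities(text, hex_form=False):
    """Build sample input: encode every character as a numeric entity."""
    if hex_form:
        return "".join(f"&#x{ord(c):x};" for c in text)
    return "".join(f"&#{ord(c)};" for c in text)


# Constructed sample page: one flag in decimal entities, one in hex entities,
# one in plain text, and one decoy that is not a flag. A naive search for
# "FLAG{" in this string finds only the plain-text copy.
SAMPLE_HTML = (
    "<html><body>"
    "<p>" + encode_entities("FLAG{decimal-entities}") + "</p>"
    "<!-- " + encode_entities("FLAG{hex-entities}", hex_form=True) + " -->"
    "<span>FLAG{plain-text}</span>"
    "<p>&lt;not a flag&gt;</p>"
    "</body></html>"
)

if __name__ == "__main__":
    print("raw search hits:", SAMPLE_HTML.count("FLAG{"))
    for flag in extract_flags(SAMPLE_HTML):
        print(flag)
```

The same decode-then-search step applies to any hunt for strings in page source, whether you are looking for flags or, as a site owner, checking that nothing sensitive is sitting in your own pages behind a layer of encoding.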
But we still don't have the username.
Looking at the second post, we get some interesting information: a poem about the admin. I spent some time here trying to figure things out, but finally I got the username. I copied the whole poem and did a Google search on it.
The first result of the Google search was a username.
And since we know how naming is done in the organization, we now have a username and a password. So why don't we try to log into the box using Remote Desktop?
The default client I like to use is Remmina; it has always worked for me. Trying to log into the box using the IP address:
We get an error that Remmina couldn't find the address for the RDP server, and I tried to debug the application to find what might be wrong with it, but I had no luck until recently, when I discovered that it prefers a hostname or domain name.
So what I did was add the IP address to my hosts file so that I could reach the box via a hostname.
Then I used the hostname in the server field.
And voila, we get into the box using Remote Desktop.
And we see a user.txt flag; we can submit it and get the points.
Now it's time for privilege escalation. So I decided to look at files that had been modified recently, using the Run program.
And we get a few files and a backup directory called backup.
The file is called restore. Trying to open it:
A prompt pops up saying we don't have permission to view the file, but what seemed funny was that we can change the ownership and permissions it has.
Right-click on the folder, then click on Properties.
Then, after a window opens, click on the Security tab, click on Edit, then Add.
Add your username, as you see I have done below, then click OK.
In the Allow column, check (✓) the box called Full Control and click on Apply.
Now, double-clicking the file again to see if we have permission to view it, and voila, we have permission to view the contents of the file.
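What made this step possible is that the low-privileged user held the right to change the file's ACL (write DAC, or take ownership) even though they could not read it; with that right, granting yourself Full Control is a few clicks. A defender can catch this precondition by reviewing `icacls` output for sensitive files. The following is an added example, not code from the original post: a parser for `icacls <path>` output that flags principals outside the trusted set holding `F`, `WDAC` or `WO`. The output sample, the path and the `EXAMPLE\lowpriv` account are constructed, and the parser assumes the standard icacls layout where the first line starts with the queried path.

```python
"""Flag ACL entries that let a non-admin rewrite a file's permissions.

Added example, not from the original post. Parses the text printed by
`icacls <path>` (Windows). Sample output, path and principal are constructed.
"""
import re

# Rights that let a principal rewrite the ACL or take ownership, and so grant
# themselves anything: F = full control, WDAC = write DAC, WO = write owner.
DANGEROUS_RIGHTS = {"F", "WDAC", "WO"}

# Principals expected to hold such rights on a sensitive file.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "CREATOR OWNER"}

# One ACE looks like  DOMAIN\name:(I)(F)  or  DOMAIN\name:(RC,WDAC)
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<perm>(?:\([^)]*\))+)\s*$")


def parse_icacls(output, path):
    """Return [(principal, set_of_right_tokens), ...] from icacls output.

    icacls prints the queried path, a space, then the first ACE on one line,
    and indents the remaining ACEs; the caller already knows the path, so it
    is stripped from the first line rather than guessed.
    """
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        rights = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("perm")):
            rights.update(token.strip() for token in group.split(","))
        aces.append((m.group("principal"), rights))
    return aces


def risky_aces(output, path):
    """Principals outside TRUSTED that can change the ACL (Allow ACEs only)."""
    risky = []
    for principal, rights in parse_icacls(output, path):
        if "DENY" in rights:          # a Deny ACE takes rights away; not a risk
            continue
        held = rights & DANGEROUS_RIGHTS
        if held and principal not in TRUSTED:
            risky.append((principal, sorted(held)))
    return risky


# Constructed sample modelled on icacls output; EXAMPLE\lowpriv is a placeholder.
SAMPLE_PATH = r"C:\backup\restore"
SAMPLE_OUTPUT = r"""C:\backup\restore NT AUTHORITY\SYSTEM:(I)(F)
                  BUILTIN\Administrators:(I)(F)
                  EXAMPLE\lowpriv:(RC,WDAC)
                  BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for principal, held in risky_aces(SAMPLE_OUTPUT, SAMPLE_PATH):
        print(f"{principal} can change the ACL via {','.join(held)}")
```

Feed it the captured text of `icacls C:\path\to\file` for each file that holds secrets; any line it returns is a principal who does not need to be able to read the file today in order to read it tomorrow. The sample here reproduces the Anthem situation: a low-privileged account with no read access but with write-DAC.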
And we have the Administrator's password. Now I logged out of the box and tried logging back in as the Administrator.
And we get into the box as Administrator.
And to confirm, I used the command prompt.
Now we can submit the flag and get the points.
And we have the root flag
And that was it for the box. Hope you learnt something new.
I have a walkthrough coming up on Remote, a box on the HackTheBox platform that will be centered around Umbraco CMS. I did it about 2 months ago and the box is really interesting, given the fact that you have to exploit an authenticated remote code execution vulnerability in Umbraco CMS. A really nice walkthrough, which I will release after the box gets retired, but that's it for now guys. Till next time, take care.
If you liked the walkthrough you can clap for me below.