Anthem Walkthrough TryHackMe

Hello guys back again with another walkthrough this time am going to be doing anthem a box released by tryhackme. If you are learning or preparing for OSCP this is not the box i could recommend especially for the user part since scenarios like that will NEVER happen in real life. I did two weeks ago but I’ve been hesitant on making a walk through about it since there really isn’t much to learn especially for the user part though the thing i really liked about this box is that it forces you to think out of the box because not everything you need is in the box. When we do a nmap scan we find port 80 is open and it’s running umbraco CMS (content management system) on digging a little bit deeper we get how the “organization” running the server creates username is by using first name and last name initials and there are hint on getting a users password. After finding the credentials we log into the box using RDP (Remote Desktop Protocol) and we go to files that have been recently modified and we find a file that gives us Administrator’s credentials. Without much say let’s jump in

As always we start of with a nmap scan this gives us a clear idea of services that the box is running and we might get lucky and find one that is exploitable

And we get five ports are open and three of them are really interesting

  1. Port 80 (HTTP) generally i like attacking web server since the vulnerabilities that they have are endless

I decided to enumerate samba share first

I tried see if null authentication is allowed in Samba

And we get an access denied

We can’t enumerate the samba shares since null authentication isn’t allowed that seemed to be a dead end next i decided to look at port 80 since for remote desktop we need valid credentials. On opening the web we get a simple webpage and a potential hostname of the box Anthem.com

Looking at the webpage i decided to see if default files exist on the web server like robots.txt exists on the web server

And we get some information that might lead to exploitation of the box. A potential password “UmbracoIsTheBest!” and information that proves that the server is running umbraco CMS. This isn’t the first box that i have done and found credential hidden in the robots.txt (i did pickle Rick another box on TryHackMe that had creds in the robots.txt i’ve left a link) if you look at the file hence always check

/umbraco leads us to a administrator’s login page but we still don’t have credentials to log into the page

So i decided to run gobuster. A tool used for web directory brute forcing. But unlike any other of my videos i didn’t use the common wordlist that i usually use since Seclists has a word list specifically dedicate to umbraco CMS

After doing a gobuster a lot of results came up

I went through all the link’s but nothing really interesting came up but none of them had any vector we could exploit

So i decided to do manual enumeration of the web app

First i decided to spider the website using zap maybe we’ll find interesting links

And then while the spidering was being done in the background i decided to look at the individual post

Looking at the “we are hiring post” we see that the author of that post is Jane Doe and we find the way naming is probably done by the use of an email

I decided to follow the author’s like and it lead me to the first flag (Some part is blurred out am sure you understand why)

I knew that the flags were in HTML entities the easiest way to extract the flags was to use ZAP. Navigate to the search bar and type the words common in all the flag and do a search

We get our second flag

Third Flag

Fourth and Final Flag

And we have all the flags we can submit and earn the point That is the simple way i got the flags rather than digging through the source code

But still we don’t have the username

Looking at the Second post we get some interesting information a poem about admin i spend some time here trying to figure things out but finally i got the username. I copied the whole poem and did a google search on it

I did a google search of the poem and the first result was a username

And since we know how naming is done on the organization we have a username and a password. Since we have a username and password why don’t we try to log into the box using remote Desktop

The default client app i like to use is Remmina it has always worked for me. Trying to log into the box using IP address

We get an error that remmina couldn’t find the address for the RDP server

and i tried to debug the application to find what might be wrong with it but i had no luck until recently when i discovered that it prefers a host name or domain name

So what i did was to add the IP address to my hosts file and navigate to the IP address via host names

Then i used the hostname in the server portion

And voila we get into the box using remote desktop

And we see a user.txt flag we can submit it and get the point

Now it’s time for privilege escalation. So i decided to look at files that had been modified recently using the run program

And we get a few files and a backup directory called backup

The file called restore. Trying to open it

A prompt pops up saying we don’t have permissions to view the files but what seemed funny was that we can change the ownership permissions that it has

Right clicking on the folder we get then clicking on properties

Then after a window opens click on the security TAB, Click on Edit then Add

Add your username to as you see have done below the click OK

On the Allow column Check (✓) the box called Full Control and Click on Apply

Now again double Clicking the file again to see if we have the permissions to view it and voila we have permissions to view the contents of the file

And we have the Administrator’s password. Now i logged out of the box and tried logging back in as admin

And we get into the box as administrator

And to confirm i used command prompt

Now we can submit the flag and get the points

And we have the root flag

And that was it for the box. Hope you learnt something new.

I have a walkthrough coming up on Remote a box on HackTheBox platform that will be centered around Umbraco CMS. Idid about 2 months ago and the box is really interesting given the fact that you have to exploit an authenticated remote code vulnerability on the Umbraco CMS. A really nice walktrough which i will release after the box gets retired but that’s it for now guys till next time take care

I you liked the walkthrough you can clap for me bellow

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)