Anthem

Task 1: Website Analysis

What port is for the web server?

Let's scan the target using nmap.

$ nmap -sC -sV 10.10.5.238 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-07 19:48 IST
Nmap scan report for 10.10.5.238
Host is up (0.14s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2023-12-06T14:18:23
|_Not valid after:  2024-06-06T14:18:23
|_ssl-date: 2023-12-07T14:20:35+00:00; +2s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: WIN-LU09299160F
|   NetBIOS_Domain_Name: WIN-LU09299160F
|   NetBIOS_Computer_Name: WIN-LU09299160F
|   DNS_Domain_Name: WIN-LU09299160F
|   DNS_Computer_Name: WIN-LU09299160F
|   Product_Version: 10.0.17763
|_  System_Time: 2023-12-07T14:19:28+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.08 seconds

As we can see there are two open ports:

Port	Service
80	http
3389	ms-wbt-server

Answer

80

What port is for remote desktop service?

ms-wbt-server is the remote desktop service that runs on port 3389.

Answer

3389

What is a possible password in one of the pages web crawlers check for?

The page that web crawlers check for is robots.txt. Let's see if that has something of importance.

The password is mentioned along with the disallowed pages.

Answer

UmbracoIsTheBest!

What CMS is the website using?

We can find this answer on the /robots.txt page as well.

The /umbraco/ page tells us that the CMS is Umbraco.

Answer

Umbraco

What is the domain of the website?

Let's visit the webpage of the target machine.

Nothing really important here.

Answer

anthem.com

What's the name of the Administrator

Let's check out the first blog post.

We can see that there is a poem written about the admin. This poem is actually a real one written about Solomon Grundy.

Answer

Solomon Grundy

Can we find find the email address of the administrator?

If we check out the second post, we can find the email format.

Now that we know the email of Jane Doe is JD@anthem.com we can guess Solomon Grundy's email address.

Answer

SG@anthem.com

Task 2: Spot the Flags

What is flag 1?

We can find the first flag in the source page of the second post.

Answer

THM{L0L_WH0_US3S_M3T4}

What is flag 2?

We can find the second flag in the source page of the main web page.

Answer

THM{G!T_G00D}

What is flag 3?

We can find the third flag on viewing Jane Doe's profile

Answer

THM{L0L_WH0_D15}

What is flag 4?

We can find the fourth flag on the source page of the first post.

Answer

THM{AN0TH3R_M3TA}

Task 3: Final stage

Gain initial access to the machine, what is the contents of user.txt?

We know that there is a user sg and a password UmbracoIsTheBest!.

Using the credentials we can connect to the target through RDP.

$ xfreerdp /v:10.10.5.238 /u:sg /p:UmbracoIsTheBest! /cert:ignore +clipboard /dynamic-resolution

Answer

THM{N00T_NO0T}

Can we spot the admin password?

After changing the View to Show hidden items we can go to C\backup.

There is file there which we don't have the permissions to read.

Let's see if we can change the permissions.

After changing the permissions, we can read the file.

Answer

ChangeMeBaby1MoreTime

Escalate your privileges to root, what is the contents of root.txt?

Let's end the current RDP session and login again as Administrator with the password as ChangeMeBaby1MoreTime.

$ xfreerdp /v:10.10.5.238 /u:Administrator /p:ChangeMeBaby1MoreTime /cert:ignore +clipboard /dynamic-resolution

Answer

THM{Y0U_4R3_1337}