Anthem
Task 1: Website Analysis
What port is for the web server?
Let's scan the target using nmap
.
As we can see there are two open ports:
Answer
What port is for remote desktop service?
ms-wbt-server
is the remote desktop service that runs on port 3389.
Answer
What is a possible password in one of the pages web crawlers check for?
The page that web crawlers check for is robots.txt
. Let's see if that has something of importance.
The password is mentioned along with the disallowed pages.
Answer
What CMS is the website using?
We can find this answer on the /robots.txt
page as well.
The /umbraco/
page tells us that the CMS is Umbraco.
Answer
What is the domain of the website?
Let's visit the webpage of the target machine.
Nothing really important here.
Answer
What's the name of the Administrator
Let's check out the first blog post.
We can see that there is a poem written about the admin. This poem is actually a real one written about Solomon Grundy.
Answer
Can we find find the email address of the administrator?
If we check out the second post, we can find the email format.
Now that we know the email of Jane Doe is JD@anthem.com
we can guess Solomon Grundy's email address.
Answer
Task 2: Spot the Flags
What is flag 1?
We can find the first flag in the source page of the second post.
Answer
What is flag 2?
We can find the second flag in the source page of the main web page.
Answer
What is flag 3?
We can find the third flag on viewing Jane Doe's profile
Answer
What is flag 4?
We can find the fourth flag on the source page of the first post.
Answer
Task 3: Final stage
Gain initial access to the machine, what is the contents of user.txt?
We know that there is a user sg
and a password UmbracoIsTheBest!
.
Using the credentials we can connect to the target through RDP.
Answer
Can we spot the admin password?
After changing the View
to Show hidden items
we can go to C\backup
.
There is file there which we don't have the permissions to read.
Let's see if we can change the permissions.
After changing the permissions, we can read the file.
Answer
Escalate your privileges to root, what is the contents of root.txt?
Let's end the current RDP session and login again as Administrator
with the password as ChangeMeBaby1MoreTime
.
Answer
Last updated