Anthem-CTF Walkthrough
Hello Everyone! Welcome to the new blog in this blog we are going to cover step by step challenge of a box named Anthem on tryhackme. This machine is windows based with beginner level exploitation challenge.
Before starting make sure that you are connected to the tryhackme VPN and machine is deployed successfully.
After deploying the machine wait for 2–3 minutes and then ping the machine to confirm that it is working properly.
Target IP : 10.10.6.163
Attacker IP/Client: 10.9.178.153
Now start the nmap scan to find out the ports open and services running on the machine.
Command : nmap -sS -sS -sV -A -O 10.10.6.163
There are two ports open.
As port 80 is open we will check the webpage in the browser.
URL: http://10.10.6.163
This is are few blogs in the anthem website.
Further we scan for directories using gobuster.
command :gobuster dir -u http://10.10.6.163 -t 100 -e -w /usr/share/wordlists/dirb/common.txt
And we found multiple directories, while enumerating the directories we found a directory ‘robots.txt’ while enumerating it we found a string ‘UmbracoIsTheBest!’. This means that the web is using Umbraco CMS.
While going through the web pages we found a poem.
On googling we found that the poem was written by Solomon Grundy
Now, we have to find the email of the administrator.
We found that the email of the another user ‘Jane Doe’ was ‘JD@anthem.com’. So the email of ‘Solomon Grundy’ will ‘SG@anthem.com’. Now we enumerate the web page and try to find all the flags.
We have credentials for login.
email: SG@anthem.com
password: UmbracoIsTheBest!
Flag 1
And we found our last flag in the Inspect element of the blog page ‘A cheers to our IT department’. Now moving on to the further challenge. To complete further challenge we have to use RDP(Remote Desktop Protocol) to find the remaining flag. Let’s start RDP with the credentials that we found.
command: rdesktop -U SG -p UmbracoIsTheBest!
We are successfully connected to the machine and on the desktop we found our user flag.
On desktop we found the user flag.
We found a backup folder on trying to open it was not passible.
So we changed the permission of the file to the current users in the properties.
And now we found a password in the backup folder
Now we will login to RDP as administrator using the password ‘ChangeMeBaby1MoreTime’
On the desk top we found the root flag.
We have successfully completed the task. Hope you all enjoyed it.
Kindly follow my blog.
Thank you.
