Anthem-CTF Walkthrough

Hello Everyone! Welcome to the new blog in this blog we are going to cover step by step challenge of a box named Anthem on tryhackme. This machine is windows based with beginner level exploitation challenge.

Before starting make sure that you are connected to the tryhackme VPN and machine is deployed successfully.

After deploying the machine wait for 2–3 minutes and then ping the machine to confirm that it is working properly.

Target IP : 10.10.6.163

Attacker IP/Client: 10.9.178.153

Now start the nmap scan to find out the ports open and services running on the machine.

Command : nmap -sS -sS -sV -A -O 10.10.6.163

There are two ports open.

As port 80 is open we will check the webpage in the browser.

URL: http://10.10.6.163

This is are few blogs in the anthem website.

Further we scan for directories using gobuster.

command :gobuster dir -u http://10.10.6.163 -t 100 -e -w /usr/share/wordlists/dirb/common.txt

And we found multiple directories, while enumerating the directories we found a directory ‘robots.txt’ while enumerating it we found a string ‘UmbracoIsTheBest!’. This means that the web is using Umbraco CMS.

While going through the web pages we found a poem.

On googling we found that the poem was written by Solomon Grundy

Now, we have to find the email of the administrator.

We found that the email of the another user ‘Jane Doe’ was ‘JD@anthem.com’. So the email of ‘Solomon Grundy’ will ‘SG@anthem.com’. Now we enumerate the web page and try to find all the flags.

We have credentials for login.

email: SG@anthem.com

password: UmbracoIsTheBest!

Flag 1

And we found our last flag in the Inspect element of the blog page ‘A cheers to our IT department’. Now moving on to the further challenge. To complete further challenge we have to use RDP(Remote Desktop Protocol) to find the remaining flag. Let’s start RDP with the credentials that we found.

command: rdesktop -U SG -p UmbracoIsTheBest!

We are successfully connected to the machine and on the desktop we found our user flag.

On desktop we found the user flag.

We found a backup folder on trying to open it was not passible.

So we changed the permission of the file to the current users in the properties.

And now we found a password in the backup folder

Now we will login to RDP as administrator using the password ‘ChangeMeBaby1MoreTime’

On the desk top we found the root flag.

We have successfully completed the task. Hope you all enjoyed it.

Kindly follow my blog.

Thank you.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store