diff --git a/TryHackMe/Anthem.md b/TryHackMe/Anthem.md new file mode 100644 index 0000000..466e39b --- /dev/null +++ b/TryHackMe/Anthem.md 
@@ -0,0 +1,161 @@ +# TryHackMe-Anthem + +## NMAP + +``` +tats: 0:01:37 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan +NSE Timing: About 97.50% done; ETC: 20:14 (0:00:00 remaining) +Nmap scan report for 10.10.109.113 +Host is up (0.19s latency). +Not shown: 995 closed ports +PORT STATE SERVICE VERSION +80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) +135/tcp open msrpc Microsoft Windows RPC +139/tcp open netbios-ssn Microsoft Windows netbios-ssn +445/tcp open microsoft-ds? +3389/tcp open ms-wbt-server Microsoft Terminal Services +| rdp-ntlm-info: +| Target_Name: WIN-LU09299160F +| NetBIOS_Domain_Name: WIN-LU09299160F +| NetBIOS_Computer_Name: WIN-LU09299160F +| DNS_Domain_Name: WIN-LU09299160F +| DNS_Computer_Name: WIN-LU09299160F +| Product_Version: 10.0.17763 +|_ System_Time: 2020-10-25T15:13:32+00:00 +| ssl-cert: Subject: commonName=WIN-LU09299160F +| Not valid before: 2020-10-24T15:12:24 +|_Not valid after: 2021-04-25T15:12:24 +|_ssl-date: 2020-10-25T15:14:42+00:00; 0s from scanner time. +Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows + +Host script results: +| smb2-security-mode: +| 2.02: +|_ Message signing enabled but not required +| smb2-time: +| date: 2020-10-25T15:13:32 +|_ start_date: N/A +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . 
+Nmap done: 1 IP address (1 host up) scanned in 97.59 seconds +``` + +## SMB + +``` +smbclient -L \\\\10.10.109.113\\ +Enter WORKGROUP\root's password: +session setup failed: NT_STATUS_ACCESS_DENIED +``` + +That's dead end + +## PORT 80 + + + +On the page source we can find a flag of some sort + + + + + +`UmbracoIsTheBest!` potential password +`JD@anthem.com` email address at `http://10.10.109.113/archive/we-are-hiring/` + +## Gobuster + +``` +=============================================================== [9/21] +Gobuster v3.0.1 +by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) +=============================================================== +[+] Url: http://10.10.109.113 +[+] Threads: 10 +[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt +[+] Status codes: 200,204,301,302,307,401,403 +[+] User Agent: gobuster/3.0.1 +[+] Timeout: 10s +=============================================================== +2020/10/25 20:20:30 Starting gobuster +=============================================================== +/search (Status: 200) +/blog (Status: 200) +/sitemap (Status: 200) +/rss (Status: 200) +/archive (Status: 301) +/categories (Status: 200) +/authors (Status: 200) +/Search (Status: 200) +/tags (Status: 200) +/install (Status: 302) +/RSS (Status: 200) +/Blog (Status: 200) +/Archive (Status: 301) +/SiteMap (Status: 200) +/siteMap (Status: 200) +/INSTALL (Status: 302) +/Sitemap (Status: 200) +/1073 (Status: 200) +/Rss (Status: 200) +/Categories (Status: 200) + +``` +## CMS + + + +For getting the name of admin visit the page there is a poem written , search on goolge to find who wrote this poem + + + + + +We peviously found `JD@anthem.com` the hint says that `There is another email address on the website that should help us figuring out the email pattern used by the administrator.` + + + + +So admin is Solomon Grundy and carfting the email like the pattern above `sg@anthem.com` will let us login with the credentials 
`UmbracoIsTheBest!` + +## PORT 3389 (RDP) + +Launch `Remmina` with the credentials username as `sg` and passowrd `UmbracoIsTheBest!` + + +### User Flag + + +### Root Flag + +Turn on the option for `show hidden files` as the hints says that admin's password is hidden. + + + +You can find a folder named `backup` and in thier `restore.txt` but you don't have rights to view this file. + + + +What you could do is right click on properites and change but I'll show how you can do this with cmd. + + + +When try to view it will show you that you don't have permissions so, + + + +`ChangeMeBaby1MoreTime` + + + + +s + +## Flags + +Flag 1 `THM{L0L_WH0_US3S_M3T4}` On html boiler plate `http://10.10.109.113/archive/we-are-hiring/` + +Flag 2 `THM{G!T_G00D}` in body of html `http://10.10.109.113` + +Flag 3 `THM{L0L_WH0_D15`} `http://10.10.109.113/authors` + +Flag 4 `THM{AN0TH3R_M3TA}` `http://10.10.109.113/archive/a-cheers-to-our-it-department/` \ No newline at end of file
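Review bot: the cmd walkthrough for reading `backup\restore.txt` is announced but never shown; `What you could do is right click on properites and change but I'll show how you can do this with cmd.` is followed only by `When try to view it will show you that you don't have permissions so,` and then jumps straight to `ChangeMeBaby1MoreTime`, so either add the commands you actually ran to view the file or drop the "I'll show how" sentence. Two smaller fixes in the same file: the Flag 3 line closes its backtick before the brace (THM{L0L_WH0_D15`}), which renders wrong, and the stray `s` line above `## Flags` plus the typos `peviously`, `goolge`, `carfting`, `passowrd`, `thier` and `properites` should be cleaned up. The runs of blank lines after `## PORT 80`, `## CMS`, `### User Flag` and `### Root Flag` look like dropped image embeds; if screenshots were intended, add the image links, otherwise those sections read as empty.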