mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-25 05:10:23 +00:00
Add files via upload
parent
b84f8be9d6
commit
61417b7fe9
1 changed files with 161 additions and 0 deletions
161
TryHackMe/Anthem.md
Normal file
|
@ -0,0 +1,161 @@
|
|||
# TryHackMe-Anthem
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
tats: 0:01:37 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
|
||||
NSE Timing: About 97.50% done; ETC: 20:14 (0:00:00 remaining)
|
||||
Nmap scan report for 10.10.109.113
|
||||
Host is up (0.19s latency).
|
||||
Not shown: 995 closed ports
|
||||
PORT STATE SERVICE VERSION
|
||||
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
||||
135/tcp open msrpc Microsoft Windows RPC
|
||||
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|
||||
445/tcp open microsoft-ds?
|
||||
3389/tcp open ms-wbt-server Microsoft Terminal Services
|
||||
| rdp-ntlm-info:
|
||||
| Target_Name: WIN-LU09299160F
|
||||
| NetBIOS_Domain_Name: WIN-LU09299160F
|
||||
| NetBIOS_Computer_Name: WIN-LU09299160F
|
||||
| DNS_Domain_Name: WIN-LU09299160F
|
||||
| DNS_Computer_Name: WIN-LU09299160F
|
||||
| Product_Version: 10.0.17763
|
||||
|_ System_Time: 2020-10-25T15:13:32+00:00
|
||||
| ssl-cert: Subject: commonName=WIN-LU09299160F
|
||||
| Not valid before: 2020-10-24T15:12:24
|
||||
|_Not valid after: 2021-04-25T15:12:24
|
||||
|_ssl-date: 2020-10-25T15:14:42+00:00; 0s from scanner time.
|
||||
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
|
||||
|
||||
Host script results:
|
||||
| smb2-security-mode:
|
||||
| 2.02:
|
||||
|_ Message signing enabled but not required
|
||||
| smb2-time:
|
||||
| date: 2020-10-25T15:13:32
|
||||
|_ start_date: N/A
|
||||
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
||||
Nmap done: 1 IP address (1 host up) scanned in 97.59 seconds
|
||||
```
|
||||
|
||||
## SMB
|
||||
|
||||
```
|
||||
smbclient -L \\\\10.10.109.113\\
|
||||
Enter WORKGROUP\root's password:
|
||||
session setup failed: NT_STATUS_ACCESS_DENIED
|
||||
```
|
||||
|
||||
That's dead end
|
||||
|
||||
## PORT 80
|
||||
|
||||
<img src="https://imgur.com/6MSUuT8.png"/>
|
||||
|
||||
On the page source we can find a flag of some sort
|
||||
<img src="https://imgur.com/rcMo4ig.png"/>
|
||||
|
||||
<img src="https://imgur.com/4S7GBX8.png"/>
|
||||
|
||||
|
||||
`UmbracoIsTheBest!` potential password
|
||||
`JD@anthem.com` email address at `http://10.10.109.113/archive/we-are-hiring/`
|
||||
|
||||
## Gobuster
|
||||
|
||||
```
|
||||
=============================================================== [9/21]
|
||||
Gobuster v3.0.1
|
||||
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
||||
===============================================================
|
||||
[+] Url: http://10.10.109.113
|
||||
[+] Threads: 10
|
||||
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
||||
[+] Status codes: 200,204,301,302,307,401,403
|
||||
[+] User Agent: gobuster/3.0.1
|
||||
[+] Timeout: 10s
|
||||
===============================================================
|
||||
2020/10/25 20:20:30 Starting gobuster
|
||||
===============================================================
|
||||
/search (Status: 200)
|
||||
/blog (Status: 200)
|
||||
/sitemap (Status: 200)
|
||||
/rss (Status: 200)
|
||||
/archive (Status: 301)
|
||||
/categories (Status: 200)
|
||||
/authors (Status: 200)
|
||||
/Search (Status: 200)
|
||||
/tags (Status: 200)
|
||||
/install (Status: 302)
|
||||
/RSS (Status: 200)
|
||||
/Blog (Status: 200)
|
||||
/Archive (Status: 301)
|
||||
/SiteMap (Status: 200)
|
||||
/siteMap (Status: 200)
|
||||
/INSTALL (Status: 302)
|
||||
/Sitemap (Status: 200)
|
||||
/1073 (Status: 200)
|
||||
/Rss (Status: 200)
|
||||
/Categories (Status: 200)
|
||||
|
||||
```
|
||||
## CMS
|
||||
|
||||
<img src="https://imgur.com/lsGPuhu.png"/>
|
||||
|
||||
For getting the name of admin visit the page there is a poem written , search on goolge to find who wrote this poem
|
||||
|
||||
<img src="https://imgur.com/5DjsIBe.png"/>
|
||||
|
||||
<img src="https://imgur.com/DyFe1Kr.png"/>
|
||||
|
||||
We peviously found `JD@anthem.com` the hint says that `There is another email address on the website that should help us figuring out the email pattern used by the administrator.`
|
||||
|
||||
<img src="https://imgur.com/wRKtDx5.png"/>
|
||||
|
||||
|
||||
So admin is Solomon Grundy and carfting the email like the pattern above `sg@anthem.com` will let us login with the credentials `UmbracoIsTheBest!`
|
||||
|
||||
## PORT 3389 (RDP)
|
||||
|
||||
Launch `Remmina` with the credentials username as `sg` and passowrd `UmbracoIsTheBest!`
|
||||
|
||||
|
||||
### User Flag
|
||||
<img src="https://imgur.com/QdV7VKa.png"/>
|
||||
|
||||
### Root Flag
|
||||
|
||||
Turn on the option for `show hidden files` as the hints says that admin's password is hidden.
|
||||
|
||||
<img src="https://imgur.com/CKnN3Dh.png"/>
|
||||
|
||||
You can find a folder named `backup` and in thier `restore.txt` but you don't have rights to view this file.
|
||||
<img src="https://imgur.com/tGcOFjY.png"/>
|
||||
|
||||
|
||||
What you could do is right click on properites and change but I'll show how you can do this with cmd.
|
||||
|
||||
<img src="https://imgur.com/l0SvZgT.png"/>
|
||||
|
||||
When try to view it will show you that you don't have permissions so,
|
||||
|
||||
<img src="https://imgur.com/qmMge2x.png"/>
|
||||
|
||||
`ChangeMeBaby1MoreTime`
|
||||
|
||||
|
||||
<img src="https://imgur.com/mAvxb4j.png"/>
|
||||
|
||||
<img src="https://imgur.com/XIweE75.png"/>s
|
||||
|
||||
## Flags
|
||||
|
||||
Flag 1 `THM{L0L_WH0_US3S_M3T4}` On html boiler plate `http://10.10.109.113/archive/we-are-hiring/`
|
||||
|
||||
Flag 2 `THM{G!T_G00D}` in body of html `http://10.10.109.113`
|
||||
|
||||
Flag 3 `THM{L0L_WH0_D15`} `http://10.10.109.113/authors`
|
||||
|
||||
Flag 4 `THM{AN0TH3R_M3TA}` `http://10.10.109.113/archive/a-cheers-to-our-it-department/`
|
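Review bot: The Root Flag section says "I'll show how you can do this with cmd", but the command that changes the permissions on `restore.txt` appears only in the imgur screenshots, so the step this section exists to document is not in the file; add the command you ran and its output as text in a fenced block, as the NMAP, SMB and Gobuster sections already do. The user and root flags likewise exist only as externally hosted images, while the Flags section lists four other flags, so the write-up loses its evidence if those links go away. Smaller points: in the Flag 3 line the closing backtick comes before the closing brace, so the `}` falls outside the code span; there is a stray `s` after the last `<img>` tag before `## Flags`; the NMAP block starts mid-word at `tats:` and the Gobuster banner carries a terminal `[9/21]` marker; and the prose has several misspellings (`goolge`, `peviously`, `carfting`, `passowrd`, `thier`, `properites`).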