# TryHackMe-Anthem
## NMAP
```
tats: 0:01:37 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.50% done; ETC: 20:14 (0:00:00 remaining)
Nmap scan report for 10.10.109.113
Host is up (0.19s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
|_ System_Time: 2020-10-25T15:13:32+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2020-10-24T15:12:24
|_Not valid after: 2021-04-25T15:12:24
|_ssl-date: 2020-10-25T15:14:42+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-25T15:13:32
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.59 seconds
```
## SMB
```
smbclient -L \\\\10.10.109.113\\
Enter WORKGROUP\root's password:
session setup failed: NT_STATUS_ACCESS_DENIED
```
That's dead end
## PORT 80
On the page source we can find a flag of some sort
`UmbracoIsTheBest!` potential password
`JD@anthem.com` email address at `http://10.10.109.113/archive/we-are-hiring/`
## Gobuster
```
=============================================================== [9/21]
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.109.113
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/25 20:20:30 Starting gobuster
===============================================================
/search (Status: 200)
/blog (Status: 200)
/sitemap (Status: 200)
/rss (Status: 200)
/archive (Status: 301)
/categories (Status: 200)
/authors (Status: 200)
/Search (Status: 200)
/tags (Status: 200)
/install (Status: 302)
/RSS (Status: 200)
/Blog (Status: 200)
/Archive (Status: 301)
/SiteMap (Status: 200)
/siteMap (Status: 200)
/INSTALL (Status: 302)
/Sitemap (Status: 200)
/1073 (Status: 200)
/Rss (Status: 200)
/Categories (Status: 200)
```
## CMS
For getting the name of admin visit the page there is a poem written , search on goolge to find who wrote this poem
We peviously found `JD@anthem.com` the hint says that `There is another email address on the website that should help us figuring out the email pattern used by the administrator.`
So admin is Solomon Grundy and carfting the email like the pattern above `sg@anthem.com` will let us login with the credentials `UmbracoIsTheBest!`
## PORT 3389 (RDP)
Launch `Remmina` with the credentials username as `sg` and passowrd `UmbracoIsTheBest!`
### User Flag
### Root Flag
Turn on the option for `show hidden files` as the hints says that admin's password is hidden.
You can find a folder named `backup` and in thier `restore.txt` but you don't have rights to view this file.
What you could do is right click on properites and change but I'll show how you can do this with cmd.
When try to view it will show you that you don't have permissions so,
`ChangeMeBaby1MoreTime`
s
## Flags
Flag 1 `THM{L0L_WH0_US3S_M3T4}` On html boiler plate `http://10.10.109.113/archive/we-are-hiring/`
Flag 2 `THM{G!T_G00D}` in body of html `http://10.10.109.113`
Flag 3 `THM{L0L_WH0_D15`} `http://10.10.109.113/authors`
Flag 4 `THM{AN0TH3R_M3TA}` `http://10.10.109.113/archive/a-cheers-to-our-it-department/`