TryHackMe-Anthem
NMAP
Stats: 0:01:37 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 97.50% done; ETC: 20:14 (0:00:00 remaining)
Nmap scan report for 10.10.109.113
Host is up (0.19s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
|_ System_Time: 2020-10-25T15:13:32+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2020-10-24T15:12:24
|_Not valid after: 2021-04-25T15:12:24
|_ssl-date: 2020-10-25T15:14:42+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-25T15:13:32
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.59 seconds
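Added example (not part of the original write-up): a short Python triage of the scan output above from the defender's side, turning the open ports and NSE script results into hardening findings. The sample text is constructed from lines of the scan above, and the list of ports to review is an assumed policy.

```python
import re

# Constructed sample: lines taken from the scan output above, trimmed.
SAMPLE = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
# Assumed review policy: services that should not face untrusted networks.
REVIEW_PORTS = {135: "MSRPC", 139: "NetBIOS session", 445: "SMB", 3389: "RDP"}

def parse_open_ports(text):
    """Return {port: service} for every open port line in Nmap's normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(3)
    return ports

def hardening_findings(text):
    """Map scan results to the hardening items a defender would follow up on."""
    findings = []
    ports = parse_open_ports(text)
    for port, label in REVIEW_PORTS.items():
        if port in ports:
            findings.append(f"{port}/tcp {label} reachable: restrict by firewall")
    if "Message signing enabled but not required" in text:
        findings.append("SMB signing not required: enforce signing on server and clients")
    m = re.search(r"rdp-ntlm-info:.*?DNS_Computer_Name:\s*(\S+)", text, re.S)
    if m:
        findings.append(f"RDP NTLM handshake discloses host name {m.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in hardening_findings(SAMPLE):
        print("-", finding)
```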
SMB
smbclient -L \\\\10.10.109.113\\
Enter WORKGROUP\root's password:
session setup failed: NT_STATUS_ACCESS_DENIED
That's a dead end.
PORT 80
In the page source we can find a flag of some sort.
UmbracoIsTheBest! (potential password)
JD@anthem.com (email address found at http://10.10.109.113/archive/we-are-hiring/)
Gobuster
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.109.113
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/10/25 20:20:30 Starting gobuster
===============================================================
/search (Status: 200)
/blog (Status: 200)
/sitemap (Status: 200)
/rss (Status: 200)
/archive (Status: 301)
/categories (Status: 200)
/authors (Status: 200)
/Search (Status: 200)
/tags (Status: 200)
/install (Status: 302)
/RSS (Status: 200)
/Blog (Status: 200)
/Archive (Status: 301)
/SiteMap (Status: 200)
/siteMap (Status: 200)
/INSTALL (Status: 302)
/Sitemap (Status: 200)
/1073 (Status: 200)
/Rss (Status: 200)
/Categories (Status: 200)
CMS
To get the name of the admin, visit the page where a poem is written and search on Google to find who wrote this poem.
We previously found JD@anthem.com.
The hint says that there is another email address on the website that should help us figure out the email pattern used by the administrator.
So the admin is Solomon Grundy, and crafting the email following the pattern above gives sg@anthem.com,
which will let us log in with the password UmbracoIsTheBest!
PORT 3389 (RDP)
Launch Remmina
with the username sg
and password UmbracoIsTheBest!
User Flag
Root Flag
Turn on the option to show hidden files,
as the hint says that the admin's password is hidden.
You can find a folder named backup
and in it restore.txt,
but you don't have rights to view this file.
What you could do is right-click, open Properties and change the permissions, but I'll show how you can do this with cmd.
When you try to view it, it will show that you don't have permissions, so,
ChangeMeBaby1MoreTime
Flags
Flag 1 THM{L0L_WH0_US3S_M3T4}
In the HTML boilerplate at http://10.10.109.113/archive/we-are-hiring/
Flag 2 THM{G!T_G00D}
In the body of the HTML at http://10.10.109.113
Flag 3 THM{L0L_WH0_D15}
http://10.10.109.113/authors
Flag 4 THM{AN0TH3R_M3TA}
http://10.10.109.113/archive/a-cheers-to-our-it-department/