Anthem Walkthrough — TryHackMe

Enumeration
Nmap scan:

We could see that it is a Windows machine, with Windows Server and Remote Desktop Protocol running.
The next step was to enumerate robots.txt.

ROBOTS.TXT

We could see the Disallow entries, so Umbraco is the CMS, and I thought it would be the foothold to enter the server.
Let's enumerate further in the blogs to get usernames and flags, because we didn't find any exploit that works on Umbraco.

Found the first flag inside the first page's source.

The second flag was found, along with an existing user, janedoe, and an email address, JD@anthem.com (that's a short form of janedoe).
We found a password, UmbracoIsTheBest!, in robots.txt, but it didn't work for that Jane Doe email.
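
A small check for this kind of leak, added here as an example (it is not part of the original walkthrough): it lints a robots.txt for lines that are not crawler directives, such as a stray password, and for Disallow entries that name a CMS back office. The sample file, the hint list and the function name are constructed assumptions.

```python
# Added example: lint a robots.txt for content that should not be public.
KNOWN_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay", "host"}
# Assumed hint list of path segments that reveal an admin or back-office area.
SENSITIVE_HINTS = ("umbraco", "admin", "backoffice", "login", "bin", "config")

# Constructed sample, not the file from the room.
SAMPLE = """\
ExamplePassw0rd!

# Use for all search robots
User-agent: *

# Directories not to crawl
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/
"""

def audit_robots(text):
    """Return (line number, kind, text) findings for a robots.txt body."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        if comment.strip():
            # Comments are served to every visitor, so list them for review.
            findings.append((lineno, "comment", comment.strip()))
        line = body.strip()
        if not line:
            continue
        field, sep, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if not sep or field not in KNOWN_FIELDS:
            # Anything that is not "field: value" has no business here.
            findings.append((lineno, "non-directive", line))
        elif field == "disallow":
            segments = [s for s in value.lower().split("/") if s]
            if any(s.startswith(h) for s in segments for h in SENSITIVE_HINTS):
                findings.append((lineno, "sensitive-path", value))
    return findings

if __name__ == "__main__":
    for finding in audit_robots(SAMPLE):
        print(*finding, sep="\t")
```

Run against a site's own robots.txt before deployment, a "non-directive" finding is the one to treat as a leaked secret and rotate.
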
I enumerated the blog further.

I copied the poem and pasted it into a Google search, and I got a repeated name: Solomon Grundy. So that was a two-part name, SG, and I thought of using SG@anthem.com with the password found in robots.txt.
I was able to log in to Umbraco!!!
Let's try the same creds for Remote Desktop.
HURRAY, I WAS ABLE TO LOG IN TO THE SYSTEM

PRIVILEGE ESCALATION

After all the enumeration, I found some hidden directories on the local disk C.
But I was not able to read restore.txt. I checked its permissions and I was not a user added to them, so I can edit them and add my user to the permission group.

Then I was able to read restore.txt.


I was able to log in as Administrator.