Anthem (Tryhackme) Room Writeup By Jonty Bhardwaj
Hello Reader, I am Jonty Bhardwaj currently enrolled in Master Certificate in Cyber Security HackerU program. Today I am here to share a writeup on a Tryhackme machine called Anthem.
Now first of all we will navigate to the Room URL and join it.
After starting the Machine we will first connect through Open VPN and ping the machine through the IP we are given to see if the connection is established. After we are successful in pinging the machine, we will start the fun part which is Pentesting and getting root privilege.
Now first we will start a Nmap scan to see what are the ports and services open on the machine.
nmap -sV -sT -Pn -T4 -A 10.10.25.241
Now we can see that 2 ports are open and the most promising port we can gather info looks to be port 80. Lets see what’s on the website there.
From Nmap results we saw that on port 80 , there is a file named robots.txt. Lets search what information is in there .
Here we found a random text which looks like to be a Username or Password — UmbracoIsTheBest!
From robots.txt we tried all the webpages which were there and found this webpage to be active .
Now lets find more information form the home webpage . After searching for some time we found that there are 2 blogs written on the home webpage . The first blog contain information to apply for hiring.
Important Info we found
The credentials given are JD@anthem.com — Where JD stands for Jane Doe , the person who has posted this and most likely she is HR.
This means the email convention in this company is short form of the name and then added to @anthem.com.
We started searching the home webpage source code and found the first flag in the meta content .
Inspecting the home webpage source code more thoroughly we found our second flag.
Searching the website more , when we searched more info on Author John Doe , we found Third first flag.
Finally after checking the source code the second blog we got our last flag
Now lets try to search more information on getting credentials so that we can login into the system as administrator through RDP.
In the second blog , its is stated that an admin redesigned the website and the song is written about him. Lets search the song to find more about the admin who redesigned the webpage to see if we can found any info like his name .
We tried searching for Information on this song and what this means and found that the song is written by Author Solomon Grundy which may be the admin who redesigned the website.
Here we found the name of the admin to be -
Name — Solomon Grundy
Email — SG@anthem.com
Password — UmbracoIsTheBest!
We guessed the email from the naming convention we found out earlier from the first blog.
Now lets login into /umbraco login page with the credentials .
And here we go , we have successfully login into the webpage.
Lets use these credentials to login through RDP.
We failed with the username SG@anthem.com . We then removed the domain name from the username and tried with SG as username only. And there you go it worked.
rdesktop -u SG -p UmbracoIsTheBest! 10.10.75.52
On the Desktop itself we found the user flag
Lets search for more information to get Admin password for Admin Access.
We first set the file permissions to show all the hidden files .
After searching we found backup folder in C Drive . Inside the backup folder we found a file named Restore .
On opening the file we encountered the error that we do not have permission to open the file.
Lets change the permission of the file in the file properties > security.
We successfully added the user SG for permissions to view and modify the file.
Now lets try to open the restore file again and see what’s in the File .
Looks like we have found some sort of password and it might be Admin Password. Lets try to use it and access the Administrator Folder.
After using the password we have successfully entered the administrator folder . Now lets find the last root Flag.
On the Administrator Desktop we found a file named root. After opening the file we found the last root flag.
Here we have successfully escalated to root shell and found the root flag in the administrator folder.
Proof of Completion
Congratulations on completing the room and reading the blog . Hope my blog helped you in your journey and made you learn something new .
Happy Hacking !!