Anthem



Info about Anthem

Exploit a Windows machine in this beginner level challenge.

This task involves you paying attention to details and finding the 'keys to the castle'.
This room is designed for beginners; however, everyone is welcome to try it out!

Enjoy the Anthem.


Active reconnaissance

Port scan

Perform a quick general scan on all ports.

sudo nmap TARGET_IP -n -p- -sS -Pn -vvv --open --min-rate 5000 -oN nmap_scan
PORT     STATE SERVICE       REASON
80/tcp   open  http          syn-ack ttl 125
3389/tcp open  ms-wbt-server syn-ack ttl 125

Enumeration

Perform a deep scan with common scripts only on ports we are interested in.

sudo nmap TARGET_IP -sCV -p 80,3389 -oN nmap_enum

OS

Windows; CPE: cpe:/o:microsoft:windows

Port 80 - Umbraco

tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

|_http-title: Anthem.com - Welcome to our blog
| http-robots.txt: 4 disallowed entries
|_/bin/ /config/ /umbraco/ /umbraco_client/


bin

It's empty

config

The same main page

umbraco_client

The same main page

Umbraco

We have a login page

What's the name of the Administrator

It's the author of the poem

Port 3389 - RDP

tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
|_ System_Time: 2025-01-07T14:18:27+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2025-01-06T14:15:34
|_Not valid after: 2025-07-08T14:15:34
|_ssl-date: 2025-01-07T14:19:27+00:00; +1s from scanner time.


Exploitation

Port 80 - Umbraco

Dashboard

After logging in with the credentials, we reach the dashboard.

What is flag 1?


What is flag 2?


What is flag 3?


What is flag 4?


Port 3389 - RDP

Gain initial access to the machine, what is the contents of user.txt?


Can we spot the admin password?

Look in the hidden folder.
Click on the settings of the restore file and add our user to the file's permissions.
Then open the file.
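
The step above works because a standard user was allowed to rewrite the permissions on a file holding a credential. The following audit script is an added example, not part of the original writeup: it lists files, hidden ones included, whose ACL a non-administrative account can change. The `$Root` parameter and the `$Trusted` principal list are assumptions to adapt to the host being reviewed.

```powershell
# Added example (not from the original writeup): report files whose ACL can be
# rewritten by an account outside a trusted list, the condition abused above.
# $Root and $Trusted are assumptions; set them for the host being reviewed.
param(
    [Parameter(Mandatory)] [string]$Root,
    [string[]]$Trusted = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'NT SERVICE\TrustedInstaller'
    )
)

# Rights that let a principal grant itself read access later.
$aclRights = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# -Force includes hidden and system items, which a plain listing skips.
Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $item = $_
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { return }   # unreadable ACL: skip this file, keep scanning

    $findings = @()

    # The owner can always edit the DACL, even with no ACE granting access.
    if ($Trusted -notcontains $acl.Owner) {
        $findings += "owner is $($acl.Owner)"
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($Trusted -contains $who) { continue }
        # FullControl and Modify-plus-WRITE_DAC both contain these bits.
        if (($ace.FileSystemRights -band $aclRights) -ne 0) {
            $findings += "$who has $($ace.FileSystemRights)"
        }
    }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            Path       = $item.FullName
            Attributes = $item.Attributes
            Findings   = $findings -join '; '
        }
    }
}
```

Run it from an elevated session against directories outside user profiles, where files owned by ordinary accounts are unexpected; inside a profile every file the user created will be reported.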


Privilege escalation

Log in to the Administrator account

xfreerdp /u:Administrator /p:ChangeMeBaby1MoreTime /v:10.10.233.117

Escalate your privileges to root, what is the contents of root.txt?
