Introduction
Hello fellow hackers, today I’m going to show you a Windows operating system based exploitation challenge. Anthem is a beginner-level room which requires you to answer eight questions and find six flags. This task involves paying attention to details and finding the ‘keys to the castle’. I am going to walk you through all the tasks of this machine, which is available on TryHackMe.
You can access this machine from this URL: https://tryhackme.com/room/anthem
After hitting the deploy button we now have our IP address (before starting, check whether the IP is live by pinging it).
[Task 1] Website Analysis
#1 Let’s run nmap and check what ports are open.
From the nmap scan result we came to know that five ports are open: 135/tcp msrpc, 139/tcp netbios-ssn, 445/tcp microsoft-ds, 3389/tcp ms-wbt-server and 80/tcp http.
Command used: nmap -sV <machine IP>
#2 What port is for the web server?
As we can see from the nmap scan result, port 80 is for the web server. Let’s check it out in the browser.
#3 What port is for remote desktop service?
As we can see from the nmap scan result, it is 3389/tcp ms-wbt-server.
#4 What is a possible password in one of the pages web crawlers check for?
Well, I didn’t find the password in the web page, but I used the wig (WebApp Information Gatherer) tool to dig deeper for clues.
And I found that /robots.txt was available and found the possible password over there.
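The leak described above, a credential sitting in /robots.txt, is easy to catch from the site owner's side. As an added example (not part of the original walkthrough; the sample file, the directive list and the sensitive-path keywords are assumptions), this Python check flags any line that is not a recognised directive and any Disallow entry that advertises a sensitive area:

```python
import re

# Directives commonly recognised by crawlers; anything else is unexpected.
KNOWN = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay", "host"}
# Path fragments that advertise sensitive areas (assumed list, tune per site).
SENSITIVE = re.compile(r"admin|backup|config|login|private", re.I)


def audit_robots(text):
    """Return (line_no, kind, content) findings for a robots.txt body."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        name, sep, value = line.partition(":")
        directive = name.strip().lower()
        if not sep or directive not in KNOWN:
            # Stray text in a public file: notes, credentials, leftovers.
            findings.append((no, "non-directive", line))
            continue
        if directive == "disallow" and SENSITIVE.search(value):
            # The rule hides the path from crawlers but publishes it to readers.
            findings.append((no, "sensitive-path", value.strip()))
    return findings


# Constructed sample, not the room's actual file.
SAMPLE = """\
ExamplePassw0rd!
# keep crawlers out of the back office
User-agent: *
Disallow: /bin/
Disallow: /config/
Disallow: /admin-panel/
Sitemap: https://example.test/sitemap.xml
"""

if __name__ == "__main__":
    for finding in audit_robots(SAMPLE):
        print(finding)
```

Running it as part of a deployment check keeps stray text out of a file that every visitor and crawler can read.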
#5 What CMS is the website using?
I also used the wig (WebApp Information Gatherer) tool to check the CMS.
#6 What is the domain of the website?
When you open the machine IP in the browser, you’ll get the answer.
#7 What’s the name of the Administrator?
When you are looking around the website, navigate to and open the article cheers to the IT department. There will be a poem in the article, and the answer to this question is the name of the poet who wrote that poem.
#8 Can we find the email address of the administrator?
So, to find the email address of the administrator, there is a format mentioned in the webpage which acts as a hint.
[Task 2] Spot the flags
#1 What is flag 1?
Always check the Page Source of the Web Pages.
#2 What is flag 2?
Always check the Page Source of the Web Pages.
#3 What is flag 3?
When I clicked on the Author icon, I found the third flag.
#4 What is flag 4?
There was a hint provided by the creator of this room, which is to inspect the webpage, and I got the flag by inspecting the cheers to our IT department article page.
[Task 3] Final stage
#1 Let’s figure out the username and password to log in to the box. (The box is not on a domain)
In our previous stages of enumeration, I had already got the username and password to log in to the box.
#2 Gain initial access to the machine, what is the contents of user.txt?
To access the machine, the command I used is:
rdesktop -u <username> <machine IP>
I found the user.txt on the desktop.
#3 Can we spot the admin password?
While exploring the Windows machine, I found a folder called backup. In this folder, there will be a restore.txt file, and when you open the txt file, you will get the admin password.
#4 Escalate your privileges to root, what is the contents of root.txt?
First we have to check mark the Hidden items option, just to see whether any clue was left behind.
To access the administrator folder, we need to add the existing user as shown below.
Right-click on the administrator folder –> go to Properties –> go to the Security tab –> configure and add the user.
When you get access, there will be a root.txt file, and in that file we get the final flag.
All the tasks and questions are answered, and thank you for reading. Hope you liked the blog and, as I always mention in every blog, suggestions are always welcome and open for discussion so that we can discuss other methods to complete the same task.
Happy Hacking…..