Exploit a Windows machine in this beginner level challenge.
This task involves you paying attention to details and finding the 'keys to the castle'. This room is designed for beginners; however, everyone is welcome to try it out! Enjoy the Anthem.
In this room, you don't need to brute force any login page. Just your preferred browser and Remote Desktop.
Enumeration shows
What port is for the web server? 80
What port is for remote desktop service? 3389
Here's the website we're working with:
Looking at the source, let's take note of this possible flag
Let's pop through a gobuster scan
gobuster dir -u http://10.10.10.173 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,htm,html
Okay, gobuster didn't work for me 'cause it kept timing out, so I switched over to dirb and got the robots.txt file.
What is a possible password in one of the pages web crawlers check for? UmbracoIsTheBest!
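A pre-deployment check for the mistake found above, as an added example that is not part of the original write-up: it lints a robots.txt for lines that are not crawler directives (such as a stray note or password) and lists the Disallow paths the file advertises. The sample file, its placeholder password and paths, and the function name `audit_robots` are constructed for illustration.

```python
import re

# Field names from the Robots Exclusion Protocol (RFC 9309) plus the
# commonly used Sitemap and Crawl-delay extensions.
KNOWN_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay"}
FIELD_RE = re.compile(r"^([A-Za-z-]+)\s*:\s*(.*)$")

def audit_robots(text):
    """Return (stray, advertised) for the contents of a robots.txt file.

    stray      -- (line_no, text) for lines that are not blank, a comment,
                  or a known 'field: value' directive. Crawlers ignore them,
                  but anyone who fetches the file can read them.
    advertised -- Disallow paths, which tell every reader where to look.
    """
    stray, advertised = [], []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = FIELD_RE.match(line)
        if not m or m.group(1).lower() not in KNOWN_FIELDS:
            stray.append((no, raw.strip()))
            continue
        if m.group(1).lower() == "disallow" and m.group(2):
            advertised.append(m.group(2))
    return stray, advertised

# Constructed sample: a stray note left at the top of the file.
SAMPLE = """\
ExamplePassw0rd!

# Use for all search robots
User-agent: *

# Directories not to crawl
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
"""

if __name__ == "__main__":
    stray, advertised = audit_robots(SAMPLE)
    for no, content in stray:
        print(f"line {no}: not a robots directive: {content!r}")
    for path in advertised:
        print(f"advertised path: {path}")
```

Comments in robots.txt are just as public as directives, so they deserve the same manual review even though this check skips them.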
From our dirb, we get a few folders to access and if we put that together with our nmap, we can see the CMS is called
What CMS is the website using? umbraco
For the domain name, we can get that from the nmap scan we did at the start.
What is the domain of the website? Anthem.com
For the name of the admin, we visit a blog post about the IT dept and then do a quick search for the poem that was written about them. Turns out that poem was about Solomon Grundy.
What's the name of the Administrator? Solomon Grundy
To find the email, we know that it's a two-letter initial followed by @anthem.com.
We know the admin's name is Solomon Grundy, so we put those initials in there and get our answer.
Can we find the email address of the administrator? SG@anthem.com
As we poked around, there were flags we saw so let's just plop them in. Most of them were on the page sources.
What is flag 1? THM{L0L_WH0_US3S_M3T4}
What is flag 2? THM{G!T_G00D}
What is flag 3? THM{L0L_WH0_D15}
What is flag 4? THM{AN0TH3R_M3TA}
For the login, I first thought that we could brute force the login page with hydra but then I remembered the intro says we don't need to brute force anything...
Let's get access now! We can login with the information we found above
sg:UmbracoIsTheBest!
The desktop has the first flag file
Gain initial access to the machine, what is the contents of user.txt? THM{N00T_NO0T}
The next question gives us a hint of 'it's hidden'. Looking around for hidden files and folders, we find a hidden backup folder with a restore.txt file. We can't read it out of the box, but we are able to right-click and change the security settings to give sg full permissions and read the file.
Can we spot the admin password? ChangeMeBaby1MoreTime
Now that we have the password, the last part is getting the "root" flag. For this, we COULD just log out and back in as admin but I'm lazy so we'll just run a command window as admin, pass the password we just found and then write that file to the screen.
Escalate your privileges to root, what is the contents of root.txt? THM{Y0U_4R3_1337}