TryHackMe Walkthrough :- Anthem

Aditya Kumar
5 min readJun 18, 2021

--

Exploit a Windows machine in this beginner level challenge. This is A beginner-level windows CTF challenge.

You can access the machine from here.

Prerequisites

Before deploying the machine make sure you have you VPN ready.

Now deploy the machine after the VPN is ready.

Reconnaissance

I started by gathering some information and checking what all ports are open by doing a basic nmap scan.

nmap -sS -sV -A -Pn <Target Machine IP>

There are 2 ports open 80 and 3389. Port 80 is hosting a web-page and port 3389 is hosting a rdesktop service.

Check the webpage you can find many things there.

I found the first couple of flags just by looking through the pages and checking the page source.

Along with that sets run dirbuster to find the web directories.

Check /robots.txt

So you can say that UmbracoIsTheBest! is a possible password for some login.

On the A cheers to our IT department page, I saw this poem.

On googling, I found that the author of this poem is Solomon Grundy.

The page said that the poem is about the admin so the admin name might be Solomon Grundy so I entered that in the task question page and it Accepted.

On one of the pages, we saw the email id of Author Jane Doe as

JD@anthem.com

So it made sense that the email id for Solomon Grundy would be also

SG@anthem.com

1st Flag

Checking the source code of this current page i.e We are Hiring.

http://<IP>/archive/we-are hiring/ > view source code

The first flag has been found.

FLAG :- THM{L0L_WH0_US3S_M3T4}

2nd Flag

Checking the source code of A cheers to our IT department page.

http://<IP>/archive/a-cheers-to-our-itdepartments/ > view source code

Second Flag :- THM{G!T_G00D}

3rd Flag

Now to find the 3rd flag we have to go the authors page.

http://<IP>/authors/

Third Flag :- THM{L0L_WH0_D15}

4th Flag

After Searching for quite a while I discovered that the 4th flag is hidden in the source code of A cheers to our IT department page.

http://<IP>/archive/a-cheers-to-our-itdepartments/ > view source code

Fourth Flag :- THM{AN0TH3R_M3TA}

Now Finding the Main Flags

As we already know that we have a rdesktop port 3389 open, we use the already found credentials to log in.

Username — SG

Password — UmbracoIsTheBest!

rdesktop -u SG -p UmbracoIsTheBest! <IP>

We Found our 1st Main Flag.

1st Main Flag :- THM{N00T_NO0T}

Now the root flag is hidden inside the Administrator Folder But we dont have access to that folder.

When clicked on continue it is asking for password.

Which I will have to find in-order to get access in that folder and find the 2nd root flag.

There is a backup folder in C:// Drive that has the password required to access the Administrator folder. Enable hidden items folder to view it.

Inside the backup folder there is a restore.txt folder but our user doesn’t have permission to access that file we will have to change permission on this file.

select restore.txt > Right click > properties > security > edit >type SG and click check nanes> ok> apply.

Now you can open the file and see the admin password.

Admin Password :- ChangeMeBaby1MoreTime

Using this access the Administrator folder and get the root flag.

Final Root Flag :- THM{Y0U_4R3_1337}

And the room is completed, leaves some claps if you found this helpful.

--

--

Aditya Kumar
Aditya Kumar

Written by Aditya Kumar

B.Sc IT Graduate with C.E.H certification currently pursuing Offensive Security (Red Team). Passion for MMA and Kick-boxing & Automobile Enthusiast.

No responses yet