TryHackMe Anthem

Pavan Msvs
5 min read, Jun 17, 2021

Hello everyone! Today we are going to solve the TryHackMe machine Anthem.

First, connect to THM over the VPN and start the machine.

Start with an Nmap scan to find the open ports and services running on the machine.

Note: If you are running as root, you don’t need to use the sudo command.

nmap -Pn 10.10.219.81

Perform an advanced scan to find the service versions running on the system.

nmap -sC -sV -A 10.10.153.130

Start Gobuster to find any directories or hidden files present on the website.

gobuster dir -u http://10.10.153.130/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html

Let’s open the IP address in the browser and look at the details on the web page.

We commonly check /robots.txt for any interesting information.

It gave us the clue “UmbracoIsTheBest” and some other directories with umbraco in their names. We can see there are two articles on the page.
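Seen from the site owner's side, the leak described above (a stray string and back-office paths in robots.txt) can be caught with a small lint before the file is published. This is an added example, not part of the original writeup; the sample file contents, the keyword list and the name lint_robots are assumptions constructed for illustration.

```python
# Lint a robots.txt body for content that should not be public.
# Added example: sample input and keyword list are constructed assumptions.

# Field names crawlers commonly recognise in robots.txt.
KNOWN_DIRECTIVES = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay", "host"}

# Assumed hints for paths that advertise a back office; tune per site.
SENSITIVE_HINTS = ("admin", "umbraco", "backup", "login", "config", "install")

# Constructed sample, modelled on what the writeup describes finding.
SAMPLE = (
    "UmbracoIsTheBest\n"
    "\n"
    "User-agent: *\n"
    "Disallow: /bin/\n"
    "Disallow: /config/\n"
    "Disallow: /umbraco/\n"
    "Disallow: /images/\n"
)


def lint_robots(text):
    """Return (line_number, kind, detail) findings for a robots.txt body."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        field, sep, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if not sep or field not in KNOWN_DIRECTIVES:
            # Crawlers ignore this line, but every visitor can read it.
            findings.append((number, "not-a-directive", line))
            continue
        if field in ("allow", "disallow") and any(
            hint in value.lower() for hint in SENSITIVE_HINTS
        ):
            # The rule hides the path from search engines, not from people.
            findings.append((number, "sensitive-path-disclosed", value))
    return findings


if __name__ == "__main__":
    for number, kind, detail in lint_robots(SAMPLE):
        print(f"line {number}: {kind}: {detail}")
```

Any "not-a-directive" finding should be removed from the file and, if it was ever used as a credential, rotated; paths flagged as disclosed need real access control rather than a Disallow rule.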

Open the first article, “We are hiring”, and search for any flags in it. The article also shows the email format of the author.

We can see the author name “Jane Doe” and some other information. Check the page source to see if we can find anything more.

In line 13 we can see the flag. It is our first flag. If you click on the Jane Doe profile, it redirects to another page where we can find our third flag.

Now go to the second article. We can see a poem written here, and if we Google it we can see the hidden meaning in the poem. They also mention that it is for the admin.

Just Google the first line and look at the name that comes up: it says “Solomon Grundy”, and that is our admin.

Now check the page source for another flag; in line 13 we can see our flag.

Since we already know that port 3389 is open and we have the admin name and the password, we will try to log in using RDP.

xfreerdp /u:sg /p:UmbracoIsTheBest! /v:10.10.153.130

We successfully logged in using RDP, and on the desktop itself we can see the user flag.

Now open the user flag.

For the admin flag, they gave the hint “It is hidden”.

Now enable the hidden items option to see all the hidden files on the system.

In the backup folder there is a restore.txt file, and we don’t have permission to open it.

Change the permissions to get access to that file.

After changing the permissions, open the file. We can see some text, which we will treat as the admin password.

Now log in over RDP using the administrator account with that password.

xfreerdp /u:administrator /p:ChangMeBaby1MoreTime /v:10.10.153.130

We successfully logged in and got our root flag, but we still haven’t got flag 2. It is actually present in the home page source code.

Finally, we submitted all our flags and completed the machine.

This concludes the room and all the flags have been captured!
