TryHackMe | Anthem Box

This box will be a little different, due to it being a Windows box. Now, given that like 98% of business infrastructure runs on Windows, I’m starting to think it’s due time for me to start branching out. I’ve got a couple more write ups coming soon, they are just very very long, so I haven’t gotten around to creating them yet.

But for this box, let’s start off with a little nmap scan.

So, we’ve got a lot of ports open. I’m going to look into the importance of each of these ports real quick, just for review:

  • Port 80 – HTTP: The default port for unencrypted HTTP, where the web server listens for requests from browsers and other web clients. It can be configured differently, but this is the default.
  • Port 135 – MSRPC: Microsoft’s implementation of DCE/RPC. Stands for “Microsoft Remote Procedure Call”. It uses the client-server model to let one program request a service from a program on another computer without having to understand the details of that computer’s network. On Windows this port is the RPC endpoint mapper, which tells clients which port a given RPC service is actually listening on.
  • Port 139 – NetBIOS-SSN: Stands for “NetBIOS Session Service”. SMB sessions carried over NetBIOS are made on this port, usually by Windows machines, but also by any other system running Samba, the open-source SMB implementation. These sessions support “connection oriented file sharing activities”.
  • Port 445 – Microsoft-DS: Stands for “Microsoft Directory Services”. This is SMB carried directly over TCP, without the NetBIOS layer, and is the preferred port for Windows file sharing and “numerous other services”; Samba listens here too.
  • Port 3389 – MS-WBT-Server: From the port number alone we can already guess that this is an RDP instance. The service name stands for “Microsoft Windows-Based Terminal Server”, and RDP itself is the “Microsoft Remote Desktop Protocol” (not “Remote Display”). It exposes a terminal server that can be remoted into, so it is worth trying with any credentials we turn up later.

Let’s take a crack at the website first.

So, there wasn’t anything important on the main page, and robots.txt is always a great place to check when crawling directories: it is a public file listing the paths the site asks search engines to stay out of, which is exactly the list of paths a pentester wants to look at. So if you’re feeling lazy and don’t want to start up and configure dirbuster, just add “/robots.txt” to the end of the URL and see if it pulls up anything important. In our case it did: multiple directories to check out, and an entry that isn’t a path at all and looks a lot like a password.

This just shows what the site’s URL is supposed to be. It answers one of the questions for the box.

Another question was to find out the name of the SysAdmin, which I considered a bit dumb, just because the whole concept of this question is flawed. You need to Google this poem that this employee wrote about the sysadmin, and it gives you the author of the original poem, which is what the sysadmin’s name is. Why this bears any relevance, how anyone was actually supposed to connect those dots, I’ll never know. I’m just glad I didn’t do the foot work on this bit of the box (haha).

^Name of the sysadmin^

This was to identify how the company formats its email addresses. We have a first and last name, and we have an example address from the site, so we can work out the pattern (first initial plus last name, first.last, and so on) and build the sysadmin’s email from it. It also looks like we have his password from the robots.txt file.
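Here is how that pattern-matching step can be automated, as an added example that is not from the write-up. It checks one harvested address against a short list of common corporate formats, then applies whichever format matched to the target’s name; the names and domain used in it are made up.

```python
"""Infer a company's e-mail address format from one known example and
apply it to another person. Added example, not from the original write-up;
the names and the example.com domain are constructed."""

import re

# Candidate formats, roughly most common first. Each is a format string over
# the normalised first/last name and the first letter of each.
PATTERNS = {
    "first.last": "{first}.{last}",
    "firstlast": "{first}{last}",
    "flast": "{f}{last}",
    "first_last": "{first}_{last}",
    "last.first": "{last}.{first}",
    "lastf": "{last}{f}",
    "first.l": "{first}.{l}",
    "first": "{first}",
}


def _tokens(full_name):
    """Lower-case the name, drop punctuation, and split into first/last."""
    parts = re.sub(r"[^a-z ]", "", full_name.lower()).split()
    if len(parts) < 2:
        raise ValueError("need a first and last name")
    first, last = parts[0], parts[-1]
    return {"first": first, "last": last, "f": first[0], "l": last[0]}


def infer_pattern(known_name, known_email):
    """Return (pattern name, domain) for the format that reproduces known_email."""
    local, _, domain = known_email.lower().partition("@")
    toks = _tokens(known_name)
    for name, fmt in PATTERNS.items():
        if fmt.format(**toks) == local:
            return name, domain
    raise ValueError(f"no known pattern produces {local!r}")


def build_email(full_name, pattern, domain):
    """Render full_name with the given pattern at the given domain."""
    return f"{PATTERNS[pattern].format(**_tokens(full_name))}@{domain}"


def guess_email(target_name, known_name, known_email):
    """Infer the format from one known person and apply it to the target."""
    pattern, domain = infer_pattern(known_name, known_email)
    return build_email(target_name, pattern, domain)


if __name__ == "__main__":
    # Constructed sample: one address seen on the site, one name to resolve.
    print(guess_email("Jane Roe", "John Doe", "JDoe@example.com"))
```

One known address only pins the format down if the candidate patterns render differently for that name; a one-letter first name, for instance, would match both `flast` and `firstlast`, so with a real target it is worth confirming the guess against a second harvested address if one exists.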

The challenge here was to just find three (maybe four? I don’t remember exactly) flags that were hidden in/on the site. Most of them were in the source code, so I just went to each page, opened the source code, and ctrl+f’d for “THM{“, which is the standard format for TryHackMe flags.

I didn’t spend too much time looking, but I feel like there should be a tool to crawl a specific website and all the links/pages it has on it and be able to look for certain parameters with the source code. I couldn’t find a tool like that, but maybe I should make one as a challenge. Could use Python + Beautiful Soup or something.
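A small version of that tool, covering both the robots.txt check earlier in the post and the search of page source for THM{ flags, as an added example that is not from the write-up or from TryHackMe. It uses only Python’s standard library (html.parser instead of Beautiful Soup), seeds the crawl with whatever robots.txt lists, and walks a constructed in-memory site so it runs offline; the URLs, paths, flag values and the robots.txt contents in it are all made up. Replacing the fetch function with a real HTTP fetch (urllib or requests) points it at a live target.

```python
"""Crawl a site, seed the crawl from robots.txt, and grep every fetched page's
source for TryHackMe-style flags. Added example, not the write-up's tool;
the SITE dictionary below is a constructed stand-in for a live web server."""

import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

FLAG_RE = re.compile(r"THM\{[^}]*\}")


class LinkParser(HTMLParser):
    """Collect href/src targets from a page so the crawler can follow them."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("href", "src") and value:
                self.links.append(value)


def parse_robots(text):
    """Split robots.txt into paths to crawl and values that are not paths.

    Anything that is neither a path nor the '*' wildcard (for example a
    password someone dropped into a User-agent line) goes into `odd`.
    """
    paths, odd = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        value = value.strip()
        if not sep or not value:
            continue
        if value.startswith("/"):
            paths.append(value)
        elif value != "*":
            odd.append(value)
    return paths, odd


def crawl(base, fetch, max_pages=200):
    """Breadth-first crawl of same-host links, starting at base plus robots paths.

    fetch(url) returns the page body as text, or None if the URL does not exist.
    Returns ({flag: first url it was seen on}, [non-path robots.txt values]).
    """
    host = urlparse(base).netloc
    seeds, odd = parse_robots(fetch(urljoin(base, "/robots.txt")) or "")
    queue = [base] + [urljoin(base, p) for p in seeds]
    seen, flags = set(), {}
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen or urlparse(url).netloc != host:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        for flag in FLAG_RE.findall(body):  # source, comments and meta tags included
            flags.setdefault(flag, url)
        parser = LinkParser()
        parser.feed(body)
        queue.extend(urljoin(url, link) for link in parser.links)
    return flags, odd


# Constructed sample site (not the real box); the flags are placeholders.
SITE = {
    "http://example.test/": '<a href="/blog">blog</a><!-- THM{comment_flag} -->',
    "http://example.test/robots.txt": "User-agent: ExamplePassword1\nDisallow: /admin/\n",
    "http://example.test/blog": '<img src="/img/x.png"><a href="/authors/1">author</a>',
    "http://example.test/authors/1": '<meta name="description" content="THM{meta_flag}">',
    "http://example.test/admin/": "<p>login</p>",
}


def find_flags_on_sample():
    """Run the crawler against the in-memory site; dict.get acts as fetch()."""
    return crawl("http://example.test/", SITE.get)


if __name__ == "__main__":
    found, odd_entries = find_flags_on_sample()
    for flag, url in found.items():
        print(flag, "found at", url)
    print("non-path robots.txt entries:", odd_entries)
```

The crawler stays on one host and caps the page count so a link loop or a large site cannot run away, and it searches the raw response rather than rendered text, which is why flags hidden in HTML comments or meta tags turn up without opening the source by hand.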

Final flag for this section was on a profile page.

I also broke into the website manager using the email and password for the sysadmin. Didn’t find anything, but it was fun to try.

So RDPing into the box over port 3389 works with the sysadmin’s username and the password we found in robots.txt. Now we just have to root around a bit (hehe…get it?) and then escalate our privileges to full administrator to find the final text file.

First text file found just sitting on the desktop.

Interesting folders that were hidden. They only appear once you turn on viewing of hidden items, since the Hidden attribute keeps them out of a default directory listing, so if you go back through this box, you’ll want to check on those.

So, all we really had to do was take ownership of a hidden file and then grant ourselves Full control over it. Taking ownership is the key step: the owner of a Windows object can always rewrite its permissions (the DACL), even with no other access to it, so ownership turns straight into read access. That piece of NTFS design is worth remembering for any Windows privilege escalation.

Opening the file provides us with the administrator’s password.

Now, let’s log out, and attempt to login as admin.

And we’re in! The final flag was sitting on the desktop as well. Great box to get your feet wet with Windows and RDP, but I’m definitely looking forward to more!