Anthem (THM)

TryHackMe Anthem Write-Up

topics: Web application security, control panel (hidden files), Windows privilege escalation

  1. Plan

  2. Enumeration

  3. Local Privilege Escalation (Exploitation)

  4. Administrator Privilege Escalation

new tools:

tools: nmapAutomator, dirsearch, remmina

Plan

Room description: "This task involves you, paying attention to details and finding the 'keys to the castle'"

Enumeration

Initial nmap scan: ./nmapAutomator.sh $ip Basic

We have five ports open: 80 (HTTP), 135 (MSRPC), 135/445 (SMB/SAMBA), and 3389 (RDP). Let's enumerate the web server.

python3 dirsearch.py -u $ip -e php,html,txt

There are many subdirectories to look at; let's start with the homepage and the directories dirsearch highlighted in yellow: /authors, /blog, /categories, /robots.txt, /rss, /search, /sitemap, /tags, /umbraco (the CMS, with its version).

The Blog Posts

The first post mentions that the company, Anthem, is hiring. We also get a potential email address, jd@anthem.com.

There are four flags on the machine so hopefully we can find each in one of these.

Flag 1

Navigating to the source code of the blog post: "We are hiring"

Flag 2

Also in the source code of both blog posts: "A cheers to our IT department" and "We are hiring"

Flag 3

Navigating to /authors

Flag 4

Also in the source code of the blog post: "A cheers to our IT department"

Local Privilege Escalation

The second post is interesting and contains a critical clue. It mentions an admin has saved the business by redesigning the website. It then proceeds to share a poem that is written about the admin. It is listed below.

This poem was familiar to me (thank you Justice League); it is a reference to Solomon Grundy. I'm unsure of the exact details, but we can assume that the admin is Solomon Grundy and more than likely follows the syntax of the previous email address: sg@anthem.com

/robots.txt

/robots.txt is meant to tell crawlers which paths to stay out of, which makes it a good place to look for restricted directories, quick notes about the server, and occasionally credentials. This one contains a very specific message, UmbracoIsTheBest!, written in camel case. Passwords are commonly written in camel case, and we already have a username. RDP is open, so we can assume the credentials sg:UmbracoIsTheBest! will give us local access. Connect using remmina.

Administrator Privilege Escalation

I'm still developing my own methodology for attacking Windows boxes; it would be wise to assume a repetitive first check of something akin to sudo -l on Linux.

In Windows, if any user can access the control panel, they can change the folder view options to show all hidden files. Some of these files are executable, can be modified by (A)ll, and are owned by NT AUTHORITY\SYSTEM.

Open the control panel and change the folder option to show hidden files.

Navigating back to the C:\ drive, a hidden directory, backup, is revealed.

Attempting to open a file, restore.txt, reveals that we do not have permission. Let's see who does have permission.

It appears that we do not have any permissions specified. However, there is nothing stopping us from adding ourselves in the file's Security tab and granting ourselves access.

Click Apply and we can now view this file.

Hmm, very particular wording. Again, most things found written in camel case are passwords; let's see if this is the admin password, since the admin owned this file. Let's use remmina again.
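The escalation above works because an unprivileged user can read a hidden file once they are allowed to rewrite its DACL. As an added example that is not part of the original write-up, this PowerShell audit walks a directory (C:\backup is the path from the write-up; the list of broad principals is an assumption) and reports files whose owner is not SYSTEM or Administrators, or whose ACL grants write or permission-changing rights to Everyone, Users, or Authenticated Users; -Fix strips those broad ACEs.

```powershell
# Added audit script (not from the original write-up). Run from an elevated PowerShell.
param(
    [string]$Path = 'C:\backup',   # hidden directory from the write-up
    [switch]$Fix                    # remove offending ACEs instead of only reporting
)

# Assumption: these principals are "everyone on the box" and should never hold write rights here.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$TrustedOwners   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Any of these rights lets a principal alter the file or its DACL.
$RiskyRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership

Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    $acl  = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { return }

    # A file owned by an ordinary user can always have its DACL rewritten by that user.
    if ($TrustedOwners -notcontains $acl.Owner) {
        [pscustomobject]@{ File = $file.FullName; Issue = 'UntrustedOwner'; Principal = $acl.Owner; Rights = '' }
    }

    $changed = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $RiskyRights) -eq 0) { continue }

        [pscustomobject]@{
            File      = $file.FullName
            Issue     = if ($file.Attributes.HasFlag([IO.FileAttributes]::Hidden)) { 'BroadWriteHidden' } else { 'BroadWrite' }
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
        if ($Fix) { $acl.RemoveAccessRule($ace) | Out-Null; $changed = $true }
    }
    if ($changed) { Set-Acl -LiteralPath $file.FullName -AclObject $acl }
}
```

Files flagged UntrustedOwner need ownership reassigned (for example with takeown /F and icacls /setowner) rather than an ACE removal, since the owner can simply re-add rights.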
