Anthem (THM)
TryHackMe – Anthem Write-Up
topics: Web application security, control panel (hidden files), Windows Privilege Escalation
Plan
Enumeration
Local Privilege Escalation (Exploitation)
Administrator Privilege Escalation
new tools:
tools: nmapAutomator, dirsearch, remmina
Plan
Room description: "This task involves you, paying attention to details and finding the 'keys to the castle'"
Enumeration
Initial nmap scan: ./nmapAutomator.sh $ip Basic
We have five ports open: 80 (HTTP), 135 (MSRPC), 135/445 (SMB/SAMBA), and 3389 (RDP). Let's enumerate the webserver.
python3 dirsearch.py -u $ip -e php,html,txt
There are many subdirectories to find; let's start with the homepage and the directories dirsearch highlighted in yellow: /authors, /blog, /categories, /robots.txt, /rss, /search, /sitemap, /tags, /umbraco (CMS version)
The Blog Posts
The first post mentions that the company, Anthem, is hiring. We also get a potential email address, jd@anthem.com.
There are four flags on the machine so hopefully we can find each in one of these.
Flag 1
Navigating to the source code of the blog post: "We are hiring"
Flag 2
Also on the source code of both blog posts: "A cheers to our IT department" and "We are hiring"
Flag 3
Navigating to /authors
Flag 4
Also on the source code of blog post: "A cheers to our IT department"
Local Privilege Escalation
The second post is interesting and contains a critical clue. It mentions an admin has saved the business by redesigning the website. It then proceeds to share a poem that is written about the admin. It is listed below.
This poem was familiar to me (thank you, Justice League): it is a reference to Solomon Grundy. I'm unsure of the exact details, but we can assume that the admin is Solomon Grundy and more than likely follows the syntax of the previous email address, sg@anthem.com
/robots.txt
/robots.txt is always worth reading: it is meant to tell crawlers which paths not to index, so it frequently reveals restricted directories and sometimes even credentials. Here the file contains a very specific message, UmbracoIsTheBest!
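The two leaks this room relies on, secrets left in HTML comments and a non-directive line dropped into robots.txt, are exactly what a site owner should catch before publishing. The following pre-deployment check is an added example and not part of the original write-up; the THM{...} flag format, the password-style pattern and the sample inputs are constructed, not taken from the box.

```python
import re
from html.parser import HTMLParser

# Directives that legitimately belong in robots.txt; any other non-comment line is a leak candidate.
ROBOTS_DIRECTIVES = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay", "host"}

# Token shapes that should never reach public content (constructed patterns for this example).
SECRET_PATTERNS = [
    re.compile(r"THM\{[^}]*\}"),
    re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*\S+"),
]


class CommentCollector(HTMLParser):
    """Collects every HTML comment in a document; comments are invisible in the browser but not in view-source."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def scan_html(html):
    """Return the HTML comments that contain a secret-looking token."""
    parser = CommentCollector()
    parser.feed(html)
    return [c for c in parser.comments if any(p.search(c) for p in SECRET_PATTERNS)]


def scan_robots(robots):
    """Return robots.txt lines that are neither blank, a comment, nor a known directive."""
    findings = []
    for line in robots.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key = stripped.split(":", 1)[0].strip().lower()
        if key not in ROBOTS_DIRECTIVES:
            findings.append(stripped)
    return findings


# Constructed sample inputs mirroring the two leak types seen in the room.
SAMPLE_HTML = """<html><body>
<!-- TODO: remove before publishing THM{constructed_flag} -->
<!-- layout v2 -->
<p>We are hiring!</p></body></html>"""

SAMPLE_ROBOTS = """User-agent: *
Disallow: /umbraco/
# note to self
UmbracoIsTheBest!
"""

if __name__ == "__main__":
    print("HTML comment leaks:", scan_html(SAMPLE_HTML))
    print("robots.txt leaks:", scan_robots(SAMPLE_ROBOTS))
```

Run it against the rendered pages and robots.txt of a staging build; an empty result from both functions is the expected pre-release state.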