Anthem (Try Hack Me)
A beginner-level Capture The Flag (CTF) room that challenges newcomers to solve a variety of tasks using available tools and to break into a server to retrieve data. In this post, written as a course task for HackerU : RED Team Pentester, I will show the steps I followed to get the flags.
Basic checks to perform before attacking the machine:
1. Power on the target machine and make a note of its IP address.
2. Start your Kali virtual machine.
3. Connect to the TRY HACK ME OpenVPN.
4. Check connectivity to the target machine from the attacker PC (Kali VM).
The ping command returns 100% packet loss, so ICMP is possibly blocked by a firewall and a plain ping cannot tell us whether the system is up. Moving ahead, let us try an nmap scan and discover which ports are open.
NMAP (NETWORK MAPPER) - Enumeration
Enumeration is the process of extracting machine names, network resources, shares and services from a system. An nmap scan is usually the first step I take against a target machine.
Let us try host discovery using nmap instead of ping:
# nmap -PS <Target Machine IP>
- -PS sends a TCP SYN ping, so host discovery works over TCP rather than ICMP. The output shows that the host is up, followed by the discovered open ports.

One might wonder why I have written a paragraph on ICMP packets. When the traditional connectivity check (ping) fails, we should keep an open mind and try alternative methods. nmap is a powerful tool, and knowing its options will be very useful when solving boxes.
You can also try the -PO option:
# nmap -PO <Target Machine IP>
- -PO stands for IP Protocol Ping.
- Here the response indicates that the host is “blocking the probes”.
- From the -PS scan, however, we already know that the host is up.
Now we will perform a standard nmap scan to discover open ports, the operating system and other information for further enumeration.

- -v stands for verbose.
- -Pn skips host discovery and treats all hosts as up.
- -p0 starts the port range at 0 rather than 1, because port 0 is sometimes open; the full range of ports is given for scanning.
- --reason reports why each port is marked open, closed or filtered and why the host is marked alive.
The scan results show the following open ports:
- Port 80 (HTTP)
- Port 3389 (Terminal Services)
The scan also revealed that the host is running Windows.
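To make the scan results easier to work with across several boxes, the following is an added example (not part of the original write-up) that parses nmap's normal output run with --reason, lists the open ports with the reason nmap gives, and derives a rough OS hint from the observed TTL. The sample output is constructed for this example; only the two port numbers come from the write-up, and the IP, latency and TTL values are made up.

```python
import re

# Constructed sample of nmap normal output with --reason. The two open ports
# match the write-up; IP, latency and TTL are illustrative values only.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.10
Host is up, received user-set (0.12s latency).
Not shown: 65534 filtered ports
Reason: 65534 no-responses
PORT     STATE SERVICE       REASON
80/tcp   open  http          syn-ack ttl 127
3389/tcp open  ms-wbt-server syn-ack ttl 127
"""

# One port line: "<port>/<proto>  <state>  <service>  <reason ...>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s+(?P<reason>.*?)\s*$"
)
# nmap appends "ttl N" to the reason when it learned the TTL from the reply.
TTL_IN_REASON = re.compile(r"\bttl (?P<ttl>\d+)\b")


def parse_ports(output):
    """Return one dict per port line: port, proto, state, service, reason, ttl."""
    ports = []
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # header, host and summary lines are skipped
        entry = {
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": m.group("service"),
            "reason": m.group("reason"),
            "ttl": None,
        }
        t = TTL_IN_REASON.search(entry["reason"])
        if t:
            entry["ttl"] = int(t.group("ttl"))
        ports.append(entry)
    return ports


def open_ports(output):
    """Just the port numbers nmap reported as open, in output order."""
    return [p["port"] for p in parse_ports(output) if p["state"] == "open"]


def guess_os_from_ttl(ttl):
    """Rough OS hint from the observed TTL (a heuristic, not a substitute for nmap -O)."""
    if ttl is None:
        return "unknown"
    if ttl <= 64:
        return "Linux/Unix (initial TTL 64)"
    if ttl <= 128:
        return "Windows (initial TTL 128)"
    return "network device (initial TTL 255)"


if __name__ == "__main__":
    for p in parse_ports(SAMPLE_NMAP_OUTPUT):
        print(p["port"], p["proto"], p["state"], p["service"], "|", p["reason"],
              "|", guess_os_from_ttl(p["ttl"]))
```

The TTL heuristic explains where the "host is running Windows" conclusion can come from even without -O: a reply TTL of 127 is one hop below the Windows default of 128.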
Port 80 is open, so I generally browse to the <Target Machine IP> in a web browser and look for anything useful in the page or its source code that helps with enumeration or access.
It is a blog site with a few articles. The page does not offer much other information, but at the bottom we can identify the domain of the website (ANTHEM.COM). We can answer the question
What is the domain of the website?
Before enumerating further, we can answer the other two questions based on the nmap scan.
What port is for the web server?
What port is for remote desktop service?
Let us read the blog articles and also check the page source, which should be standard practice. In the section “We are Hiring” we can find the email address of the author, “xx@anthem.com”, where xx stands for the author’s initials. I made a note of the email address in case it is useful in later enumeration.
The next step is to scan the source code. I spent a good amount of time reading each line so as not to miss anything that could help me gain root access. As you read through the first few lines, you will find a flag in the meta content. Scanning the rest of the page, I noticed another flag in the form method.
I can now answer two questions under the section “Spot the Flag”
What is flag 1?
What is flag 2?
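Reading page source line by line works on a single page, but the same check can be done systematically. The following is an added example (not part of the original post) that walks every tag attribute in a page with Python's html.parser, reports values matching a flag pattern together with the tag and attribute they were hidden in, flags a form method that is neither GET nor POST, and collects email addresses such as the xx@anthem.com contact mentioned above. The HTML and the FLAG{...} format are constructed for this example and are not the room's real page or flags.

```python
from html.parser import HTMLParser
import re

# Constructed page source standing in for the blog page. The flag values and
# the FLAG{...} format are placeholders, not the room's real flags.
SAMPLE_HTML = """\
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta name="description" content="FLAG{constructed-meta-flag}">
  <meta name="generator" content="constructed blog engine">
  <title>Anthem Blog</title>
</head>
<body>
  <form action="/search" method="FLAG{constructed-form-flag}">
    <input type="text" name="q">
  </form>
  <p>We are hiring! Contact xx@anthem.com</p>
</body>
</html>
"""

FLAG_PATTERN = re.compile(r"FLAG\{[^}]*\}")          # constructed flag format
EMAIL_PATTERN = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class AttributeCollector(HTMLParser):
    """Records every (tag, attribute, value) triple so no attribute is skipped."""

    def __init__(self):
        super().__init__()
        self.attributes = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None:
                self.attributes.append((tag, name, value))


def collect_attributes(html):
    parser = AttributeCollector()
    parser.feed(html)
    parser.close()
    return parser.attributes


def find_flags(html, pattern=FLAG_PATTERN):
    """Flag matches with the tag/attribute they were hidden in, in document order."""
    hits = []
    for tag, name, value in collect_attributes(html):
        for match in pattern.findall(value):
            hits.append({"tag": tag, "attribute": name, "flag": match})
    return hits


def suspicious_attributes(html):
    """Attribute values that cannot be what the attribute normally carries,
    e.g. a form method other than GET or POST: a place where data gets hidden."""
    odd = []
    for tag, name, value in collect_attributes(html):
        if tag == "form" and name == "method" and value.lower() not in ("get", "post"):
            odd.append((tag, name, value))
    return odd


def find_emails(html):
    """Email addresses anywhere in the raw source (attributes or text)."""
    return sorted(set(EMAIL_PATTERN.findall(html)))


if __name__ == "__main__":
    for hit in find_flags(SAMPLE_HTML):
        print(f"{hit['tag']}[{hit['attribute']}] -> {hit['flag']}")
    print("odd attributes:", suspicious_attributes(SAMPLE_HTML))
    print("emails:", find_emails(SAMPLE_HTML))
```

The attribute walk is the useful part: it does not depend on knowing the flag format in advance, since suspicious_attributes catches an impossible value (a form method that is not GET or POST) regardless of what the value looks like.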
Now I will read the second article, “A cheers to our IT department”, in which the author James Orchard Halliwell has written a poem. Before enumerating further, let us look at this page’s source code too. As you read through the first few lines, you will find a flag in the meta content.
You will also find the flag for question 2 again; since it is already answered, it can be ignored.
Now I can answer the question
What is flag 4?
In one of the articles we came across a poem about the admin, and the question hint says “Use your favorite search engine”. Copy the poem and paste it into the search bar: it is the nursery rhyme “Solomon Grundy”. With that we can answer the question
What’s the name of the Administrator ?
We can guess the email address of the administrator. Remember that earlier we identified the email address of Jane (xx@anthem.com); for the administrator it would follow the same pattern (yy@anthem.com), where yy stands for the administrator’s initials.
Can we find the email address of the administrator?
We have the answer from the nursery rhyme.
Though I did not answer the questions in order, this is the approach I followed for the Anthem THM box; it varies from machine to machine.
DIRECTORY SEARCH ENUMERATION (GOBUSTER)
I will perform a directory search with gobuster using the command below:
# gobuster dir -u http://<Target Machine IP>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --timeout 60s
In case you get a timeout error (“exceeded while awaiting headers”), increase the timeout; the default is 10s. Add the -l option (lowercase L), which includes the response length in the output, along with more threads (-t 60) to speed up the directory scan. Compared to the earlier run without the timeout option, the scan with the timeout responds well. It is good to know the options available within gobuster: the -l option (lowercase L) is a good way to see the length of each directory’s response, and anything with a length of zero does not need to be looked at.
At just 10% completion, it had identified 21 directories with different lengths. Let gobuster keep running in the background while we move on to the next questions.
The question I would like to answer next,
What is a possible password in one of the pages web crawlers check for?
comes with a hint (.txt). The immediate thing that comes to mind is “robots.txt”, so let us see what is in it. The -s option indicates “silent mode”.

If you look at the topmost line in robots.txt, you can find the password for the above question. The next question,
What CMS is the website using?
becomes easier to answer: the file says “Umbracoisthebest”. Search on Google and you will find that Umbraco is a CMS.
Going back to the directory search, it was taking a lot of time and I wondered whether it was a “rabbit hole”. I stopped the directory search and decided to check some of the directories with a reasonable response length. Sort by length in descending order and check all of those directories. It was time consuming but worth the effort: in one of the directories I got the flag for the third question.
What is flag 3?
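The robots.txt finding above is a classic case of a file that every visitor can read being used to hold something it should not. The following is an added example (not from the original post) that parses a robots.txt file the way a reviewer would: it separates proper directives from comments and from stray lines that are neither, since a non-directive line at the top of the file is exactly where a leaked secret shows up, and it lists the Disallow paths, which are hints to anyone reading the file rather than protection. The file contents, the placeholder secret and the paths are constructed for this example and are not the room's real values.

```python
# Constructed robots.txt modelled on the finding above: a stray non-directive
# line at the top, followed by ordinary rules. Secret and paths are placeholders.
SAMPLE_ROBOTS = """\
ConstructedSecret123
User-agent: *
Disallow: /bin/
Disallow: /config/
Disallow: /private-backup/
# Sitemap: /sitemap.xml
"""

# Directives defined by the robots.txt convention (and the common Sitemap/Crawl-delay extensions).
KNOWN_DIRECTIVES = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay"}


def parse_robots(text):
    """Split robots.txt into known directives, unknown directives and stray lines.

    Stray lines (not 'Directive: value', not a comment) should never appear in a
    robots.txt file; they are what a reviewer most wants to see.
    """
    result = {"directives": [], "disallow": [], "unknown_directives": [], "stray_lines": []}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        value = value.strip()
        if sep and key in KNOWN_DIRECTIVES:
            result["directives"].append((key, value))
            if key == "disallow" and value:
                result["disallow"].append(value)
        elif sep and key and " " not in key:
            result["unknown_directives"].append((lineno, line))
        else:
            result["stray_lines"].append((lineno, line))
    return result


def review_robots(text):
    """Human-readable findings for whoever maintains the site."""
    parsed = parse_robots(text)
    findings = []
    for lineno, line in parsed["stray_lines"]:
        findings.append(f"line {lineno}: non-directive content exposed to every visitor: {line!r}")
    for lineno, line in parsed["unknown_directives"]:
        findings.append(f"line {lineno}: unrecognised directive: {line!r}")
    for path in parsed["disallow"]:
        findings.append(f"Disallow advertises a path; protect it with access control, not obscurity: {path}")
    return findings


if __name__ == "__main__":
    for finding in review_robots(SAMPLE_ROBOTS):
        print(finding)
```

Disallow entries are parsed separately on purpose: search engines honour them, but nothing else does, so each one is a path the site owner should check is actually access-controlled.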
Final Stage:
We know the administrator’s initials, which serve as the username for the domain Anthem.com, and the password from robots.txt.


Before entering the username and password, select the keyboard layout that matches your regional settings. You can then find the answer to the question
Gain initial access to the machine, what is the contents of user.txt?
The next question to answer is the following; a hint is provided saying that it is hidden.
Can we spot the admin password?

A folder called backup becomes visible once the hidden items checkbox is enabled. We cannot view the contents of the backup folder because our user does not have the required permission.


The folder’s permissions show that the user we logged in with has no permissions on it. Click Edit, add the user name and grant Full control permissions.




Disconnect from the earlier remote desktop session, then start a new remote desktop session logging in as “administrator” with the recovered administrator password. You will get the last flag.
Alternatively, within the same RDP session, right-click Command Prompt, select Run as administrator and enter the “Administrator” password. Navigate to the Desktop and you will find the root flag.
Escalate your privileges to root, what is the contents of root.txt?
