Contents

Anthem

Updated on 2020-07-19

Exploit a Windows machine in this beginner level challenge.

Difficulty: Easy

Room: Anthem

Created by: Chevalier

Standard nmap scan for all ports. We can assume this is a windows machine based on the title.


nmap -p- -T4 -sC -sV -vvv $IP

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
PORT      STATE SERVICE       REASON          VERSION
80/tcp    open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 4 disallowed entries
|_/bin/ /config/ /umbraco/ /umbraco_client/
|_http-title: Anthem.com - Welcome to our blog
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: WIN-LU09299160F
|   NetBIOS_Domain_Name: WIN-LU09299160F
|   NetBIOS_Computer_Name: WIN-LU09299160F
|   DNS_Domain_Name: WIN-LU09299160F
|   DNS_Computer_Name: WIN-LU09299160F
|   Product_Version: 10.0.17763
|_  System_Time: 2020-05-19T18:07:55+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Issuer: commonName=WIN-LU09299160F
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-04-04T22:56:38
| Not valid after:  2020-10-04T22:56:38
| MD5:   2814 61de 95b7 e9b5 4789 3027 7f1f 60d2
| SHA-1: d47d 2a8f 6143 b820 936e 4120 cdd1 9ddc 5385 d285
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQObhN9c8QnIVGx+ZslzEOmzANBgkqhkiG9w0BAQsFADAa
| MRgwFgYDVQQDEw9XSU4tTFUwOTI5OTE2MEYwHhcNMjAwNDA0MjI1NjM4WhcNMjAx
| MDA0MjI1NjM4WjAaMRgwFgYDVQQDEw9XSU4tTFUwOTI5OTE2MEYwggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA4MPIi4yCYJlBv6vwXF5lu5NbQCPQxk4q
| 7lJsJSvTRSIFi2fVl3l+rWTr69mutnVqo+bMilJorN2B6DqsCJBV+7pITFSICM6b
| +G/sOEblVust2tUU8NLbAiBH9oXhF0P5dIhMzRC4pcZjhCRR+IcOjnABTCkdAchD
| Mf4XQJx6GZOXBCBMXGW/vCKZ0q8gti7Hxs36W1ctbj8/i5obd0k0BonMlvRwKxvi
| 7SS+3NrBpc4XivD23YIqCNzErOB19DV3JqZMvbE+NhLEQA51Au2svYwgoJcIIyEC
| HBuINXeFBB+p5dMwp4wppkHN0CuquUyCBZvIPlDW8SAOAc5tgUOJAgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
| AAOCAQEAAziR6P3nN9/EKLhZqJKgkWP9FyNr9CusD78wem1C5fn9h7SjS1PQEhn1
| Gi50rlcUmII4E8Bnv6g/1QZnZIsPtVzO3bokQfbhTEzWOQ8RScB3ZQ+Tg7xM4duA
| NZdzR1/hjOOmPBV4ih3+AKmbEZ63V3PuJOn2+0/NsGXzGKhaNhlAof58lXkXrt9x
| DvmpyfER7oq/3+kPQhXlNK7VZ/dp26BLFQT12be1yyeVck2n/90pXTxV/COaIdsF
| q7RJPVO+4FCua77sUUSV9E5CL3oOFJT5MjkAMEkoKsU9InWHhA5w+ndQqDgXIb40
| 7b3pD6AiS/ZEvSpzCyeVnDprZxVIaQ==
|_-----END CERTIFICATE-----
|_ssl-date: 2020-05-19T18:08:04+00:00; +8s from scanner time.
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7s, deviation: 0s, median: 6s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 35850/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 21690/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 3652/udp): CLEAN (Failed to receive data)
|   Check 4 (port 53626/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-19T18:07:58
|_  start_date: N/A
#1 What port is for the web server?
Look at the nmap scan
#2 What port is for remote desktop service?
Look at the nmap scan
#3 What is a possible password in one of the pages web crawlers check for?

Check robots.txt

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


# Use for all search robots
User-agent: *

# Define the directories not to crawl
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/

/robots.txt

#4 What CMS is the website using?
Enumerate the site. Check robots.txt and source
#6 What is the domain of the website?
Look at the website source
#7 What's the name of the Administrator?

Google is your friend. /archive/a-cheers-to-our-it-department/ to get the username.

1
2
3
4
5
6
7
8
Born on a Monday,
Christened on Tuesday,
Married on Wednesday,
Took ill on Thursday,
Grew worse on Friday,
Died on Saturday,
Buried on Sunday.
That was the end…
#8 Can we find find the email address of the administrator?
Looking at Jane Doe’s post here /archive/we-are-hiring/ gives us their email address naming convention.

We’re able to login to the umbraco instance with the username we enumerated and the password we found in robots.txt. Clicking the help icon gives us the version of umbraco.

/images/anthem/version.png
7.15.4
/images/anthem/searchsploit.png

It looks like the version is fairly new and not susceptible to the RCE found in searchsploit. Going back to our nmap scan we see 3389 RDP is open and we can try rdping with the username and password we’ve found.


I’ll be using my favorite linux remote desktop client for this challenge. Feel free to use rdesktop if that’s your jam. apt install remmina

Immediately after connecting there’s user.txt

/images/anthem/user.png

We have a hint that the flag is hidden. First thing we’ll want to do is enable hidden items in file explorer or if you’re in powershell you can run ls -Force to show hidden files and directories. /images/anthem/hidden.png

Looking around we find C:\backup\restore.txt. The file doesn’t have any permissions setup. (No groups or users have permission to access this object.)

Let’s set Full control permissions for our user.

/images/anthem/perms.png/images/anthem/admin.png

The root flag can be found in it’s normal home.

/images/anthem/root.png

I plan on creating a few articles on notetaking, tmux, and zsh soon that will contain some workflows that I use. If you have any questions, comments, suggestions, etc feel free to send me a message on the THM discord server.