In this blog post, I'll share my experience tackling the "Anthem" challenge on TryHackMe, a beginner-friendly Windows machine that emphasizes enumeration and exploitation techniques. The primary focus is on identifying sensitive information through thorough enumeration and leveraging it to gain administrative access.
The key vulnerabilities exploited in this challenge include:
Information Disclosure: Sensitive information, such as credentials, was exposed in publicly accessible files and directories, facilitating unauthorized access.
Weak Password Policies: The use of easily guessable passwords allowed unauthorized access to services.
Improper File Permissions: Accessible files containing sensitive information were not properly secured, allowing unauthorized users to read their contents.
These vulnerabilities exist due to poor security practices, such as inadequate password policies and improper handling of sensitive information, which can lead to unauthorized system access in real-world scenarios.
Using Nmap, I scanned for open ports and services. The scan revealed the following open ports:
Port 80 (HTTP): Microsoft HTTPAPI httpd 2.0
Port 3389 (RDP): Microsoft Terminal Services
With HTTP service running on port 80, I navigated to the web server in my browser and discovered a blog site.
Web Enumeration
I checked for a /robots.txt file and found several disallowed entries:
/bin/
/config/
/umbraco/
/umbraco_client/
Additionally, the file contained a comment:
# UmbracoIsTheBest!
This hinted that the site was using the Umbraco CMS and provided a potential password.
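As a defender-side check for exactly the kind of leak described above (admin paths and a password-like comment published in robots.txt), here is an added Python audit script; it is not part of the original write-up. The sample robots.txt is constructed from the entries quoted in this post, and the path-hint list and the credential heuristic are my own assumptions.

```python
import re
from typing import Dict, List

# Path fragments that usually point at admin or configuration areas (assumed list).
# Listing them in robots.txt does not protect them; it advertises them.
SENSITIVE_PATH_HINTS = ("admin", "config", "bin", "backup", "umbraco", "login", "private")

# Heuristic for a credential-looking token: 8+ chars, mixed case, and at least
# one digit or punctuation character. "UmbracoIsTheBest!" from the post matches.
CREDENTIAL_TOKEN = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*[\d!@#$%^&*_\-+=?]).{8,}$")

# Constructed sample, built from the robots.txt entries quoted in this post.
SAMPLE_ROBOTS = """# Generated by the CMS
User-agent: *
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/
# UmbracoIsTheBest!
"""


def audit_robots(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line of a robots.txt body."""
    findings: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Every comment is reported; a credential-looking token upgrades it.
            comment = line.lstrip("#").strip()
            kind = "comment"
            if any(CREDENTIAL_TOKEN.match(tok) for tok in comment.split()):
                kind = "possible-credential-in-comment"
            findings.append({"line": str(lineno), "kind": kind, "value": comment})
            continue
        directive, sep, value = line.partition(":")
        if not sep or directive.strip().lower() != "disallow":
            continue
        path = value.strip()
        if any(hint in path.lower() for hint in SENSITIVE_PATH_HINTS):
            findings.append({"line": str(lineno), "kind": "sensitive-path-disclosed", "value": path})
    return findings


if __name__ == "__main__":
    for f in audit_robots(SAMPLE_ROBOTS):
        print(f"line {f['line']}: {f['kind']}: {f['value']}")
```

Run it against a site's real robots.txt body; any "possible-credential-in-comment" hit is a secret to rotate, and "sensitive-path-disclosed" hits are paths that need authentication rather than a crawler directive.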
Exploring the blog posts and their source code, I found multiple flags and an email address: JD@anthem.com. The author of the posts was listed as "Jane Doe." One of the blog posts contained a poem. Researching the poem revealed it was about "Solomon Grundy," suggesting that the administrator's username might be SG.
I attempted to access the /umbraco/ directory and was redirected to a login page. Using the username SG and the password UmbracoIsTheBest!, I successfully logged in to the Umbraco admin panel.
With administrative credentials, I connected to the machine via Remote Desktop Protocol (RDP) using the same username and password. Upon logging in, I found the user flag on the desktop.
To escalate privileges, I navigated to the C:\ drive and found a backup folder containing a restore file. I adjusted the file's permissions to grant access and discovered it contained the administrator's password.
Using the new credentials, I logged in as the administrator via RDP and found the root flag on the administrator's desktop.