Anthem

Website Analysis

Let's run nmap scans to find open ports and services.

Let's visit the web server.

Looking at the articles, we have a poem, and it looks like the admin posted it, so let's find out who actually wrote this poem.

We have a username. Let's check robots.txt, as we saw some interesting information about it in the nmap scan.

Looks like a password; let's save it for later. Looking through the directories listed there, there is a login page on /umbraco.

We do not have credentials yet. We also know that the CMS this page uses is Umbraco. The domain is on the home page of the web server. We can find the email of the admin in the We are hiring article.

With this email, we can infer the email address format used by the admin.

Spot The Flags

The first flag can be found in the source code of the We are hiring page.

Now we know that the flag format is THM{}, so we can use Ctrl + F to find flags on a page. Let's check if there are any other flags on this page.

We have another file.

The third flag can be found in the link in the source code that takes us to /authors/jane-doe.

We can find the fourth flag in the source code of the A cheers to our IT department page.

Now that we have credentials, we can log in through the login portal that we found earlier.

Final Stage

We have nothing of interest here, so let's log in to the Windows machine using Remmina. Let's first install the app.

Let's log in.

We are logged in; let's look at the user file on the desktop.

Let's open the command prompt.

We are not admin on the machine yet, so we need to escalate privileges to admin.

Looking at the hint they gave us, it is supposed to be a hidden file. Let's select the option to show hidden files/folders on the machine.

Now we see a backup folder, which is interesting.

Let's check what the folder contains.

There is a restore.txt file; let's try to read it.

So we do not have permissions. Let's go to Properties > Security > Add and add users so that we can read the file.

Now we can read the file.

Now let's log in as administrator, as I think this is the password for admin, and read the root flag.
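The escalation above only worked because a low-privileged user was able to rewrite the ACL of a file in a hidden backup folder that held an administrator password. As an added example (not part of the original writeup), here is an audit script a defender can run to find files under a backup directory whose owner or ACL lets a non-administrative principal change permissions or take ownership. The path C:\backup and the list of trusted principals are assumptions.

```powershell
# Added audit script (not from the original writeup). Lists files under $Path
# whose owner is not a trusted principal, or whose ACL grants a non-trusted
# principal rights that allow the ACL itself to be rewritten. That is the
# misconfiguration that let a normal user grant themselves read on restore.txt.
param(
    [string]$Path = 'C:\backup'   # assumed location of the backup folder
)

# Principals that are expected to own and fully control backup data (assumption).
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Rights that let the holder change the DACL or take ownership of the file.
$Dangerous = [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

# -Force includes hidden files, which a plain directory listing would skip.
Get-ChildItem -Path $Path -Recurse -Force -File | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    $findings = @()

    # The owner can always rewrite the DACL, so a non-trusted owner is a finding.
    if ($Trusted -notcontains $acl.Owner) {
        $findings += "owner is $($acl.Owner)"
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $Dangerous) -ne 0) {
            $findings += "$($ace.IdentityReference) has $($ace.FileSystemRights)"
        }
    }

    if ($findings.Count -gt 0) {
        [PSCustomObject]@{
            File     = $_.FullName
            Hidden   = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            Findings = ($findings -join '; ')
        }
    }
} | Format-Table -AutoSize
```

Any file reported here should have its owner reset to Administrators and the offending ACE removed; a backup that contains credentials should not be readable, let alone re-permissionable, by interactive users.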
