# Anthem ![](/files/-MczweEtN8yPqljjEhL1) ## Website Analysis Lets run nmap scans to find open pots and services ![](/files/-Mczy08nIblWqrhLKZPj) ![](/files/-MczxZR8oiUTFU1AxL4M) Lets visit the webserver ![](/files/-Mczy6kOiZH5YvIikdte) Looking at the articles, we have a poem and it looks like the admin wrote this, so lets see who wrote this poem ![](/files/-Mczyz6svwhdBPqQ3sMm) ![](/files/-Mczz1lt8OrenPNWG77s) We have a username. Lets check `robots.txt` as we some interesting information in the nmap scan ![](/files/-MczzDT9boRahZMORu8g) Looks like a password, lets save it for later. Looking through the directories, There is a login page on `/umbraco` ![](/files/-Md-Fojzdxn565be6Gqf) We do not have credentials. We also know that the CMS version this page is using is `Umbraco`. The domain is on the home page of the webserver. We can find the email of the admin on the `We are hiring` article. ![](/files/-Md--tKwpLU9eatGePCF) With this email, we can assume the email format of the admin ![](/files/-Md-0JNgS3PO7iF3HGOp) ## Spot The Flags The first flag can be found on the source code of the `We are hiring` page. ![](/files/-Md-13GYiKsUfpMrvG9I) Now we know that the flag format for the flags are THM{} so we can use `Ctrl + F` to find flags on a page, lets check if there are any other flags on this page. ![](/files/-Md-1RPu4iHTcSyCa80w) We have another file The third flag can be found in the link that we can click in the source code that will take us to `/authors/jane-doe` ![](/files/-Md-1oSdl5Hqv01A7dkC) We can find the fourth flag in the source code of the `A cheers to our IT department` page. ![](/files/-Md-2NKpKeT5baaZ5Ww2) Now that we have credentials we can login through the login portal that we found earlier ![](/files/-Md-GTB2CLUKsHd6v9Dr) ![](/files/-Md-HQOCOAccqRJCi9HA) ## Final Stage We have nothing of interest so lets login into the Windows machine using `remmina`. Lets first install the app. ![](/files/-Md-HpArUE2qntVi3GG6) Lets login ![](/files/-Md-IFFX-9VmORMboUzn) ![](/files/-Md-IL-x3mVyO9dnwf8i) ![](/files/-Md-J9EhPpw86Wz61LVs) ![](/files/-Md-JTMOLeZXK4dfqVGL) We are logged in, lets see the user file on the desktop ![](/files/-Md-J_qmsDyEcOrqBwKp) Lets open the command prompt ![](/files/-Md-JsT5RXNgmQIrH-Eg) We are not admin on the machine yet, so we need to privesc to admin. ![](/files/-Md-KuFR-mF5IiZuXuE-) Looking at the hint they gave us, it is supposed to be a hidden file. Lets select the options to look at hidden `files/folders` on the machine ![](/files/-Md-M6Y6ZSAsPDhobSZg) Now we see a `backup` folder, which is interesting ![](/files/-Md-MExjzcFkTMs6z6jN) Lets check what the folder has ![](/files/-Md-MLdBnBssldF_BlDh) There is a `restore.txt` file, lets try to read it. ![](/files/-Md-MTP6bp6oYhAA6uUE) So we do not have permissions. Lets go to Properties > Security > Add and then lets add users so that we can read the file ![](/files/-Md-R5EPbAkkF3TRTk6s) Now we can read the file ![](/files/-Md-RE_EmLum1lKgzjDh) Now lets login as administrator as I think this is the password for admin, lets read the root flag ![](/files/-Md-SMQLsfyTO-t4Z3ZE) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://writeups.adityadindi.com/tryhackme/untitled/anthem.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.