# Anthem ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-MczweEtN8yPqljjEhL1%2Fimage.png?alt=media\&token=45f32a0f-dd04-491c-b256-d9a00e7d16a3) ## Website Analysis Lets run nmap scans to find open pots and services ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-Mczy08nIblWqrhLKZPj%2Fimage.png?alt=media\&token=8f72a7bd-499f-4ce8-9e21-99fcc85abd65) ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-MczxZR8oiUTFU1AxL4M%2Fimage.png?alt=media\&token=96639720-a50a-4333-ad68-4344ed78c95f) Lets visit the webserver ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-Mczy6kOiZH5YvIikdte%2Fimage.png?alt=media\&token=020ed813-864f-4b4d-ba9c-afcdc0dc7a43) Looking at the articles, we have a poem and it looks like the admin wrote this, so lets see who wrote this poem ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-Mczyz6svwhdBPqQ3sMm%2Fimage.png?alt=media\&token=18b59086-9654-4f04-9275-fd536c0252ae) ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-Mczz1lt8OrenPNWG77s%2Fimage.png?alt=media\&token=5c99f2b6-ee2e-4b27-9554-2087ca52515b) We have a username. Lets check `robots.txt` as we some interesting information in the nmap scan ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-MczzDT9boRahZMORu8g%2Fimage.png?alt=media\&token=8c7fe906-84ae-4e37-820f-ce68dd1c6f04) Looks like a password, lets save it for later. Looking through the directories, There is a login page on `/umbraco` ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-2SNsNG_8mY5LM15l%2F-Md-Fojzdxn565be6Gqf%2Fimage.png?alt=media\&token=736bf97a-9948-40af-90ca-18b73e96629f) We do not have credentials. We also know that the CMS version this page is using is `Umbraco`. The domain is on the home page of the webserver. We can find the email of the admin on the `We are hiring` article. ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-Md--tKwpLU9eatGePCF%2Fimage.png?alt=media\&token=0670e3f3-00d6-461d-a86f-898b697d65e2) With this email, we can assume the email format of the admin ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-Md-0JNgS3PO7iF3HGOp%2Fimage.png?alt=media\&token=2932df41-a8bc-4454-990c-83e410f588e9) ## Spot The Flags The first flag can be found on the source code of the `We are hiring` page. ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-Md-13GYiKsUfpMrvG9I%2Fimage.png?alt=media\&token=428db550-a36a-440b-a9fa-435587547830) Now we know that the flag format for the flags are THM{} so we can use `Ctrl + F` to find flags on a page, lets check if there are any other flags on this page. ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-Md-1RPu4iHTcSyCa80w%2Fimage.png?alt=media\&token=bcd51ef0-ea70-4792-9d0a-abbc4a65f63e) We have another file The third flag can be found in the link that we can click in the source code that will take us to `/authors/jane-doe` ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-Md-1oSdl5Hqv01A7dkC%2Fimage.png?alt=media\&token=f5a580e1-9dd9-4e30-9613-b4806ec98182) We can find the fourth flag in the source code of the `A cheers to our IT department` page. ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MczwOddix5Fz2ABny71%2F-Md-2NKpKeT5baaZ5Ww2%2Fimage.png?alt=media\&token=42c7e1b0-90f4-49f3-8526-177d5bc29a6f) Now that we have credentials we can login through the login portal that we found earlier ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-2SNsNG_8mY5LM15l%2F-Md-GTB2CLUKsHd6v9Dr%2Fimage.png?alt=media\&token=f90f368e-385f-42d5-9e3a-c2c6297eb7ef) ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-2SNsNG_8mY5LM15l%2F-Md-HQOCOAccqRJCi9HA%2Fimage.png?alt=media\&token=8944ddfe-721e-4bd8-ac8d-7840762bfcbd) ## Final Stage We have nothing of interest so lets login into the Windows machine using `remmina`. Lets first install the app. ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-2SNsNG_8mY5LM15l%2F-Md-HpArUE2qntVi3GG6%2Fimage.png?alt=media\&token=b1ca2d11-0b92-4fd3-8c0a-ab171c6c9fd3) Lets login ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-2SNsNG_8mY5LM15l%2F-Md-IFFX-9VmORMboUzn%2Fimage.png?alt=media\&token=80eebf6c-ab0f-4173-9758-e3b6a503a210) ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-2SNsNG_8mY5LM15l%2F-Md-IL-x3mVyO9dnwf8i%2Fimage.png?alt=media\&token=a60195a5-9c5c-4223-8246-1d9c99f9136e) ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-2SNsNG_8mY5LM15l%2F-Md-J9EhPpw86Wz61LVs%2Fimage.png?alt=media\&token=0d8c3a40-d29f-4847-96b6-9090af267fad) ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-2SNsNG_8mY5LM15l%2F-Md-JTMOLeZXK4dfqVGL%2Fimage.png?alt=media\&token=59ece477-600d-4517-9939-6075284ba80b) We are logged in, lets see the user file on the desktop ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-2SNsNG_8mY5LM15l%2F-Md-J_qmsDyEcOrqBwKp%2Fimage.png?alt=media\&token=4416a6a8-38f1-4e81-a479-6ff2e3a54da5) Lets open the command prompt ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-2SNsNG_8mY5LM15l%2F-Md-JsT5RXNgmQIrH-Eg%2Fimage.png?alt=media\&token=2f3fe3db-ef2e-4fa9-b793-f5043c7e2513) We are not admin on the machine yet, so we need to privesc to admin. ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-KbJrbfN7_r-uwxOO%2F-Md-KuFR-mF5IiZuXuE-%2Fimage.png?alt=media\&token=03e6cc7b-052e-4ba5-a275-97554005830a) Looking at the hint they gave us, it is supposed to be a hidden file. Lets select the options to look at hidden `files/folders` on the machine ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-L57ZPyiZTG70I_Ds%2F-Md-M6Y6ZSAsPDhobSZg%2Fimage.png?alt=media\&token=9cc50322-10d2-47dc-8f2c-d5a5596d38bb) Now we see a `backup` folder, which is interesting ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-L57ZPyiZTG70I_Ds%2F-Md-MExjzcFkTMs6z6jN%2Fimage.png?alt=media\&token=02185b4b-f99b-44f9-94c8-4964c6d2337a) Lets check what the folder has ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-L57ZPyiZTG70I_Ds%2F-Md-MLdBnBssldF_BlDh%2Fimage.png?alt=media\&token=26db4c6f-30ec-47d1-8956-83c6d9be83fe) There is a `restore.txt` file, lets try to read it. ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-L57ZPyiZTG70I_Ds%2F-Md-MTP6bp6oYhAA6uUE%2Fimage.png?alt=media\&token=aaa72fa6-07ea-4b49-aaae-16e820d4dd56) So we do not have permissions. Lets go to Properties > Security > Add and then lets add users so that we can read the file ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-L57ZPyiZTG70I_Ds%2F-Md-R5EPbAkkF3TRTk6s%2Fimage.png?alt=media\&token=ec87f303-21e6-48cf-99a0-550c3c3d6010) Now we can read the file ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-L57ZPyiZTG70I_Ds%2F-Md-RE_EmLum1lKgzjDh%2Fimage.png?alt=media\&token=a4345d07-19a1-44fc-a354-0aebe7ac2184) Now lets login as administrator as I think this is the password for admin, lets read the root flag ![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Md-L57ZPyiZTG70I_Ds%2F-Md-SMQLsfyTO-t4Z3ZE%2Fimage.png?alt=media\&token=fe80b876-3385-4f65-af87-63a9514a96de)