#tryhackme #windows #easy

![[Pasted image 20250714235012.png]]

---

# Information Gathering

A TCP scan against all ports reveals two open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-14 21:08 CDT
Nmap scan report for 10.10.224.99
Host is up (0.12s latency).
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 43.99 seconds
```

Then I added the `-sCV` flags to gather more information about the two open ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 80,3389 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-14 21:10 CDT
Nmap scan report for 10.10.224.99
Host is up (0.12s latency).

PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Anthem.com - Welcome to our blog
| http-robots.txt: 4 disallowed entries
|_/bin/ /config/ /umbraco/ /umbraco_client/
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2025-07-14T02:01:12
|_Not valid after:  2026-01-13T02:01:12
|_ssl-date: 2025-07-15T02:10:28+00:00; 0s from scanner time.
| rdp-ntlm-info:
|   Target_Name: WIN-LU09299160F
|   NetBIOS_Domain_Name: WIN-LU09299160F
|   NetBIOS_Computer_Name: WIN-LU09299160F
|   DNS_Domain_Name: WIN-LU09299160F
|   DNS_Computer_Name: WIN-LU09299160F
|   Product_Version: 10.0.17763
|_  System_Time: 2025-07-15T02:10:23+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.23 seconds
```

A UDP scan against the top 10 ports. Every port comes back `open|filtered`, meaning the host simply did not answer, so this scan gives no definite information.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-14 21:11 CDT
Nmap scan report for 10.10.224.99
Host is up.

PORT     STATE         SERVICE
53/udp   open|filtered domain
67/udp   open|filtered dhcps
123/udp  open|filtered ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds
```

---

# Enumeration

##### Port 80 - HTTP

I navigated to the target IP address in a browser and was presented with the following site.

![[Pasted image 20250714211238.png]]

`/robots.txt` reveals some directories I can explore to gather more information.

![[Pasted image 20250714211529.png]]

`/umbraco` has a page that contains a login form. I haven't found any credentials to try yet. I have an idea for the password, but let's keep looking around the site and enumerate.

![[Pasted image 20250714211817.png]]

![[Pasted image 20250714220658.png]]

`/author` reveals an author named `Jane Doe` and a flag at the bottom.

![[Pasted image 20250714220903.png]]

One of the posts on the website included the email `[email protected]`, and the login form's placeholder text, "Your username is usually your email", made me almost certain this was the username.

![[Pasted image 20250714221256.png]]

My password guess came from `/robots.txt`. However, this combination failed!

![[Pasted image 20250714212450.png]]

There was another post on the website in which the author wrote a poem about their admin -- clearly a hint pointing to the admin.

![[Pasted image 20250714221544.png]]

I looked up the poem on Google and found the original version. The last line, which was missing on the website, appears to be the name of the admin.

![[Pasted image 20250714221753.png]]

I took the email format I had discovered earlier, combined it with that name, used the password I found before, and I was able to log in!

![[Pasted image 20250714222704.png]]

# Exploitation - Initial Access

I don't know why, but not long after I logged in, the server became so slow that it was hard to do anything on the website. That's okay: we don't need to stay on the website any longer, because I'm fairly sure the credentials I found will also work for RDP.

![[Pasted image 20250714231155.png]]

I successfully logged in over RDP and found the `user.txt` file on the Desktop.

![[Pasted image 20250714231417.png]]

# Privilege Escalation

I spent quite some time enumerating the system but couldn't find much. I went back to `C:\` and listed all directories and files again, this time including hidden ones. That revealed a `backup` directory.

![[Pasted image 20250714233201.png]]

Inside the directory there was only one file, `restore.txt`, but we don't have access to it.

![[Pasted image 20250714233339.png]]

`icacls` shows the permissions of the `backup` directory itself, but it shows nothing at all for `restore.txt`, which is very strange.

![[Pasted image 20250714233927.png]]

I navigated to the directory in the GUI, right-clicked the file and selected `Properties`.

![[Pasted image 20250714234123.png]]

The `Security` tab shows that no groups or users have permission to access this file. That might explain why `icacls` showed nothing, but I might be wrong.

![[Pasted image 20250714234533.png]]

Anyway, I was able to add the current user, `SG`,

![[Pasted image 20250714234614.png]]

and grant it `Read & Execute` permission on the file.

![[Pasted image 20250714234631.png]]

After applying the changes, I was able to open the file!
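The "strange" `icacls` output above is exactly what an empty DACL looks like: `icacls` prints one line per access control entry after the path, so a file with a DACL that contains no entries prints only the path. (An empty DACL, which denies everyone, is different from a *missing* DACL, which grants everyone full control.) The reason the GUI edit worked is that the owner of a file implicitly holds READ_CONTROL and WRITE_DAC regardless of the DACL, so an owner can always put entries back. The PowerShell below is an added example, not part of the original writeup or the room: it recreates that situation on a constructed file under `$env:TEMP`, inspects it with `icacls` and `Get-Acl`, and then restores `Read & Execute` for the current user, which is what the `Properties` dialog did here. It assumes it is run by the file's owner on Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original writeup. Paths and file contents are constructed.
# Demonstrates: hidden-directory listing, what an empty DACL looks like to icacls/Get-Acl,
# and restoring access as the file owner. Run as the user who creates the file.

# The writeup's "list including hidden ones" step, in PowerShell form:
# -Force includes hidden and system entries that a plain listing omits.
Get-ChildItem -Path "$env:SystemDrive\" -Force -Directory | Select-Object Name, Attributes

$lab  = Join-Path $env:TEMP 'acl-lab'          # constructed scratch directory
$file = Join-Path $lab 'restore.txt'           # constructed sample file
New-Item -ItemType Directory -Path $lab -Force | Out-Null
Set-Content -Path $file -Value 'constructed sample content, not a real secret'

# 1. Produce an empty DACL: stop inheriting entries from the parent (discarding the
#    inherited ones) and remove any explicit entries that remain.
$acl = Get-Acl -Path $file
$acl.SetAccessRuleProtection($true, $false)   # protected, inherited ACEs not preserved
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
Set-Acl -Path $file -AclObject $acl

# 2. Inspect it the way the writeup did. icacls prints just the path and no ACE lines;
#    Get-Acl returns an Access collection with zero entries. Neither is an error.
icacls $file
"Explicit ACE count: $((Get-Acl -Path $file).Access.Count)"   # 0
try { Get-Content -Path $file -ErrorAction Stop }
catch { "Read denied as expected: $($_.Exception.GetType().Name)" }

# 3. Restore access for the current user only. This succeeds without any admin rights
#    because the owner implicitly holds WRITE_DAC on the object.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($me, 'ReadAndExecute', 'Allow')
$acl  = Get-Acl -Path $file
$acl.AddAccessRule($rule)
Set-Acl -Path $file -AclObject $acl

icacls $file                                   # now shows <user>:(RX)
Get-Content -Path $file                        # readable again

# Cleanup of the scratch directory.
Remove-Item -Path $lab -Recurse -Force
```

The defensive takeaway is the one this box illustrates: stripping every ACE from a file does not protect its contents from whoever owns it, and a backup directory holding a plaintext administrator password is the real finding. Ownership of sensitive files should sit with an administrative group, and `Get-Acl` (or `icacls`) on the file, not the parent directory, is the check that reveals both the empty DACL and the owner.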
It contained the password for `Administrator`.

![[Pasted image 20250714234700.png]]

I closed my current CMD, opened a new one as Administrator and entered the newly found password.

![[Pasted image 20250714234831.png]]

I got in! In `C:\Users\Administrator\Desktop` I found `root.txt`.

![[Pasted image 20250714234931.png]]