Exploring the TryHackMe Anthem Room: A Cybersecurity Journey

Chapter 1: Introduction to the Anthem Challenge

In this section, we will delve into the TryHackMe room named Anthem, which invites participants to engage in a beginner-level challenge focused on exploiting a Windows machine. With the blessing of Yaron Brook, the experience is designed to sharpen reconnaissance skills and encourage hackers to gather open-source intelligence.

Anthem, dubbed "Chevalier" in 2020, pushes users to utilize non-technical hacking methods alongside traditional penetration testing techniques. This article outlines my journey through the room, detailing the steps taken to uncover flags and the lessons learned along the way.

Section 1.1: Objectives and Initial Setup

Before embarking on the challenge, I established a clear goal: to collect flags from the target system. Flags are essentially strings of text that signify successful hacking attempts. In this scenario, two main flags were identified: one named user.txt, which requires standard user access, and another called root.txt that necessitates Administrator privileges.

To kick off the process, I clicked the green "Start Machine" button to initiate the virtual machine. Following this, I modified the /etc/hosts file to direct a pseudo-domain to the target machine's dynamic IP address, setting the stage for further exploration.

Probing the Target System

I began my investigation by checking if a website was operational on the target system, leading me to the URL anthem.com. The frontend of the website is illustrated in the figure below:

Frontend view of the Anthem challenge website

To gather more information, I employed nmap to scan the target system. The command executed was as follows:

┌──(dna㉿deniers)-[~/anthem]
└─$ sudo nmap -sT -A -v -Pn -p- -O -sC -oX tcp_scan.xml --max-scan-delay=5s -T4 anthem.com

This scan revealed two active services: a Microsoft HTTP Server API on port 80 and Microsoft's Remote Desktop Services on port 3389.
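The scan above writes its results to tcp_scan.xml (the -oX flag). The following added example, which is not part of the original writeup, parses that XML format, lists the open ports and calls out remote-administration services such as the RDP listener on 3389 that a defender would want to review first. The embedded XML is a constructed sample shaped like nmap's output; the host address and version strings are made up.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output shaped like the tcp_scan.xml the scan writes;
# the address and product/version strings are invented, not the real target.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT -A -p- anthem.com">
<host><status state="up"/>
<address addr="10.10.10.10" addrtype="ipv4"/>
<hostnames><hostname name="anthem.com" type="user"/></hostnames>
<ports>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Microsoft HTTPAPI httpd" version="2.0"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
<service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
</ports></host></nmaprun>"""

# nmap service names for services that should not face an untrusted network.
REMOTE_ADMIN_SERVICES = {"ms-wbt-server": "RDP", "ssh": "SSH",
                         "microsoft-ds": "SMB", "telnet": "Telnet"}

def parse_open_ports(xml_text):
    """Return (addr, port, service, product) for every port nmap reports open."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            product = svc.get("product", "") if svc is not None else ""
            findings.append((addr, int(port.get("portid")), name, product))
    return sorted(findings, key=lambda f: (f[0], f[1]))

def exposed_admin_services(findings):
    """Pick remote-administration listeners out of parse_open_ports() output."""
    return [(port, REMOTE_ADMIN_SERVICES[name])
            for _, port, name, _ in findings if name in REMOTE_ADMIN_SERVICES]

def load_scan(path):
    """Run the same triage on an on-disk file such as tcp_scan.xml."""
    with open(path, encoding="utf-8") as fh:
        return parse_open_ports(fh.read())
```

On the sample the triage returns the two open services and singles out 3389/RDP; run load_scan("tcp_scan.xml") on a real result file to do the same.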

Next, I opted to investigate the web service further using gobuster to identify hidden directories:

┌──(dna㉿deniers)-[~/anthem]
└─$ gobuster dir -u http://anthem.com -w ~/directory-list-lowercase-2.3-medium.txt -x php,bak,htm,html -t 40 -k

While gobuster was running, I scrutinized the HTML source of the homepage and stumbled upon an "Easter-egg" flag embedded in the code. I also explored various URLs on the site, gathering additional flags along the way.

Section 1.2: Gaining Initial Access

Armed with the information gathered, I focused on the email address [email protected], which hinted at a potential user account. While searching for the password, I discovered the string UmbracoIsTheBest! in the robots.txt file, which I attempted to use for login with both the JD and SG usernames.

After some trial and error, I successfully logged in using the credentials [email protected] and the password UmbracoIsTheBest!, which gave me access to the administrator interface of the Umbraco CMS.
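Both findings above (the flag hidden in the homepage source and the credential sitting in robots.txt) are things a site owner can catch before an attacker does. This added example, not from the original writeup, audits a robots.txt and an HTML page for lines that are not valid robots directives and for comments carrying flag-like or credential-like strings. The robots.txt and HTML bodies are constructed stand-ins, and the flag value is a placeholder; the secret heuristic (length, character classes, Shannon entropy) is my own choice of threshold.

```python
import math
import re
from html.parser import HTMLParser

# Constructed stand-ins for a site's robots.txt and homepage source (not the
# real Anthem files); the stray entries mirror what the writeup describes.
ROBOTS_TXT = """User-agent: *
Disallow: /umbraco/
Disallow: /admin/
UmbracoIsTheBest!
Sitemap: /sitemap.xml
"""
HOMEPAGE_HTML = """<html><body>
<!-- THM{CONSTRUCTED_FLAG} -->
<p>Welcome to the blog.</p>
<!-- TODO: remove before launch -->
</body></html>"""

DIRECTIVE = re.compile(r"^(user-agent|disallow|allow|sitemap|crawl-delay)\s*:", re.I)
FLAG_LIKE = re.compile(r"\b[A-Za-z]{2,}\{[^}\s]+\}")

def shannon_entropy(s):
    """Bits per character; random-looking tokens score higher than words."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_like_secret(token):
    """Heuristic: long, mixes at least three character classes, high entropy."""
    classes = sum(bool(re.search(p, token)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return len(token) >= 8 and classes >= 3 and shannon_entropy(token) >= 3.0

def audit_robots(text):
    """Return (line_no, line) for lines that are not robots.txt directives or comments."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#") and not DIRECTIVE.match(line):
            hits.append((no, line))
    return hits

class _CommentCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

def audit_html_comments(html):
    """Return HTML comments that carry a flag-like or credential-like string."""
    p = _CommentCollector()
    p.feed(html)
    return [c for c in p.comments
            if FLAG_LIKE.search(c) or any(looks_like_secret(t) for t in c.split())]
```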

The video titled "TryHackMe Anthem Walkthrough - YouTube" provides a comprehensive guide to navigating through the Anthem challenge, showcasing various techniques used to exploit the system.

Post-Exploitation Strategies

After gaining access, I discovered the user.txt file on the desktop, which contained a normal-user level flag. My next objective was to retrieve the Administrator password, which I expected to find hidden in the system's directories.

To achieve this, I replicated methods from prior writeups to modify file permissions, eventually uncovering the password within a backup file. I subsequently logged into the Remote Desktop Service using the Administrator account, granting me full access to the target system.

The "TryHackMe - Anthem - Walkthrough - YouTube" video elaborates on the post-exploitation phase, illustrating how to leverage the information obtained for privilege escalation.

Chapter 2: Reflection on the Experience

This room, while not technically demanding, emphasizes the importance of context when understanding target systems. It prompts participants to think creatively and utilize various strategies to uncover vulnerabilities.

Through this journey, I learned that seemingly trivial information, such as peculiar strings found in source code, can play a critical role in penetration testing. This experience serves as a reminder of the value of thorough reconnaissance and innovative thinking in the field of cybersecurity.

Acknowledgments

I extend my gratitude to Ian (2020) for their insights and guidance throughout this challenge, which aided in my understanding of various concepts and techniques.

Calls to Action

Readers are encouraged to support organizations dedicated to cybersecurity and the ethical hacking community.

