TL;DR Walkthrough of the THM Anthem room found here.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
THM’s Anthem room is good, beginner friendly webapp practice with a really good twist at the end. We will kinda blow through the webapp stuff and just show the quickest way to find the answers, then discuss the end a bit. It’s actually a really good topic to be aware of if you manage, audit, or secure Windows systems. As always, THM makes the topic fun and entertaining.
Task 1 basic enumeration
As always we start out with
nmap -sV -O 10.10.162.13
and find that the host never answers: it ignores Nmap's host-discovery (ping) probes, so Nmap reports it as down and skips the port scan entirely. The fix is to skip host discovery with -Pn and scan the ports anyway:
nmap -Pn -sV -O 10.10.162.13
We see that the system is likely Windows, is running a webserver on port 80, and has RDP open on port 3389.
Naturally the next thing is to crawl the site and look for interesting stuff.
dirb http://10.10.179.6 /usr/share/dirb/wordlists/common.txt
(dirb takes the wordlist as a path, so a bare common.txt only works if that file is in your current directory; the path above is where Kali installs it.) We immediately see that the system has a robots.txt file with some interesting directories listed in it and what looks like a password, "UmbracoIsTheBest!". Nice, we have already answered the first couple of questions in this room.
If we visit the webpage that this VM is hosting we immediately find the email address "JD@anthem.com" and a poem. Anyone who has seen the movie The Accountant will recognize the poem immediately, but if you haven't seen it just Google the poem and you have the Administrator's name.
We now have a strong suspicion that the password from robots.txt belongs to the Umbraco login page that dirb found, with the admin's initials used the same way as in the email address we already saw: username sg@anthem.com, password UmbracoIsTheBest!. Try this and it's confirmed. Once we're in, we also learn that the website is running Umbraco 7.15.4.
Task 2 Find the flags
This part is actually really easy. I didn’t feel like digging through webpages, viewing the source, and trying to find flags, so I just pulled the site and then grepped it.
wget -r -np -k http://10.10.179.6
cd 10.10.179.6
grep -nri "THM" .
I didn’t know which flag was supposed to be which number, so I just copy/pasted them into all the flag numbers until THM told me I was right. This whole part took about 30 seconds.
Task 3 gaining access
THM lets us know that the system is standalone (not domain-joined), so the username & password we found are local credentials and we can use them directly over RDP.
xfreerdp /v:10.10.179.6 /u:sg /p:UmbracoIsTheBest!
The first file is on SG’s desktop, so no real challenge there.
The interesting clue is in a hidden folder on the C:\ drive. Now we could use the GUI and just check the option to show hidden items, but where's the fun in that?
If we run
Get-ChildItem C:\ -Hidden
and compare it side by side with a plain Get-ChildItem C:\ (which omits hidden items), then the backup folder jumps out at us.
There's one text file in there and we can't read it. Digging deeper we see that the DACL (Discretionary Access Control List) is empty. Note the distinction: an empty DACL (zero entries) grants no one any access, whereas a missing (NULL) DACL grants everyone full access. With an empty DACL the only party that still has any rights on the file is one entity: the owner. Windows grants the owner of an object READ_CONTROL and WRITE_DAC implicitly, regardless of what the DACL says; PowerShell shows these as ReadPermissions and ChangePermissions.
This means that we can simply give ourselves rights. We could do this in the GUI, but where's the sport in that? Besides, what if we only had CLI access to a system, for example via a reverse shell? Hence it's good to know how to do this without the GUI.
Normally we'd use Set-Acl in PowerShell, however here it throws an error: Set-Acl writes back the owner and group fields of the security descriptor as well as the DACL, and that needs more than the two rights we hold implicitly as owner. The fix is an old CLI tool in Windows known as icacls, whose /grant option modifies only the DACL and therefore needs only the WRITE_DAC right the owner already has.
icacls "C:\backup\restore.txt" /grant SG:F
We can then confirm that we are the owner, confirm that we now have an explicit FullControl entry, and read the file.
(Get-Acl "C:\backup\restore.txt").Owner
Get-Acl -Path "C:\backup\restore.txt" | Format-List Owner, AccessToString
Get-Content C:\backup\restore.txt
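The owner-only situation above, reproduced end to end on a scratch file so you can watch each step: strip the DACL, see the read fail, recover via the owner's implicit rights, and verify. This is an added example written for this walkthrough, not code from the THM room or its author. It assumes a Windows host where you run it as a standard, non-elevated user (so that you, not the Administrators group, own the file, which is SG's situation in the room); the scratch path under $env:TEMP is an assumption made for the demo, not the room's C:\backup\restore.txt.

```powershell
# Added example for this walkthrough (not the room's code): reproduce the Anthem "empty DACL"
# situation on a scratch file and work through it. Assumes a standard, non-elevated user on a
# Windows host. The path under $env:TEMP is an assumption made for the demo.

$path = Join-Path $env:TEMP 'acl-demo.txt'
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. ANTHEM\sg
Set-Content -Path $path -Value 'top secret'

# Step 1: strip the DACL. Block inheritance without copying the inherited ACEs, then remove
# any explicit ACE that is left. The result is an EMPTY DACL (nobody is granted anything),
# which is not the same thing as a NULL DACL (everyone gets full control).
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in $acl.Access) { $null = $acl.RemoveAccessRule($ace) }
Set-Acl -Path $path -AclObject $acl     # still allowed: we hold FullControl until this write lands

# Step 2: reading is now denied, even to the owner, because no ACE grants read...
try   { Get-Content -Path $path -ErrorAction Stop }
catch { "Read denied as expected: $($_.Exception.GetType().Name)" }

# ...but the owner's implicit READ_CONTROL still lets us inspect the security descriptor.
$stripped = Get-Acl -Path $path
"Owner: $($stripped.Owner)  explicit ACEs: $($stripped.Access.Count)"   # explicit ACEs: 0

# Step 3: grant ourselves Full control. Try the PowerShell-native way first; when it fails, as it
# did in the room, fall back to icacls, which writes only the DACL and so needs only the
# WRITE_DAC right that the owner always has implicitly.
try {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $fix  = Get-Acl -Path $path
    $fix.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $fix -ErrorAction Stop
    'Set-Acl succeeded'
} catch {
    Write-Warning "Set-Acl failed ($($_.Exception.Message)); falling back to icacls"
    icacls $path /grant "${me}:F"
}

# Step 4: verify the fix the same way as in the room (owner, explicit rights, readability), then clean up.
$fixed = Get-Acl -Path $path
$fixed.Owner
$fixed.Access | Where-Object { $_.IdentityReference.Value -eq $me } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
Get-Content -Path $path                  # 'top secret' is readable again
Remove-Item -Path $path
```

Run it from an ordinary (non-elevated) PowerShell window. Step 1 is the only write that relies on the rights you had before stripping the DACL; everything after it works purely because the owner keeps READ_CONTROL and WRITE_DAC no matter what the DACL says, which is exactly why the restore.txt file in the room was recoverable.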
The file gives us the Administrator's password, so we can now launch an elevated PowerShell, enter those credentials at the UAC prompt (SG is not an administrator, so the prompt asks for an administrator account), and grab the last flag.
Start-Process PowerShell_ISE -Verb RunAs
Get-Content C:\Users\Administrator\Desktop\root.txt
Of course now we have a certain song and image stuck in our head. Maybe they should have named the room Rehab.
Summary
I suck at webapps, so any practice there is good. The room ended with a really good lesson on NTFS privileges, owner’s implicit rights, and modifying DACLs.
References
Pull a website: https://apple.stackexchange.com/questions/100570/getting-all-files-from-a-web-page-using-curl
NTFS rights via CLI: https://stackoverflow.com/questions/2928738/how-to-grant-permission-to-users-for-a-directory-using-command-line-in-windows
icacls: https://ss64.com/nt/icacls.html
takeown: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
Get-Acl & NTFS rights cheatsheet: https://happycamper84.medium.com/get-acl-cheatsheet-f7871edf247f
Ownership of AD objects & NTFS files/folders and why it trumps DACLs: https://happycamper84.medium.com/back-to-the-basics-ownership-matters-321764791dff