TryHackMe – Anthem

Room link: tryhackme.com/room/anthem
In this writeup, we are going to solve a CTF room called “Anthem” created by Chevalier. I’ve taken a hint-only approach so you can enjoy this room as much as I did, but I am sure this will be enough to clear up any questions or difficulties.

Task 1 – Website Analysis

Questions 1-3
As stated in the task, we need to run an nmap scan and identify open ports.
Since it’s a CTF room, a quick scan of all ports is enough here.
nmap -p- -vv 10.10.151.122 -Pn
-p- = scan all 65535 TCP ports instead of the default top 1000
-vv = very verbose output, so open ports are printed as they are found
-Pn = skip host discovery and treat the target as up (Windows hosts commonly block ICMP, so nmap would otherwise assume the box is down)

The output of this nmap command gives us enough information to answer these questions.

Questions 4-5
There’s a hint in question 4 itself!
A simple Google search leads us to robots.txt, a plain text file placed on a web server that tells crawlers like Googlebot which paths they should or should not access. It is public by design, so anything listed there is visible to anyone who asks for it.
Simply open IP/robots.txt and retrieve both the password and the CMS name.

Question 6
The answer to question six is on the web server port (see question two). Navigate to IP:PORT and you’ll see the domain!

Questions 7-8
It gets a bit trickier here as the room takes on more and more of a CTF character. In this case, the admin’s name is not stated directly on the website, but the site contains enough information to work it out.

Use the search bar to look for anything related to admin. We find an article in the archives: IP/archive/a-cheers-to-our-it-department/
The article contains a strange poem. Let’s Google it!

Bingo! We got the name!

Now, in order to work out the format of his email address, we need to read another article on the main page and see if we can find an email address there.

Task 2 – Spot the flags

The only hints we got on this task are:

  • Have we inspected the pages yet?
  • Search for it

So, why don’t we combine them!
Launch Burp Suite and configure your browser to pass its traffic through the Burp proxy. Disable intercept and simply browse every page on the website: blog posts, profiles, links, archives, everything!
Now go to the HTTP history tab and search for flags using its search bar. As we might guess, the flag format is THM{}, so searching for THM{ is enough to surface every flag in the responses, including ones placed in HTML comments or other markup the browser never renders.
Good luck with the hunt!

Task 3 – Final stage

User flag
Be aware that task 3 can only be done after task 1, so if you have unfinished questions, please go back and complete them.
The CTF format of this room suggests that there’s no need to actually exploit anything. As I mentioned above, Task 1 can help us gain remote access to the box.
Go back there and note down the admin username and password. Launch your RDP client (I recommend Remmina) and plug in what you know:

  • IP:port
  • Username
  • Password

Now that we have remote access, we can see a user.txt file on the Desktop. Open it and get the first flag.

Finding the root password

It is hidden.

This hint points directly at what we need to do. Use the search bar to find Control Panel and open File Explorer Options. Turn on Show hidden files and save your settings.
As you might have guessed, we can now see some hidden files and folders.
Go to the C:\ drive and look for anything out of place. The backup folder looks promising: it contains a file called ‘restore’.
Here we get to the most interesting part. We can’t read or write this file, but for some reason we can edit its permissions. In other words, our account holds the right to change the file’s ACL even though it lacks read access, so the ACL doesn’t actually protect the file. Simply add yourself (your username) in the file’s permissions tab, granting yourself access to the file. Finally, open it and read the password.
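From an administrator’s side, this is the misconfiguration worth auditing for: files where a low-privileged principal can change permissions or take ownership without being able to read the file. The following PowerShell script is an added example of mine, not part of the room or the original writeup; C:\backup is taken from the writeup, while the default principal list is an assumption to adjust to the account under review.

```powershell
# Added audit example, not part of the room or the original writeup.
# Assumptions: C:\backup is the folder named in the writeup; the default
# principal list is a constructed guess and should match the account under review.
param(
    [string]   $Path       = 'C:\backup',
    [string[]] $Principals = @("$env:USERDOMAIN\$env:USERNAME",
                               'BUILTIN\Users',
                               'NT AUTHORITY\Authenticated Users',
                               'Everyone')
)

$rightsType = [System.Security.AccessControl.FileSystemRights]
# Rights that let a principal rewrite the DACL or seize ownership.
$aclEditBits = [int]($rightsType::ChangePermissions -bor $rightsType::TakeOwnership)
# The right needed to actually open the file for reading.
$readBits = [int]$rightsType::ReadData

# -Force includes hidden files, which is where this room keeps 'restore'.
Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $acl  = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { return }

    # Union of everything the listed principals are explicitly allowed.
    # Deny ACEs are deliberately ignored: this is a quick audit, not a full
    # effective-access calculation.
    $allowed = 0
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $Principals -contains $ace.IdentityReference.Value) {
            $allowed = $allowed -bor [int]$ace.FileSystemRights
        }
    }

    $canEditAcl = ($allowed -band $aclEditBits) -ne 0
    $canRead    = ($allowed -band $readBits)    -ne 0

    # The odd combination seen in the room: may change permissions, may not read.
    if ($canEditAcl -and -not $canRead) {
        [pscustomobject]@{
            File    = $file.FullName
            Hidden  = (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            Allowed = [Enum]::ToObject($rightsType, $allowed)
        }
    }
}
```

Any file it lists should have its ACL corrected so that the right to change permissions stays with administrators only.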

Root Flag
The root flag is in a very obvious place. Go to C:\ -> Users -> Administrator -> Desktop and you’ll see it!

Afterword

This room was a lot of fun! The root password part took me some time to solve, but trying harder certainly helped.
I hope you enjoyed this writeup and I was able to help!