Challenges: Anthem (TryHackMe)

Jebitok

This beginner-friendly challenge focuses on attention to detail and passive information gathering, guiding you to uncover the “keys to the castle.” You don’t need brute force — just your browser, Remote Desktop, and observation skills. After initial reconnaissance with tools like nmap and gobuster, you’ll explore a web server running Umbraco CMS, hunt for hidden clues in source code and public files, and gather credentials needed to access the target system.

Website Analysis

This task involves you paying attention to details and finding the 'keys to the castle'.

This room is designed for beginners; however, everyone is welcome to try it out!

Enjoy the Anthem.

In this room, you don't need to brute force any login page. Just your preferred browser and Remote Desktop.

Please give the box up to 5 minutes to boot and configure.

Answer the questions below

  1. Let's run nmap and check what ports are open.

    nmap -sC -sV <IP_Address>

  2. What port is for the web server? 80

  3. What port is for remote desktop service? 3389

    Gobuster gives a hint of some paths we can check on the site:

    gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirb/common.txt

  1. What is a possible password in one of the pages web crawlers check for? UmbracoIsTheBest!

    Checking http://<TARGET_IP>/robots.txt reveals the password as a stray line at the top of the file, where it is served to every crawler and visitor:

    UmbracoIsTheBest!

    # Use for all search robots
    User-agent: *

    # Define the directories not to crawl
    Disallow: /bin/
    Disallow: /config/
    Disallow: /umbraco/
    Disallow: /umbraco_client/
    
  2. What CMS is the website using? Umbraco

    Umbraco is a .NET CMS; the /umbraco/ and /umbraco_client/ paths in robots.txt give it away.

  3. What is the domain of the website? anthem.com

    The home page at http://<TARGET_IP> reveals the domain.

  4. What's the name of the Administrator? Solomon Grundy

    The "we are hiring" page of the site contains a famous poem, and the question's hint is to search for it in a browser.

  5. Can we find the email address of the administrator? SG@anthem.com

    Based on the hiring email format JD@anthem.com, the administrator's address is likely to use their initials too.

Spot the flags

Our beloved admin left some flags behind that we require to gather before we proceed to the next task.

Answer the questions below

Anthem are hiring!

  1. What is flag 1? THM{L0L_WH0_US3S_M3T4}

    This flag is in an HTML comment in the page source, found when you inspect the page.

  2. What is flag 2? THM{G!T_G00D}

    This flag is also in the page source, as the placeholder text of the search form.

  3. What is flag 3? THM{L0L_WH0_D15}

    I came across this flag while scrolling through one of the open paths on the site (http://<TARGET_IP>/authors).

  4. What is flag 4? THM{AN0TH3R_M3TA}

    The last flag is also in the page source, in the head section shown by Inspect Element.
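As an added example (not code from the original write-up or from TryHackMe), a small Python scanner that checks the two leak channels used in the tasks above: stray non-directive lines in robots.txt, and flag-like strings left in HTML comments, meta tags and input placeholders. The robots.txt and HTML inputs are constructed to mirror what the room serves, and the THM{...} pattern is the room's flag format; a site owner could run the same checks over their own published content before an attacker does.

```python
import re
from html.parser import HTMLParser

# Constructed inputs modelled on what the room serves (not captured from the box).
SAMPLE_ROBOTS = "UmbracoIsTheBest!\n\n# Use for all search robots\nUser-agent: *\nDisallow: /umbraco/\n"
SAMPLE_HTML = """<html><head>
<!-- THM{L0L_WH0_US3S_M3T4} -->
<meta name="flag" content="THM{AN0TH3R_M3TA}">
<meta name="description" content="Anthem are hiring!">
</head><body><form><input type="text" placeholder="THM{G!T_G00D}"></form></body></html>"""

ROBOTS_DIRECTIVE = re.compile(r"^[A-Za-z-]+\s*:")  # "User-agent: *", "Disallow: /bin/"
FLAG_RE = re.compile(r"THM\{[^}]+\}")              # the room's flag format

def lint_robots(text):
    """Lines that are neither blank, a comment nor a 'Field: value' directive.
    Every crawler fetches robots.txt, so such a line is a public leak."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")
            and not ROBOTS_DIRECTIVE.match(ln.strip())]

class LeakScanner(HTMLParser):
    """Collect flag-like strings from HTML comments, <meta content> and placeholder
    attributes, the three places the room hid its flags."""

    def __init__(self):
        super().__init__()
        self.hits = []  # (location, value) in document order

    def _check(self, where, value):
        for flag in FLAG_RE.findall(value or ""):
            self.hits.append((where, flag))

    def handle_comment(self, data):
        self._check("comment", data)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta":
            self._check("meta[%s]" % attrs.get("name", "?"), attrs.get("content"))
        if "placeholder" in attrs:
            self._check("%s[placeholder]" % tag, attrs["placeholder"])

def find_source_leaks(html):
    """Return [(location, flag), ...] for everything FLAG_RE matches outside visible text."""
    scanner = LeakScanner()
    scanner.feed(html)
    return scanner.hits
```

Calling lint_robots(SAMPLE_ROBOTS) reports the stray password line, and find_source_leaks(SAMPLE_HTML) reports the comment, meta and placeholder flags while ignoring the ordinary description meta tag.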

Final stage

Let's get into the box using the intel we gathered.

Answer the questions below

  1. Let's figure out the username and password to log in to the box. (The box is not on a domain.)

  2. Gain initial access to the machine, what is the contents of user.txt? THM{N00T_NO0T}

    Only two ports are open: 80 (http) and 3389 (ms-wbt-server). To get low-privilege user access we also have to bear in mind that SSH and FTP are not available. I first tried to exploit the Umbraco CVE with Metasploit to get user access, but that did not work; after further research I found that Windows RDP with the credentials already gathered was the way in.

    xfreerdp /f /u:SG /p:UmbracoIsTheBest! /v:<TARGET_IP>

    When prompted whether you trust the above certificate, answer T to accept it for this session.

  3. Can we spot the admin password? ChangeMeBaby1MoreTime

    To find the file holding the admin password, first change the folder settings to show hidden files.

    We can now see a backups folder that contains a restore.txt file.

    Next, open the properties of restore.txt, switch to the Security tab and click Edit.

    After adding SG to the file's permissions and applying the change, we can open restore.txt and read the Administrator's password. That SG can change the permissions at all means the account owns the file or can write its ACL, so hiding the backups folder gave the password no real protection.

  4. Escalate your privileges to root, what is the contents of root.txt? THM{Y0U_4R3_1337}

    To escalate privileges we use the password found in the previous step to access the Administrator's files and folders. The root flag is on the Administrator's Desktop.

Using the intelligence gathered from passive reconnaissance — such as hidden passwords, usernames, and CMS info — you gain initial access via RDP using valid credentials. From there, by enabling visibility of hidden files and adjusting file permissions, you uncover the admin password. This allows privilege escalation to the Administrator account, where the final root flag is retrieved. The challenge reinforces careful enumeration and lateral thinking without needing brute-force methods.
