Anthem

January 15, 2024

THM{G!T_G00D}

# Nmap 7.94 scan initiated Mon Jan 15 12:13:27 2024 as: nmap -sC -sV -oN nmap 10.10.134.203
Nmap scan report for 10.10.134.203
Host is up (0.73s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Anthem.com - Welcome to our blog
| http-robots.txt: 4 disallowed entries 
|_/bin/ /config/ /umbraco/ /umbraco_client/
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2024-01-14T03:58:41
|_Not valid after:  2024-07-15T03:58:41
|_ssl-date: 2024-01-15T04:15:12+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: WIN-LU09299160F
|   NetBIOS_Domain_Name: WIN-LU09299160F
|   NetBIOS_Computer_Name: WIN-LU09299160F
|   DNS_Domain_Name: WIN-LU09299160F
|   DNS_Computer_Name: WIN-LU09299160F
|   Product_Version: 10.0.17763
|_  System_Time: 2024-01-15T04:14:58+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 15 12:15:14 2024 -- 1 IP address (1 host up) scanned in 107.36 seconds

On visiting the site, I immediately check robots.txt, where we can see some URLs and a password phrase, "UmbracoIsTheBest!", which we can use later on.
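From the site owner's side, this finding is easy to catch before publishing. The following is an added example, not part of the original write-up: a small audit that flags non-directive text and revealing Disallow paths in a robots.txt body. The sample file is constructed from the details reported above, and the list of sensitive path hints is an assumption.

```python
# Directive names accepted in robots.txt (RFC 9309 rules plus common extensions).
KNOWN_DIRECTIVES = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay", "host"}
# Assumption: path fragments that usually indicate admin or configuration areas.
SENSITIVE_HINTS = ("admin", "config", "backup", "umbraco", "login", "bin")

# Constructed sample, built from the phrase and the four disallowed entries
# reported in this write-up; not a byte-for-byte copy of the target's file.
SAMPLE = """\
UmbracoIsTheBest!

# Use for all search robots
User-agent: *

Disallow: /bin/
Disallow: /config/
Disallow: /umbraco/
Disallow: /umbraco_client/
"""


def audit_robots(text):
    """Return (stray_lines, revealing_paths) for a robots.txt body."""
    stray, revealing = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        name, sep, value = line.partition(":")
        directive = name.strip().lower()
        if not sep or directive not in KNOWN_DIRECTIVES:
            # Not a directive: free text served to every anonymous visitor.
            stray.append((lineno, line))
            continue
        if directive == "disallow":
            path = value.strip()
            if any(hint in path.lower() for hint in SENSITIVE_HINTS):
                # Disallow only asks crawlers to stay away; it also names the path.
                revealing.append((lineno, path))
    return stray, revealing


if __name__ == "__main__":
    stray, revealing = audit_robots(SAMPLE)
    for n, text in stray:
        print(f"line {n}: non-directive text is public: {text!r}")
    for n, path in revealing:
        print(f"line {n}: Disallow names {path}; rely on authentication, not robots.txt")
```
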

Next, we visit the /umbraco directory in the web browser.

At /umbraco there is a login page that only accepts an email address as the username, plus a password.

Reading the article on the website, we find a quote.

Googling that quote shows who actually made it, so this might be the admin username.

Then we find the format of the email address that we can use on the login page.

We use the credentials "SG@anthem.com" as the username and "UmbracoIsTheBest!" as the password.

We are now logged in as the SG user.

rdesktop -i 10.10.155.121

Username: SG

Password: UmbracoIsTheBest!

Go to the C: drive, then into the backup folder.

Then change the permissions to give the SG user read and write access.

Then view the restore backup file.

After you obtain the Administrator password, go to the admin's desktop to see the root file.
