[{"data":1,"prerenderedAt":490},["ShallowReactive",2],{"\u002F2025\u002Ftryhackme-anthem-writeup":3,"surround-\u002F2025\u002Ftryhackme-anthem-writeup":481},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"date":10,"updated":10,"image":11,"categories":12,"recommend":6,"draft":6,"readingTime":14,"body":19,"_type":474,"_id":475,"_source":476,"_file":477,"_stem":478,"_extension":479,"_original_dir":480},"\u002F2025\u002Ftryhackme-anthem-writeup","2025",false,"","TryHackMe - Anthem","A comprehensive walkthrough of the TryHackMe Anthem room. This guide covers reconnaissance via robots.txt, gaining initial access to the Umbraco CMS, connecting via RDP, and escalating privileges on Windows by manipulating file permissions to reveal the administrator password.","2025-09-01T17:37:04.000Z","https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002Fthumbnail.jpg",[13],"CTF",{"text":15,"minutes":16,"time":17,"words":18},"2 min read",1.81,108600,362,{"type":20,"children":21,"toc":467},"root",[22,28,44,51,56,60,65,69,74,102,106,120,124,137,141,162,166,171,208,226,230,251,257,276,280,300,304,343,347,353,358,362,375,379,399,403,408,412,417,421,426,430,457,462],{"type":23,"tag":24,"props":25,"children":27},"element","pic",{"src":26},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F1.jpg",[],{"type":23,"tag":29,"props":30,"children":31},"p",{},[32,35],{"type":33,"value":34},"text","Target IP: ",{"type":23,"tag":36,"props":37,"children":41},"a",{"href":38,"rel":39},"https:\u002F\u002Ftryhackme.com\u002Froom\u002Fanthem",[40],"nofollow",[42],{"type":33,"value":43},"10.10.153.77",{"type":23,"tag":45,"props":46,"children":48},"h2",{"id":47},"reconnaissance",[49],{"type":33,"value":50},"Reconnaissance",{"type":23,"tag":29,"props":52,"children":53},{},[54],{"type":33,"value":55},"First, let's start with a port scan to see which services are running.",{"type":23,"tag":24,"props":57,"children":59},{"src":58},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F2.jpg",[],{"type":23,"tag":29,"props":61,"children":62},{},[63],{"type":33,"value":64},"We have a web server running. Let's check it out.",{"type":23,"tag":24,"props":66,"children":68},{"src":67},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F3.jpg",[],{"type":23,"tag":29,"props":70,"children":71},{},[72],{"type":33,"value":73},"When we manually browse the site, we gather the following information:",{"type":23,"tag":75,"props":76,"children":77},"ul",{},[78,84,93],{"type":23,"tag":79,"props":80,"children":81},"li",{},[82],{"type":33,"value":83},"Jane Doe",{"type":23,"tag":79,"props":85,"children":86},{},[87],{"type":23,"tag":36,"props":88,"children":90},{"href":89},"mailto:JD@anthem.com",[91],{"type":33,"value":92},"JD@anthem.com",{"type":23,"tag":79,"props":94,"children":95},{},[96,98],{"type":33,"value":97},"A poem about the administrator",{"type":23,"tag":24,"props":99,"children":101},{"src":100},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F4.jpg",[],{"type":23,"tag":24,"props":103,"children":105},{"src":104},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F5.jpg",[],{"type":23,"tag":29,"props":107,"children":108},{},[109,111,118],{"type":33,"value":110},"There's a poem about the administrator. Researching this poem leads us to the name ",{"type":23,"tag":112,"props":113,"children":115},"code",{"className":114},[],[116],{"type":33,"value":117},"Solomon Grundy",{"type":33,"value":119},".",{"type":23,"tag":24,"props":121,"children":123},{"src":122},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F6.jpg",[],{"type":23,"tag":29,"props":125,"children":126},{},[127,129,135],{"type":33,"value":128},"We don't have any more information at the moment. Let's check the site's ",{"type":23,"tag":112,"props":130,"children":132},{"className":131},[],[133],{"type":33,"value":134},"robots.txt",{"type":33,"value":136}," file for any hidden directories.",{"type":23,"tag":24,"props":138,"children":140},{"src":139},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F7.jpg",[],{"type":23,"tag":29,"props":142,"children":143},{},[144,146,152,154,160],{"type":33,"value":145},"From here, we find the important phrase ",{"type":23,"tag":112,"props":147,"children":149},{"className":148},[],[150],{"type":33,"value":151},"UmbracoIsTheBest!",{"type":33,"value":153}," and the ",{"type":23,"tag":112,"props":155,"children":157},{"className":156},[],[158],{"type":33,"value":159},"\u002Fumbraco",{"type":33,"value":161}," directory. When we navigate to this directory, we find a login form.",{"type":23,"tag":24,"props":163,"children":165},{"src":164},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F8.jpg",[],{"type":23,"tag":29,"props":167,"children":168},{},[169],{"type":33,"value":170},"Now, let's try to log in using the information we have. A few combinations come to mind:",{"type":23,"tag":75,"props":172,"children":173},{},[174,189],{"type":23,"tag":79,"props":175,"children":176},{},[177,182,184],{"type":23,"tag":112,"props":178,"children":180},{"className":179},[],[181],{"type":33,"value":92},{"type":33,"value":183},":",{"type":23,"tag":112,"props":185,"children":187},{"className":186},[],[188],{"type":33,"value":151},{"type":23,"tag":79,"props":190,"children":191},{},[192,194,200,201,206],{"type":33,"value":193},"If we format Solomon Grundy similarly = ",{"type":23,"tag":112,"props":195,"children":197},{"className":196},[],[198],{"type":33,"value":199},"SG@anthem.com",{"type":33,"value":183},{"type":23,"tag":112,"props":202,"children":204},{"className":203},[],[205],{"type":33,"value":151},{"type":33,"value":207}," (We don't have any other potential passwords).",{"type":23,"tag":29,"props":209,"children":210},{},[211,213,218,219,224],{"type":33,"value":212},"When we try these credentials, the pair ",{"type":23,"tag":112,"props":214,"children":216},{"className":215},[],[217],{"type":33,"value":199},{"type":33,"value":183},{"type":23,"tag":112,"props":220,"children":222},{"className":221},[],[223],{"type":33,"value":151},{"type":33,"value":225}," successfully logs us into the CMS administration page.",{"type":23,"tag":24,"props":227,"children":229},{"src":228},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F9.jpg",[],{"type":23,"tag":29,"props":231,"children":232},{},[233,235,241,243,249],{"type":33,"value":234},"I tried to upload a reverse shell to get a shell from this page, but I was unsuccessful. We need another way.\nWe know that an ",{"type":23,"tag":112,"props":236,"children":238},{"className":237},[],[239],{"type":33,"value":240},"RDP",{"type":33,"value":242}," service is running on port ",{"type":23,"tag":112,"props":244,"children":246},{"className":245},[],[247],{"type":33,"value":248},"3389",{"type":33,"value":250},". Let's try to connect to RDP with the information we have.",{"type":23,"tag":45,"props":252,"children":254},{"id":253},"initial-access",[255],{"type":33,"value":256},"Initial Access",{"type":23,"tag":29,"props":258,"children":259},{},[260,262,268,270,275],{"type":33,"value":261},"After some trial and error, we were able to log in with the username ",{"type":23,"tag":112,"props":263,"children":265},{"className":264},[],[266],{"type":33,"value":267},"SG",{"type":33,"value":269}," and the password ",{"type":23,"tag":112,"props":271,"children":273},{"className":272},[],[274],{"type":33,"value":151},{"type":33,"value":119},{"type":23,"tag":24,"props":277,"children":279},{"src":278},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F10.jpg",[],{"type":23,"tag":29,"props":281,"children":282},{},[283,285,291,293,299],{"type":33,"value":284},"We now have access to a Windows machine. However, when we run the ",{"type":23,"tag":112,"props":286,"children":288},{"className":287},[],[289],{"type":33,"value":290},"whoami",{"type":33,"value":292}," command in cmd, we see that we are a low-privileged user: ",{"type":23,"tag":112,"props":294,"children":296},{"className":295},[],[297],{"type":33,"value":298},"win-lu09299160f\\sg",{"type":33,"value":119},{"type":23,"tag":24,"props":301,"children":303},{"src":302},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F11.jpg",[],{"type":23,"tag":29,"props":305,"children":306},{},[307,309,317,319,325,327,333,335,341],{"type":33,"value":308},"Let's perform a simple scan on the system. Press ",{"type":23,"tag":310,"props":311,"children":314},"key",{":r":312,"code":313},"true","win",[315],{"type":33,"value":316},"WIN + R",{"type":33,"value":318}," and type ",{"type":23,"tag":112,"props":320,"children":322},{"className":321},[],[323],{"type":33,"value":324},"recent",{"type":33,"value":326},". This will open a list of recently accessed files. The ",{"type":23,"tag":112,"props":328,"children":330},{"className":329},[],[331],{"type":33,"value":332},"backup",{"type":33,"value":334}," folder catches our attention. Inside, we find a file named ",{"type":23,"tag":112,"props":336,"children":338},{"className":337},[],[339],{"type":33,"value":340},"restore.txt",{"type":33,"value":342},". However, when we try to open it, we get a permission denied error.",{"type":23,"tag":24,"props":344,"children":346},{"src":345},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F12.jpg",[],{"type":23,"tag":45,"props":348,"children":350},{"id":349},"privilege-escalation",[351],{"type":33,"value":352},"Privilege Escalation",{"type":23,"tag":29,"props":354,"children":355},{},[356],{"type":33,"value":357},"If we right-click the file, go to Properties, and do a quick analysis, we see that we are already the owner of the file.",{"type":23,"tag":24,"props":359,"children":361},{"src":360},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F13.jpg",[],{"type":23,"tag":29,"props":363,"children":364},{},[365,367,373],{"type":33,"value":366},"This means we can grant ourselves the necessary permissions. To do this, go to the ",{"type":23,"tag":112,"props":368,"children":370},{"className":369},[],[371],{"type":33,"value":372},"Security",{"type":33,"value":374}," tab in the file's Properties.",{"type":23,"tag":24,"props":376,"children":378},{"src":377},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F14.jpg",[],{"type":23,"tag":29,"props":380,"children":381},{},[382,384,390,392,398],{"type":33,"value":383},"Click on ",{"type":23,"tag":112,"props":385,"children":387},{"className":386},[],[388],{"type":33,"value":389},"Edit",{"type":33,"value":391},", then click on ",{"type":23,"tag":112,"props":393,"children":395},{"className":394},[],[396],{"type":33,"value":397},"Add",{"type":33,"value":119},{"type":23,"tag":24,"props":400,"children":402},{"src":401},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F15.jpg",[],{"type":23,"tag":29,"props":404,"children":405},{},[406],{"type":33,"value":407},"Enter your username, check it, and add it.",{"type":23,"tag":24,"props":409,"children":411},{"src":410},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F16.jpg",[],{"type":23,"tag":29,"props":413,"children":414},{},[415],{"type":33,"value":416},"Now, give the user you just added (yourself) full control.",{"type":23,"tag":24,"props":418,"children":420},{"src":419},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F17.jpg",[],{"type":23,"tag":29,"props":422,"children":423},{},[424],{"type":33,"value":425},"Now we can read the file.",{"type":23,"tag":24,"props":427,"children":429},{"src":428},"https:\u002F\u002Fhackpaper-image-server.pages.dev\u002Fimages\u002Fblogs\u002Ftryhackme-anthem-writeup\u002F18.jpg",[],{"type":23,"tag":29,"props":431,"children":432},{},[433,435,441,443,449,451,456],{"type":33,"value":434},"We find the password ",{"type":23,"tag":112,"props":436,"children":438},{"className":437},[],[439],{"type":33,"value":440},"ChangeMeBaby1MoreTime",{"type":33,"value":442},". This is likely the password for the ",{"type":23,"tag":112,"props":444,"children":446},{"className":445},[],[447],{"type":33,"value":448},"Administrator",{"type":33,"value":450}," account. Let's disconnect our current RDP session and reconnect as ",{"type":23,"tag":112,"props":452,"children":454},{"className":453},[],[455],{"type":33,"value":448},{"type":33,"value":119},{"type":23,"tag":458,"props":459,"children":461},"copy",{"code":460},"xfreerdp3 \u002Fv:lianyu.thm \u002Fu:Administrator \u002Fp:ChangeMeBaby1MoreTime",[],{"type":23,"tag":29,"props":463,"children":464},{},[465],{"type":33,"value":466},"And we are root...",{"title":7,"searchDepth":468,"depth":468,"links":469},4,[470,472,473],{"id":47,"depth":471,"text":50},2,{"id":253,"depth":471,"text":256},{"id":349,"depth":471,"text":352},"markdown","content:posts:2025:tryhackme-anthem-writeup.md","content","posts\u002F2025\u002Ftryhackme-anthem-writeup.md","posts\u002F2025\u002Ftryhackme-anthem-writeup","md","\u002Fposts",[482,486],{"_path":483,"title":484,"date":485},"\u002F2025\u002Ftryhackme-lianyu-writeup","TryHackMe - Lian Yu","2025-09-01T14:54:37.000Z",{"_path":487,"title":488,"date":489},"\u002F2025\u002Ftryhackme-fowsniff-writeup","TryHackMe - Fowsniff CTF","2025-09-02T07:57:20.000Z",1777022958967]