Anthem - THM
This is the writeup for the TryHackMe easy difficulty room called Anthem.

This is going to be an exploitable website.
Since we shouldn’t show any flags or answers for the tasks, we will only show the method for finding them.
1st Part - Recon
CMD: nmap -sT -sV -F $IP -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-10-28 16:10 CET
Nmap scan report for 10.10.93.22
Host is up (0.082s latency).
Not shown: 98 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
[[REDACTED]]/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[[REDACTED]]/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 13.66 seconds
The nmap scan shows us which ports the web server and the RDP server are running on.
These two port numbers are the answers for the 2nd and 3rd tasks.
The 4th task mentions something about web crawlers.
We know that the crawlers always check the robots.txt file if it exists.

The first line of the file reveals the password.
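
A site owner can catch this kind of leak before the file is published. The check below is an added example, not part of the original writeup or the room: it flags every robots.txt line that is not a recognized directive, which is how a stray password on the first line would show up. The sample file, its paths and the function name audit_robots are constructed for illustration.

```python
import re

# Fields from RFC 9309 plus common de-facto extensions.
KNOWN_FIELDS = {"user-agent", "allow", "disallow", "sitemap", "crawl-delay", "host"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*)\s*:\s*(.*)$")
SECRET_HINT_RE = re.compile(r"(pass(word|wd)?|secret|token|key|cred)", re.I)

# Constructed sample: free text on line 1, a risky comment, a misspelled field.
SAMPLE = """\
EXAMPLE-NOT-A-REAL-SECRET
# staging password: rotate me
User-agent: *
Disallow: /bin/
Disallow: /private/
Dissallow: /old/
"""


def audit_robots(text):
    """Return (line_number, reason, content) for every suspicious line."""
    findings = []
    seen_group = False
    for num, raw in enumerate(text.splitlines(), start=1):
        body, _, comment = raw.partition("#")
        body, comment = body.strip(), comment.strip()
        if comment and SECRET_HINT_RE.search(comment):
            findings.append((num, "comment mentions a credential", comment))
        if not body:
            continue
        match = FIELD_RE.match(body)
        if not match:
            findings.append((num, "free text, not a directive", body))
            continue
        field, value = match.group(1).lower(), match.group(2)
        if field not in KNOWN_FIELDS:
            findings.append((num, "unknown field", body))
        elif field == "user-agent":
            seen_group = True
        elif field in ("allow", "disallow"):
            if not seen_group:
                findings.append((num, "rule before any User-agent line", body))
            if value and not value.startswith(("/", "*")):
                findings.append((num, "rule value is not a path", body))
    return findings


if __name__ == "__main__":
    for num, reason, content in audit_robots(SAMPLE):
        print(f"line {num}: {reason}: {content!r}")
```

Anything in robots.txt is readable by every visitor, so a finding here means the content should be removed from the file and any exposed credential rotated.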

The browser addon Wappalyzer tells us what CMS the website is using.

Hmmm what might be the domain of the website, I wonder…
The 7th task is to find the name of the admin.

Looking up the lines of the poem we find a name.

For the 8th task we have to find out the email of the admin.

This article shows the email of Jane Doe which is JD@anthem.com.
If we follow this logic the administrator’s email will be the admin’s initials followed by @anthem.com.
2nd Part - Flag Hunt

The 1st and 2nd flags are found in the source code of the page located at http://$IP/archive/we-are-hiring/

The 3rd flag is on the page http://$IP/authors/jane-doe/

The 4th flag is found in the source code of the page located at http://$IP/archive/a-cheers-to-our-it-department/

3rd Part - RDP Access

The task says that we already have the credentials to authenticate to the machine via RDP.
The username is the initials of the admin user written in all caps.
The password is the one we already found in the robots.txt file.
After accessing the desktop the first flag is found in the file called user.txt.

If we look closely we discover a hidden folder called backup in the root folder of the system drive.

The hidden folder contains a file called restore.txt, but we don’t have permissions to read it.

However, we are able to modify its permissions and add our account with full access to it.

To get the admin flag we just have to log in via RDP with the username Administrator and the previous password.
