Nmap scan report for
Host is up (0.19s latency).
Not shown: 995 closed ports
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: WIN-LU09299160F
| NetBIOS_Domain_Name: WIN-LU09299160F
| NetBIOS_Computer_Name: WIN-LU09299160F
| DNS_Domain_Name: WIN-LU09299160F
| DNS_Computer_Name: WIN-LU09299160F
| Product_Version: 10.0.17763
|_ System_Time: 2020-10-25T15:13:32+00:00
| ssl-cert: Subject: commonName=WIN-LU09299160F
| Not valid before: 2020-10-24T15:12:24
|_Not valid after: 2021-04-25T15:12:24
|_ssl-date: 2020-10-25T15:14:42+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-10-25T15:13:32
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.59 seconds
smbclient -L \\\\\\
Enter WORKGROUP\root's password:
session setup failed: NT_STATUS_ACCESS_DENIED
That's dead end
On the page source we can find a flag of some sort
potential password
[email protected]
email address at
=============================================================== [9/21]
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
2020/10/25 20:20:30 Starting gobuster
/search (Status: 200)
/blog (Status: 200)
/sitemap (Status: 200)
/rss (Status: 200)
/archive (Status: 301)
/categories (Status: 200)
/authors (Status: 200)
/Search (Status: 200)
/tags (Status: 200)
/install (Status: 302)
/RSS (Status: 200)
/Blog (Status: 200)
/Archive (Status: 301)
/SiteMap (Status: 200)
/siteMap (Status: 200)
/INSTALL (Status: 302)
/Sitemap (Status: 200)
/1073 (Status: 200)
/Rss (Status: 200)
/Categories (Status: 200)
For getting the name of admin visit the page there is a poem written , search on goolge to find who wrote this poem
We peviously found [email protected]
the hint says that There is another email address on the website that should help us figuring out the email pattern used by the administrator.
So admin is Solomon Grundy and carfting the email like the pattern above [email protected]
will let us login with the credentials UmbracoIsTheBest!
Launch Remmina
with the credentials username as sg
and passowrd UmbracoIsTheBest!
Turn on the option for show hidden files
as the hints says that admin's password is hidden.
You can find a folder named backup
and in thier restore.txt
but you don't have rights to view this file.
What you could do is right click on properites and change but I'll show how you can do this with cmd.
When try to view it will show you that you don't have permissions so,
Flag 1 THM{L0L_WH0_US3S_M3T4}
On html boiler plate
Flag 2 THM{G!T_G00D}
in body of html
Flag 3 THM{L0L_WH0_D15
Flag 4 THM{AN0TH3R_M3TA}