Aster- TryHackMe Writeup

Hello everyone, this blog is a write-up of the “Aster” room from TryHackMe created by Stuxnet.

Room Link:- https://tryhackme.com/room/aster
My Profile:-
https://tryhackme.com/p/DrAnonymous95

My socials
LinkedIn:-
https://www.linkedin.com/in/vinayak-agrawal-2aa5a61ab/
Twitter:-
https://twitter.com/Dr_Anonymous95
Youtube:-
http://www.youtube.com/c/AnonymousWorld95

Enumeration

Like always let’s start with Nmap.

There are 5 ports open : 22,80,1720,2000,5038.
Asterisk Call Manager 5.0.2 is running on port 5038.

PORT 80

Let’s visit port 80 where the webpage is running.

Okay, so looks like we can download a file here. Let’s download the file and check its contents.

While exploring port 80,I ran Gobuster in the background to look for any interesting directories but didn’t find anything.

Okay, now let’s check the file which we downloaded from port 80. The file name is output.pyc .

This is python compiled bytecode. We can decompile this file using uncompyle2 and then can read the file and look for some juicy info.

uncompyle2 — https://github.com/wibiti/uncompyle2

Okay, we successfully decompiled the file and it seems we have a string encoded in hex. We can use cyberchef to decode the hex string.

Cool, after decoding we got a username now we can try to bruteforce the password. Luckily, there is an exploit available on Metasploit.

Now we can use this exploit to bruteforce the password.

USE 1
SET RHOSTS <MACHINE_IP>
SET USERNAME <FOUND FROM CYBERCHEF>
RUN

Great! We got the creds and we can connect on port 5038. We will use telnet to connect to this service using. I was facing a problem in passing credentials in telnet, so I found a way to connect to Asterisk Call Manager here.

Follow the above link and then you can connect to Asterisk.

USER HARRY

We are logged in and now can run further commands. We can list SIP information using SIP show users.

There are some creds. User Harry looks interesting we can try to get SSH.

Login to Harry Using SSH and get the user flag.

ROOT FLAG

There is an Example_Root.jar file present in /home/harry. The java class can be extracted using unzip.

We can decompile the file using JavaDecompiler.

Now we have decompiled the java class file, let's see what’s in there.

The code validates that if /tmp/flag.dat file exists then it will write something in /home/harry/root.txt . So let’s go to /tmp

Bleh… there is no such file with name file.dat.

Amm.. so let’s create a new file with name file.dat and then check /home/harry/root.txt.

You can create a file using the “touch file.dat” command.

Coool after creating the file.dat … you can find your flag in /home/harry/root.txt.

That’s all for this room, we are done with “Aster”

Thanks for Reading. Keep Learning.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Vinayak Agrawal

Vinayak Agrawal

CyberSecurity Enthusiast | eJPT | CEH Practical | CTF Player | https://linktr.ee/VinayakAgrawal