Hello everyone, this blog is a write-up of the “Aster” room from TryHackMe created by Stuxnet.
Like always let’s start with Nmap.
There are 5 ports open : 22,80,1720,2000,5038.
Asterisk Call Manager 5.0.2 is running on port 5038.
Let’s visit port 80 where the webpage is running.
Okay, so looks like we can download a file here. Let’s download the file and check its contents.
While exploring port 80,I ran Gobuster in the background to look for any interesting directories but didn’t find anything.
Okay, now let’s check the file which we downloaded from port 80. The file name is output.pyc .
This is python compiled bytecode. We can decompile this file using uncompyle2 and then can read the file and look for some juicy info.
uncompyle2 — https://github.com/wibiti/uncompyle2
Okay, we successfully decompiled the file and it seems we have a string encoded in hex. We can use cyberchef to decode the hex string.
Cool, after decoding we got a username now we can try to bruteforce the password. Luckily, there is an exploit available on Metasploit.
Now we can use this exploit to bruteforce the password.
SET RHOSTS <MACHINE_IP>
SET USERNAME <FOUND FROM CYBERCHEF>
Great! We got the creds and we can connect on port 5038. We will use telnet to connect to this service using. I was facing a problem in passing credentials in telnet, so I found a way to connect to Asterisk Call Manager here.
Follow the above link and then you can connect to Asterisk.
We are logged in and now can run further commands. We can list SIP information using SIP show users.
There are some creds. User Harry looks interesting we can try to get SSH.
Login to Harry Using SSH and get the user flag.
There is an Example_Root.jar file present in /home/harry. The java class can be extracted using unzip.
We can decompile the file using JavaDecompiler.
Now we have decompiled the java class file, let's see what’s in there.
The code validates that if /tmp/flag.dat file exists then it will write something in /home/harry/root.txt . So let’s go to /tmp
Bleh… there is no such file with name file.dat.
Amm.. so let’s create a new file with name file.dat and then check /home/harry/root.txt.
You can create a file using the “touch file.dat” command.
Coool after creating the file.dat … you can find your flag in /home/harry/root.txt.
That’s all for this room, we are done with “Aster”
Thanks for Reading. Keep Learning.