{"id":483,"date":"2025-12-24T04:02:00","date_gmt":"2025-12-24T04:02:00","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=483"},"modified":"2025-12-18T16:11:48","modified_gmt":"2025-12-18T16:11:48","slug":"thm-aster","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=483","title":{"rendered":"THM: Aster"},"content":{"rendered":"\n

This machine was a nice change of pace. Instead of the usual web-heavy approach, it introduced VoIP services<\/strong>, credential reuse, and a small reverse-engineering exercise at the end. A good reminder that not every box starts (or ends) with HTTP.<\/p>\n\n\n\n

NMAP<\/h2>\n\n\n\n
PORT     STATE SERVICE     VERSION\n22\/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 fe:e3:52:06:50:93:2e:3f:7a:aa:fc:69:dd:cd:14:a2 (RSA)\n|   256 9c:4d:fd:a4:4e:18:ca:e2:c0:01:84:8c:d2:7a:51:f2 (ECDSA)\n|_  256 c5:93:a6:0c:01:8a:68:63:d7:84:16:dc:2c:0a:96:1d (ED25519)\n80\/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.4.18 (Ubuntu)\n|_http-title: Aster CTF\n1720\/tcp open  h323q931?\n2000\/tcp open  cisco-sccp?\n5038\/tcp open  asterisk    Asterisk Call Manager 5.0.2\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\n\n\n
The standout port here was 5038<\/strong> \u2014 Asterisk Call Manager. That immediately suggested VoIP-related attack paths.<\/p>\n\n\n\n
HTTP (80)<\/h2>\n\n\n\n
The website on port 80 was very basic.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Default checks<\/h3>\n\n\n\n
    \n
  • Gobuster \u2192 nothing useful<\/li>\n\n\n\n
  • FFUF \u2192 nothing useful<\/li>\n\n\n\n
  • Source code review \u2192 nothing useful<\/li>\n<\/ul>\n\n\n\n
    Clicking the Download<\/strong> button returned a compiled Python file. Decompiling it using uncompyle6<\/code> revealed the following encoded content:<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Running the extracted data through CyberChef<\/strong> produced:<\/p>\n\n\n\n
    \n
    Good job, user “admin” the open source framework for building communications, installed in the server.Good job reverser, python is very cool!Good job reverser, python is very cool!Good job reverser, python is very cool!<\/p>\n<\/blockquote>\n\n\n\n
    The interesting part here was the username admin<\/code><\/strong> \u2014 potentially useful elsewhere. The web path ended here, so I shifted focus to the remaining open ports.<\/p>\n\n\n\n
    VoIP (5038)<\/h2>\n\n\n\n
    Port 5038 was running Asterisk Call Manager 5.0.2<\/strong>. After some research, I found that it\u2019s often misconfigured and sometimes vulnerable to credential brute forcing. Metasploit includes a module specifically for this. After some trial and error (and one VM crash), I configured it and ran the attack.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Eventually, I recovered valid credentials.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Logging in was successful \u2014 important detail: you need to press Enter twice<\/em> for commands to execute properly.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    SIP Enumeration & Credential Reuse<\/h3>\n\n\n\n
    Enumerating SIP users revealed multiple accounts, including harry<\/strong>.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    On a hunch, I tried reusing the recovered password for SSH access as harry<\/code>. And it worked.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Privilege Escalation<\/h2>\n\n\n\n
    With SSH access as harry<\/code>, I started looking around the home directory. One file immediately stood out: Example_root.jar<\/code> I downloaded the file and decompiled it using JD-GUI<\/strong>. The decompiled source showed the following logic:<\/p>\n\n\n\n
    import java.io.File;\nimport java.io.FileWriter;\nimport java.io.IOException;\n\npublic class Example_Root {\n  public static boolean isFileExists(File paramFile) {\n    return paramFile.isFile();\n  }\n  \n  public static void main(String[] paramArrayOfString) {\n    String str = \"\/tmp\/flag.dat\";\n    File file = new File(str);\n    try {\n      if (isFileExists(file)) {\n        FileWriter fileWriter = new FileWriter(\"\/home\/harry\/root.txt\");\n        fileWriter.write(\"my secret <3 baby\");\n        fileWriter.close();\n        System.out.println(\"Successfully wrote to the file.\");\n      } \n    } catch (IOException iOException) {\n      System.out.println(\"An error occurred.\");\n      iOException.printStackTrace();\n    } \n  }\n}<\/code><\/pre>\n\n\n\n
    The logic was simple:<\/p>\n\n\n\n
      \n
    • If \/tmp\/flag.dat<\/code> exists<\/li>\n\n\n\n
    • The program writes to root.txt<\/code> in Harry\u2019s home directory<\/li>\n<\/ul>\n\n\n\n
      All that was needed was to create the file:<\/p>\n\n\n\n
      touch \/tmp\/flag.dat<\/code><\/pre>\n\n\n\n
      After a short wait, the file appeared \u2014 and with it, the final flag. (I forgot to take a screenshot of the exact moment, but here\u2019s proof the room was completed.)<\/p>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      Learning Notes<\/h2>\n\n\n\n
        \n
      • Reverse engineering isn\u2019t always complex \u2014 sometimes it\u2019s just understanding basic logic.<\/li>\n\n\n\n
      • Decompiled files (Python, Java, binaries) often contain direct hints.<\/li>\n\n\n\n
      • VoIP services are worth enumerating \u2014 they\u2019re frequently overlooked.<\/li>\n\n\n\n
      • Credential reuse is still incredibly common.<\/li>\n\n\n\n
      • Follow the breadcrumbs \u2014 every step in this box hinted at the next.<\/li>\n<\/ul>\n\n\n\n
        Final Thoughts<\/h2>\n\n\n\n
        This challenge was a great mix of:<\/p>\n\n\n\n
          \n
        • non-standard services (VoIP),<\/li>\n\n\n\n
        • light reverse engineering,<\/li>\n\n\n\n
        • and simple but effective privilege escalation.<\/li>\n<\/ul>\n\n\n\n
          Not flashy \u2014 just solid enumeration and logical progression. Exactly the kind of box that reinforces fundamentals.<\/p>\n","protected":false},"excerpt":{"rendered":"
          This machine was a nice change of pace. Instead of the usual web-heavy approach, it introduced VoIP services, credential reuse, and a small reverse-engineering exercise at the end. A good reminder that not every box starts (or ends) with HTTP. NMAP The standout port here was 5038 \u2014 Asterisk Call Manager. That immediately suggested VoIP-related […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[8,20],"tags":[],"class_list":["post-483","post","type-post","status-publish","format-standard","hentry","category-ctf","category-cybersecurity"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=483"}],"version-history":[{"count":2,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/483\/revisions"}],"predecessor-version":[{"id":493,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/483\/revisions\/493"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}