Billing- A TryHackMe Writeup

Billing created by RunasRs

Start the machine and let it fully boot.

Run an nmap scan to see what ports are up

Looks like we have a webserver running, with some sort of Login page to a Billing Software

Upon further investigation, this is for the Magnus Billing software for Voip phones. If we search for any known exploits for this software we find one that is in metasploit

MagnusBilling application unauthenticated Remote Command Execution.Rapid7

Set the LHOST and RHOST accordingly and run it, and we will get a meterperter shell

We can run 'shell' in the meterpreter and drop into an actual shell on the device. To make it easier to navigate we can upgrade to a stable shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

This will allow us to actually see the path and we can navigate to the home directory. We'll see that the only user in there is magnus and once we view that directory we will see the user.txt file. Cat that and user is done.

If we run sudo -l we can see that we have no password access to /usr/bin/fail2ban-client.

I had no idea what this software was so I had to do some digging. I found this page that explains a bit about it and also this page that talks about Linux Privilege Escalation. We basically have to restart the service first, by running:

sudo /usr/bin/fail2ban-client restart

After that we have to setup the fail2ban to run a certain script anytime an action is performed. We'll have it run a script to read the root flag when an IP is blocked from accessing SSH

sudo /usr/bin/fail2ban-client set sshd action iptables-multilport actionban "/bin/bash -c 'cat /root/root.txt > /tmp/root.txt && chmod 777 /tmp/root.txt'"

Lets break this command down:

• sudo /usr/bin/fail2ban-client: This invokes the Fail2ban client with root privileges, which is necessary to modify Fail2ban's configuration.

• set sshd action iptables-multiport: This targets the sshd jail and specifies that the iptables-multiport action should be modified.

• actionban: This specifies that the actionban parameter of the iptables-multiport action should be changed.

• "/bin/bash -c ‘cat /root/root.txt > /tmp/root.txt && chmod 777 /tmp/root.txt’": This is the malicious command that the command intends to set as the action to be performed when a ban occurs.

The Malicious Command's Actions:

1. cat /root/root.txt > /tmp/root.txt: This reads the contents of the /root/root.txt file and redirects it to the /tmp/root.txt file.

2. chmod 777 /tmp/root.txt: This changes the permissions of the /tmp/root.txt file to 777, which means it is readable, writable, and executable by everyone.

Now that we have the malicious payload set, we have to trigger it. We set this so it runs when an IP is banned, so lets ban one (we'll just do the localhost)

sudo /usr/bin/fail2ban-client set sshd banip 127.0.0.1

It'll come back with a '1' as an output if it is successful

Now we can just navigate to our /tmp folder and we'll see the root.txt file listed there with full privilege access. cat the file and we're done!