Billing - TryHackMe

Enumeration: After running a simple service-version scan, we discovered three open ports.

Ports 22 (SSH), 80 (HTTP) and 3306 (MySQL).

[Image: Nmap scan]

Visiting the web application, we noticed it is running MagnusBilling, an open-source billing system.

[Image: the web page]

Googling a little, we found an unauthenticated remote command execution vulnerability (CVE-2023-30258).

A command injection vulnerability in the MagnusBilling application, versions 6.x and 7.x, allows remote attackers to run arbitrary commands via an unauthenticated HTTP request.

[Image: reference]

Exploiting the vulnerability with the Metasploit Framework, we didn't get a Meterpreter session on the first try, so we forced the exploit with the command "set ForceExploit true".

[Image: Meterpreter session]

We were able to read the User.txt flag in the "Magnus" user's home directory.

[Image: user flag]

Linux Enumeration

Our current user, "asterisk", is able to run "fail2ban-client" with root privileges through sudo.

[Image: sudo -l output]

We found 8 active jails.

[Image: fail2ban jail list]

Jails are configurations that define which logs fail2ban monitors and what action it takes when a match is found.

To run commands as root through fail2ban, we can change one of the jail's actions, such as the command executed when an IP is banned.

[Image: fail2ban-client privilege escalation procedure and the root flag]
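From the defender's side, the two things that made this escalation possible are a sudo rule handing fail2ban-client to a service account and a jail whose ban action is no longer a stock fail2ban action. The script below is an added audit example, not part of the original writeup or of the TryHackMe room: it parses a constructed `sudo -l` output and a constructed `jail.local` (both hypothetical samples; the `/tmp/custom-ban.sh` path and the `asterisk` jail are invented for the illustration) and reports both conditions.

```python
"""Audit helper: flag sudo rules that expose fail2ban-client and jails whose
ban action is not a stock fail2ban action (example code, not from the room)."""
import configparser
import json
import os
import re
from typing import Dict, List, Tuple

# Constructed sample of `sudo -l` output (hypothetical, not real room output).
SUDO_L_OUTPUT = """\
Matching Defaults entries for asterisk on billing:
    env_reset, mail_badpass

User asterisk may run the following commands on billing:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client
"""

# Constructed jail.local: one stock action and one jail with an inline
# actionban pointing at a script outside /etc/fail2ban (hypothetical).
JAIL_LOCAL = """\
[DEFAULT]
banaction = iptables-multiport

[sshd]
enabled = true
logpath = /var/log/auth.log
action = iptables-multiport[name=sshd, port=ssh]

[asterisk]
enabled = true
logpath = /var/log/asterisk/security
actionban = /tmp/custom-ban.sh <ip>
"""

# A sudo rule line looks like: "(runas) [TAG: ...] /path/to/cmd [args], /other/cmd"
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Stock actions are referenced by name with optional parameters: name[k=v, ...]
STOCK_ACTION = re.compile(r"^[A-Za-z0-9_.-]+(\[.*\])?$")


def find_risky_sudo_rules(sudo_output: str, risky=("fail2ban-client",)) -> List[str]:
    """Return sudo rule lines that grant ALL or any binary in `risky`.

    fail2ban-client can reconfigure jail actions at runtime, so any sudo
    access to it is equivalent to root, regardless of NOPASSWD or subcommand."""
    findings: List[str] = []
    in_rules = False
    for line in sudo_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        for cmd in m.group("cmd").split(","):
            binary = cmd.strip().split()[0]
            if binary == "ALL" or os.path.basename(binary) in risky:
                findings.append(line.strip())
                break
    return findings


def parse_jails(jail_text: str) -> Dict[str, Dict[str, str]]:
    """Parse fail2ban's INI-style jail file; DEFAULT values are merged in."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    return {name: dict(cp[name]) for name in cp.sections()}


def find_nonstandard_ban_actions(jails: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag jails that override actionban inline or reference a non-stock action.

    Stock actions live in action.d and are referenced by name; an inline
    actionban or an action value that is not `name[params]` is a sign the
    jail was edited to run something else when an IP is banned."""
    findings: List[Tuple[str, str]] = []
    for name, opts in jails.items():
        if "actionban" in opts:
            findings.append((name, f"inline actionban: {opts['actionban']}"))
            continue
        for part in opts.get("action", "").splitlines():  # one action per line
            part = part.strip()
            if part and not STOCK_ACTION.match(part):
                findings.append((name, f"unexpected action: {part}"))
    return findings


def audit(sudo_output: str, jail_text: str) -> Dict[str, list]:
    """Combine both checks into one report."""
    return {
        "sudo": find_risky_sudo_rules(sudo_output),
        "jails": find_nonstandard_ban_actions(parse_jails(jail_text)),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SUDO_L_OUTPUT, JAIL_LOCAL), indent=2))
```

On a real host you would feed it the output of `sudo -l` for each service account and the contents of `/etc/fail2ban/jail.local` and `jail.d/`. The mitigation is not to narrow the sudo rule to particular subcommands but to remove it: fail2ban-client can change what a jail does at runtime, so any sudo access to it is root access.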


Author: Eduardo Cochella