TryHackMe | Billing Write-Up

This is my first write-up, and I will show you how to get user and root access on the TryHackMe Billing machine. Hope you love it.

Nmap Scan

First of all, let's scan with Nmap:

nmap -p- -sCV --min-rate 2000 -T5 10.10.87.208

Great, we have:

  • Port 22 | SSH
  • Port 80 | Apache httpd (Running MagnusBilling)
  • Port 3306 | MariaDB
  • Port 5038 | Asterisk Call Manager

Port 80

On port 80, we have a basic login page.

From here, we can check for common files, and there you go: we find a README.md file, and with it we have the MagnusBilling version info.

Source: https://jaxafed.github.io/posts/tryhackme-billing/

Shell As Asterisk

When we search for it, we can see that this version of MagnusBilling is vulnerable to unauthorized RCE.

We can use Metasploit Framework to exploit it very easily.

And here we have the exploit; once you configure the options, you can get a Meterpreter shell. I preferred port 4443, but you can choose any you want.

Good, now we have a shell as the asterisk user. Since I don't really like the Meterpreter shell, I switched to a netcat shell (they are the same).

I checked the home directory for other users and found the magnus user. This is the user we need, because it has the user flag and we have permission to read it.

Shell As Root

Now this is the hard part, but it's my favorite. To escalate our privileges, let's check sudo -l first.

The asterisk user can run the fail2ban-client command with sudo privileges, without being prompted for a password. What is fail2ban?

Wiki: Fail2Ban is an intrusion prevention software framework. Written in the Python programming language, it is designed to prevent brute-force attacks. It is able to run on POSIX systems that have an interface to a packet-control system or firewall installed locally, such as iptables or TCP Wrapper.

Let's do a quick Google search to check whether we can escalate our privileges to root with fail2ban-client.

We found something in this article. It seems pretty useful. The article shows how to use fail2ban-client for PrivEsc, so let's use it.

First, we need to check the jails.

Second, set an action for any of these jails and configure it to change the /bin/bash file permissions. After that, you can ban an IP and get the root shell.
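From the defender's side, both steps leave records in sudo's log. The sketch below is an added example, not part of the original write-up or the referenced article: it scans sudo syslog records for fail2ban-client calls that change an action's stored command at runtime, and for a manual ban that follows on the same jail. The log lines, host name, jail name and action name are constructed samples, and the stored command is elided.

```python
import re

# sudo syslog record: "<user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
# "set <JAIL> action <ACT> <hook> <CMD>": hooks whose value is a command the server runs
HOOKS = {"actionstart", "actionstop", "actioncheck", "actionban", "actionunban"}

def classify(argv):
    """Return (kind, jail) for a fail2ban-client argv, or None if it is routine."""
    args = argv[argv.index("set"):] if "set" in argv else []
    if len(args) < 3:
        return None
    jail, verb = args[1], args[2]
    if verb == "addaction":
        return "action-added", jail
    if verb == "action" and len(args) >= 5 and args[4] in HOOKS:
        return "action-command-rewritten", jail
    return ("manual-ban", jail) if verb == "banip" else None

def detect(lines):
    """Flag runtime action changes, and manual bans that follow one on the same jail."""
    findings, rewritten = [], set()
    for line in lines:
        m = SUDO_RE.search(line)
        if not m or m["runas"] != "root":
            continue
        argv = m["cmd"].split()  # sudo logs the argv joined by spaces
        if not argv or not argv[0].endswith("fail2ban-client"):
            continue
        hit = classify(argv)
        if hit is None:
            continue
        kind, jail = hit
        key = (m["user"], jail)
        if kind == "manual-ban":
            if key in rewritten:  # a ban right after a rewrite is the trigger step
                findings.append((m["user"], jail, "ban-after-rewrite"))
            continue
        rewritten.add(key)
        findings.append((m["user"], jail, kind))
    return findings

# Constructed sample records (not captured from the room).
FMT = "Mar  8 12:00:0{} billing sudo: {} : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/fail2ban-client {}"
SAMPLE = [FMT.format(i, u, c) for i, (u, c) in enumerate([
    ("asterisk", "status"),
    ("asterisk", "set sshd action iptables-multiport actionban <command elided>"),
    ("asterisk", "set sshd banip 203.0.113.7"),
    ("admin", "set sshd banip 198.51.100.9"),
])]
```

Detection is the fallback here; the fix is to remove the passwordless sudo rule, because fail2ban-client can store commands that the root-owned fail2ban server later runs.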

And finally, we have got the user and root flags in this write-up. It was fun to pwn this machine, and it was very easy. For a beginner, it's a great room for understanding the basics of exploit searching and privesc. Hope you had fun reading this write-up!
