THM — Billing
Some mistakes can be costly.
Enumeration
Nmap
Let’s start with a simple Nmap scan to find the open ports on the machine:
nmap -T5 -p- billing.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-13 03:51 GMT
Nmap scan report for billing.thm (10.10.255.22)
Host is up (0.00013s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
5038/tcp open unknown
MAC Address: 02:A8:F8:E6:EC:9D (Unknown)
nmap -p 22,80,3306,5038 --script vuln billing.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2025-03-13 03:56 GMT
Nmap scan report for billing.thm (10.10.255.22)
Host is up (0.00012s latency).
PORT STATE SERVICE
22/tcp open ssh
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /robots.txt: Robots file
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3306/tcp open mysql
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
5038/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 02:A8:F8:E6:EC:9D (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 32.14 seconds
Web server discovery
Since we have a web server running, let’s investigate. We have a login page, but as the room states:
THM
Gain a shell, find the way and escalate your privileges!
Note: Bruteforcing is out of scope for this room.
