July 2, 2026
Billing — TryHackMe
Hello everyone. I have written this walkthrough to help you complete this room.
By Subrat Keshari Sahu
3 min read
Overview:
The Billing room is an Easy-rated walkthrough/challenge designed to highlight how subtle configuration or logic flaws in financial or billing systems can lead to severe security impacts. As the tagline warns, "Some mistakes can be costly."
Task 1:
There is just one task: find both the user and root flags. Let's start with Nmap.
- -sC: Enables script scanning using the default set of Nmap Scripting Engine (NSE) scripts.
- -sV: Enables version detection.
We got three open ports on our IP: 22 (SSH), 80 (HTTP), and 3306 (MySQL).
Let's check the HTTP port. Open any browser and type in the IP address. It shows us a login page.
We can see the title is 'MagnusBilling.' Let's search for it on Google to find out whether there are any known vulnerabilities related to it. Yup, we found one; it's an RCE (Remote Command Execution).
Let's exploit it using the "Metasploit" framework.
Now search for the 'magnus' module.
Choose the '0' module to execute. Then, set the address for local and target systems.
Type 'run' and hit Enter to execute the module. After successful execution, we get a meterpreter session on the target system. Type 'shell' to drop into a system shell. To check the username, type 'id' and press Enter. We have a shell as 'asterisk.'
After verifying the username, we can go looking for the first flag. Run 'ls' to see the directories present here. Nothing found. Let's try 'ls -lah' to show any hidden files. Nothing useful. I think we are in the wrong directory.
Let's go to the 'home' directory, then move into the magnus user's directory, as that is the name we are already familiar with. We find 'user.txt' hidden inside that directory.
Now check what root privileges we have by typing 'sudo -l.'
Before moving to the root, I like to get an interactive shell for myself that is easy to use. We can use this site for reference.
Site: https://0xffsec.com/handbook/shells/full-tty/
Start a separate Netcat listener before re-running the earlier command that gave us our shell, then use the commands from that site to upgrade the shell.
After that, let's check the root-owned directory mentioned in the 'sudo -l' output, which we can access with normal user privileges. There is a '.conf' file available there.
Now we are going to follow some instructions available on this site to get the root access.
Site: https://juggernaut-sec.com/fail2ban-lpe/
Copy the original stuff to '/tmp.'
…
We are just adding some commands to the duplicate '.conf' file. Then restart the system using the last command.
After the restart it will create a bash file. Just execute that to get the root shell, and there we also find the root flag.
Hope this is useful to you. Thank you for using my walkthrough to complete this room. If you have any doubts, ask me below.
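An audit check for the misconfiguration this escalation depends on, added here as an example (it is not part of the original walkthrough or of fail2ban itself): it reports every file or directory under a configuration tree that a given non-root account could modify, which is exactly what lets the service account edit the '.conf' and then restart the service through sudo. The config root /etc/fail2ban and the account name asterisk used in the main block are assumptions.

```python
import os
import stat
import sys
from typing import Iterable, List


def writable_by(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    """True if identity (uid, gids) has the write bit on the inode in st.

    Follows the kernel's discretionary check for a non-root user: owner bit
    if uid matches, else group bit if any gid matches, else the 'other' bit.
    POSIX ACLs are not considered (assumption: none are in use).
    """
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in set(gids):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def find_writable(root: str, uid: int, gids: Iterable[int]) -> List[str]:
    """Sorted paths under root that the identity could modify. Writable
    directories are reported too: they let the user replace or rename
    entries even when the files inside are themselves read-only."""
    gids = list(gids)
    hits: List[str] = []
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry; skip it
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful
            if writable_by(st, uid, gids):
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    import grp
    import pwd
    # Account name and config root are assumptions; pass another user as argv[1].
    user = sys.argv[1] if len(sys.argv) > 1 else "asterisk"
    pw = pwd.getpwnam(user)
    groups = [pw.pw_gid] + [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
    for hit in find_writable("/etc/fail2ban", pw.pw_uid, groups):
        print("WRITABLE:", hit)
```

Anything it prints for a service account should be returned to root ownership with read-only permissions for everyone else, and the sudo rule that lets that account restart the service reviewed, since the restart is the other half of the chain.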