Machine Information - As is common in real life pentests, you will start the Outbound box with credentials for the following account tyler / LhKL1o9Nm3X2
NMAP
└─$ nmap -sC -sV -p 22,80 10.129.105.204 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-07-14 20:21 IST
Nmap scan report for 10.129.105.204
Host is up (0.59s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to <http://mail.outbound.htb/>
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 59.22 seconds
Port 80
It’s a Roundcube mail login page.
Since we have the credentials, let’s try to log in.
We found its version.
Foothold/ shell
Shell as ?
CVE‑2025‑49113
On looking for a Roundcube Webmail 1.6.10 exploit, we found CVE‑2025‑49113.
A critical vulnerability has been discovered in Roundcube Webmail (versions < 1.5.10 and 1.6.0–1.6.10) that allows authenticated users to perform remote code execution through a PHP object deserialization flaw triggered by improper validation of the _from parameter in program/actions/settings/upload.php. The flaw carries a CVSS 3.1 score of 9.9 (Critical).
Now we have to confirm whether it is hitting our machine or not
Nice, we are getting hit. Now we have to get the shell
Docker
We are in a Docker environment, since there is a .dockerenv file in the / directory.
SQL
We found credentials to the roundcube db
When I was trying to use MySQL (mysql -u roundcube -pRCDBPass2025), it was stuck and not going anywhere, probably because it tries to spawn a MySQL shell, which won't be directed to my terminal, because it's technically outside bash.
Now there are three ways:
1. Transfer chisel to port forward the SQL port and access it on your local machine
2. Transfer a Meterpreter shell
3. Look for and transfer the database
Now I don’t want to go for 1 and 2, so I will be dumping the database and transferring it to my system.
Since I do not know the password (so no scp), I will base64 encode the db and decode it on my machine.
First we need to make a db on our local machine.
Now we need to import the roundcube db.
Now we can confirm whether the db is imported or not.
Now let’s look at users
Let's also take a look at the session table.
I can see 7 rows but the important one is the oldest one
The var is base64 encoded.
Decrypting jacob's password
The password here is:
This is usually encrypted, not plaintext. Roundcube by default encrypts the password in session using a secret key defined in config.inc.php:
I got this script from ChatGPT.
Now, let’s try to authenticate as Jacob
Email for Jacob
SSH failed, but we can login to roundcube mail
We can see the new password was reset by tyler for jacob.
And we are in with the new password and found user.txt.
Privilege Escalation
We can run /usr/bin/below with any arguments, except:
--config
--debug
-d (short for --debug)
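Added here as an auditor's check, not part of the original writeup: a small Python linter for the sudo rule above. It parses the Cmnd_Spec as printed by sudo -l, reproduces the sudoers(5) matching it is subject to (a glob over the whole argument string, last matching entry wins) so you can see which argument lines are allowed, and flags the allow-everything-then-negate pattern that the sudoers manual warns is not an effective restriction.

```python
import fnmatch
import re

# The Cmnd_Spec exactly as printed by sudo -l on the box (constructed from the writeup).
RULE = ("(ALL : ALL) NOPASSWD: /usr/bin/below *, !/usr/bin/below --config*, "
        "!/usr/bin/below --debug*, !/usr/bin/below -d*")

def parse_cmnd_specs(rule):
    """Split a sudoers Cmnd_Spec list into (negated, path, arg_pattern) triples."""
    body = re.sub(r"^\([^)]*\)\s*", "", rule)      # drop the (runas_user : runas_group) prefix
    body = re.sub(r"^(?:[A-Z]+:\s*)+", "", body)   # drop tags such as NOPASSWD:
    specs = []
    for item in (s.strip() for s in body.split(",")):
        negated = item.startswith("!")
        path, _, args = item.lstrip("!").strip().partition(" ")
        specs.append((negated, path, args.strip()))
    return specs

def sudo_allows(specs, path, argv):
    """sudoers(5) semantics: '*' globs the whole argument string; the last matching entry wins."""
    args = " ".join(argv)
    decision = False
    for negated, spec_path, pattern in specs:
        if spec_path != path:
            continue
        if pattern == "":            # bare command: any arguments match
            matched = True
        elif pattern == '""':        # "" means the command may only run without arguments
            matched = args == ""
        else:
            matched = fnmatch.fnmatchcase(args, pattern)
        if matched:
            decision = not negated
    return decision

def lint(specs):
    """Flag a wildcard allow that is only narrowed by '!' entries: a deny-list, not an allow-list."""
    findings = []
    for negated, path, pattern in specs:
        exclusions = [p for n, s, p in specs if n and s == path]
        if not negated and "*" in pattern and exclusions:
            findings.append(f"{path}: '{pattern}' allows any arguments; negated patterns {exclusions} "
                            "match only by prefix, so use an explicit allow-list of exact command lines")
    return findings

if __name__ == "__main__":
    specs = parse_cmnd_specs(RULE)
    for argv in (["record"], ["--config", "/tmp/x"], ["-d"]):
        print(argv, "allowed" if sudo_allows(specs, "/usr/bin/below", argv) else "denied")
    print("\n".join(lint(specs)))
```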
below is a performance monitoring tool (Rust-based), similar to top, with config parsing and TUI rendering. It may invoke external programs, read files, or use unsafe libraries (if exploitable).
There is a feature to record the data, but for some reason it is not recording. We did find its location, though.
Nothing was there in the data file
CVE-2025-27591
We found the advisory for CVE-2025-27591, according to which:
A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.
Taking a look around, we can find error files in /var/log/below; interestingly enough, error_root.log is writable.
Let's try to symlink this file to some other file that we can see and that can potentially allow us to escalate privileges, I chose /etc/passwd because it doesn't have any permission restrictions unlike /etc/sudoers.
Next let's run any below command that'll error out, as root.
Now let's check /etc/passwd
Success! We have read/write permissions on /etc/passwd. Let's add an entry and switch to that user.
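As an added defensive check (not from the writeup or the below project): a Python audit that flags the two conditions the advisory describes, a world-writable log directory without the sticky bit and symlinks planted inside it that resolve to files like /etc/passwd, then applies the fix direction of restoring 0755 and removing the links. demo() builds a constructed temporary copy of the scenario rather than touching the real /var/log/below.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Files a root process must never be tricked into writing; resolved so symlink targets compare equal.
SENSITIVE = {os.path.realpath(p) for p in ("/etc/passwd", "/etc/shadow", "/etc/sudoers")}

def audit_log_dir(directory):
    """Findings for a directory that a root-run service (here: below) writes its logs into."""
    d = Path(directory)
    findings = []
    mode = d.lstat().st_mode
    # The condition behind CVE-2025-27591: anyone may create or replace entries, and without the
    # sticky bit they may also delete files they do not own (e.g. swap error_root.log for a link).
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append(f"{d}: world-writable without sticky bit ({stat.filemode(mode)})")
    for entry in d.rglob("*"):
        if entry.is_symlink():
            target = os.path.realpath(entry)
            level = "CRITICAL" if target in SENSITIVE else "WARN"
            findings.append(f"{level} {entry}: symlink -> {target}")
    return findings

def harden(directory):
    """Mitigation: drop the world-writable bit and remove planted symlinks; returns links removed."""
    d = Path(directory)
    os.chmod(d, 0o755)
    removed = 0
    for entry in d.rglob("*"):
        if entry.is_symlink():
            entry.unlink()
            removed += 1
    return removed

def demo():
    """Constructed scenario mirroring the box: a 0777 log dir holding error_root.log -> /etc/passwd."""
    tmp = tempfile.mkdtemp(prefix="below-audit-")
    try:
        os.chmod(tmp, 0o777)
        os.symlink("/etc/passwd", os.path.join(tmp, "error_root.log"))
        before = audit_log_dir(tmp)
        removed = harden(tmp)
        after = audit_log_dir(tmp)
    finally:
        shutil.rmtree(tmp)
    return before, removed, after

if __name__ == "__main__":
    print("\n".join(demo()[0]))
```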
└─$ whatweb -v -a 3 <http://mail.outbound.htb/>
WhatWeb report for <http://mail.outbound.htb/>
Status : 200 OK
Title : Roundcube Webmail :: Welcome to Roundcube Webmail
IP : 10.129.105.204
Country : RESERVED, ZZ
Summary : Bootstrap, Content-Language[en], Cookies[roundcube_sessid], HTML5, HTTPServer[Ubuntu Linux][nginx/1.24.0 (Ubuntu)], HttpOnly[roundcube_sessid], JQuery, nginx[1.24.0], PasswordField[_pass], RoundCube, Script, X-Frame-Options[sameorigin]
Detected Plugins:
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : <https://getbootstrap.com/>
[ Content-Language ]
Detect the content-language setting from the HTTP header.
String : en
[ Cookies ]
Display the names of cookies in the HTTP headers. The
values are not returned to save on space.
String : roundcube_sessid
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
OS : Ubuntu Linux
String : nginx/1.24.0 (Ubuntu) (from server string)
[ HttpOnly ]
If the HttpOnly flag is included in the HTTP set-cookie
response header and the browser supports it then the cookie
cannot be accessed through client side script - More Info:
<http://en.wikipedia.org/wiki/HTTP_cookie>
String : roundcube_sessid
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : <http://jquery.com/>
[ PasswordField ]
find password fields
String : _pass (from field name)
[ RoundCube ]
Opensource Webmail written in PHP
Website : <http://roundcube.net/>
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
[ X-Frame-Options ]
This plugin retrieves the X-Frame-Options value from the
HTTP header. - More Info:
<http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.aspx>
String : sameorigin
[ nginx ]
Nginx (Engine-X) is a free, open-source, high-performance
HTTP server and reverse proxy, as well as an IMAP/POP3
proxy server.
Version : 1.24.0
Website : <http://nginx.net/>
HTTP Headers:
HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Mon, 14 Jul 2025 15:06:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: roundcube_sessid=jol6h18b72edk0feap85rpeks5; path=/; HttpOnly
Expires: Mon, 14 Jul 2025 15:06:30 GMT
Last-Modified: Mon, 14 Jul 2025 15:06:30 GMT
Cache-Control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
Content-Language: en
Content-Encoding: gzip
www-data@mail:/var/www/html/roundcube/config$ cat config.inc.php
cat config.inc.php
<?php
/*
+-----------------------------------------------------------------------+
| Local configuration for the Roundcube Webmail installation. |
| |
| This is a sample configuration file only containing the minimum |
| setup required for a functional installation. Copy more options |
| from defaults.inc.php to this file to override the defaults. |
| |
| This file is part of the Roundcube Webmail client |
| Copyright (C) The Roundcube Dev Team |
| |
| Licensed under the GNU General Public License version 3 or |
| any later version with exceptions for skins & plugins. |
| See the README file for a full license statement. |
+-----------------------------------------------------------------------+
*/
$config = [];
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
// For examples see <http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php>
// NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
// or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube';
<--SNIP-->
└─$ sudo mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 32
Server version: 11.4.4-MariaDB-3 Debian n/a
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at <https://github.com/MariaDB/server>
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE roundcube;
Query OK, 1 row affected (0.001 sec)
MariaDB [(none)]> exit;
Bye
└─$ sudo mysql -u root -p roundcube < roundcube.sql
Enter password:
└─$ sudo mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 34
Server version: 11.4.4-MariaDB-3 Debian n/a
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at <https://github.com/MariaDB/server>
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> USE roundcube;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [roundcube]> show tables;
+---------------------+
| Tables_in_roundcube |
+---------------------+
| cache |
| cache_index |
| cache_messages |
| cache_shared |
| cache_thread |
| collected_addresses |
| contactgroupmembers |
| contactgroups |
| contacts |
| dictionary |
| filestore |
| identities |
| responses |
| searches |
| session |
| system |
| users |
+---------------------+
17 rows in set (0.001 sec)
MariaDB [roundcube]>
└─$ ssh jacob@10.10.11.77
jacob@10.10.11.77's password:
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.8.0-63-generic x86_64)
* Documentation: <https://help.ubuntu.com>
* Management: <https://landscape.canonical.com>
* Support: <https://ubuntu.com/pro>
System information as of Fri Jul 18 09:58:49 AM UTC 2025
System load: 0.01 Processes: 247
Usage of /: 69.9% of 6.73GB Users logged in: 0
Memory usage: 10% IPv4 address for eth0: 10.10.11.77
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See <https://ubuntu.com/esm> or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Thu Jul 10 11:44:49 2025 from 10.10.14.77
jacob@outbound:~$ ls
user.txt
jacob@outbound:~$ sudo -l
Matching Defaults entries for jacob on outbound:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User jacob may run the following commands on outbound:
(ALL : ALL) NOPASSWD: /usr/bin/below *, !/usr/bin/below --config*, !/usr/bin/below --debug*, !/usr/bin/below -d*
jacob@outbound:~$
jacob@outbound:/tmp$ sudo /usr/bin/below record &
[1] 8915
jacob@outbound:/tmp$ Jul 18 10:15:23.722 DEBG Starting up!
Jul 18 10:15:23.722 ERRO
----------------- Detected unclean exit ---------------------
Error Message: Failed to acquire file lock on index file: /var/log/below/store/index_01752796800: EAGAIN: Try again
-------------------------------------------------------------
^C
[1]+ Exit 1 sudo /usr/bin/below record
jacob@outbound:/tmp$ cd /var/log/below/store/
jacob@outbound:/var/log/below/store$ ls
data_01752796800 index_01752796800
jacob@outbound:/var/log/below/store$