Skip to content
Home » Hack The Box: Outbound Machine Walkthrough – Easy Difficulity

Hack The Box: Outbound Machine Walkthrough – Easy Difficulity

Reading Time: 11 minutes

Introduction to Outbound:

In this write-up, we will explore the “Outbound” machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Outbound” machine from Hack The Box by achieving the following objectives:

User Flag:

The initial foothold was achieved by exploiting CVE‑2025‑49113 in Roundcube version 1.6.10 using Tyler’s valid credentials. This vulnerability in the file upload feature allowed remote code execution, enabling a reverse shell that was upgraded to a fully interactive shell. Investigation of the Roundcube configuration revealed the database credentials, which were used to access the MariaDB instance. Within the database, Jacob’s encrypted session data was located and decrypted using the known DES key, revealing his plaintext password. Using this password, SSH authentication was successful, providing access to Jacob’s environment and allowing the retrieval of the user flag.

Root Flag:

Privilege escalation was identified through sudo -l, which showed that the user could execute /usr/bin/below. Research revealed that the installed version of below is vulnerable to CVE‑2025‑27591, which involves a world-writable /var/log/below directory with permissions set to 0777. Exploiting this vulnerability using the publicly available Python PoC allowed execution of commands as root. Leveraging this access, the root flag was retrieved by reading the /root/root.txt file.

Enumerating the Outbound Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine. 

nmap -sC -sV 10.10.11.77 -oA initial

Nmap Output: 

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN9Ju3bTZsFozwXY1B2KIlEY4BA+RcNM57w4C5EjOw1QegUUyCJoO4TVOKfzy/9kd3WrPEj/FYKT2agja9/PM44=
|   256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9qI0OvMyp03dAGXR0UPdxw7hjSwMR773Yb9Sne+7vD
80/tcp open  http    syn-ack ttl 63 nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Analysis:

  • Port 22: Running OpenSSH 9.6p1, providing secure remote access.
  • Port 80: Running nginx 1.24.0, redirecting to the Roundcube webmail portal.

Web Application Exploration:

Accessing the http://mail.outbound.htb portal reveals a Roundcube Webmail interface. We can proceed to log in using the provided credentials.

Entering the Tyler credentials allows us to access the Roundcube Webmail interface.

After accessing the email portal, the inbox appears to be empty.

Roundcube Webmail 1.6.10 service enumeration and analysis on Outbound machine

After logging in, the first step is to check the Roundcube version. In this case, it is running version 1.6.10.

Another way to verify the version is by checking the information embedded in the page’s source code.

After doing some research, I discovered that this version is affected by a known vulnerability, identified as CVE-2025-49113.

CVE‑2025‑49113: Critical Vulnerability in Roundcube on Outbound machine

CVE‑2025‑49113 is a serious vulnerability in Roundcube Webmail versions up to 1.5.9 and 1.6.10. It occurs in the upload.php feature, where certain input parameters are not properly validated. An attacker with valid user credentials can exploit this flaw to execute arbitrary code on the server by sending a specially crafted payload. This can allow the attacker to run commands, install backdoors, or take further control of the system. The vulnerability is particularly dangerous because it requires minimal technical effort once credentials are obtained, and proof-of-concept exploits are publicly available. Applying the patched versions 1.5.10 or 1.6.11 and above is necessary to secure the system.

How the Exploit Works

The script begins by checking whether the Roundcube instance is running a vulnerable version. If it is, it continues with the login process. Once authenticated, it uploads a normal-looking PNG file to the server. During this upload, the exploit carries out two key injections: one targeting the PHP session via the _from parameter in the URL, and another that slips a malicious object into the filename field of the _file parameter. When combined, these injections trigger code execution on the server, allowing the attacker to execute commands remotely.

You can download the Python script from the following repository: https://github.com/00xCanelo/CVE-2025-49113.

This command runs the exploit script and requires four arguments: the target Roundcube URL, a valid username, the corresponding password, and the system command you want the server to execute.

The upload went through successfully.

Unfortunately, it didn’t produce any outcome.

I changed the payload to use a base64‑encoded command.

The attempt failed once more.

I replaced the script with the PHP version from https://github.com/hakaioffsec/CVE-2025-49113-exploit. Unexpectedly, the script hung, and that’s a positive indication.

Finally, it worked successfully.

Tyler user account enumeration and analysis

So, let’s proceed using Tyler’s credentials.

Improve the shell to a full interactive one.

I couldn’t locate any files related to the configuration.

Since the application uses Roundcube, let’s check for the configuration file at /var/www/html/roundcube/config/config.inc.php.

This configuration file defines the essential settings for the Roundcube Webmail installation. It specifies the MySQL database connection using the credentials roundcube:RCDBPass2025 on the local database server, which Roundcube relies on to store its data. The file also sets the IMAP and SMTP servers to localhost on ports 143 and 587, meaning both incoming and outgoing mail services run locally, and Roundcube uses the user’s own login credentials for SMTP authentication. The product name is set to Roundcube Webmail, and the configuration includes a 24‑character DES key used for encrypting IMAP passwords in session data. Additionally, the installation enables the archive and zipdownload plugins and uses the elastic skin for its interface. Overall, this file contains the key operational and security‑sensitive parameters needed for Roundcube to function.

The commands show a successful login to the MariaDB database using the roundcube user account with the password RCDBPass2025. After entering the password, access to the MariaDB monitor is granted, allowing the user to execute SQL commands. The prompt confirms that the server is running MariaDB version 10.11.13 on Ubuntu 24.04, and provides standard information about the database environment, including copyright details and basic usage instructions. This access enables management of the Roundcube database, including querying, updating, or modifying stored data.

The commands demonstrate exploring the MariaDB instance after logging in as the roundcube user. First, show databases; lists all databases on the server, revealing the default information_schema and the roundcube database, which stores the webmail application’s data. Next, use roundcube; switches the context to the Roundcube database, allowing operations within it. Running show tables; displays all the tables in the database, totaling 17, which include tables for caching (cache, cache_index, cache_messages, etc.), email contacts (contacts, contactgroups, contactgroupmembers), user identities (identities, users), and other operational data (session, system, filestore, responses, searches). These tables collectively manage Roundcube’s functionality, storing user accounts, session data, cached messages, and other configuration or runtime information necessary for the webmail system.

This snippet appears to be a serialized Roundcube session or user configuration for the account jacob. It stores settings such as the user ID, username, encrypted password, IMAP server details (localhost:143), mailbox information (e.g., INBOX with 2 unseen messages), session tokens, authentication secret, timezone (Europe/London), UI preferences like skin and layout, and other session-related flags. Essentially, it contains all the data Roundcube needs to manage the user’s session, mailbox view, and preferences while interacting with the webmail interface.

Creating a Python script to recover the plaintext password from encrypted session data.

#!/usr/bin/env python3
import base64
from Crypto.Cipher import DES3
from Crypto.Util.Padding import unpad

DES_KEY = 'rcmail-!24ByteDESkey*Str'  # Roundcube 3DES key (24 bytes)


def extract_iv_and_data(b64_string):
    """Decode base64 and split into IV + encrypted data."""
    raw = base64.b64decode(b64_string)
    return raw[:8], raw[8:]


def create_cipher(des_key, iv):
    """Return a 3DES CBC cipher instance."""
    key = des_key.encode('utf-8')[:24]
    return DES3.new(key, DES3.MODE_CBC, iv)


def decrypt_value(b64_string, des_key):
    """Decrypt a Roundcube-encrypted base64 string."""
    try:
        iv, encrypted = extract_iv_and_data(b64_string)
        cipher = create_cipher(des_key, iv)

        decrypted_padded = cipher.decrypt(encrypted)

        # Remove padding safely
        try:
            decrypted = unpad(decrypted_padded, DES3.block_size)
        except:
            decrypted = decrypted_padded.rstrip(b'\x00\x01\x02\x03\x04\x05\x06\x07\x08')

        return decrypted.decode('utf-8', errors='ignore').strip(), iv, encrypted

    except Exception as e:
        return f"Decryption failed: {str(e)}", None, None


def print_decryption(label, data, des_key):
    """Helper to decrypt and print results in structured form."""
    plaintext, iv, encrypted = decrypt_value(data, des_key)

    print(f"[{label}]")
    print(f"  Base64: {data}")
    print(f"  Plaintext: {plaintext}")

    if iv is not None:
        print(f"  IV: {iv.hex()}")
        print(f"  Encrypted(hex): {encrypted.hex()}")
    print()


def main():
    # Extracted values
    username = "jacob"
    password_b64 = "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"
    auth_secret_b64 = "DpYqv6maI9HxDL5GhcCd8JaQQW"
    request_token_b64 = "TIsOaABA1zHSXZOBpH6up5XFyayNRHaw"

    print("\n=== Roundcube Password / Token Decryptor ===\n")
    print(f"Using DES Key: {DES_KEY}\n")

    print(f"User: {username}\n")

    print_decryption("Password", password_b64, DES_KEY)
    print_decryption("Auth Secret", auth_secret_b64, DES_KEY)
    print_decryption("Request Token", request_token_b64, DES_KEY)

    print("Decryption Method: 3DES CBC (IV extracted from base64)")


if __name__ == "__main__":
    main()

This Python script is designed to decrypt Roundcube webmail passwords (and similar session tokens) that are stored in 3DES-encrypted form. Key points:

  • Decryption Method: Uses 3DES in CBC mode with a 24-byte key (des_key) and an 8-byte IV extracted from the start of the base64-encoded data.
  • Encrypted Data Handling: The script first base64-decodes the input, separates the IV (first 8 bytes) from the encrypted payload, and then decrypts it.
  • Padding Removal: After decryption, it removes PKCS#5/7 padding with unpad; if that fails, it manually strips extra bytes.
  • Target Data: In this example, it decrypts the user jacob’s password (L7Rv00A8TuwJAr67kITxxcSgnIk25Am/) along with the auth_secret and request_token.
  • Output: Shows the plaintext password, IV, and encrypted data in hex for analysis.

The decrypted Roundcube credentials reveal the username jacob with the plaintext password 595mO8DmwGeD. These credentials can now be tested for SSH authentication to determine whether the same password is reused across services. Since password reuse is common in misconfigured environments, attempting SSH login with these details may provide direct shell access to the target system.

The email content from Jacob’s mailbox shows two messages. The first, from Tyler, notifies Jacob of a recent password change and provides a temporary password gY4Wr3a1evp4, advising Jacob to update it upon next login. The second email, from Mel, informs Jacob about unexpected high resource consumption on the main server. Mel mentions that resource monitoring has been enabled and that Jacob has been granted privileges to inspect the logs, with a request to report any irregularities immediately. Together, these emails reveal sensitive information including temporary credentials and access responsibilities for server monitoring.

We’re now able to access and read the user flag.

Escalate to Root Privileges Access on the Outbound machine

Privilege Escalation:

Consistent with the earlier hint, sudo -l reveals sudo access to /usr/bin/below.

After investigating below, we found its GitHub project. In the Security section, the advisory GHSA-9mc5-7qhg-fp3w is listed.

This advisory describes an Incorrect Permission Assignment for a Critical Resource affecting version 0.9.0. Inspecting the /var/log/below directory, we see that its permissions are set to 0777, meaning it is world-writable. This confirms the advisory’s impact, as anyone can create or modify files in this directory.

Mapping the Vulnerability to CVE‑2025‑27591

Further research shows that this vulnerability is tracked as CVE‑2025‑27591, and a PoC is publicly available.

Upload the Python script to the compromised host.

Using the exploit from the following source: BridgerAlderson’s CVE‑2025‑27591 PoC on GitHub.

We can read the root flag simply by running cat root.txt.

Tags: