HTB - Outbound Machine Writeup

Shreyas D R

Enumeration:

(The scan took a very long time, but I entered the IP directly into the browser and got the webpage.)

Let's visit the webpage.

Before this, make sure to add the IP and mail.outbound.htb to /etc/hosts.

Now note the Roundcube version.

A simple Google search and we see:

After reading around, I came across a GitHub repo:

CVE-2025-49113

Using this, I managed to get a reverse shell.

(Yes, I had to switch to the Pwnbox due to issues with my internet, because I was exhausted from debugging it for days.)

Note: Make sure that the listener is open before executing the exploit.

Now, searching around in the configs directory, we find a config.php file where we get the following:

Now we execute SQL commands to find out the users.

We can see that the above details are encoded in Base64, so we switch to CyberChef to decode the text.

I have reduced it to the important part:

Now decoding the password from Base64 we get:

Now note the des_key from the config file. (It hinted at Triple DES, so I directly knew what to do next.)

Figuring out the keys properly took me a while since I'm dumb; however, I managed to finally get the output.

Recap of the details I used so far:

rcmail-!24ByteDESkey*Str

2fb46fd3403c4eec

0902bebb9084f1c5c4a09c8936e409bf

We get: 595mO8DmwGeD
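The same decryption can be reproduced on the command line instead of in CyberChef; this is an added example, not part of the original writeup, and `rc_decrypt` is a hypothetical helper name. It assumes Roundcube's DES-EDE3-CBC layout, a Base64 blob holding an 8-byte IV followed by the ciphertext, and shows why anyone who can read des_key can recover passwords stored in session data.

```bash
#!/usr/bin/env bash
# Added example: decrypt a Roundcube-encrypted value with the des_key.
# Assumed layout: base64( IV[8 bytes] || 3DES-CBC ciphertext, PKCS#7 padded ).

rc_decrypt() {
  local key="$1" blob="$2" raw_len key_hex iv_hex

  # Three-key 3DES needs exactly 24 key bytes (ASCII key assumed).
  if [ "${#key}" -ne 24 ]; then
    echo "des_key must be exactly 24 bytes" >&2
    return 2
  fi

  # The decoded blob must hold the IV plus at least one 8-byte block.
  raw_len=$(( $(printf '%s' "$blob" | base64 -d 2>/dev/null | wc -c) ))
  if [ "$raw_len" -lt 16 ] || [ $(( raw_len % 8 )) -ne 0 ]; then
    echo "blob is not IV + whole 3DES blocks" >&2
    return 3
  fi

  # openssl enc wants the key and IV as hex strings.
  key_hex=$(printf '%s' "$key" | od -An -v -tx1 | tr -d ' \n')
  iv_hex=$(printf '%s' "$blob" | base64 -d | head -c 8 | od -An -v -tx1 | tr -d ' \n')

  # Everything after the first 8 bytes is ciphertext.
  printf '%s' "$blob" | base64 -d | tail -c +9 |
    openssl enc -d -des-ede3-cbc -K "$key_hex" -iv "$iv_hex"
}

# Values from the recap above. BLOB is the IV hex followed by the
# ciphertext hex from the recap, re-encoded as Base64.
DES_KEY='rcmail-!24ByteDESkey*Str'
BLOB='L7Rv00A8TuwJAr67kITxxcSgnIk25Am/'

rc_decrypt "$DES_KEY" "$BLOB"
echo
```

The des_key on this machine is the sample value that ships in Roundcube's default configuration, so replacing it with a random 24-byte key and restricting read access to config.php are the relevant hardening steps.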

Now we switch to jacob and enumerate

It took me a while to thoroughly search, but I figured INBOX would be where it would likely be, so I scoured there.

Now we got the SSH creds for Jacob and managed to finally get the shell.

gY4Wr3a1evp4

We finally got the user.txt (Yayyy!!!)

Again, I tried to root but it didn't work out, so I spent hours googling and finally asked ChatGPT about /below. Finally I understood the directory and files in below. With a sequence of manipulation by removing the error files and manipulating it into /etc/passwd, I finally managed to make my dummy account (donut hahaha) the sudo. I had to restart my machine a few times to get it right since it broke down with bad configs.

This took the longest time to get right, but I managed to finally get it done.

We finally got the flag and we were done. YAYYY!!!

I rate this machine a solid 6/10 for difficulty (Skill issues from my side were very apparent :( )

See you guys in the next article!!
