Platform: Hack The Box
Season: 9
Difficulty: Easy
OS: Linux
Date: 2025-10-30
Author: x4cc3
Outbound is an Easy Linux machine running Roundcube Webmail on mail.outbound.htb. A Roundcube CVE provides RCE as www-data. Roundcube's MySQL credentials are recovered from its config file. IMAP credentials stored in the database are decrypted with Roundcube's built-in utility (`/bin/decrypt`), yielding SSH access as jacob. The `below` binary, allowed under sudo NOPASSWD, is then exploited for root.

| Port | Service |
|---|---|
| 22/tcp | SSH |
| 80/tcp | HTTP |

Nmap scan

CVE research

Exploit found

Subdomain: mail.outbound.htb (Roundcube Webmail 1.6.10)

Roundcube 1.6.10 had a known vulnerability. A public PoC provided a reverse shell as www-data.