This file provides a complete exploitation walkthrough for the "Outbound Mail" machine on Hack The Box (HTB). It covers initial VPN setup, reconnaissance, exploiting Roundcube Webmail via CVE-2025-49113 for remote code execution (RCE), privilege escalation to user via database credential extraction, and root escalation using CVE-2025-27591 (Below Symlink Attack).
1. Preparation & Recon
1.1 Connect to VPN
sudo openvpn --config /path/to/htb.ovpn
1.2 /etc/hosts Configuration
Add the host entry, replacing the IP with the address of your instance if it differs:
echo "10.10.11.XXX mail.outbound.htb" | sudo tee -a /etc/hosts
2. Initial Enumeration
2.1 Nmap Scan
nmap -sC -sV -oN nmap.txt mail.outbound.htb
Open ports:
22 (SSH)
80 (HTTP)

