HackTheBox Outbound Writeup
HackTheBox Outbound 是一台简单难度的 Linux 机器。本文按照信息收集、初始访问、横向或提权路径的顺序整理完整解题过程,突出关键漏洞点、凭据来源与最终拿到 user/root 或域权限的利用链。
htb outbound
初步枚举
nmap 10.10.11.79 -sV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-26 04:01 EST
Nmap scan report for era.htb (10.10.11.79)
Host is up (5.7s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
80/tcp open http nginx 1.18.0 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.89 seconds
攻击链路
攻击Web应用程序(CVE-2025-49113)-->得到Docker环境shell-->升级shell-->查看config配置-->登录数据库-->查看user和session表-->破解密码-->使用该账户登录到Web-->得到ssh密码-->进入ssh后查看sudo命令-->得到below(CVE-2025-27591) HackTheBox Outbound
Initial Enumeration
nmap 10.10.11.79 -sV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-26 04:01 EST
Nmap scan report for era.htb (10.10.11.79)
Host is up (5.7s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
80/tcp open http nginx 1.18.0 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.89 seconds
Attack Chain
Attack the web application (CVE-2025-49113) --> Get a Docker environment shell --> Upgrade the shell --> Check config files --> Log in to the database --> View user and session tables --> Crack the password --> Use the account to log into the web application --> Get the SSH password --> After SSH login, check the sudo commands --> Get below (CVE-2025-27591)