I just solved Enigma from Hack the Box!
Enigma Machine Summary
Enigma is an easy difficulty Linux machine on Hack The Box that focuses on misconfigured network services, exposed file shares, mail service enumeration, credential harvesting, and authenticated web application exploitation. The machine demonstrates how seemingly low-risk exposures, including an improperly configured NFS share, onboarding documentation, accessible mail services, and vulnerable web applications, can be chained together to achieve complete system compromise.
The attack chain began with Nmap enumeration, which revealed several exposed services including SSH, HTTP, POP3, IMAP, and NFS. During host configuration, the enigma.htb virtual host was added to the local hosts file after observing the HTTP redirect from the target IP. Initial web enumeration identified a professional Enigma Corp website but no immediately exploitable functionality, prompting further investigation of the remaining exposed services.
Attention then shifted to NFS enumeration, where an exported onboarding share was discovered. After mounting the NFS share, I enumerated its contents and found an onboarding PDF. Through file retrieval and document analysis, the PDF revealed valid employee webmail credentials for Kevin Mitchell together with the internal mail server hostname. After updating the local hosts file with the mail server address through another host configuration step, I performed mail service enumeration and verified the available IMAP services. Further IMAPS enumeration confirmed that the encrypted mail service was operational and accepting secure client connections.
Using the recovered credentials, I successfully performed IMAP authentication and gained access to Kevin's mailbox. I then carried out email enumeration and mailbox enumeration, reviewing every available message and confirming there were no hidden attachments or additional emails. During email analysis, I discovered references to another employee, Sarah, and eventually obtained access to her mailbox, where an internal IT email disclosed administrative credentials for an OpenSTAManager support portal hosted on another virtual host.
Following another host configuration step to resolve the newly discovered virtual host, I accessed the support portal and completed application enumeration, identifying an instance of OpenSTAManager version 2.9.8. Research into publicly available vulnerabilities revealed an authenticated file upload vulnerability affecting this version. During OpenSTAManager exploitation, I adapted a public proof-of-concept into a custom Python exploit that authenticated to the application, uploaded a malicious payload, and successfully achieved remote code execution as the www-data user.
The exploit automated the remaining stages of the attack by leveraging the compromised application to execute commands on the underlying Linux host, escalate privileges through the vulnerable environment, and retrieve both the user and root flags. The machine highlights how information disclosure, exposed infrastructure services, weak credential management, and vulnerable enterprise software can be chained together to progress from initial enumeration to full system compromise with minimal resistance.
Protected Page
The first step in owning the Enigma machine like I have always done in my previous writeups is to connect my Kali Linux terminal with Hack the Box server. To establish this connection, I ran the following command in the terminal:
Nmap Enumeration
I started the assessment by running an Nmap service and version scan against the target to identify the exposed attack surface and gather information about the services running on the host.
enigma.htb, indicating that I would need to configure my local hosts file before continuing with web enumeration. The combination of mail services and NFS exports suggested multiple potential attack paths that I planned to investigate during the next phase of the engagement.Host Configuration
After identifying that the web server redirected requests to enigma.htb, I configured my local system to resolve the virtual host correctly. This ensured that all future requests would be directed to the intended web application during enumeration.
/etc/hosts file. With the host configuration complete, I was able to access the website using the enigma.htb domain and continue with web enumeration against the correct virtual host.Web Enumeration
After configuring the hostname, I browsed to the target IP and confirmed that the web server automatically redirected all requests to http://enigma.htb. This validated the virtual host identified during the Nmap scan and confirmed that the application was intended to be accessed through its domain name.
NFS Enumeration
Since the Nmap scan revealed an NFS service, I enumerated its exported shares to determine whether any directories were accessible without authentication. This is a common reconnaissance step, as misconfigured NFS exports can expose sensitive files to unauthenticated users.
/srv/nfs/onboarding, which was accessible to all clients (*). This indicated a potentially insecure NFS configuration and provided a promising target for further investigation by mounting the share and reviewing its contents.NFS Share Mounting
After identifying the exposed NFS export, I created a local mount point and mounted the remote share to inspect its contents. This allowed me to access the files stored on the export as if they were located on my local system.
New_Employee_Access.pdf. Since onboarding documents often contain credentials or internal access information in CTF environments, this immediately became the next artifact I examined.File Retrieval
To simplify my analysis, I copied the PDF from the mounted NFS share into my current working directory. Working with a local copy ensured that I could inspect the document without relying on the mounted share throughout the investigation.
Document Analysis
I opened the retrieved PDF on my local machine and reviewed its contents for any sensitive information that could assist with gaining initial access. The document appeared to be an automatically generated onboarding form issued by Enigma Corp's IT department for a newly provisioned employee.
No command was required for this step, as I simply opened the PDF by double-clicking it in my file explorer.
kevin and password Enigma2024!, along with the webmail URL http://mail001.enigma.htb. These credentials provided my first set of authenticated access and became the next target for further enumeration.Host Configuration
The onboarding document referenced the webmail portal at mail001.enigma.htb, so I updated my local hosts file to resolve the hostname to the target IP address. This ensured that I could access the mail service using its intended virtual host.
Mail Service Enumeration
After obtaining valid webmail credentials, I performed a targeted Nmap scan against the IMAP ports to verify the mail services exposed by the target. This helped me confirm which protocols were available before attempting authenticated access.
143) and the encrypted IMAPS port (993). Since secure IMAP was available, I chose to continue interacting with the mail server using the recovered credentials over the encrypted service.IMAPS Enumeration
Before attempting to authenticate, I verified that the encrypted IMAPS service was accessible and inspected its TLS configuration. This allowed me to confirm the server certificate and ensure the mail service was ready to accept secure client connections.
The TLS handshake completed successfully, revealing a self-signed certificate with the common name enigma and establishing a TLS 1.3 session. After the connection was established, the server presented the Dovecot IMAP banner along with its supported authentication capabilities, confirming that the IMAPS service was operational and ready for authenticated enumeration using the recovered credentials.
IMAP Authentication
With valid credentials recovered from the onboarding document, I authenticated to the IMAPS service using curl to verify access to the mailbox. I first listed the available mailboxes before examining the contents of the user's inbox.
INBOX, indicating that there was mail waiting to be reviewed, making the inbox my next target for further enumeration.Email Enumeration
After confirming that the inbox contained a message, I retrieved it by specifying its UID through the IMAPS service. Reading individual emails often reveals internal information, usernames, or additional attack paths that are useful during post-authentication enumeration.
sarah@enigma.htb) and mentioned that new employee access credentials were distributed through the company's shared drive, providing valuable context for the ongoing investigation.Mailbox Enumeration
To ensure I was not missing any hidden content, I enumerated the mailbox using multiple IMAP retrieval methods. I accessed the message by its mailbox index and also issued FETCH requests to retrieve both the email headers and the complete message body.
Email Analysis
After gaining access to Sarah's mailbox, I reviewed the available emails to identify any internal communications that could reveal additional services or credentials. I retrieved the message directly by its UID to inspect its full contents.
http://support_001.enigma.htb. In addition to disclosing the URL, it revealed the temporary admin username and password, providing a new authenticated attack path to continue the assessment.Host Configuration
The email from the IT department referenced the OpenSTAManager portal at support_001.enigma.htb, so I updated my local hosts file to resolve the new hostname to the target IP address. This ensured I could access the application using its intended virtual host.
Application Enumeration
Using the hostname recovered from the internal email, I browsed to support_001.enigma.htb to inspect the newly discovered service. This allowed me to identify the application before attempting to authenticate with the credentials provided by the IT department.
Application Authentication
Using the administrative credentials recovered from Sarah's mailbox, I authenticated to the OpenSTAManager portal. The login was successful, confirming that the credentials were valid and granting me access to the application's administrative interface.
info.php page, which displayed the OpenSTAManager dashboard and application details. With authenticated access established, I began enumerating the application for its version, available modules, and any potential vulnerabilities that could be leveraged further.OpenSTAManager Exploitation
After identifying the application version as OpenSTAManager 2.9.8, I researched publicly available vulnerabilities affecting this release. My research led me to a public proof-of-concept demonstrating that the application's update mechanism could be abused to upload a malicious ZIP archive, resulting in remote code execution.
Remote Code Execution
After preparing the exploit, I executed it against the target to test whether the vulnerable OpenSTAManager instance could be compromised. The script authenticated with the administrative credentials and automated the exploitation chain from initial access through post-exploitation.
www-data user before leveraging the remaining attack chain to escalate privileges. It automatically retrieved both the user.txt and root.txt flags, demonstrating that the entire exploitation process - from authenticated access to full system compromise - had been completed successfully.Keywords:
Enigma HTB Writeup
Enigma HTB Walkthrough
enigma.htb
Enigma - HackTheBox Season 11 Machine Walkthrough
enigma hack the box writeup
enigma hack the box
support_001.enigma.htb
mail001.enigma.htb
kevin:Enigma2024!
I just solved Enigma from Hack the Box!
Enigma machine htb season11 user flag
HackTheBox - Enigma Season 11 htb root flag
Owned Enigma from Hack the Box
Enigma HTB Walkthrough Season 11 HackTheBox machine
Rooted Enigma from Hack the Box
Enigma user flag htb season 11 HackTheBox walkthrough
Enigma machine root flag HTB Season11 Hack the Box
Hack The Box (HTB): Enigma Machine (Full Walkthrough)
Pwned Enigma from Hack the Box
eloquia.htb
eloquia htb writeup
Eloquia - HackTheBox Season 9 htb machine walkthrough
HTB Eloquia Complete Solution
Eloquia Hack the Box Walkthrough
Eloquia Hack the Box Write Up
Eloquia HTB Machine Season 9 User Flag
Eloquia Hack The Box Machine Season 9 Root Flag
checkpoint.htb season 11
Checkpoint Hack the Box Walkthrough
Checkpoint Hack the Box Write Up
Checkpoint HTB Writeup
Season 11 Hack the Box - Checkpoint User Flag
Season11 HackTheBox - Checkpoint Root Flag HTB Walkthrough
Reactor - HackTheBox Season 11 Walkthrough
Helix Season11 Hack the Box Walkthrough




























1 Comments
To current members, the password to access this encrypted page and other pages has been sent to your email address. If you haven't received it yet, reach out to me at isiaqibrahim.tr@gmail.com
ReplyDeleteNote: This write up includes the complete code blocks and commands. The password for each write up is different. I have sent the password to your inbox on Buy Me A Coffee.
Happy Hacking!!!😈😈