HTB - Editor

2024-12-08 · 3 min read

OS: Linux | Difficulty: Easy [20] | Season: 9


Editor is a Linux box hosting a code editor website, with its documentation on an XWiki instance. I’ll exploit a vulnerability in XWiki’s Solr search that allows unauthenticated Groovy script injection to get remote code execution and a shell. From there, I’ll find database credentials in the XWiki Hibernate config and pivot to a user who reuses that password. Enumerating services bound to localhost, I’ll find an older version of NetData, which installs an ndsudo SetUID binary vulnerable to PATH injection, and I’ll abuse that to get root.

Recon

Initial Scanning

nmap finds three open TCP ports, SSH (22) and two HTTP (80, 8080):

oxdf@hacky$ nmap -p- -vvv --min-rate 10000 10.10.11.80
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-09 18:01 UTC
...[snip]...
Nmap scan report for 10.10.11.80
Host is up, received echo-reply ttl 63 (0.12s latency).
Scanned at 2025-08-09 18:01:57 UTC for 16s
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 63
80/tcp   open  http       syn-ack ttl 63
8080/tcp open  http-proxy syn-ack ttl 63

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 16.11 seconds
           Raw packets sent: 153968 (6.775MB) | Rcvd: 105117 (4.205MB)
oxdf@hacky$ nmap -p 22,80,8080 -sCV 10.10.11.80
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-09 18:06 UTC
Nmap scan report for 10.10.11.80
Host is up (0.089s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open  http    Jetty 10.0.20
| http-methods:
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-server-header: Jetty(10.0.20)
| http-webdav-scan:
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|   Server Type: Jetty(10.0.20)
|_  WebDAV type: Unknown
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
| http-cookie-flags:
|   /:
|     JSESSIONID:
|_      httponly flag not set
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
|_http-open-proxy: Proxy might be redirecting requests
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.63 seconds

Based on the OpenSSH and nginx versions, the host is likely running Ubuntu 22.04 jammy LTS.

All of the ports show a TTL of 63, which matches the expected TTL for Linux one hop away.

The website on port 80 is redirecting to editor.htb.
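As an added example (not code from the original post), here is a small Python parser for the nmap normal-output format shown above: it pulls the observed TTL and the open ports with their NSE script lines, applies the TTL-to-hop-count reasoning from the text, and flags the two items worth noting (the redirect to editor.htb and the JSESSIONID cookie without HttpOnly). The sample input is a trimmed copy of the scan output above; the initial-TTL table (64/128/255) is the usual assumption, not something the page states.

```python
import re

# Constructed sample: a trimmed copy of the nmap -sCV output shown above.
NMAP_OUTPUT = """\
Host is up, received echo-reply ttl 63 (0.12s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open  http    Jetty 10.0.20
| http-cookie-flags:
|   /:
|     JSESSIONID:
|_      httponly flag not set
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
TTL_RE = re.compile(r"\bttl (\d+)\b")
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Network device/Solaris"}  # assumed defaults


def parse_nmap(text):
    """Return (observed ttl, list of port dicts); NSE '|' lines attach to the preceding port."""
    ttl, ports = None, []
    for line in text.splitlines():
        if ttl is None and (t := TTL_RE.search(line)):
            ttl = int(t.group(1))
        if m := PORT_RE.match(line):
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            ports[-1]["scripts"].append(line.lstrip("|_ "))
    return ttl, ports


def guess_hops(ttl):
    """Smallest initial TTL >= observed gives the OS family; the difference is the hop count."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return INITIAL_TTLS[initial], initial - ttl


def findings(ports):
    """Flag what the scan hints at: a vhost redirect target and a cookie without HttpOnly."""
    out = []
    for p in ports:
        for s in p["scripts"]:
            if m := re.search(r"redirect to (\S+)", s):
                out.append((p["port"], "vhost " + m.group(1)))
            if "httponly flag not set" in s:
                out.append((p["port"], "cookie missing HttpOnly"))
    return out
```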

Subdomain Brute Force

Given the use of domain-name-based routing and the domain editor.htb, I’ll check for subdomains that respond differently from the default case using ffuf:

oxdf@hacky$ ffuf -u http://10.10.11.80 -H "Host: FUZZ.editor.htb" -w /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -ac

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.80
 :: Wordlist         : FUZZ: /opt/SecLists/Discovery/DNS/subdomains-top1million-20000.txt
 :: Header           : Host: FUZZ.editor.htb
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

wiki                    [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 93ms]
:: Progress: [19966/19966] :: Job [1/1] :: 447 req/sec :: Duration: [0:00:45] :: Errors: 0 ::