Linux - Easy - Editor

Created At: Updated At:

Recon

└──╼ $nmap -p- -A editor.htb
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Editor - SimplistCode Pro
8080/tcp open  http    Jetty 10.0.20
| http-title: XWiki - Main - Intro
|_Requested resource was http://editor.htb:8080/xwiki/bin/view/Main/
|_http-open-proxy: Proxy might be redirecting requests
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-server-header: Jetty(10.0.20)
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
|_/xwiki/bin/undelete/
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|   Server Type: Jetty(10.0.20)
|_  WebDAV type: Unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Clicking docs on the main page leads us to XWiki Debian 15.10.8, which is vulnerable.

https://github.com/dollarboysushil/CVE-2025-24893-XWiki-Unauthenticated-RCE-Exploit-POC

Shell stabilisationfor Qol.

python3 -c 'import pty;pty.spawn("bash")'
stty raw -echo 
^Z
fg

After doing enumeration we can find user password.

find /etc/xwiki -type f -name "*.xml" -exec grep -iE ".*pass.*" {} + 2>/dev/null

pass: theEd1t0rTeam99

IMPORATANT: su oliver wont work, we have to ssh into it.

Priv esc

We can check that on port 19999 is netdata with version 1.45.2.
We can quickly find CVE with POC for it.

https://securityvulnerability.io/vulnerability/CVE-2024-32019
https://github.com/AzureADTrent/CVE-2024-32019-POC

Following the step by step guide we get root.