Machine Information - Services may take up to 5 minutes to load.
NMAP
└─$ nmap -sT -p- --min-rate 10000 10.129.51.204 -Pn -oA nmap_ports
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-03 13:19 IST
Warning: 10.129.51.204 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.51.204
Host is up (0.31s latency).
Not shown: 50541 filtered tcp ports (no-response), 14991 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 195.52 seconds
└─$ nmap -sC -sV -p 22,80,8080 10.129.51.204 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-03 13:23 IST
Nmap scan report for editor.htb (10.129.51.204)
Host is up (0.30s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Editor - SimplistCode Pro
8080/tcp open http Jetty 10.0.20
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
| http-webdav-scan:
| Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
| WebDAV type: Unknown
|_ Server Type: Jetty(10.0.20)
| http-title: XWiki - Main - Intro
|_Requested resource was <http://editor.htb:8080/xwiki/bin/view/Main/>
| http-methods:
|_ Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-server-header: Jetty(10.0.20)
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 19.79 seconds
CVE-2025-24893 is a critical unauthenticated remote code execution (RCE) vulnerability in XWiki, a popular open-source enterprise wiki platform. The flaw resides in how the SolrSearch macro improperly handles Groovy expressions inside search queries. This allows attackers to execute arbitrary Groovy code remotely, without any authentication or prior access.
We are in as oliver via theEd1t0rTeam99 and found user.txt.
Privilege Escalation
We are in the netdata group.
In the "Readable files belonging to root and readable by me, but not world readable" listing, I found something interesting: /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
The ndsudo tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions.
Details
The ndsudo tool is packaged as a root-owned executable with the SUID bit set.
It only runs a restricted set of external commands, but its search paths are supplied by the PATH environment variable. This allows an attacker to control where ndsudo looks for these commands, which may be a path the attacker has write access to.
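The lookup weakness described above and one way to close it, as an added example (not Netdata's code and not part of the original write-up). With check=0, resolve_cmd accepts every directory in the search list; with check=1 it only accepts absolute directories owned by the expected user and not writable by group or others. The function names, the temp-directory demo and the empty stand-in file are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Trust a directory only if `owner` owns it and group/others cannot write to it. */
static int dir_is_trusted(const char *dir, uid_t owner) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return st.st_uid == owner && !(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* Find `cmd` in a colon-separated list. check=0 models the lookup described above;
 * check=1 is the hardened form (a SUID helper would pass a fixed list and owner 0). */
static int resolve_cmd(const char *search, const char *cmd, int check,
                       uid_t owner, char *out, size_t outlen) {
    char copy[4096], *save = NULL;
    struct stat st;
    if (strchr(cmd, '/') || strlen(search) >= sizeof copy) return 0;
    strcpy(copy, search);
    for (char *d = strtok_r(copy, ":", &save); d; d = strtok_r(NULL, ":", &save)) {
        if (check && (d[0] != '/' || !dir_is_trusted(d, owner))) continue;
        if ((size_t)snprintf(out, outlen, "%s/%s", d, cmd) >= outlen) continue;
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0111)) return 1;
    }
    return 0;
}

/* Constructed demo: private temp dir with an empty stand-in file. Flags: 1 = unchecked
 * hit, 2 = checked hit while dir is world-writable, 4 = checked hit once dir is 0755. */
int demo(void) {
    char dir[] = "/tmp/pathdemo_XXXXXX", file[64], out[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/nvme", dir);
    FILE *f = fopen(file, "w");
    if (!f || fclose(f) != 0) return -1;
    chmod(file, 0755);
    chmod(dir, 0777);
    int r = resolve_cmd(dir, "nvme", 0, 0, out, sizeof out);
    r |= resolve_cmd(dir, "nvme", 1, getuid(), out, sizeof out) << 1;
    chmod(dir, 0755);
    r |= resolve_cmd(dir, "nvme", 1, getuid(), out, sizeof out) << 2;
    remove(file);
    rmdir(dir);
    return r;
}
int main(void) { printf("flags=%d\n", demo()); return 0; }
```

The demo passes the current user as the expected owner so it runs unprivileged; a root-owned SUID binary would use uid 0 and a compiled-in directory list.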
PoC
As a user that has permission to run ndsudo:
1. Place an executable with a name that is on ndsudo’s list of commands (e.g. nvme) in a writable path.
2. Set the PATH environment variable so that it contains this path.
3. Run ndsudo with a command that will run the aforementioned executable.
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.32] from (UNKNOWN) [10.129.51.204] 47324
id
uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)
└─$ ssh oliver@editor.htb
The authenticity of host 'editor.htb (10.129.51.204)' can't be established.
ED25519 key fingerprint is SHA256:TgNhCKF6jUX7MG8TC01/MUj/+u0EBasUVsdSQMHdyfY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'editor.htb' (ED25519) to the list of known hosts.
oliver@editor.htb's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-151-generic x86_64)
* Documentation: <https://help.ubuntu.com>
* Management: <https://landscape.canonical.com>
* Support: <https://ubuntu.com/pro>
System information as of Sun Aug 3 08:32:31 AM UTC 2025
System load: 0.0 Processes: 229
Usage of /: 65.0% of 7.28GB Users logged in: 0
Memory usage: 50% IPv4 address for eth0: 10.129.51.204
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
4 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
4 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at <https://ubuntu.com/esm>
Last login: Sun Aug 3 08:32:32 2025 from 10.10.16.32
oliver@editor:~$ ls
user.txt
oliver@editor:~$
oliver@editor:/opt/netdata$ id
uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)
oliver@editor:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
at least 2 parameters are needed, but 1 were given.
oliver@editor:/tmp$