Hack The Box - HTB Editor Writeup - Easy - Season 8 Weekly - August 2nd, 2025

HTB Editor Box - Complete Writeup

Difficulty: Easy
OS: Linux

Overview

Editor is an easy-level Linux machine that demonstrates real-world vulnerabilities in web applications. The attack path involves exploiting a CVE in XWiki, credential harvesting from configuration files, and privilege escalation through a vulnerable SUID binary.

Key Learning Points:

  • XWiki Groovy Code Injection (CVE-2024-31982)
  • Configuration file enumeration
  • SUID binary exploitation
  • PATH manipulation attacks

Reconnaissance & Enumeration

Nmap Port Scan

Starting with a comprehensive port scan to identify running services:

nmap -sC -sV -oA editor 10.x.x.x

Results:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-02 15:37 CDT
Host is up (0.082s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Editor - SimplistCode Pro
8080/tcp open  http    Jetty 10.0.20
|_http-open-proxy: Proxy might be redirecting requests
| http-methods: 
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
|_http-server-header: Jetty(10.0.20)
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/ 
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/ 
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/ 
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/ 
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/ 
|_/xwiki/bin/undelete/
| http-webdav-scan: 
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
|   WebDAV type: Unknown
|_  Server Type: Jetty(10.0.20)
| http-cookie-flags: 
|   /: 
|     JSESSIONID: 
|_      httponly flag not set
| http-title: XWiki - Main - Intro
|_Requested resource was http://editor.htb:8080/xwiki/bin/view/Main/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.09 seconds

Key Findings:

  • Port 22: SSH service (OpenSSH 8.9p1)
  • Port 80: Nginx web server hosting "Editor - SimplistCode Pro"
  • Port 8080: Jetty server running XWiki application

The most interesting finding is the XWiki instance on port 8080: its robots.txt lists multiple administrative endpoints (edit, save, delete and similar actions), and the server accepts WebDAV methods (PROPFIND, LOCK, UNLOCK).

XWiki Version Discovery

Navigating to http://editor.htb:8080/xwiki reveals an XWiki installation.

Critical Discovery: XWiki Version 15 is vulnerable to CVE-2024-31982 - a remote code execution vulnerability through Groovy script injection.


Initial Foothold - XWiki CVE-2024-31982

Vulnerability Analysis

CVE-2024-31982 affects XWiki versions and allows unauthenticated remote code execution through:

  • Groovy script injection in search endpoints
  • Bypass of access controls through RSS feed functionality
  • Multiple attack vectors via different endpoints (SolrSearch, DatabaseSearch)
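
From the defender's side, the injection described above leaves a trace in the web access log: a request to one of the search pages whose parameters contain an XWiki script-macro opener. The following is an added example, not code from the original writeup or from XWiki; the log format (combined), the macro watch list, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Search pages named in the writeup, matched case-insensitively in the path.
SEARCH_PAGES = ("solrsearch", "databasesearch")
# Openers of XWiki script macros (assumed watch list); a search term should not contain one.
MACRO = re.compile(r"\{\{\s*(groovy|velocity|python|async)\b", re.I)
# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_requests(lines):
    """Return (ip, user, page, status) for search requests whose parameters carry a script macro."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ip, user, _method, target, status = m.groups()
        url = urlsplit(target)
        page = next((p for p in SEARCH_PAGES if p in url.path.lower()), None)
        if page is None:
            continue  # not one of the search pages
        # parse_qsl decodes once; the extra unquote catches double-encoded values.
        values = [unquote(v) for _k, v in parse_qsl(url.query, keep_blank_values=True)]
        if any(MACRO.search(v) for v in values):
            hits.append((ip, user, page, int(status)))
    return hits


# Constructed sample lines (documentation IP ranges, inert PLACEHOLDER body).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Aug/2025:15:40:01 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=meeting+notes HTTP/1.1" 200 5120',
    '203.0.113.9 - - [02/Aug/2025:15:41:12 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%7B%7Bgroovy%7D%7DPLACEHOLDER%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 812',
    '198.51.100.4 - - [02/Aug/2025:15:42:30 +0000] "GET /xwiki/bin/view/Main/DatabaseSearch?text=%257B%257Bgroovy%257D%257DPLACEHOLDER HTTP/1.1" 200 640',
    'truncated line without a request field',
    '203.0.113.7 - - [02/Aug/2025:15:43:02 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit from a user field of `-` with status 200 means the request was served without a login, which is the condition to alert on; parameters sent in a POST body do not appear in an access log and need inspection at a proxy or WAF instead.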

Exploit Development

Created a comprehensive Python exploit that handles multiple attack scenarios: