Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2025/12/06/htb-editor.html
  • Blog Title: HackTheBox Editor: Unauthenticated XWiki Groovy RCE (CVE-2025-24893) to Netdata ndsudo PATH Injection (CVE-2024-32019)
  • Suggested Section: 1) network-services-pentesting/pentesting-web (new subsection: "XWiki SolrSearch Groovy RCE (CVE-2025-24893)" under a possible XWiki or CMS-specific area); 2) linux-hardening/linux-privilege-escalation (add to SUID / PATH-based privesc patterns, e.g., a subsection like "Abusing SUID Helpers That Trust PATH (Netdata ndsudo CVE-2024-32019)")

🎯 Content Summary

This post walks through a full compromise of the HackTheBox machine Editor, chaining an unauthenticated Groovy RCE in XWiki (CVE-2025-24893), credential reuse, and a Netdata local privilege escalation (CVE-2024-32019) to gain root. The author carefully shows how XWiki's Solr search feature works and how it is abused, then how Netdata's ndsudo helper is designed and why a PATH injection leads to privilege escalation.


Recon & initial web attack surface

🔧 Technical Details

Unauthenticated Groovy injection via XWiki SolrSearch (CVE-2025-24893)
This trick targets XWiki's Solr search RSS rendering. On affected versions, unauthenticated users can inject wiki syntax and Groovy code into the text parameter of the SolrSearch endpoint, typically:
/xwiki/bin/get/Main/SolrSearch?media=rss&text=... or /xwiki/bin/view/Main/SolrSearch?media=rss&text=....
By URL-encoding a payload like:
}}}{{async async=false}}{{groovy}}println("Hello from" + " search text:" + (23 + 19)){{/groovy}}{{/async}}
and sending it in text, XWiki processes the {{groovy}} macro while generating an RSS feed and executes attacker-controlled Groovy. The output appears in the RSS item title. On any XWiki instance that evaluates user-supplied search text in this way (prior to 15.10.11 / 16.4.1 / 16.5.0RC1), an unauthenticated attacker can run arbitrary Groovy code simply by crafti...

🤖 Agent Actions

Summary:

  • Expanded src/pentesting-web/ssti-server-side-template-injection/README.md with a dedicated subsection on abusing XWiki’s SolrSearch RSS renderer (CVE-2025-24893), covering discovery, payload crafting, safe command execution, post-exploitation of hibernate.cfg.xml, and the impact of NoNewPrivileges; added the required reference section citing the new sources.
  • Updated src/linux-hardening/privilege-escalation/README.md by documenting the Netdata ndsudo PATH injection bug (CVE-2024-32019) with step-by-step exploitation commands, a sample payload, and hardening guidance; appended references for the new material.

Tests: Not run (not requested).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
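The technical details above describe the request shape (a `SolrSearch` request with `media=rss` whose `text` parameter carries `{{async}}`/`{{groovy}}` wiki macros) and the version boundaries (fixed in 15.10.11 / 16.4.1 / 16.5.0RC1). As an added defender's example, not part of this PR or of the cited post, the Python below scans Apache-style access-log lines for exactly that pattern, percent-decoding the `text` parameter more than once so double-encoded variants are not missed, and classifies an XWiki version string against the quoted fix versions. The log lines, the macro list (only the two macros named in the post) and the `SOLR_PATH_RE` endpoint pattern are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not taken from the post.
# Line 2 carries the post's harmless "Hello" probe, URL-encoded; line 4 is the same
# macro double-encoded, which a single decode pass would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Dec/2025:10:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
10.0.0.7 - - [06/Dec/2025:10:00:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 812
10.0.0.9 - - [06/Dec/2025:10:00:03 +0000] "GET /xwiki/bin/view/Main/SolrSearch?media=rss&text=installation+guide HTTP/1.1" 200 2300
10.0.0.11 - - [06/Dec/2025:10:00:04 +0000] "GET /xwiki/bin/view/Main/SolrSearch?text=%257B%257Bgroovy%257D%257D HTTP/1.1" 200 700
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Both endpoints quoted in the post: /xwiki/bin/{get,view}/<Space>/SolrSearch (assumed pattern).
SOLR_PATH_RE = re.compile(r'/bin/(get|view)/[^/?]+/SolrSearch$')
# Macros named in the post's payload; extend the alternation if you watch for others.
MACRO_RE = re.compile(r'\{\{/?(groovy|async)\b', re.IGNORECASE)
MAX_DECODE = 3  # parse_qs decodes once; allow two more rounds for double/triple encoding


def decode_text_param(target):
    """Return (decoded `text` value, decode depth) for a request target, or (None, 0)."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = qs.get('text')
    if not values:
        return None, 0
    text, depth = values[0], 1
    while depth < MAX_DECODE:
        decoded = unquote(text)
        if decoded == text:      # stable: no further percent-encoding layers
            break
        text, depth = decoded, depth + 1
    return text, depth


def find_macros(text):
    """Distinct macro names present in the search text, lower-cased, in order seen."""
    seen = []
    for m in MACRO_RE.finditer(text):
        name = m.group(1).lower()
        if name not in seen:
            seen.append(name)
    return seen


def scan_log(log_text):
    """Flag SolrSearch requests whose decoded `text` parameter embeds wiki macros."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group('target')
        if not SOLR_PATH_RE.search(urlsplit(target).path):
            continue
        text, depth = decode_text_param(target)
        if text is None:
            continue
        macros = find_macros(text)
        if not macros:
            continue
        findings.append({
            'ip': m.group('ip'),
            'timestamp': m.group('ts'),
            'path': urlsplit(target).path,
            'macros': macros,
            'decode_depth': depth,
            # the post's payload opens with "}}}"; record it as a secondary indicator
            'breaks_out': text.startswith('}}}'),
            'text': text,
        })
    return findings


def parse_version(v):
    """Parse 'MAJOR.MINOR.PATCH' or 'MAJOR.MINOR.PATCHRCn' into a comparable tuple."""
    m = re.fullmatch(r'(\d+)\.(\d+)\.(\d+)(?:RC(\d+))?', v)
    if not m:
        raise ValueError(f'unrecognised XWiki version: {v!r}')
    major, minor, patch, rc = m.groups()
    rc_rank = int(rc) if rc is not None else float('inf')  # final release sorts after any RC
    return int(major), int(minor), int(patch), rc_rank


def is_fixed_version(v):
    """True if v is at or above the fix versions quoted in the post (15.10.11 / 16.4.1 / 16.5.0RC1)."""
    ver = parse_version(v)
    if ver[0] < 15:
        return False
    if ver[0] == 15:
        return ver >= parse_version('15.10.11')
    if ver[0] == 16:
        if ver[1] <= 4:
            return ver >= parse_version('16.4.1')
        return ver >= parse_version('16.5.0RC1')
    return True


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} macros={f['macros']} depth={f['decode_depth']} breaks_out={f['breaks_out']}")
    print('16.4.0 fixed:', is_fixed_version('16.4.0'))
```

Run it against a real access log by reading the file into `scan_log`; a hit on a version that `is_fixed_version` reports as unpatched is the combination worth escalating, while hits on a patched instance still show who is probing. Decoding is bounded at three rounds so a hostile parameter cannot keep the loop busy.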

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/12/06/htb-editor.html

Content Categories: Based on the analysis, this content was categorized under "1) network-services-pentesting/pentesting-web (new subsection: "XWiki SolrSearch Groovy RCE (CVE-2025-24893)" under a possible XWiki or CMS-specific area); 2) linux-hardening/linux-privilege-escalation (add to SUID / PATH-based privesc patterns, e.g., a subsection like "Abusing SUID Helpers That Trust PATH (Netdata ndsudo CVE-2024-32019)")".

Repository Maintenance:

  • MD Files Formatting: 914 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit 3ddb8ee into master Dec 7, 2025
@carlospolop carlospolop deleted the update_HackTheBox_Editor__Unauthenticated_XWiki_Groovy_RC_20251206_182906 branch December 7, 2025 14:07