Editor - Hack The Box Machine

August 2025

User Flag

After a nmap on the IP, port 8080 was revealed with XWiki Debian 15.10.8 running.

CVE-2025-24893

pops a shell as xwiki user

Now I need credentials for the user oliver

On /etc/xwiki/hibernate.cfg.xml:

<property name="hibernate.connection.url">jdbc:mysql://localhost/xwiki?useSSL=false&amp;connectionTimeZone=LOCAL&amp;allowPublicKeyRetrieval=true</property>
    <property name="hibernate.connection.username">xwiki</property>
    <property name="hibernate.connection.password">theEd1t0rTeam99</property>
    <property name="hibernate.connection.driver_class">com.mysql.cj.jdbc.Driver</property>
    <property name="hibernate.dbcp.poolPreparedStatements">true</property>
    <property name="hibernate.dbcp.maxOpenPreparedStatements">20</property>

This password is the password for the oliver account in the machine.

Root Flag

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:34015         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8125          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:19999         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      -
tcp6       0      0 127.0.0.1:8079          :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

Port 19999, Netdata running

https://github.com/AzureADTrent/CVE-2024-32019-POC

/opt/netdata/usr/libexec/netdata/plugins.d/ndsudo nvme-list