本文介绍了一种针对Linux操作系统的渗透测试,主要内容包括通过利用CVE-2025-24893漏洞获取初步Shell,并通过枚举和检查获得凭据。接着,利用CVE-2024-32019漏洞进行特权提升。文章详细描述了Nmap扫描结果、Web服务的发现,以及随后使用的工具和方法,提供了具体的漏洞利用链接和相关信息。 This article introduces a penetration test targeting a Linux operating system. The main content includes obtaining an initial shell by exploiting CVE-2025-24893, followed by credential harvesting through enumeration and inspection. Subsequently, privilege escalation is achieved by leveraging CVE-2024-32019. The article details the Nmap scan results, the discovery of web services, and the tools and methods subsequently used, providing specific exploit links and related information.
OS:Linux
Easy
Foothold:
CVE-2025-24893 XWiki 15.10.8
PrivEsc:
CVE-2024-32019 ndsudoRecon
┌──(kali㉿kali)-[~/Work/Work]
└─$ sudo nmap --open 10.10.11.80 -A
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-28 02:36 EST
Nmap scan report for 10.10.11.80
Host is up (1.1s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open http Jetty 10.0.20
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
|_http-server-header: Jetty(10.0.20)
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_ Potentially risky methods: PROPFIND LOCK UNLOCK
| http-webdav-scan:
| WebDAV type: Unknown
| Server Type: Jetty(10.0.20)
|_ Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 739.30 ms 10.10.16.1
2 371.46 ms 10.10.11.80
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.88 secondsWeb
8080
发现版本号XWiki 15.10.8
查看发现此Poc
Foothold
使用后即可得到初步shell
枚举路径后发现
查看/home得到凭据:oliver:theEd1t0rTeam99
PrivEsc
运行linpeas.sh
搜索后发现
OS: Linux
Easy
Foothold:
CVE-2025-24893 XWiki 15.10.8
PrivEsc:
CVE-2024-32019 ndsudoRecon
┌──(kali㉿kali)-[~/Work/Work]
└─$ sudo nmap --open 10.10.11.80 -A
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-28 02:36 EST
Nmap scan report for 10.10.11.80
Host is up (1.1s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editor.htb/
8080/tcp open http Jetty 10.0.20
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
| http-title: XWiki - Main - Intro
|_Requested resource was http://10.10.11.80:8080/xwiki/bin/view/Main/
|_http-server-header: Jetty(10.0.20)
| http-robots.txt: 50 disallowed entries (15 shown)
| /xwiki/bin/viewattachrev/ /xwiki/bin/viewrev/
| /xwiki/bin/pdf/ /xwiki/bin/edit/ /xwiki/bin/create/
| /xwiki/bin/inline/ /xwiki/bin/preview/ /xwiki/bin/save/
| /xwiki/bin/saveandcontinue/ /xwiki/bin/rollback/ /xwiki/bin/deleteversions/
| /xwiki/bin/cancel/ /xwiki/bin/delete/ /xwiki/bin/deletespace/
|_/xwiki/bin/undelete/
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_ Potentially risky methods: PROPFIND LOCK UNLOCK
| http-webdav-scan:
| WebDAV type: Unknown
| Server Type: Jetty(10.0.20)
|_ Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, LOCK, UNLOCK
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8080/tcp)
HOP RTT ADDRESS
1 739.30 ms 10.10.16.1
2 371.46 ms 10.10.11.80
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.88 secondsWeb
8080
Version XWiki 15.10.8 discovered
Review and discovered this Poc
Foothold
Using it yields an initial shell
After enumerating paths, discovered
Checking /home reveals credentials: oliver:theEd1t0rTeam99
PrivEsc
Running linpeas.sh
After searching, discovered