@carlospolop
Collaborator

🔧 Automated Privilege Escalation Check Addition

🤔 Privilege Escalation Reasoning

The blog describes a local Linux privilege escalation via Netdata's ndsudo helper (CVE-2024-32019). ndsudo is a SUID-root (or otherwise privileged) wrapper that runs a fixed set of sub-commands, but on vulnerable versions it resolves those sub-commands purely via the PATH environment. Any user allowed to invoke ndsudo can place a malicious binary (e.g., named 'nvme') in a writable directory and then run:

PATH=/dev/shm:$PATH /path/to/ndsudo nvme-list

ndsudo will pick up and execute the attacker's 'nvme' as root, giving arbitrary root code execution. This is a generic and realistic local PATH hijack pattern against a widely deployed monitoring tool (Netdata), not a custom CTF-only configuration and not an esoteric third‑party app. It is therefore appropriate for automated enumeration in linpeas.

Other content:

  • XWiki Groovy RCE is remote code execution on a webapp, not local privilege escalation from a compromised low-priv OS user to a higher-priv user, so it does not belong in linpeas/winpeas.
  • Credential harvesting from ORM configs is already a general best practice and is broadly covered by existing config/secret checks in linpeas.
  • The SUID bash copy trick and systemd NoNewPrivileges discussion are generic techniques/mitigations, not tied to a new, specific, automatable check.

The notable new, concrete, automatable privesc path is the Netdata ndsudo PATH injection on Linux.

🤖 Implementation Details

PEASS linpeas agent completed successfully with 86 items. Agent Comment: Summary:

  • Added a dedicated module (linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_Netdata_ndsudo.sh) that locates Netdata’s ndsudo helper (via PATH plus common install directories), verifies it is root-owned SUID and executable by the current user, parses its help output to list the logical commands and underlying executables it resolves through PATH, highlights writable directories suitable for hijacking, and prints a ready-to-use exploitation snippet along with the fixed Netdata versions.
  • Documented the new coverage in linPEAS/README.md under a “What’s new” section so users know linPEAS now reports potential Netdata ndsudo PATH injection (CVE-2024-32019).

Testing:

  • bash -n linPEAS/builder/linpeas_parts/8_interesting_perms_files/16_Netdata_ndsudo.sh

🏗️ Builder Agent Response

LinPEAS build agent completed successfully with 47 items. Agent Comment: ✅ LinPEAS build is now successful.

What I did:

  1. Ran the prescribed build command from /tmp/hacktricks_update_sxpcrzlj/repo/linPEAS, which initially failed because the new Netdata ndsudo module referenced several shell variables that weren’t declared in its metadata.
  2. Updated builder/linpeas_parts/8_interesting_perms_files/16_Netdata_ndsudo.sh to list the environment variables it consumes ($SEARCH_IN_FOLDER, $HOME, $PATH) and to declare every module-scoped variable it generates ($ndsudo_candidates, $guess_path, $found_paths, $guess_dir, $ndsudo_bin, $perm_info, $owner, $group, $perms, $ndsudo_help, $command_list, $exec_list, $writable_dirs, $hijack_dir, $default_exec, $default_cmd). This satisfies the linpeas builder’s metadata validation.
  3. Re-ran python3 -m builder.linpeas_builder --all --output /tmp/linpeas_fat.sh with a 600 s timeout; it completed successfully in ~72 seconds, producing the fat linpeas script at /tmp/linpeas_fat.sh.

No further errors remain, and the build artifact is ready for downstream use. Let me know if you’d like the resulting script copied elsewhere or need any additional verification.


This PR was automatically created by the HackTricks Feed Bot. Please review the implementation carefully and test thoroughly before merging.
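
The ownership and permission part of the check described in this PR, as an added example that is not the linPEAS module or any code from this pull request. The function names are hypothetical, and the helper's location is passed in as an argument because the page does not list the install directories it searches.

```shell
#!/bin/sh
# Added audit sketch, not the linPEAS module. Function names are hypothetical.

# Succeed if $1 is a regular file with the setuid bit, owned by uid 0,
# and executable by the current user.
is_suid_root_helper() {
    [ -f "$1" ] && [ -u "$1" ] && [ -x "$1" ] || return 1
    owner=$(ls -ldn -- "$1" | awk '{print $3}')   # numeric uid column
    [ "$owner" = "0" ]
}

# Print every entry of the colon-separated list $1 that is a directory the
# current user can write to. An empty entry means the current directory.
writable_path_dirs() {
    old_ifs=$IFS
    IFS=:
    set -f                       # no globbing while splitting
    for d in $1; do
        if [ -z "$d" ]; then d=.; fi
        if [ -d "$d" ] && [ -w "$d" ]; then printf '%s\n' "$d"; fi
    done
    set +f
    IFS=$old_ifs
}

# Report on the helper at $1. Returns 0 when it is SUID root and callable by
# this user (so the installed Netdata version must be checked), 1 otherwise.
audit_ndsudo() {
    if ! is_suid_root_helper "$1"; then
        echo "[-] $1: not a root-owned SUID file executable by uid $(id -u)"
        return 1
    fi
    echo "[!] $1: root-owned SUID, executable by uid $(id -u)"
    echo "    verify the Netdata release includes the CVE-2024-32019 fix"
    writable_path_dirs "$PATH" | sed 's/^/    writable PATH entry: /'
    return 0
}

# Usage: sh audit.sh /path/to/ndsudo
if [ "$#" -gt 0 ]; then
    audit_ndsudo "$1"
fi
```

A non-zero exit only means this user cannot reach a root-owned SUID helper at that path; it says nothing about the installed Netdata version.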
