
WingData

HackTheBox WingData machine writeup — reconnaissance and enumeration walkthrough.


Executive Summary

WingData is an Easy-rated Linux machine built around two vulnerabilities in outdated software. The attack chain exploits two high-severity CVEs:

  • CVE-2025-47812 - Unauthenticated remote code execution in Wing FTP Server 7.4.3 (fixed in 7.4.4)
  • CVE-2025-4138 - Python tarfile PATH_MAX bypass allowing arbitrary file write

The exploitation process involves:

  1. Exploiting Wing FTP's NULL byte handling to inject Lua code: the part of the login username after a NULL byte is ignored by the credential check but is still written into the server's session file, which Wing FTP later loads as Lua
  2. Extracting the user password hashes (salted sha256) and cracking them offline
  3. Leveraging the tarfile vulnerability in Python 3.12.3 to write an attacker-controlled SSH public key into root's authorized_keys
  4. Obtaining full root access by authenticating over SSH with the matching private key

Reconnaissance

Network Scanning

Initial port scan revealed two open services:

# Fast port discovery
sudo nmap -sS -p- --min-rate 10000 -T5 10.129.225.27 -oG ports.txt

# Results
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Service Enumeration

Detailed service fingerprinting identified specific versions:

# Extract discovered ports from the grepable output (GNU grep -P)
ports=$(grep -oP '\d+/open' ports.txt | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')

# Deep enumeration (-A already implies -sC, -sV and -O)
sudo nmap -sC -sV -A -O -p$ports 10.129.225.27 -oA wingdata_detailed
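As an added example (not code from the original writeup), the port-extraction step above written as reusable shell functions that parse the fields of nmap's grepable (-oG) format instead of pattern-matching on "/open". The input is a constructed -oG snippet, not a capture from the target; it includes closed and filtered entries so the state filtering is visible.

```shell
#!/bin/sh
# Added example: parse nmap grepable output into the port list that the
# follow-up -sC -sV scan needs. SAMPLE_GNMAP is a constructed sample.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated (constructed sample)
Host: 10.129.225.27 ()  Status: Up
Host: 10.129.225.27 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///   Ignored State: closed (65531)
# Nmap done (constructed sample)'

# Split the "Ports:" field of each Host line into one entry per line.
# Entry layout: port/state/protocol/owner/service/rpc-info/version/
port_entries() {
  grep 'Ports:' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//'
}

# Open TCP ports, one per line (closed and filtered entries are dropped).
open_ports() {
  port_entries | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }'
}

# Comma-joined form suitable for nmap -p, e.g. "22,80".
port_list() {
  open_ports | paste -s -d ',' -
}

# "port service" pairs for open entries, a quick inventory of what nmap saw.
open_services() {
  port_entries | awk -F/ '$2 == "open" { print $1, $5 }'
}

# Stand-alone run against the constructed sample. On a real scan use:
#   port_list < ports.txt
printf '%s\n' "$SAMPLE_GNMAP" | open_services
printf 'nmap -sC -sV -p%s 10.129.225.27\n' "$(printf '%s\n' "$SAMPLE_GNMAP" | port_list)"
```

The awk filter on the state field is the point: the original grep matches any "NN/open" substring and would also pick up "open|filtered" entries from a UDP scan, while field-based parsing lets you choose exactly which states and protocols feed the next scan.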

Key Findings:

Port     Service   Version                          Details
22/tcp   SSH       OpenSSH 9.2p1 Debian 2+deb12u7   Standard SSH service
80/tcp   HTTP      Apache httpd 2.4.66              Hosting the WingData Solutions website

Operating System: Linux (Debian 12)

Web Application Analysis

Main Site (wingdata.htb)

The primary website presented WingData Solutions, a file transfer company advertising:

  • Secure file transfer services
  • Global collaboration tools
  • Regulatory compliance features
  • Link to client portal at ftp.wingdata.htb

FTP Portal (ftp.wingdata.htb)

Accessing the subdomain revealed:

Wing FTP Server - Web Client
Version: 7.4.3
Login interface with username/password fields

Host resolution (the .htb names are not in DNS, so both hostnames were added to /etc/hosts):

echo "10.129.225.27 wingdata.htb ftp.wingdata.htb" | sudo tee -a /etc/hosts


Premium Content

The full exploitation walkthrough, privilege escalation, and flags are available exclusively for members.

This post is licensed under CC BY 4.0 by the author.