Executive Summary

WingData is an Easy-rated Linux machine that demonstrates critical vulnerabilities in outdated software. The attack chain exploits two high-severity CVEs:

  • CVE-2025-47812 - Unauthenticated Remote Code Execution in Wing FTP Server 7.4.3

  • CVE-2025-4138 - Python tarfile PATH_MAX bypass allowing arbitrary file write

The exploitation process involves:

  1. Exploiting Wing FTP's NULL byte handling vulnerability to inject Lua code

  2. Extracting and cracking user password hashes (sha256 with salt)

  3. Leveraging Python 3.12.3's tarfile vulnerability to write SSH keys to root's authorized_keys

  4. Obtaining full root access via SSH key authentication
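
A defender-side pre-extraction check for the tarfile issue named in step 3, added here as an example and not code from this writeup or from CPython: it refuses archives that contain links, device nodes, absolute or '..' paths, or names that reach PATH_MAX. The function names, the 4096 limit and the in-memory sample archives are assumptions constructed for illustration.

```python
import io
import tarfile
from pathlib import PurePosixPath

PATH_LIMIT = 4096  # assumption: Linux PATH_MAX; adjust for the target platform


def audit_members(tar, limit=PATH_LIMIT):
    """Return reasons to refuse extraction; an empty list means nothing was flagged."""
    problems = []
    for m in tar.getmembers():
        label = repr(m.name[:60])
        if m.issym() or m.islnk():
            # Policy assumption: refuse links outright rather than trusting
            # path resolution of their targets at extraction time.
            problems.append(f"{label}: link member -> {m.linkname[:60]!r}")
        if m.isdev():
            problems.append(f"{label}: device or FIFO member")
        if m.name.startswith("/") or ".." in PurePosixPath(m.name).parts:
            problems.append(f"{label}: absolute path or '..' component")
        if max(len(m.name), len(m.linkname)) >= limit:
            problems.append(f"{label}: name or link target reaches {limit} chars")
    return problems


def build_sample(entries):
    """Build a constructed in-memory archive from (name, type, linkname) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, target in entries:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, target
            tar.addfile(info)  # size 0, so no file object is needed
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


if __name__ == "__main__":
    # Constructed samples, not archives from the machine in this writeup.
    clean = build_sample([("backup/report.txt", tarfile.REGTYPE, "")])
    odd = build_sample([
        ("backup/notes.txt", tarfile.REGTYPE, ""),
        ("backup/current", tarfile.SYMTYPE, "releases/v1"),
        ("../outside.txt", tarfile.REGTYPE, ""),
    ])
    for name, archive in (("clean", clean), ("odd", odd)):
        findings = audit_members(archive)
        print(name, "OK to extract" if not findings else findings)
```

Run the audit before any call to extractall() and refuse the whole archive when the returned list is not empty.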

Reconnaissance

Network Scanning

Initial port scan revealed two open services:

# Fast port discovery
sudo nmap -sS -p- --min-rate 10000 -T5 10.129.225.27 -oG ports.txt

# Results
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Service Enumeration

Detailed service fingerprinting identified specific versions:

# Extract discovered ports
ports=$(grep -oP '\d+/open' ports.txt | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')

# Deep enumeration
sudo nmap -sC -sV -A -O -p$ports 10.129.225.27 -oA wingdata_detailed

Key Findings:

Port     Service   Version                          Details
22/tcp   SSH       OpenSSH 9.2p1 Debian 2+deb12u7   Standard SSH service
80/tcp   HTTP      Apache httpd 2.4.66              Hosting WingData Solutions website

Operating System: Linux (Debian 12)

Web Application Analysis

Main Site (wingdata.htb)

The primary website presented WingData Solutions, a file transfer company advertising:

  • Secure file transfer services

  • Global collaboration tools

  • Regulatory compliance features

  • Link to client portal at ftp.wingdata.htb

FTP Portal (ftp.wingdata.htb)

Accessing the subdomain revealed:

Wing FTP Server - Web Client
Version: 7.4.3
Login interface with username/password fields

Name resolution (/etc/hosts entry):

echo "10.129.225.27 wingdata.htb ftp.wingdata.htb" | sudo tee -a /etc/hosts

This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.
