{
"path": "/blog/htb-writeup-wingdata",
"site": "at://did:plc:5fyfskntvw6jltxmdu2we7nw/site.standard.publication/3mdro5atvvd2o",
"tags": [
"ctf"
],
"$type": "site.standard.document",
"title": "HTB Writeup - WingData",
"bskyPostRef": {
"cid": "bafyreidw2z6lqjbegal46migr6i5m6eqaw7cyw7sigg7gwmmqjzmd7icgi",
"uri": "at://did:plc:5fyfskntvw6jltxmdu2we7nw/app.bsky.feed.post/3mfn2kzsv4i2r"
},
"publishedAt": "2026-02-19T00:00:00.000Z",
"textContent": "Intro\n\nWhoops, just realized I missed the first two weeks of the HTB season. Week 3 is WingData, an easy-rated Linux box. The server is running OpenSSH and a webserver that takes you to a page for a file sharing program.\n\nClicking \"Client Portal\" takes you to ftp.wingdata.htb, a login page for Wing FTP Server.\n\nInitial Intrusion\n\nThe initial intrusion here is very simple to find and execute. The version of Wing FTP Server is displayed as v7.4.3, and a quick search finds a critical CVE for it. The vulnerability is caused by improper handling of null bytes in the username value. A maliciously crafted request can inject Lua code into session files, which can then be executed by visiting the targeted path.\n\nI wrote a custom RCE module to use with toboggan, giving me a more convenient-to-use shell. One small issue I ran into was that my script didn't log out after, which eventually led to me hitting the logon limit for the user anonymous. After adding a request to the logout endpoint to my module and restarting the server, I had a nice simple shell.\n\n<div class=\"special-block block-note\">\nI could've just used the exploit on its own or used a reverse shell, but I'd never used toboggan and wanted to write a module for fun.\n</div>\n\nAfter looking around on the system for a bit I found a user named wacky who had a Wing FTP account and a local user. The file /opt/wftpserver/Data/1/users/wacky.xml contained account data, including the hash. After some research about how Wing FTP hashes passwords, I found that it was a SHA256 hash with the salt string \"WingFTP\" appended. With this info, I was able to crack the password using hashcat and rockyou.txt, allowing me to ssh into the system as wacky and giving me the flag.\n\nPrivilege Escalation\n\nThe first thing I checked for was wacky's sudo privileges with sudo -l, where I found that wacky is allowed to run a python backup script with any input.\n\nI took a look at the script to see what could be exploited. The use of tarfile stuck out the most, and I quickly remembered hearing about a critical CVE from last year. This was CVE-2025-4517, which can be used to perform arbitrary filesystem writes. With a little more searching, I found this particularly handy exploit that includes preset attacks for privilege escalation, including one that injects an SSH key into /root/.ssh/authorized_keys.\n\nTo exploit the vulnerability, all I had to do was generate a malicious tar archive using the exploit, then run the backup script on it.\n\n<div class=\"special-block block-note\">\nI had a nice screenshot here showing the commands to run the exploit, but the next day when I opened this file the link was broken and the file is nowhere to be found. What the hell did org-attach do to my image?\n\nI even started the machine up again to go redo the exploit for screenshots, but I suddenly can't even ping it.\n</div>\n\nAll that was left was SSHing in as root and grabbing the key.\n\n<div class=\"special-block block-note\">\nI'm publishing this so late because instead of writing it I was adding support for .org files to this blog. Now I've already started on week 4, so it was about time to finish this.\n</div>",
"canonicalUrl": "https://quasigod.xyz/blog/htb-writeup-wingdata"
}