HackTheBox - WingData
Machine: WingData
Difficulty: Easy
Tools Used: Nmap, ffuf, searchsploit, hashcat, Python, sshpass
Table of Contents
- Reconnaissance
- Foothold - CVE-2025-47812: Wing FTP Lua Injection RCE
- Lateral Movement - Credential Extraction & Hash Cracking
- Privilege Escalation - CVE-2025-4517: Python tarfile PATH_MAX Bypass
- Attack Chain Overview
Reconnaissance
Port Scanning
Starting with a comprehensive Nmap scan to map the attack surface:
$ nmap -A -sC -sS -v -p- --min-rate=1000 <TARGET_IP> -oN nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
| 256 [REDACTED] (ECDSA)
|_ 256 [REDACTED] (ED25519)
80/tcp open http Apache httpd 2.4.66
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-title: WingData Solutions
|_http-server-header: Apache/2.4.66
Service Info: Host: localhost; OS: Linux
Only two ports are exposed -- SSH on port 22 and Apache on port 80. The HTTP title reads "WingData Solutions," and the host resolves to wingdata.htb, which we add to /etc/hosts.
Virtual Host Enumeration
With only two ports and a web application in play, searching for hidden virtual hosts is a logical next step. Using ffuf against a subdomain wordlist while filtering out the default response:
$ ffuf -w /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt \
-u http://wingdata.htb -H "Host: FUZZ.wingdata.htb" -t 1000 -c -fw 21
ftp [Status: 200, Size: 678, Words: 44, Lines: 10, Duration: 574ms]
A single virtual host surfaces: ftp.wingdata.htb. After adding it to /etc/hosts and navigating to it, the response headers reveal the software immediately:
Server: Wing FTP Server(Free Edition)
The login page at /login.html confirms we are dealing with Wing FTP Server, a commercial multi-protocol file server with an embedded Lua scripting engine. This detail about the Lua engine turns out to be critical.
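As a defender-side complement to the Host-header fuzzing above, here is an added example (not from the original writeup) that flags clients cycling through many distinct Host headers in an Apache access log. It assumes a custom LogFormat that records the raw Host header, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed Apache LogFormat (not the box's own config) recording the raw Host
# header, since %v only logs the vhost that ended up serving the request:
#   LogFormat "%h %{Host}i %t \"%r\" %>s %b" hostlog
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<host>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client_ip, host_header, timestamp) or None if the line is malformed."""
    m = LINE_RE.match(line)
    return (m["ip"], m["host"].lower(), datetime.strptime(m["ts"], TS_FMT)) if m else None

def vhost_fuzz_sources(lines, window_s=60, threshold=20):
    """Return {client_ip: peak} for clients whose peak number of distinct Host
    headers inside any window_s-second sliding window exceeds threshold."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, host, ts = parsed
            by_ip[ip].append((ts, host))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        window, counts, peak = deque(), defaultdict(int), 0
        for ts, host in events:
            window.append((ts, host))
            counts[host] += 1
            # Drop events older than the window and forget hosts no longer in it.
            while (ts - window[0][0]).total_seconds() > window_s:
                _, old_host = window.popleft()
                counts[old_host] -= 1
                if counts[old_host] == 0:
                    del counts[old_host]
            peak = max(peak, len(counts))
        if peak > threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample log: one client cycles through 25 candidate Host headers in
# a few seconds; another browses wingdata.htb normally.
FUZZ_NAMES = [f"cand{i:02d}" for i in range(24)] + ["ftp"]
SAMPLE_LOG = [f'10.10.14.5 {n}.wingdata.htb [01/Jan/2025:12:00:{i % 10:02d} +0000] '
              f'"GET / HTTP/1.1" 200 678' for i, n in enumerate(FUZZ_NAMES)] + [
    '10.10.14.9 wingdata.htb [01/Jan/2025:12:00:05 +0000] "GET / HTTP/1.1" 200 4102',
    '10.10.14.9 ftp.wingdata.htb [01/Jan/2025:12:01:10 +0000] "GET /login.html HTTP/1.1" 200 678',
]
```

Running `vhost_fuzz_sources(SAMPLE_LOG)` reports the fuzzing client with its peak of 25 distinct Host values, while the normal browser stays below the threshold.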