WingData (Wing FTP RCE → Python tarfile PATH_MAX bypass)

hackthebox

Task: Full HackTheBox machine with Wing FTP Server v7.4.3. Solution: CVE-2025-47812 unauthenticated RCE via NULL byte injection in username for initial access, SHA-256 salted hash cracking for user credentials, then CVE-2025-4517 Python tarfile data filter PATH_MAX bypass for privilege escalation to root.

apache hashcat ssh wing_ftp cve-2025-47812 cve-2025-4517 null_byte_injection lua_injection session_injection sha256_salted_hash tarfile_data_filter path_max_bypass symlink_escape python_tarfile

null_byte_session_injection_rcelua_code_injection_via_sessionsha256_salt_crackingtarfile_path_max_symlink_escapenested_directory_path_overflowssh_key_injectionbase64_exfiltration

$ ls tags/ techniques/

apache hashcat ssh wing_ftp cve-2025-47812 cve-2025-4517 null_byte_injection lua_injection session_injection sha256_salted_hash tarfile_data_filter path_max_bypass symlink_escape python_tarfile

null_byte_session_injection_rcelua_code_injection_via_sessionsha256_salt_crackingtarfile_path_max_symlink_escapenested_directory_path_overflowssh_key_injectionbase64_exfiltration

$ cat /etc/rate-limit

Rate limit reached (20 reads/hour per IP). Showing preview only — full content returns at the next hour roll-over.

WingData (Wing FTP RCE → Python tarfile PATH_MAX bypass) — HackTheBox

Description

Full machine on HackTheBox. Wing FTP Server v7.4.3 with CVE-2025-47812 vulnerability (unauthenticated RCE via NULL byte injection in username) for initial access, then cracking SHA-256 salted hashes from Wing FTP configs, and privilege escalation via CVE-2025-4517 — Python tarfile data filter bypass through PATH_MAX overflow.

Target: 10.129.4.210
OS: Linux (Debian-based)
Stack: Apache 2.4.66, Wing FTP Server v7.4.3 (Free Edition), Python 3.12.3
Users: root, wacky (uid=1000), wingftp

Flags

#	Type	Flag	Method
1	User	`79fe504bb3f54818c9b9179031c1957c`	SSH as wacky (cracked Wing FTP hash)
2	Root	`e7f9f385b134b649752bc7ef5fb10f45`	CVE-2025-4517 tarfile PATH_MAX → SSH key injection

Reconnaissance

Nmap Scan

nmap -sV -sC -T4 -p- --min-rate=1000 10.129.4.210

Open ports:

22 — SSH (OpenSSH 9.2p1)
80 — HTTP (Apache 2.4.66) → redirect to wingdata.htb

Internal ports (discovered after initial access):

8080 — localhost admin interface
5466 — Wing FTP admin panel
37433 — internal service

Identification

Port 80 → wingdata.htb — corporate site "WingData Solutions"
Link "Client Portal" → http://ftp.wingdata.htb/
FTP subdomain: Wing FTP Server v7.4.3 (Free Edition) with web login interface
Version < 7.4.4 → vulnerable to CVE-2025-47812

Step 1: Initial Access — CVE-2025-47812 (Wing FTP Server RCE)

Wing FTP Server versions before 7.4.4 have a critical vulnerability CVE-2025-47812 — unauthenticated RCE via NULL byte injection in the username parameter during login.

Vulnerability

Exploitation mechanism:

NULL byte truncation in authentication: the c_CheckUser() function uses strlen(), which truncates the string at NULL byte (%00). If you pass anonymous%00<lua_code>, authentication passes as user anonymous.

...