WingData (Easy Linux)

CVE Chain: CVE-2025-47812 → Hash extraction → SSH → CVE-2025-4517

Recon

Open ports: 22, 80. wingdata.htb redirects to ftp.wingdata.htb — Wing FTP Server 7.4.3. Add both to /etc/hosts.

CVE-2025-47812 — Wing FTP Unauthenticated RCE via Lua Injection

Wing FTP stores sessions as executable Lua scripts. A null byte in the username breaks out of the Lua string literal that holds it, so whatever follows in the username is written into the session file as Lua code and executed.
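From the defender's side, the root cause above is that untrusted input is embedded in generated code. The block below is an added example and not part of the writeup or of Wing FTP: it decodes a submitted username field the way a web front end would and reports any byte that could terminate or escape a Lua string literal (NUL, quotes, backslash, control characters, the `]]` long-bracket close), then runs that check over a few constructed login records. The allowlist in `is_allowed_username` is a policy I chose for illustration, not a Wing FTP setting.

```python
import re
from urllib.parse import unquote_to_bytes

# Byte sequences that can close or escape a Lua string literal. If a value
# containing any of these is ever written into a Lua script as a quoted
# string, the rest of the value becomes code.
LUA_STRING_BREAKERS = (
    (b"'", "single quote"),
    (b'"', "double quote"),
    (b"\\", "backslash"),
    (b"]]", "long-bracket close"),
)

# Conservative allowlist for account names (assumed policy, not Wing FTP's).
ALLOWED_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def username_findings(raw_param: str) -> list[str]:
    """Percent-decode a username as received in a form field and list
    everything that should never appear in an account name.

    Decoding happens first because '%00' only becomes a NUL byte after the
    web layer unquotes the parameter."""
    decoded = unquote_to_bytes(raw_param)
    findings = []
    if b"\x00" in decoded:
        findings.append("NUL byte")
    if re.search(rb"[\x01-\x1f\x7f]", decoded):
        findings.append("control character")
    for seq, label in LUA_STRING_BREAKERS:
        if seq in decoded:
            findings.append(label)
    return findings


def is_allowed_username(raw_param: str) -> bool:
    """Positive validation: accept only names that match the allowlist.
    Rejecting known-bad bytes is defence in depth; this is the real gate."""
    try:
        decoded = unquote_to_bytes(raw_param).decode("utf-8")
    except UnicodeDecodeError:
        return False
    return ALLOWED_USERNAME.fullmatch(decoded) is not None


# Constructed sample records (client address, raw username parameter).
# These are made up for the example, not captured traffic.
SAMPLE_LOGINS = [
    ("10.0.0.5", "alice"),
    ("10.0.0.5", "bob.smith"),
    ("203.0.113.9", "anonymous%00"),
    ("203.0.113.9", "guest%27"),
]


def flag_logins(records):
    """Return (client, raw username, findings) for every record whose
    username carries a string-breaking byte."""
    flagged = []
    for client, raw in records:
        findings = username_findings(raw)
        if findings:
            flagged.append((client, raw, findings))
    return flagged


if __name__ == "__main__":
    for client, raw, findings in flag_logins(SAMPLE_LOGINS):
        print(f"{client} {raw!r}: {', '.join(findings)}")
    for _, raw in SAMPLE_LOGINS:
        print(f"{raw!r} allowed: {is_allowed_username(raw)}")
```

The two checks are deliberately separate: `username_findings` is what a detection rule or WAF log review needs (it tells you what was attempted), while `is_allowed_username` is what the application should enforce before the value reaches any session or config writer.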


Hash Extraction

Wing FTP hashes passwords as SHA256(pass . pass . pass . salt), where the salt is the configured SaltingString value, here WingFTP.
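The scheme above uses one fixed, application-wide salt and a single fast hash, so every account with the same password ends up with the same digest and each guess costs one SHA-256. The block below is an added example, not code from the writeup or from Wing FTP: it implements the stated formula so a stored hash can be checked for format, then contrasts it with a per-user salted, iterated PBKDF2-HMAC-SHA256 hash of the kind a password store should use. UTF-8 encoding and lowercase hex output are my assumptions about how the digest is stored.

```python
import hashlib
import hmac
import os

# Salt value quoted on the page.
SALTING_STRING = "WingFTP"


def wing_ftp_hash(password: str, salt: str = SALTING_STRING) -> str:
    """SHA256(pass . pass . pass . salt) as stated above.
    Encoding and hex formatting are assumptions, not confirmed details."""
    material = (password * 3 + salt).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def verify_wing_ftp(stored_hex: str, candidate: str,
                    salt: str = SALTING_STRING) -> bool:
    """Constant-time comparison of a stored digest against one candidate."""
    return hmac.compare_digest(stored_hex.lower(), wing_ftp_hash(candidate, salt))


# Hardened alternative: random per-user salt plus a slow KDF.
PBKDF2_ITERATIONS = 600_000


def hash_with_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<dk hex>'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(stored: str, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_collides(password: str, scheme) -> bool:
    """True if hashing the same password for two users yields identical
    stored values, i.e. the scheme has no per-user salt."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    pw = "Winter2024!"  # constructed sample password
    print("wing ftp digests equal across users:",
          same_password_collides(pw, wing_ftp_hash))
    print("pbkdf2 digests equal across users:",
          same_password_collides(pw, hash_with_pbkdf2))
```

The point of `same_password_collides` is that with a fixed salt a single cracked digest unlocks every account sharing that password, and a precomputed table for the fixed salt works against every installation with the default SaltingString; per-user random salts remove both properties, and the iteration count makes each guess expensive.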


Tip: Special characters (>, |, ') break the Lua injection. Use grep instead of cat for file reading. For reverse shells, fetch the payload with wget from an attacker-controlled HTTP server, since direct callbacks are filtered.

SSH & Privilege Escalation


Same CVE-2025-4517 tarfile exploit as on Facts. Root obtained.
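The Facts writeup this line points to is not on this page, and the exact extraction bug behind CVE-2025-4517 is not described here either. What a defender can do independently of library version is audit an archive before extracting it: every member path and every link target must resolve inside the destination, and no member may be written through a symlink the archive itself created. The block below is an added example, not code from the writeup or from Python's tarfile module; the archive contents and the destination path /srv/extract are constructed for the demonstration.

```python
import io
import posixpath
import tarfile


def _inside(dest: str, path: str) -> bool:
    """True if the normalized path is dest itself or lies beneath it."""
    dest = posixpath.normpath(dest)
    path = posixpath.normpath(path)
    return path == dest or path.startswith(dest + "/")


def _parents(name: str) -> list[str]:
    """All directory prefixes of a normalized member name."""
    parts = name.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def audit_members(archive: bytes, dest: str):
    """Return (safe_names, rejected) where rejected is a list of
    (name, reason). Nothing is written to disk."""
    safe, rejected = [], []
    symlinks = set()  # normalized paths of symlinks seen so far in the archive
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            reason = None
            if posixpath.isabs(m.name) or not _inside(dest, posixpath.join(dest, m.name)):
                reason = "path escapes destination"
            elif any(parent in symlinks for parent in _parents(name)):
                # A later member whose path goes through an earlier symlink
                # would be written wherever that link points.
                reason = "path passes through an in-archive symlink"
            elif m.issym():
                symlinks.add(name)
                # A relative link target is resolved against the link's own directory.
                target = (m.linkname if posixpath.isabs(m.linkname)
                          else posixpath.join(dest, posixpath.dirname(name), m.linkname))
                if not _inside(dest, target):
                    reason = "symlink target escapes destination"
            elif m.islnk():
                if not _inside(dest, posixpath.join(dest, m.linkname)):
                    reason = "hardlink target escapes destination"
            elif not (m.isfile() or m.isdir()):
                reason = "unsupported member type"
            if reason:
                rejected.append((m.name, reason))
            else:
                safe.append(m.name)
    return safe, rejected


def build_sample_archive() -> bytes:
    """Constructed test archive (not from the target): one normal file, one
    traversal path, one absolute symlink, and a file written through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", type_=tarfile.REGTYPE, linkname=""):
            info = tarfile.TarInfo(name)
            info.type = type_
            info.linkname = linkname
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)
        add("app/config.ini", b"listen=8080\n")
        add("../../outside.txt", b"escaped\n")
        add("app/link", type_=tarfile.SYMTYPE, linkname="/outside/target")
        add("app/link/hidden.txt", b"written through the link\n")
    return buf.getvalue()


if __name__ == "__main__":
    safe, rejected = audit_members(build_sample_archive(), "/srv/extract")
    print("safe:", safe)
    for name, reason in rejected:
        print(f"rejected {name!r}: {reason}")
```

On interpreters that support it, `tarfile.extractall(..., filter="data")` enforces rules of this kind during extraction; the audit above gives the same decision up front so the archive can be logged or quarantined instead of partially unpacked, and it is the patch level of the interpreter, not the audit, that closes the CVE itself.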

User Flag: /home/wacky/user.txt
Root Flag: /root/root.txt