https://phucrio.me/tags/ffuf/Recent content in Ffuf on Rio BlogHugo -- 0.150.0enSun, 31 May 2026 17:38:09 -0400https://phucrio.me/posts/htb-wingdata-write-up/Sun, 31 May 2026 14:22:01 -0400https://phucrio.me/posts/htb-wingdata-write-up/<h2 id="summary">Summary</h2> <p>WingData is a Linux machine built around <strong>Wing FTP Server</strong>. The intended path chains a <strong>Wing FTP unauthenticated RCE</strong> into credential recovery for SSH access as <code>wacky</code>, followed by a root escalation through a <strong>Python <code>tarfile</code> extraction bug</strong> exposed by a sudo-allowed restore script.</p> <p>Attack chain:</p> <p><code>Wing FTP exposure → config leakage / credential recovery → SSH as wacky → vulnerable tar restore script → root</code></p> <table> <thead> <tr> <th>Step</th> <th>Technique</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td>Recon</td> <td><code>nmap</code>, vhost checks, <code>ffuf</code></td> <td>Wing FTP attack surface identified</td> </tr> <tr> <td>Initial access</td> <td>Wing FTP RCE / recovered credentials</td> <td>SSH as <code>wacky</code></td> </tr> <tr> <td>Privilege escalation</td> <td>CVE-2025-4517 (<code>tarfile.extractall(filter=&quot;data&quot;)</code>)</td> <td><code>root</code></td> </tr> </tbody> </table> <p><strong>Target</strong></p>