HTB - WingData Write-Up

Summary WingData is a Linux machine built around Wing FTP Server. The intended path chains a Wing FTP unauthenticated RCE into credential recovery for SSH access as wacky, followed by a root escalation through a Python tarfile extraction bug exposed by a sudo-allowed restore script.

Attack chain: Wing FTP exposure → config leakage / credential recovery → SSH as wacky → vulnerable tar restore script → root

Step                  Technique                                        Result
Recon                 nmap, vhost checks, ffuf                         Wing FTP attack surface identified
Initial access        Wing FTP RCE / recovered credentials             SSH as wacky
Privilege escalation  CVE-2025-4517 (tarfile.extractall(filter="data")) root

Target ...

31-05-2026 · 5 min · phucrio

HTB - Facts Write-Up

Summary Facts is a Linux machine running Camaleon CMS behind nginx, with SSH exposed and a public MinIO/S3-style media service. Initial access comes from CVE-2024-46987, an authenticated Camaleon CMS path traversal / arbitrary file read. The file read is used to grab the user flag and an encrypted SSH private key for trivia. After cracking the SSH key passphrase, privilege escalation is straightforward because trivia can run /usr/bin/facter as root with NOPASSWD. Facter custom facts are Ruby files; loading one with --custom-dir executes Ruby code as root. ...

31-05-2026 · 3 min · phucrio

HTB - SmartHire Write-Up

Summary SmartHire is a medium-difficulty Linux machine from HackTheBox. It hosts an AI hiring platform built with Flask on nginx, using MLflow for model management. Initial access is gained via CVE-2024-37054, a pickle deserialization vulnerability in MLflow that allows remote code execution by overwriting a model artifact with a malicious payload. Privilege escalation exploits a writable plugin directory combined with a sudo rule — a crafted .pth file executed by site.addsitedir() runs as root. ...

30-05-2026 · 4 min · phucrio