https://z3r0s6.github.io/tags/tarfile/Recent content in Tarfile on z3r0sHugoenFri, 08 May 2026 00:00:00 +0000https://z3r0s6.github.io/machines/wingdata/Fri, 08 May 2026 00:00:00 +0000https://z3r0s6.github.io/machines/wingdata/<table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Difficulty</td> <td>Easy</td> </tr> <tr> <td>OS</td> <td>Linux</td> </tr> <tr> <td>CVEs</td> <td>CVE-2025-47812 · CVE-2025-4517 · CVE-2025-4138</td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>WingData is an Easy Linux machine. A company website redirects to an FTP client portal running <strong>Wing FTP Server v7.4.3</strong>, which is vulnerable to an unauthenticated RCE (<strong>CVE-2025-47812</strong>). Post-exploitation enumeration reveals a salted SHA-256 hash for user <code>wacky</code> stored in Wing FTP config files. After cracking the hash with hashcat and gaining SSH access, a misconfigured sudo rule allows execution of a Python backup restoration script as root. The script is vulnerable to <strong>CVE-2025-4517</strong>, a tarfile <code>PATH_MAX</code> bypass that allows arbitrary file write - used to overwrite <code>/etc/sudoers</code> and gain root.</p>