DevArea

---

Table of Contents

1. Reconnaissance
2. Foothold - Apache CXF LFI via CVE-2022-46364
   • Confirming the SOAP Endpoint
   • Reading /etc/passwd
   • Extracting Hoverfly Credentials
3. Initial Access - Hoverfly Middleware RCE
   • Authenticating to the Admin API
   • Injecting a Reverse Shell
   • User Flag
4. Privilege Escalation - World-Writable Bash
   • Enumeration
   • Spawning a Non-Bash Shell
   • Replacing /bin/bash
   • Triggering Root Execution
   • Root Flag
5. Summary & Key Takeaways

---

Reconnaissance

Host Setup

Add the machine to /etc/hosts for hostname resolution:

echo "10.129.17.5  devarea.htb" | sudo tee -a /etc/hosts

Port Scan

nmap -sS -sV 10.129.17.5

Results:

Port	Service	Version / Notes
21	FTP	vsftpd 3.0.5
22	SSH	OpenSSH 9.6p1 Ubuntu
80	HTTP	Apache httpd 2.4.58 - static frontend
8080	HTTP	Jetty 9.4.27 - Apache CXF SOAP service
8500	HTTP Proxy	Hoverfly forward proxy
8888	HTTP API	Hoverfly admin API (Go HTTP server)

The interesting attack surface is port 8080 (Apache CXF - known vulnerable to CVE-2022-46364) and ports 8500/8888 (Hoverfly proxy and admin interface).

---

---

🔒

Premium Content

The full exploitation walkthrough, privilege escalation, and flags are available exclusively for members.

Unlock Full Writeup →