DevArea HackTheBox Writeup - Season10
SUMMARY
This write-up covers the DevArea machine from HackTheBox Season 10. Initial reconnaissance identified multiple HTTP services alongside an exposed FTP server. Anonymous access to FTP allowed us to enumerate internal files and retrieve a Java application named employee-service.jar.
By analyzing the application, we discovered that a web service running on port 8080 exposed a WSDL endpoint. Further inspection revealed a report parameter vulnerable to XML-based attacks. Exploiting CVE-2022-46364 in Apache CXF through a crafted XML payload allowed us to achieve Local File Inclusion.
The LFI vulnerability enabled enumeration of internal files, leading to the discovery of configuration files for Hoverfly, which was running on port 8888; these files granted access to the admin panel. From there, we leveraged a Remote Code Execution vulnerability, CVE-2025-54123, to gain a foothold on the system.
Post-exploitation enumeration revealed a critical misconfiguration where /bin/bash was writable. By combining this with a privileged sudoers entry that executed a custom script as root, we replaced the bash binary and achieved full system compromise.
PATH TO FOLLOW
- Reconnaissance
- FTP Enumeration
- Java Application Analysis
- Exploiting Apache CXF (CVE-2022-46364)
- Credential Extraction & Admin Panel Access
- Remote Code Execution (CVE-2025-54123)
- Privilege Escalation
CONTENT WILL BE RELEASED ONCE THE MACHINE IS RETIRED