HTB: DevArea
Overview
| Attribute | Value |
|---|---|
| OS | Linux |
| Difficulty | Medium |
| Category | Web + RCE + Privilege Escalation |
| Key CVEs | CVE-2022-46364, CVE-2024-45388 |
| Techniques | SSRF, RCE, JAR Decompilation, |
| Defensive Shell Analysis |
DevArea is a medium-difficulty machine demonstrating the importance of chaining multiple vulnerabilities. Initial access requires exploiting an SSRF in Apache CXF to extract credentials, which then enable RCE on a Hoverfly Dashboard instance. The privilege escalation component shows how proper shell script hardening can make seemingly obvious exploits (plugin execution, PATH manipulation) completely ineffective.
Reconnaissance
Port Enumeration
A standard nmap scan reveals multiple services:
Initial Enumeration
Interesting findings:
- FTP allows anonymous login on
/pub/directory - Port 8080 runs Jetty with a SOAP service (EmployeeService)
- Port 8888 hosts a Hoverfly Dashboard (authentication required)
- Port 8500 is a proxy service (Hoverfly proxy component)
Anonymous FTP yields: employee-service.jar — a compiled Java service
containing the SOAP endpoint.
Java Bytecode Analysis
Decompiled the JAR using CFR:
Key observations:
- Apache CXF SOAP framework
- Service listening on
/employeeservicepath - Method:
submitReport(Report)with DTO containing employeeName, department, content, confidential fields - CXF version is potentially vulnerable (CVE-2022-46364)
Foothold: CVE-2022-46364 (Apache CXF XOP Include SSRF)
Vulnerability Overview
Apache CXF versions <= 3.5.2 and 3.4.9 process MTOM (Message Transmission Optimization Mechanism) multipart requests containing xop:Include elements. The framework fails to validate URI schemes, allowing <//> URIs for arbitrary file read.
The vulnerability exists because:
- MTOM is designed for efficient binary attachment transmission
- xop:Include references external resources via href
- CXF resolves the href without scheme validation
- A crafted <//> URI causes the framework to read local files
Exploitation
Used the public PoC from GitHub to extract the Hoverfly service configuration file:
Exfiltrated Content
The systemd service file reveals the Hoverfly instance configuration:
Key extraction: Credentials for Hoverfly dashboard — admin / [REDACTED]
Detection Opportunity
Defense: Systemd service files should not be world-readable, or credentials should be stored in external secret management (Vault, AWS Secrets Manager). The presence of credentials in systemd configurations is a common misconfiguration.
Lateral Movement: CVE-2024-45388 (Hoverfly Middleware RCE)
Authentication
Logged into the Hoverfly Dashboard at http://devarea.htb:8888 using
extracted credentials. The dashboard is a web UI for configuring a
proxy and traffic simulation service.
Used Burp Suite to intercept dashboard traffic and captured the JWT bearer token issued after authentication.
Vulnerability Overview
Hoverfly’s /api/v2/hoverfly/middleware REST endpoint accepts a JSON
payload with unsanitized binary and script fields. These fields are
passed directly to the operating system for command execution without
input validation or sanitization.
Exploitation chain:
- Send HTTP PUT to
/api/v2/hoverfly/middleware - Include JSON with arbitrary
binary(e.g.,/bin/bash) andscript(shell command) - Hoverfly spawns the binary with the script argument
- Injected shell metacharacters (
&&,|,;) execute arbitrary commands
Exploitation
Using Burp Repeater with the captured JWT token:
Alternatively, via curl:
Shell Stabilization
Access to dev_ryan user obtained.
Privilege Escalation: SysWatch Defensive Analysis
Enumeration
Standard privilege escalation enumeration:
Critical observation: dev_ryan can execute /opt/syswatch/syswatch.sh
as root without password. The sudo rule includes defensive settings:
env_reset: Clears all environment variables before executionsecure_path: Whitelist-based PATH (blocks directory injection)use_pty: Allocate pseudo-terminal (affects environment handling)
SysWatch Architecture
The script provides a monitoring framework with plugin execution:
Apparent vulnerability: log_monitor.sh is whitelisted for root
execution. If we could write to /opt/syswatch/plugins/ or manipulate
the bash execution, we’d have immediate RCE as root.
Defensive Measures Discovered
Plugin Directory Not Writable
/opt/syswatch/plugins/ is owned by root with mode 755. No write
access for dev_ryan.
Bash Binary Hardened with Immutable Flag
The immutable flag (e) prevents deletion or modification. Even if we
had root access to /usr/bin, the file cannot be changed without
first removing the immutable attribute via chattr -i (which requires
CAP_LINUX_IMMUTABLE capability).
Sudo Environment Hardening
The sudo rule includes
env_reset(default) andsecure_path. These prevent:- Passing custom $PATH to influence bash lookup
- Using
-Eto preserve environment variables - Relying on environment-based tricks
Exploitation Attempts
PATH Injection (Failed)
Strategy: Create a malicious bash script in the home directory, then
rely on bash lookup from PATH.
Result: ❌ Failed
Reason: Sudo env_reset overrides the $PATH variable entirely with
secure_path. The whitelist includes only system directories. Our
malicious bash is never found.
Additional attempt with sudo -E:
Result: ❌ Failed — The sudo configuration explicitly prohibits -E
due to env_reset policy.
Lesson: When sudo has env_reset and secure_path, environment
manipulation is ineffective.
Bash Binary Replacement (Failed)
Strategy: Overwrite /usr/bin/bash with a malicious script.
Then attempted to remove immutable flag:
Result: ❌ Failed
Reason: The immutable flag is set at the filesystem level. Removing it
requires CAP_LINUX_IMMUTABLE capability, which unprivileged users do
not have. Even with write access to the directory, the flag prevents
modification.
Lesson: Immutable attributes are effective defenses for critical binaries.
Symlink Race Condition in /tmp (Failed)
Strategy: The log_monitor.sh plugin creates a timestamp file
/tmp/logmonitor_timestamp. If we can hijack this with a symlink
before the plugin runs, we might influence its behavior.
Result: ❌ Failed
Reason: File /tmp/logmonitor_timestamp is created by syswatch running
as root in previous invocations. Due to /tmp sticky bit semantics, only
the owner (root) can delete it. dev_ryan receives “Permission denied”.
Lesson: Sticky bit on /tmp prevents most race-condition exploits.
Logs Function Analysis (No Bypass Found)
The view_logs() subcommand accepts log filenames and handles symlinks
with validation:
Tested various inputs:
Result: ⚠️ No bypass discovered. Regex validation is comprehensive.
Alternative Attack Vector: Syswatch Web UI + Flask JWT Forgery
Further enumeration reveals that syswatch runs a Flask-based web UI on port 7777. The configuration is readable by dev_ryan:
Critical Finding: The Flask SECRET_KEY is exposed in plaintext.
With this secret, we forge admin JWT cookies:
Newline Injection in /service-status
The Flask /service-status endpoint doesn’t sanitize newlines (%0a),
allowing command injection:
Symlink Exploitation
Newline injection creates symlinks:
/opt/syswatch/logs/x→/root/root.txt/opt/syswatch/logs/service.log→x
Then:
Follows symlink chain → /root/root.txt → Root flag obtained!
Assessment: Multi-Layer Attack Surface
The defensive hardening of the syswatch shell script (regex validation, symlink checks, immutable binaries) is strong. However, the privilege escalation path bypasses these defenses entirely by exploiting a different component:
| Layer | Mechanism | Effectiveness |
|---|---|---|
| Write Protection | plugins/ owned by root | Strong |
| Binary Hardening | Immutable flag on bash | Strong |
| Sudo Hardening | env_reset + secure_path | Strong |
| Input Validation | Regex whitelisting | Strong |
| Symlink Validation | Path traversal checks | Strong |
| /tmp Protection | Sticky bit (root-owned files) | Strong |
Remaining attack vectors would require:
- A command injection flaw in the script logic
- A regex validation bypass (unlikely, uses simple patterns)
- An extremely tight race condition (impractical)
- A different privilege escalation path entirely
Root Flag Obtained
Status
Both user.txt and root.txt obtained via CVE chaining and Flask JWT forgery + Symlink exploitation.
Detection & Lessons Learned
What Went Wrong (What to Fix)
On the Syswatch Shell Script Side: The shell script had strong defensive measures that prevented obvious exploits (PATH injection, binary replacement, regex validation). These worked as intended.
But the Weakness Was Elsewhere:
Flask Configuration Exposure: The SECRET_KEY stored in plaintext in a readable config file allows JWT forgery.
Newline Injection in Flask: The /service-status endpoint doesn’t sanitize newlines, enabling command injection.
Symlink Creation in Logs Directory: Injected commands can create symlinks that appear as legitimate logs.
Symlink Following in Sudo Command: The syswatch.sh logs function follows symlinks without sufficient protection, leading to arbitrary file read as root.
The Real Lesson: Defensive hardening on one component doesn’t help if a different component (Flask Web UI) is weak. An attacker will always find the path of least resistance.
Stored in a separate credentials file (mode 600)
Retrieved from a secrets manager (Vault, AWS Secrets Manager)
Never hardcoded in service files
RCE via Middleware API: The Hoverfly middleware endpoint should:
- Validate
binaryagainst an allowlist (e.g., /bin/bash only) - Sandbox the execution (chroot, seccomp, container)
- Require strong authentication (OAuth2, mTLS)
- Log all executions for audit
- Validate
SSRF in SOAP Framework: Apache CXF should:
- Validate URI schemes (reject <//>, gopher://, etc.)
- Implement URL allowlisting for external resources
- Use network-layer controls to block local file access
For Blue Team: Detection Strategies
- Monitor sudo execution: Alert on
/opt/syswatch/syswatch.shinvocations - Audit credentials: Scan systemd services for plaintext passwords
- Network monitoring: Detect outbound reverse shells from Hoverfly process
- File integrity: Monitor bash binary attributes and
/opt/syswatch/directory changes
For Red Team: Alternative Angles
If targeting a real environment with similar setup:
- Fuzz the syswatch script with malformed arguments
- Analyze
common.shfor injection in imported functions - Check for cron jobs or systemd timers that might be manipulable
- Review application logs for clues about functionality
- Investigate other services or users for lateral movement
Timeline
| Stage | Technique | Result |
|---|---|---|
| Recon | Port scan, FTP, JAR analysis | SOAP endpoint |
| Foothold | CVE-2022-46364 (SSRF) | Extract creds |
| Lateral | CVE-2024-45388 (Hoverfly RCE) | dev_ryan shell |
| Priv Esc | Flask JWT Forgery + Symlink | root.txt obtained |
Tools & References
Vulnerabilities
- CVE-2022-46364: Apache CXF XOP Include SSRF (Public PoC)
- CVE-2024-45388: Hoverfly Middleware RCE (Credential-dependent)
Tools Used
- nmap (service enumeration)
- CFR decompiler (Java bytecode analysis)
- Burp Suite (JWT capture, RCE testing, traffic inspection)
- netcat (reverse shell)
- curl (API testing)
Security Patterns
- OWASP: File Upload Vulnerabilities & RCE Prevention
- SANS: Privilege Escalation via Sudo Misconfiguration
- CWE-427: Uncontrolled Search Path Element
- CWE-427: Improper Input Validation in Shell Scripts