Welcome to another Hack the Box walkthrough. In this blog post, I have demonstrated how I owned the DevArea machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cybersecurity jobs.
You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel and follow me on LinkedIn for more updates.
About the Machine
DevArea is an easy-level machine on Hack the Box
Preview of the Machine
Nmap Enumeration
I ran an Nmap scan with default scripts and version detection to identify open ports and services on the target.
The scan revealed several exposed services. FTP (21) allowed anonymous login, which could provide unauthenticated access to files. SSH (22) was available but likely required credentials. Port 80 redirected to devarea.htb, indicating a virtual host that needed to be added locally for proper access. Additional web services were running on ports 8080 (Jetty), 8500 (proxy service), and 8888 (Hoverfly dashboard), suggesting multiple potential web-based attack surfaces worth further enumeration.
Host Configuration
I added the discovered virtual host to my local hosts file so the application could resolve correctly in the browser.
I authenticated with sudo to modify the /etc/hosts file and mapped the target IP to devarea.htb. This ensured that requests to the domain would resolve locally instead of failing DNS resolution. Since port 80 redirected to this hostname, this step was necessary to properly access the web application. With this in place, I was able to interact with the site as intended and continue web enumeration.
Web Enumeration
I navigated to the target web application to manually explore its functionality and identify potential attack surfaces.
The site loaded successfully on http://devarea.htb and appeared to be a freelancer-style platform connecting developers with companies. I enumerated the available sections including Home, Jobs, Developers, Companies, About, and Contact, along with authentication features like Login and Register. The presence of “Browse Jobs” and “Find Talent” suggested user interaction and possible backend functionality worth testing later. However, initial manual inspection did not reveal any obvious vulnerabilities or sensitive information. At this stage, I noted the application structure and prepared to perform deeper enumeration on individual features and endpoints.
API Enumeration
I enumerated the web service running on port 8080 to identify available API endpoints and functionality.
The response returned a WSDL file, confirming a SOAP-based API exposing an EmployeeService. I identified a submitReport function that accepts structured input including fields like employeeName, department, and content. This indicated user-controlled data is being processed server-side, making it a potential entry point for injection or deserialization attacks. The service endpoint was also clearly defined at /employeeservice, which could be interacted with directly. At this stage, I focused on crafting SOAP requests to test how the application handles input.
Exploitation (XXE via SOAP)
I crafted a malicious SOAP request to test how the API handles external file references and attempted to read local system files.
The server processed the request and returned a base64-encoded response containing the contents of the targeted file. This confirmed an XXE/XOP file read vulnerability, allowing me to access local files on the system. By decoding the output, I was able to retrieve sensitive configuration data, including service details for Hoverfly. This demonstrated that user-controlled input in the SOAP request was not properly sanitized. I leveraged this vulnerability to continue extracting useful information for further exploitation.
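A defender-side counterpart to the finding above, written here as an added example rather than code from the original post: a strict SOAP request parser built on Python's standard-library expat that refuses any DOCTYPE, entity declaration or external entity reference before the submitReport fields are ever read. Both SOAP samples are constructed, and the unsafe one carries only a placeholder path.

```python
import xml.parsers.expat

# Constructed sample requests for the EmployeeService submitReport call (not
# captured from the machine); the second declares an external entity.
BENIGN_SOAP = """<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><submitReport>
    <employeeName>Jane Doe</employeeName>
    <department>Engineering</department>
    <content>Weekly status report</content>
  </submitReport></soapenv:Body>
</soapenv:Envelope>"""

XXE_SOAP = """<?xml version="1.0"?>
<!DOCTYPE submitReport [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/path"> ]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><submitReport><content>&ext;</content></submitReport></soapenv:Body>
</soapenv:Envelope>"""

class UnsafeXml(Exception):
    """Raised when a request declares a DTD or entity of any kind."""

def parse_soap_strict(xml_text):
    """Parse a SOAP request with expat, refusing DOCTYPE, entity declarations
    and external entity references before any content is processed.
    Returns {leaf element name: text}."""
    parser = xml.parsers.expat.ParserCreate()
    fields, stack = {}, []
    def reject(*args):
        # Any of the three handlers below firing means the body is unsafe.
        raise UnsafeXml("DTD/entity constructs are not allowed: %r" % (args[:2],))
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    def on_text(data):
        if stack and data.strip():
            fields[stack[-1]] = fields.get(stack[-1], "") + data
    parser.CharacterDataHandler = on_text
    parser.Parse(xml_text, True)
    return fields

def is_safe_soap(xml_text):
    """Gatekeeper check suitable for a request filter: True only if the body
    parses without any DTD or entity construct."""
    try:
        parse_soap_strict(xml_text)
        return True
    except UnsafeXml:
        return False
```

The same three expat handlers map directly onto the DocumentBuilderFactory features a Java SOAP stack such as the one behind Jetty would disable, so the check is a model of the server-side fix rather than a client-side workaround.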
Data Extraction
I decoded the base64-encoded response returned from the SOAP request to reveal the actual file contents.
The decoded output revealed a systemd service configuration for Hoverfly, running as the user dev_ryan. Notably, I discovered hardcoded credentials (admin : O7IJ27MyyXiU) within the ExecStart command. This indicated that the service exposes authentication that could potentially be reused elsewhere. Additionally, the service listens on 0.0.0.0, confirming it is accessible over the network. This provided a strong lead for accessing the Hoverfly dashboard or related services using the extracted credentials.
Authentication (Hoverfly API)
I used the extracted credentials to authenticate against the Hoverfly API and obtain an access token.
The request was successful and returned a JWT token, confirming that the credentials were valid. I stored the token in a variable for reuse in authenticated API requests. This granted me authorized access to the Hoverfly service running on port 8888. With this level of access, I could now interact with protected endpoints and potentially manipulate the application further.
Token Analysis
I decoded the JWT token to inspect its contents and understand the privileges associated with it.
The decoded payload confirmed that I was authenticated as the admin user. I observed the token contained standard fields like exp (expiry) and iat (issued time), indicating it was valid for a long duration. No additional restrictions or roles were present, suggesting full administrative access. This validated that the token could be reliably used for further authenticated interactions. I proceeded with this token to explore privileged API functionality.
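Added here as an illustration (not the post's own code, and Hoverfly's exact claim layout is an assumption): a small inspector that decodes a JWT, verifies an HS256 signature against a known secret, and flags the two properties noted above, an overly long exp minus iat lifetime and the absence of any role or scope claim. The token, secret and claim names are constructed in the block.

```python
import base64, hashlib, hmac, json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256_token(claims, secret):
    """Build a constructed HS256 JWT for the demonstration (not a real token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def inspect_token(token, secret=None, max_lifetime=3600):
    """Decode a JWT's claims and report what a reviewer would check: subject,
    lifetime (exp - iat) against a policy maximum, whether any role/scope
    claim restricts it, and whether the HS256 signature verifies."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    signature_ok = None  # None means "not checked" (no secret or non-HS256)
    if secret is not None and header.get("alg") == "HS256":
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        signature_ok = hmac.compare_digest(expected, _b64url_decode(sig_b64))
    return {
        "subject": claims.get("sub") or claims.get("username"),
        "alg": header.get("alg"),
        "lifetime_seconds": lifetime,
        "too_long_lived": lifetime > max_lifetime,
        "has_role_restriction": any(k in claims for k in ("role", "roles", "scope", "scp")),
        "signature_ok": signature_ok,
    }

# Constructed sample: an admin token issued for 30 days with no role claim,
# the same shape as the token described in the walkthrough.
SECRET = b"constructed-demo-secret"
ISSUED = 1_700_000_000
SAMPLE_TOKEN = make_hs256_token(
    {"sub": "admin", "iat": ISSUED, "exp": ISSUED + 30 * 24 * 3600}, SECRET)
```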
User Flag
Root Flag