Welcome to another Hack the Box walkthrough. In this blog post, I have demonstrated how I owned the DevArea machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs.
You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel and follow me on LinkedIn for more updates.Machine Overview
DevArea is a medium-difficulty Linux machine on Hack The Box that focuses on chaining multiple real-world vulnerabilities from web enumeration to full system compromise. The attack began with Nmap enumeration, where I identified several exposed services including FTP, SSH, and multiple web applications running on different ports. This led to host resolution, where I mapped devarea.htb locally to properly interact with the web application.
During web enumeration, I explored the site functionality but found no immediate vulnerabilities, prompting deeper inspection of exposed services. This led to API enumeration, where I discovered a SOAP-based service on port 8080 exposing a WSDL endpoint. By interacting with this service, I achieved exploitation via XXE (XOP injection), allowing me to read local files from the system.
Through data extraction, I decoded sensitive information from the response, revealing Hoverfly service credentials. Using these, I performed authentication against the Hoverfly API and obtained a valid JWT token. In the token analysis phase, I confirmed administrative access, which allowed me to proceed with remote code execution via the Hoverfly middleware API, ultimately gaining a reverse shell as the dev_ryan user.
In the post-exploitation enumeration phase, I gathered system information and retrieved the user flag. I then moved into privilege escalation enumeration, where I discovered misconfigured sudo permissions and a world-writable /usr/bin/bash. Leveraging this, I performed privilege escalation via bash hijacking, followed by payload preparation, where I crafted a malicious bash wrapper.
Finally, I triggered the exploit through a privileged script to obtain a root shell, completing the privilege escalation phase. In the last step, post-exploitation (root access), I verified root privileges and captured the root flag, successfully completing the machine.
Protected Page
The first step in owning the DevArea machine like I have always done in my previous writeups is to connect my Kali Linux terminal with Hack the Box server. To establish this connection, I ran the following command in the terminal:
Once the connection between my Kali Linux terminal and Hack the Box server has been established, I started the Interpreter machine and I was assigned an IP address (10.129.24.196).
Nmap Enumeration
I ran an Nmap scan with default scripts and version detection to identify open ports and services on the target.
The scan revealed several exposed services. FTP (21) allowed anonymous login, which could provide unauthenticated access to files. SSH (22) was available but likely required credentials. Port 80 redirected to devarea.htb, indicating a virtual host that needed to be added locally for proper access. Additional web services were running on ports 8080 (Jetty), 8500 (proxy service), and 8888 (Hoverfly dashboard), suggesting multiple potential web-based attack surfaces worth further enumeration.
Host Configuration
I added the discovered virtual host to my local hosts file so the application could resolve correctly in the browser.
I authenticated with sudo to modify the /etc/hosts file and mapped the target IP to devarea.htb. This ensured that requests to the domain would resolve locally instead of failing DNS resolution. Since port 80 redirected to this hostname, this step was necessary to properly access the web application. With this in place, I was able to interact with the site as intended and continue web enumeration.
Web Enumeration
I navigated to the target web application to manually explore its functionality and identify potential attack surfaces.
The site loaded successfully on http://devarea.htb and appeared to be a freelancer-style platform connecting developers with companies. I enumerated the available sections including Home, Jobs, Developers, Companies, About, and Contact, along with authentication features like Login and Register. The presence of “Browse Jobs” and “Find Talent” suggested user interaction and possible backend functionality worth testing later. However, initial manual inspection did not reveal any obvious vulnerabilities or sensitive information. At this stage, I noted the application structure and prepared to perform deeper enumeration on individual features and endpoints.
API Enumeration
I enumerated the web service running on port 8080 to identify available API endpoints and functionality.
The response returned a WSDL file, confirming a SOAP-based API exposing an EmployeeService. I identified a submitReport function that accepts structured input including fields like employeeName, department, and content. This indicated user-controlled data is being processed server-side, making it a potential entry point for injection or deserialization attacks. The service endpoint was also clearly defined at /employeeservice, which could be interacted with directly. At this stage, I focused on crafting SOAP requests to test how the application handles input.
Exploitation (XXE via SOAP)
I crafted a malicious SOAP request to test how the API handles external file references and attempted to read local system files.
The server processed the request and returned a base64-encoded response containing the contents of the targeted file. This confirmed an XXE/XOP file read vulnerability, allowing me to access local files on the system. By decoding the output, I was able to retrieve sensitive configuration data, including service details for Hoverfly. This demonstrated that user-controlled input in the SOAP request was not properly sanitized. I leveraged this vulnerability to continue extracting useful information for further exploitation.
Data Extraction
I decoded the base64-encoded response returned from the SOAP request to reveal the actual file contents.
The decoded output revealed a systemd service configuration for Hoverfly, running as the user dev_ryan. Notably, I discovered hardcoded credentials (admin : O7IJ27MyyXiU) within the ExecStart command. This indicated that the service exposes authentication that could potentially be reused elsewhere. Additionally, the service listens on 0.0.0.0, confirming it is accessible over the network. This provided a strong lead for accessing the Hoverfly dashboard or related services using the extracted credentials.
Authentication (Hoverfly API)
I used the extracted credentials to authenticate against the Hoverfly API and obtain an access token.
The request was successful and returned a JWT token, confirming that the credentials were valid. I stored the token in a variable for reuse in authenticated API requests. This granted me authorized access to the Hoverfly service running on port 8888. With this level of access, I could now interact with protected endpoints and potentially manipulate the application further.
Token Analysis
I decoded the JWT token to inspect its contents and understand the privileges associated with it.
The decoded payload confirmed that I was authenticated as the admin user. I observed the token contained standard fields like exp (expiry) and iat (issued time), indicating it was valid for a long duration. No additional restrictions or roles were present, suggesting full administrative access. This validated that the token could be reliably used for further authenticated interactions. I proceeded with this token to explore privileged API functionality.
Remote Code Execution (Hoverfly Middleware)
I set up a netcat listener on my machine to catch a reverse shell from the target.
I then attempted to abuse the Hoverfly middleware API by sending a malicious payload, but initially received a 401 Unauthorized response due to an invalid or missing token.
To troubleshoot, I verified the request and noticed the token was not properly set, which explained the authentication failure.
I re-authenticated using the previously discovered credentials to generate a fresh valid JWT token.
With a valid token, I resent the payload to configure Hoverfly middleware to execute a reverse shell.
This time the request succeeded with a 200 OK, confirming the payload was accepted and executed. Immediately after, I received a reverse shell connection on my listener as the user dev_ryan, successfully achieving remote code execution on the target.
Post-Exploitation Enumeration
After gaining a reverse shell, I began enumerating the system to confirm my access and gather useful information.
The output confirmed I had a shell as the user dev_ryan on the target machine devarea, indicating successful initial compromise.
I navigated to the user’s home directory and listed its contents. I noticed standard configuration files along with a few interesting findings, including a syswatch-v1.zip file owned by root and a .bash_history symlink pointing to /dev/null, likely to prevent command logging.
Finally, I accessed the user.txt file and successfully retrieved the user flag, marking completion of the initial foothold phase.
Privilege Escalation Enumeration
I checked for sudo privileges to identify any commands I could run as root without a password.
The output revealed that dev_ryan could execute /opt/syswatch/syswatch.sh as root without a password, which immediately stood out as a potential privilege escalation vector. However, there were some restrictions in place, specifically denying certain arguments like web-stop and web-restart. Despite these limitations, the ability to run a script as root suggested I might be able to abuse its functionality or input handling. I noted this script as a high-priority target for further analysis and exploitation.
Privilege Escalation Enumeration
I checked the permissions of the bash binary to see if it could be leveraged for privilege escalation.
The output showed that /usr/bin/bash had world-writable permissions (777), meaning any user could modify it. This is a critical misconfiguration, as it allows me to overwrite the binary with malicious code or replace it entirely. Since bash is commonly executed by privileged processes, this opened a clear path to escalate privileges. I identified this as a strong privilege escalation vector to gain root access.
Privilege Escalation Enumeration
I navigated to the /tmp directory to inspect temporary files that might aid in privilege escalation.
The directory contained several interesting files, including bash.bak and evil_bash, which appeared to be related to a previous or ongoing exploitation attempt. Since /tmp is world-writable, it is commonly used for staging payloads and scripts. The presence of these files suggested a potential method to overwrite or hijack the bash binary. I also noted the hoverfly directory, which could be tied to the running service. This reinforced my earlier finding that bash manipulation might be leveraged for privilege escalation.
Privilege Escalation (Bash Hijacking)
I created a backup of the original bash binary and prepared a malicious wrapper script to hijack execution.
Next, I crafted a malicious script that would trigger a reverse shell and then restore the original bash binary to avoid breaking the system.
This script uses the writable /usr/bin/bash to execute my payload, sending a reverse shell back to my machine on port 5555. After execution, it restores the original bash binary to remain stealthy and maintain system stability. This setup prepared me to replace the system bash and trigger execution through a privileged process.
Privilege Escalation (Payload Preparation)
I made the malicious script executable so it could be run as a replacement for the bash binary.
By setting the execute permission, I ensured the system could run my evil_bash script like a normal binary. This was a necessary step before swapping it with /usr/bin/bash. Once executed by a privileged process, the script would trigger a reverse shell and then restore the original bash binary. This finalized the setup for the privilege escalation exploit.
Privilege Escalation (Root Shell)
I started a new netcat listener to catch the root shell triggered by my payload.
On the compromised host, I executed a chained command to replace the writable bash binary and trigger it via a privileged script.
This command killed running bash processes, replaced /usr/bin/bash with my malicious script, and executed the allowed sudo script to invoke bash as root. As soon as the script ran, my payload executed and sent a reverse shell back to my listener. I successfully received a root shell on port 5555, confirming full system compromise.
Post-Exploitation (Root Access)
After receiving the reverse shell, I verified my privileges to confirm successful privilege escalation.
The output confirmed I was running as root on the target machine devarea, indicating full system compromise.
I then navigated to the root directory and retrieved the root.txt flag, successfully completing the machine. This marked the final step of the exploitation process with full administrative access achieved.
Hurray!!! I got the root flag and with that the machine was officially pwned.
If you enjoy reading my walkthrough, do not forget to like, comment, and subscribe to my YouTube channel and also connect with me on LinkedIn. Also, don't forget to turn on post notification on my Twitter and Medium account to get notification as soon as I write.
Found this walkthrough helpful? Buying me a coffee helps power the late nights spent writing technical walkthroughs and keeping them free for everyone ☕
Keywords:
DevArea.htb
devarea hackthebox
solved DevArea on Hack the Box
hackthebox devarea write up
devarea htb walkthrough
rooted DevArea on Hack the Box
devarea htb write up
devarea user flag
DevArea HTB Season 10 complete solution
devarea root flag
DevArea
pwned DevArea on Hack the Box
eloquia.htb
eloquia hackthebox
solved eloquia on Hack the Box
hackthebox eloquia write up
eloquia htb walkthrough
rooted eloquia on Hack the Box
eloquia htb write up
eloquia user flag
Eloquia HTB Season 10 complete solution
Eloquia root flag
how to solve Eloquia htb machine pdf
pwned Eloquia on Hack the Box
how to solve DevArea machine on hack the box
0 Comments