DevArea

1. User

1.1. Recon

1.1.1. PortScan

┌──(root㉿kali)-[~/Desktop/htb/DevArea]
└─# nmap 10.129.187.123 -p 21,22,80,8080,8500,8888 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-31 06:51 EDT
Nmap scan report for 10.129.187.123
Host is up (0.070s latency).

PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Sep 22  2025 pub
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.10.16.18
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 83:13:6b:a1:9b:28:fd:bd:5d:2b:ee:03:be:9c:8d:82 (ECDSA)
|_  256 0a:86:fa:65:d1:20:b4:3a:57:13:d1:1a:c2:de:52:78 (ED25519)
80/tcp   open  http    Apache httpd 2.4.58
|_http-title: Did not follow redirect to http://devarea.htb/
|_http-server-header: Apache/2.4.58 (Ubuntu)
8080/tcp open  http    Jetty 9.4.27.v20200227
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.27.v20200227)
8500/tcp open  http    Golang net/http server
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 500 Internal Server Error
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Tue, 31 Mar 2026 10:51:30 GMT
|     Content-Length: 64
|     This is a proxy server. Does not respond to non-proxy requests.
|   GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest, HTTPOptions:
|     HTTP/1.0 500 Internal Server Error
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Tue, 31 Mar 2026 10:51:14 GMT
|     Content-Length: 64
|_    This is a proxy server. Does not respond to non-proxy requests.
8888/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Hoverfly Dashboard

1.2. web

1.2.1. WEB 80


1.2.2. Web 8080 Jetty


1.2.3. web 8500 hoverfly

According to the official description, Hoverfly is a lightweight service virtualisation / API simulation / API mocking tool for developers and testers, written in Go.

1.2.4. hoverfly RCE

Attempting to exploit it produced no output at all; my guess is that it requires authentication before it can be accessed.

1.3. FTP

┌──(root㉿kali)-[~/Desktop/htb/DevArea]
└─# ftp 10.129.187.123
Connected to 10.129.187.123.
220 (vsFTPd 3.0.5)
Name (10.129.187.123:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||49107|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Sep 22  2025 pub
226 Directory send OK.
ftp> cd pub
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||45777|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp       6445030 Sep 22  2025 employee-service.jar
226 Directory send OK.
ftp> get employee-service.jar
local: employee-service.jar remote: employee-service.jar
229 Entering Extended Passive Mode (|||42922|)
150 Opening BINARY mode data connection for employee-service.jar (6445030 bytes).
100% |********************************************************************************************************|  6293 KiB    1.87 MiB/s    00:00 ETA
226 Transfer complete.
6445030 bytes received in 00:03 (1.83 MiB/s)

1.4. Java decompilation

Reverse-analysing the JAR with the help of AI showed that it is a JAX-WS SOAP web service built on Apache CXF 3.2.14, running on embedded Jetty, using Woodstox 5.0.3 as its XML parser, and compiled for JDK 1.8.

It exposes a single endpoint at http://0.0.0.0:8080/employeeservice , with the WSDL available at ?wsdl
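The decompilation above pinned the bundled library versions (CXF 3.2.14, Woodstox 5.0.3). As an added example that is not part of the original writeup, the script below does the same fingerprinting mechanically: it reads every Maven pom.properties inside a fat JAR, then compares each library against per-branch fix floors, so that a version on an older branch (3.2.x) is not mistaken for "newer than the fix". The sample JAR is constructed in memory to mirror the versions found in employee-service.jar; the fix floors for cxf-core are taken from the Apache CXF advisory for CVE-2022-46364 and should be confirmed against it.

```python
import io
import zipfile

# Per-branch fix floors, (branch, first_fixed): a version on a listed branch is
# affected below first_fixed; a version older than every listed branch is affected.
# The cxf-core floors follow the Apache CXF advisory for CVE-2022-46364 (fixed in
# 3.4.10 and 3.5.5); confirm them against the advisory before relying on them.
FLOORS: dict[str, list] = {
    "org.apache.cxf:cxf-core": [((3, 4), (3, 4, 10)), ((3, 5), (3, 5, 5))],
}

def parse_version(text: str) -> tuple:
    """'3.2.14' -> (3, 2, 14); non-numeric fragments such as 'SNAPSHOT' count as 0."""
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in text.strip().split("."))

def bundled_libraries(jar_bytes: bytes) -> dict[str, str]:
    """Map 'groupId:artifactId' -> version for every Maven pom.properties in the JAR."""
    found: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("pom.properties")):
                continue
            props: dict[str, str] = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and not key.startswith("#"):
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= set(props):
                found[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return found

def is_affected(version: str, floors: list) -> bool:
    """Branch-aware check, so 3.5.0 is not mistaken for 'newer than 3.4.10, hence fixed'."""
    v = parse_version(version)
    for branch, first_fixed in floors:
        if v[: len(branch)] == branch:
            return v < first_fixed
    return v < min(branch for branch, _ in floors)

def audit_jar(jar_bytes: bytes) -> dict[str, bool]:
    """{library: affected?} for each bundled library that has an entry in FLOORS."""
    libs = bundled_libraries(jar_bytes)
    return {lib: is_affected(ver, FLOORS[lib]) for lib, ver in libs.items() if lib in FLOORS}

def sample_jar() -> bytes:
    # Constructed stand-in for employee-service.jar carrying the versions found above
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.cxf/cxf-core/pom.properties", "#Generated by Maven\nversion=3.2.14\ngroupId=org.apache.cxf\nartifactId=cxf-core\n")
        jar.writestr("META-INF/maven/com.fasterxml.woodstox/woodstox-core/pom.properties", "version=5.0.3\ngroupId=com.fasterxml.woodstox\nartifactId=woodstox-core\n")
    return buf.getvalue()
```

Run `audit_jar(open("employee-service.jar", "rb").read())` against the real JAR to get the same answer the manual decompilation gave; libraries without a FLOORS entry are listed by `bundled_libraries` but not judged.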

1.4.1. submitReport

import javax.jws.WebService;

// JAX-WS service endpoint interface recovered from the decompiled JAR
@WebService(name = "EmployeeService", targetNamespace = "http://devarea.htb/")
/* loaded from: employee-service.jar:htb/devarea/EmployeeService.class */
public interface EmployeeService {
    String submitReport(Report report);
}

submitReport is the only method of this interface.

// Plain bean passed to submitReport; JAX-WS populates it from the SOAP body through these setters
public class Report {
    private String employeeName;
    private String department;
    private String content;
    private boolean confidential;

    public String getEmployeeName() {
        return this.employeeName;
    }

    public void setEmployeeName(String employeeName) {
        this.employeeName = employeeName;
    }

    public String getDepartment() {
        return this.department;
    }

    public void setDepartment(String department) {
        this.department = department;
    }

    public String getContent() {
        return this.content;
    }

    public void setContent(String content) {
        this.content = content;
    }

    public boolean isConfidential() {
        return this.confidential;
    }

    public void setConfidential(boolean confidential) {
        this.confidential = confidential;
    }

    public String toString() {
        return "Report{employeeName='" + this.employeeName + "', department='" + this.department + "', content='" + this.content + "', confidential=" + this.confidential + '}';
    }
}

This interface accepts a Report object carrying the employeeName, department, content and confidential fields.

Claude pointed out straight away that this version of CXF is affected by CVE-2022-46364, an SSRF vulnerability.

1.5. CVE-2022-46364