Reconnaissance
Host Setup
Add the machine to /etc/hosts for hostname resolution:
echo "10.129.17.5 devarea.htb" | sudo tee -a /etc/hosts
Port Scan
nmap -sS -sV 10.129.17.5
Results:
| Port | Service | Version / Notes |
|---|---|---|
| 21 | FTP | vsftpd 3.0.5 |
| 22 | SSH | OpenSSH 9.6p1 Ubuntu |
| 80 | HTTP | Apache httpd 2.4.58 - static frontend |
| 8080 | HTTP | Jetty 9.4.27 - Apache CXF SOAP service |
| 8500 | HTTP Proxy | Hoverfly forward proxy |
| 8888 | HTTP API | Hoverfly admin API (Go HTTP server) |
The interesting attack surface is port 8080 (Apache CXF - known vulnerable to CVE-2022-46364) and ports 8500/8888 (Hoverfly proxy and admin interface).
Foothold
CVE-2022-46364 - Apache CXF MTOM Local File Inclusion
What is this vulnerability?
Apache CXF supports MTOM (Message Transmission Optimization Mechanism), a SOAP extension for transmitting binary data efficiently. When MTOM is enabled, the xop:Include element can reference external URIs - including file:// paths. An unauthenticated attacker can inject this element into any SOAP string parameter, causing the server to read the referenced file and return its contents base64-encoded in the SOAP response. This effectively gives arbitrary file read on the server without any authentication.
Step 1 - Confirming the SOAP Endpoint
First, probe port 8080 to confirm the service is live:
curl http://devarea.htb:8080/employeeservice
Response:
<soap:Envelope xmlns:soap="...">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>No binding operation info while invoking unknown method...</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
A SOAP fault confirms the endpoint is active. Next, retrieve the WSDL to understand the service structure:
curl http://devarea.htb:8080/employeeservice?wsdl
Key information extracted from WSDL:
Operation: submitReport
Namespace: http://devarea.htb/
Vulnerable parameter: content (type xs:string) - this is where we inject xop:Include
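From the defender's side, the WSDL facts above are enough to spot this class of request: a legitimate MTOM reference only ever uses a cid: href pointing at a MIME part, and it only ever appears under an element typed base64Binary, never under an xs:string parameter such as content. The check below is an added example written for this page, not code from the writeup or from Apache CXF; the element name `attachment` in BINARY_PARTS and the two sample SOAP bodies are constructed assumptions. It is a request-side detection aid (for a WAF rule or log audit), not a substitute for upgrading to a fixed Apache CXF release (3.5.5 / 3.4.10 or later).

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: elements the WSDL types as base64Binary and that may therefore
# carry an MTOM reference. The page's 'content' is xs:string, so it is omitted.
BINARY_PARTS = {"attachment"}

# Constructed sample requests for the submitReport operation described above.
BENIGN_BODY = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xop="http://www.w3.org/2004/08/xop/include"><soap:Body>
 <submitReport xmlns="http://devarea.htb/"><content>Q3 summary</content>
 <attachment><xop:Include href="cid:part1@example.org"/></attachment>
 </submitReport></soap:Body></soap:Envelope>"""
SUSPECT_BODY = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xop="http://www.w3.org/2004/08/xop/include"><soap:Body>
 <submitReport xmlns="http://devarea.htb/"><content>
 <xop:Include href="file:///path/on/server"/></content>
 </submitReport></soap:Body></soap:Envelope>"""

def _finding(href, where, binary_parts):
    """Flag an Include whose href is not cid: or that sits under a non-binary element."""
    scheme = urlsplit(href).scheme.lower()
    reasons = []
    if scheme != "cid":
        reasons.append(f"non-cid scheme '{scheme or 'none'}'")
    if where not in binary_parts:
        reasons.append(f"xop:Include under non-binary element '{where}'")
    return {"href": href, "where": where, "suspicious": bool(reasons), "reasons": reasons}

def audit_xop_includes(body, binary_parts=BINARY_PARTS):
    """Return one finding per xop:Include in a SOAP request body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Undeclared prefix or malformed XML: fall back to a textual scan so the
        # request is still classified instead of being passed through unchecked.
        return [_finding(m.group(1), "(unparsed)", binary_parts) for m in
                re.finditer(r'<\s*\w*:?Include\b[^>]*\bhref\s*=\s*["\']([^"\']*)', body, re.I)]
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter("{http://www.w3.org/2004/08/xop/include}Include"):
        parent = parents.get(elem)
        where = parent.tag.rsplit("}", 1)[-1] if parent is not None else "(root)"
        findings.append(_finding(elem.get("href", ""), where, binary_parts))
    return findings

def is_malicious_mtom(body):
    return any(f["suspicious"] for f in audit_xop_includes(body))
```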
🔐 PREMIUM WRITEUP - MEMBERSHIP REQUIRED
This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.