{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreieaf7dw55uqbjinrfixykwabwzbv765tr4uztnjoocufc7s7kml2e",
"uri": "at://did:plc:gc2nrf5j5b2po5huoyw6utr4/app.bsky.feed.post/3mi5k23noa7p2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreigwqudbzjirr5c5nkyo3gp6kb7qclmwkccb7f3ek67ih5yyinhtp4"
},
"mimeType": "image/jpeg",
"size": 49912
},
"description": "BOX INFO\n\n\n\n\n\n\nProperty\nValue\n\n\n\n\nName\nDevArea\n\n\nOS\nLinux (Ubuntu)\n\n\nDifficulty\nMedium\n\n\n\n\n\n\n\nPHASE 1: RECONNAISSANCE\n\n\nPORT SCAN\n\nnmap -sV -sC -p- --min-rate 5000 $TARGET\n\n\n\n\n\n\n\nPort\nService\nDetails\n\n\n\n\n21\nFTP\nvsftpd - Anonymous login allowed\n\n\n22\nSSH\nOpenSSH\n\n\n80\nHTTP\nApache (Ubuntu) - redirects to virtual host\n\n\n8080\nHTTP\nJetty - SOAP/WSDL service\n\n\n8500\nHTTP Proxy\nService virtualization proxy (requires auth)\n\n\n8888\nHTTP\nService virtualization admin dashboard (requires auth)\n\n\n\n\n\n\n\nHOST SE...",
"path": "/hack-the-box-season-10-htb-devarea-writeup-medium-weekly-march-28th-2026-2/",
"publishedAt": "2026-03-28T16:00:00.000Z",
"site": "https://1337sheets.com",
"tags": [
"Subscribe now"
],
"textContent": "## Box Info\n\nProperty | Value\n---|---\n**Name** | DevArea\n**OS** | Linux (Ubuntu)\n**Difficulty** | Medium\n\n* * *\n\n## Phase 1: Reconnaissance\n\n### Port Scan\n\n\n nmap -sV -sC -p- --min-rate 5000 $TARGET\n\n\nPort | Service | Details\n---|---|---\n21 | FTP | vsftpd - Anonymous login allowed\n22 | SSH | OpenSSH\n80 | HTTP | Apache (Ubuntu) - redirects to virtual host\n8080 | HTTP | Jetty - SOAP/WSDL service\n8500 | HTTP Proxy | Service virtualization proxy (requires auth)\n8888 | HTTP | Service virtualization admin dashboard (requires auth)\n\n### Host Setup\n\n\n echo \"$TARGET devarea.htb\" | sudo tee -a /etc/hosts\n\n\n* * *\n\n## Phase 2: Enumeration\n\n### FTP (Port 21) - Anonymous Access\n\n\n ftp anonymous@$TARGET\n # password: anonymous\n ftp> cd pub\n ftp> ls\n -rw-r--r-- 1 ftp ftp 6445030 <date> employee-service.jar\n ftp> get employee-service.jar\n\n\nA Java JAR file is available for download. This is the compiled application for the SOAP service running on port 8080.\n\n### HTTP (Port 80) - Main Website\n\n\n curl -sI http://$TARGET/\n # HTTP/1.1 302 Found → Location: http://devarea.htb/\n\n\nA static developer hiring platform. No dynamic functionality or meaningful attack surface on port 80.\n\n### HTTP (Port 8080) - SOAP Web Service\n\n\n curl -s 'http://devarea.htb:8080/employeeservice?wsdl'\n\n\nA SOAP web service with a single operation `submitReport` that accepts:\n\n * `employeeName` (string)\n * `department` (string)\n * `content` (string)\n * `confidential` (boolean)\n\n\n\n### Port 8500 - Service Virtualization Proxy\n\n\n curl -s http://$TARGET:8500/\n # \"This is a proxy server. Does not respond to non-proxy requests.\"\n\n curl -s --proxy http://$TARGET:8500 http://example.com\n # 407 Proxy authentication required\n\n\nService virtualization proxy. 
Requires authentication to use.\n\n### Port 8888 - Service Virtualization Admin Dashboard\n\n\n curl -sI http://$TARGET:8888/\n # HTTP/1.1 200 OK → Dashboard (Angular app)\n\n curl -sv http://$TARGET:8888/api/v2/hoverfly 2>&1 | grep HTTP\n # HTTP/1.1 401 Unauthorized\n\n\nThe admin API requires Bearer token authentication.\n\n### JAR Analysis\n\nExtract and decompile the downloaded JAR:\n\n\n mkdir extracted && cd extracted\n jar xf ../employee-service.jar\n\n # Find application classes (under the HTB package namespace)\n find . -path \"*/devarea/*.class\"\n\n # Decompile to inspect\n javap -c -p <package>/ServerStarter.class\n # Binds to http://0.0.0.0:8080/employeeservice",
"title": "Hack The Box - Season 10 HTB DevArea Writeup - Medium- Weekly - March 28th, 2026",
"updatedAt": "2026-03-28T21:06:25.395Z"
}