Skip to content

HTB DevArea Apache CXF XOP File Read, Hoverfly RCE, Flask Co...#2467

Open
carlospolop wants to merge 1 commit into
masterfrom
update_HTB_DevArea_Apache_CXF_XOP_File_Read_Hoverfly_RC_f43a9dc3d4b38b4a
Open

HTB DevArea Apache CXF XOP File Read, Hoverfly RCE, Flask Co...#2467
carlospolop wants to merge 1 commit into
masterfrom
update_HTB_DevArea_Apache_CXF_XOP_File_Read_Hoverfly_RC_f43a9dc3d4b38b4a

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2026/07/04/htb-devarea.html
  • Blog Title: HTB DevArea: Apache CXF XOP File Read, Hoverfly RCE, Flask Cookie Forgery, SysWatch Command Injection, and Symlink-Based Root File Read
  • Suggested Section: Network Services Pentesting > 80,443 - Pentesting Web Methodology > Web API Pentesting / SOAP services; also cross-reference Pentesting Web > Command Injection and Linux Privilege Escalation > Arbitrary File Read / Symlink validation bypass

🎯 Content Summary

The post is a HackTheBox DevArea walkthrough chaining multiple vulnerability classes: anonymous FTP disclosure, Java SOAP service reversing, Apache CXF MTOM/XOP arbitrary file read via CVE-2022-46364, credential leakage from systemd and procfs, Hoverfly authenticated middleware command injection via CVE-2025-54123, Flask signed-cookie forgery from a leaked secret key, Flask command injection caused by shell=True, and Linux local privilege escalation thro...

🔧 Technical Details

Apache CXF MTOM/XOP file read via CVE-2022-46364: Vulnerable Apache CXF SOAP services can be abused by placing an xop:Include element inside a SOAP parameter and sending the request as multipart/related with an application/xop+xml root part. Instead of only resolving cid: MIME attachments, vulnerable CXF versions resolve URL schemes such as file:// or http://. If the affected parameter is reflected in the response, this becomes arbitrary local file read or SSRF.

File-read credential harvesting: After arbitrary file read, high-value targets include /etc/passwd, systemd service files, process command lines under /proc, and process environments. Secrets are often exposed through ExecStart arguments, environment variables, or service configuration files.

Hoverfly middleware RCE via CVE-2025-54123: Authenticated access to Hoverfly can becom...

🤖 Agent Actions

Continuing the run with a final readiness check and no new edits unless a real gap appears.
Still continuing, not finalizing yet.

Latest readiness check passed:

  • only the intended file is modified
  • diff is still exactly the single web-api-pentesting.md update
  • CXF section is present
  • multipart/XOP request detail is present
  • exactly one ## References section exists
  • blog reference is present
  • git diff --check is clean

Run remains open and ready.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/07/04/htb-devarea.html

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting > 80,443 - Pentesting Web Methodology > Web API Pentesting / SOAP services; also cross-reference Pentesting Web > Command Injection and Linux Privilege Escalation > Arbitrary File Read / Symlink validation bypass".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant