HTB DevArea Apache CXF XOP File Read, Hoverfly RCE, Flask Co...#2467
Open
carlospolop wants to merge 1 commit into
Open
HTB DevArea Apache CXF XOP File Read, Hoverfly RCE, Flask Co...#2467carlospolop wants to merge 1 commit into
carlospolop wants to merge 1 commit into
Conversation
Collaborator
Author
🔗 Additional ContextOriginal Blog Post: https://0xdf.gitlab.io/2026/07/04/htb-devarea.html Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting > 80,443 - Pentesting Web Methodology > Web API Pentesting / SOAP services; also cross-reference Pentesting Web > Command Injection and Linux Privilege Escalation > Arbitrary File Read / Symlink validation bypass". Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
The post is a HackTheBox DevArea walkthrough chaining multiple vulnerability classes: anonymous FTP disclosure, Java SOAP service reversing, Apache CXF MTOM/XOP arbitrary file read via
CVE-2022-46364, credential leakage from systemd and procfs, Hoverfly authenticated middleware command injection viaCVE-2025-54123, Flask signed-cookie forgery from a leaked secret key, Flask command injection caused byshell=True, and Linux local privilege escalation thro...🔧 Technical Details
Apache CXF MTOM/XOP file read via CVE-2022-46364: Vulnerable Apache CXF SOAP services can be abused by placing an
xop:Includeelement inside a SOAP parameter and sending the request asmultipart/relatedwith anapplication/xop+xmlroot part. Instead of only resolvingcid:MIME attachments, vulnerable CXF versions resolve URL schemes such asfile://orhttp://. If the affected parameter is reflected in the response, this becomes arbitrary local file read or SSRF.File-read credential harvesting: After arbitrary file read, high-value targets include
/etc/passwd, systemd service files, process command lines under/proc, and process environments. Secrets are often exposed throughExecStartarguments, environment variables, or service configuration files.Hoverfly middleware RCE via CVE-2025-54123: Authenticated access to Hoverfly can becom...
🤖 Agent Actions
Continuing the run with a final readiness check and no new edits unless a real gap appears.
Still continuing, not finalizing yet.
Latest readiness check passed:
web-api-pentesting.mdupdate## Referencessection existsgit diff --checkis cleanRun remains open and ready.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.