Hack The Box - Season 10 HTB DevArea Writeup - Medium - Weekly - March 28th, 2026

Box Info

Property    Value
Name        DevArea
OS          Linux (Ubuntu)
Difficulty  Medium

Phase 1: Reconnaissance

Port Scan

nmap -sV -sC -p- --min-rate 5000 $TARGET
Port  Service     Details
21    FTP         vsftpd - Anonymous login allowed
22    SSH         OpenSSH
80    HTTP        Apache (Ubuntu) - redirects to virtual host
8080  HTTP        Jetty - SOAP/WSDL service
8500  HTTP Proxy  Service virtualization proxy (requires auth)
8888  HTTP        Service virtualization admin dashboard (requires auth)

Host Setup

echo "$TARGET devarea.htb" | sudo tee -a /etc/hosts

Phase 2: Enumeration

FTP (Port 21) - Anonymous Access

ftp anonymous@$TARGET
# password: anonymous
ftp> cd pub
ftp> ls
-rw-r--r--  1 ftp ftp  6445030 <date> employee-service.jar
ftp> get employee-service.jar

A Java JAR file is available for download. This is the compiled application for the SOAP service running on port 8080.
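The anonymous share above is the defender's side of this step: a build artifact sitting under an anonymous-readable vsftpd tree. The following audit script is an added example and not part of the writeup; it parses vsftpd's key=value format and flags the settings that produce exactly this exposure. The two configuration excerpts are constructed for the example (the option names anonymous_enable, anon_root, write_enable, anon_upload_enable, anon_mkdir_write_enable, local_enable and chroot_local_user are real vsftpd options; the values are not taken from the box).

```python
# Two constructed vsftpd.conf excerpts (not the box's real configuration):
# the first permits anonymous read and upload, the second disables anonymous
# access entirely and confines local users to their home directories.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp
local_enable=YES
write_enable=YES
anon_upload_enable=YES
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""


def parse_vsftpd_conf(text):
    """Parse vsftpd's key=value format (lines starting with '#' are comments)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def audit_vsftpd(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = parse_vsftpd_conf(text)

    def on(key):
        return cfg.get(key, "").upper() == "YES"

    findings = []
    if on("anonymous_enable"):
        findings.append("anonymous_enable=YES: anyone can read everything under "
                        + cfg.get("anon_root", "the ftp user's home directory"))
        # Anonymous writes need write_enable plus one of the anon_* write options.
        if on("write_enable") and (on("anon_upload_enable") or on("anon_mkdir_write_enable")):
            findings.append("anonymous upload is enabled: unauthenticated clients can write to the share")
    if on("local_enable") and not on("chroot_local_user"):
        findings.append("chroot_local_user is not YES: local users can browse outside their home")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":")
        for finding in audit_vsftpd(conf) or ["no findings"]:
            print("   ", finding)
```

Run it against a real /etc/vsftpd.conf by reading the file into audit_vsftpd; an anonymous-readable tree that holds deployable artifacts such as the JAR above is the first finding to act on, since the artifact hands out the full server-side logic to anyone who connects.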

HTTP (Port 80) - Main Website

curl -sI http://$TARGET/
# HTTP/1.1 302 Found → Location: http://devarea.htb/

A static developer hiring platform. No dynamic functionality or meaningful attack surface on port 80.

HTTP (Port 8080) - SOAP Web Service

curl -s 'http://devarea.htb:8080/employeeservice?wsdl'

A SOAP web service with a single operation submitReport that accepts:

  • employeeName (string)
  • department (string)
  • content (string)
  • confidential (boolean)
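Reading the operation and its parameters out of the WSDL by hand works for one operation, but a service inventory needs it automated. The script below is an added example, not code from the writeup: it walks the document/literal wrapped chain that JAX-WS emits (portType operation, input message, part element, schema complexType) and lists every operation with its typed parameters, then picks out the xsd:string inputs, which are the unconstrained fields a defender should validate and log first. The embedded WSDL is constructed to match the shape described above (one submitReport operation, four parameters); its namespace urn:example:constructed is invented and it is not the document actually served on port 8080.

```python
import xml.etree.ElementTree as ET

WSDL = "{http://schemas.xmlsoap.org/wsdl/}"
XSD = "{http://www.w3.org/2001/XMLSchema}"

# Constructed WSDL in the document/literal wrapped style JAX-WS produces,
# shaped like the service described above. Not the real WSDL of the target.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:tns="urn:example:constructed" targetNamespace="urn:example:constructed"
    name="EmployeeService">
  <types>
    <xsd:schema targetNamespace="urn:example:constructed">
      <xsd:element name="submitReport" type="tns:submitReport"/>
      <xsd:element name="submitReportResponse" type="tns:submitReportResponse"/>
      <xsd:complexType name="submitReport">
        <xsd:sequence>
          <xsd:element name="employeeName" type="xsd:string" minOccurs="0"/>
          <xsd:element name="department" type="xsd:string" minOccurs="0"/>
          <xsd:element name="content" type="xsd:string" minOccurs="0"/>
          <xsd:element name="confidential" type="xsd:boolean"/>
        </xsd:sequence>
      </xsd:complexType>
      <xsd:complexType name="submitReportResponse">
        <xsd:sequence>
          <xsd:element name="return" type="xsd:string" minOccurs="0"/>
        </xsd:sequence>
      </xsd:complexType>
    </xsd:schema>
  </types>
  <message name="submitReport"><part name="parameters" element="tns:submitReport"/></message>
  <message name="submitReportResponse"><part name="parameters" element="tns:submitReportResponse"/></message>
  <portType name="EmployeeService">
    <operation name="submitReport">
      <input message="tns:submitReport"/>
      <output message="tns:submitReportResponse"/>
    </operation>
  </portType>
</definitions>"""


def _local(qname):
    """'tns:submitReport' -> 'submitReport' (drop the namespace prefix)."""
    return qname.split(":", 1)[-1] if qname else ""


def enumerate_operations(wsdl_text):
    """Return {operation: [(parameter, xsd type), ...]} for each portType operation.

    Chain followed: operation -> input message -> part element -> top-level
    schema element -> complexType (named or inline) -> sequence elements.
    """
    root = ET.fromstring(wsdl_text)
    messages = {m.get("name"): m for m in root.iter(WSDL + "message")}
    top_elements, complex_types = {}, {}
    for schema in root.iter(XSD + "schema"):
        for el in schema.findall(XSD + "element"):       # direct children only
            top_elements[el.get("name")] = el
        for ct in schema.findall(XSD + "complexType"):
            complex_types[ct.get("name")] = ct

    operations = {}
    for port_type in root.iter(WSDL + "portType"):
        for op in port_type.findall(WSDL + "operation"):
            params = []
            inp = op.find(WSDL + "input")
            msg = messages.get(_local(inp.get("message"))) if inp is not None else None
            part = msg.find(WSDL + "part") if msg is not None else None
            wrapper = top_elements.get(_local(part.get("element"))) if part is not None else None
            ctype = None
            if wrapper is not None:
                ctype = wrapper.find(XSD + "complexType")  # anonymous inline type
                if ctype is None:
                    ctype = complex_types.get(_local(wrapper.get("type")))
            if ctype is not None:
                for field in ctype.iter(XSD + "element"):
                    params.append((field.get("name"), _local(field.get("type")) or "anyType"))
            operations[op.get("name")] = params
    return operations


def free_text_inputs(operations):
    """(operation, parameter) pairs typed xsd:string: the unconstrained inputs
    that reach the backend, so the first candidates for validation and logging."""
    return [(op, name) for op, params in operations.items()
            for name, xsd_type in params if xsd_type == "string"]


if __name__ == "__main__":
    ops = enumerate_operations(SAMPLE_WSDL)
    for op, params in ops.items():
        print(op)
        for name, xsd_type in params:
            print(f"    {name}: {xsd_type}")
    print("free-text inputs:", free_text_inputs(ops))
```

Feed the real document to enumerate_operations (for instance the output of the curl command above read from a file) to get the same inventory for any JAX-WS service; rpc-style WSDLs that put parameters directly in message parts are not covered by this wrapped-document walk.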

Port 8500 - Service Virtualization Proxy

curl -s http://$TARGET:8500/
# "This is a proxy server. Does not respond to non-proxy requests."

curl -s --proxy http://$TARGET:8500 http://example.com
# 407 Proxy authentication required

Service virtualization proxy. Requires authentication to use.

Port 8888 - Service Virtualization Admin Dashboard

curl -sI http://$TARGET:8888/
# HTTP/1.1 200 OK → Dashboard (Angular app)

curl -sv http://$TARGET:8888/api/v2/hoverfly 2>&1 | grep HTTP
# HTTP/1.1 401 Unauthorized

The admin API requires Bearer token authentication.

JAR Analysis

Extract and decompile the downloaded JAR:

mkdir extracted && cd extracted
jar xf ../employee-service.jar

# Find application classes (under the HTB package namespace)
find . -path "*/devarea/*.class"

# Decompile to inspect
javap -c -p <package>/ServerStarter.class
# Binds to http://0.0.0.0:8080/employeeservice
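javap shows one class at a time. When reviewing a leaked artifact for what it gives away, the first pass is usually an inventory of every string literal in the application's own classes, which is where hard-coded endpoints, credentials and connection strings live. The script below is an added example, not tooling from the writeup: it lists the classes under a package prefix inside a JAR and reads each class's constant pool directly (the CONSTANT_Utf8 entries referenced by CONSTANT_String are the literals written in source), then flags the ones that look like endpoints or secrets. The JAR and the class files inside it are constructed in memory so the script runs offline; the package path com/example/devarea/ is hypothetical, while the endpoint string is the one the writeup reports from ServerStarter.

```python
import io
import struct
import zipfile

# Byte widths of fixed-size constant-pool entries by tag (JVM spec section 4.4).
# Tag 1 (Utf8) and tag 8 (String) are handled explicitly; 5 and 6 take two slots.
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

INTERESTING = ("://", "jdbc:", "password", "passwd", "secret", "token")


def constant_pool_strings(class_bytes):
    """Return the literals a class references through CONSTANT_String entries.

    Only the constant pool is parsed, so whatever follows it is irrelevant.
    Utf8 entries not referenced by a String entry are names and descriptors
    and are skipped. ASCII is identical in Java's modified UTF-8, so plain
    utf-8 decoding is adequate for an inventory.
    """
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, idx, utf8, refs = 10, 1, {}, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            utf8[idx] = class_bytes[pos:pos + length].decode("utf-8", "replace")
            pos += length
        elif tag == 8:  # CONSTANT_String: u2 index of a Utf8 entry
            (ref,) = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            refs.append(ref)
        else:
            pos += CP_FIXED[tag]
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return [utf8[r] for r in refs if r in utf8]


def find_classes(jar_bytes, package_prefix):
    """List .class entries whose path starts with the package prefix."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [n for n in jar.namelist()
                if n.endswith(".class") and n.startswith(package_prefix)]


def jar_string_report(jar_bytes, package_prefix):
    """Map each application class to its string literals."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in find_classes(jar_bytes, package_prefix):
            report[name] = constant_pool_strings(jar.read(name))
    return report


def flag_interesting(report):
    """Keep only literals that look like endpoints, connection strings or secrets."""
    flagged = {}
    for name, literals in report.items():
        hits = [s for s in literals if any(m in s.lower() for m in INTERESTING)]
        if hits:
            flagged[name] = hits
    return flagged


def build_class_file(class_name, literals):
    """Constructed class-file bytes: real header and constant pool layout
    carrying the given literals, followed by empty member tables. Enough for
    the parser above; a JVM would reject it, which is fine for a fixture."""
    pool = [b"\x01" + struct.pack(">H", len(class_name)) + class_name.encode(),
            b"\x07" + struct.pack(">H", 1)]  # #1 Utf8 name, #2 Class -> #1
    for lit in literals:
        data = lit.encode("utf-8")
        pool.append(b"\x01" + struct.pack(">H", len(data)) + data)  # Utf8
        pool.append(b"\x08" + struct.pack(">H", len(pool)))          # String -> that Utf8
    pool.append(b"\x05" + struct.pack(">q", 8080))  # Long: exercises the two-slot rule
    slots = len(pool) + 1
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, slots + 1)
    tail = struct.pack(">HHHHHHH", 0x0021, 2, 0, 0, 0, 0, 0)  # flags, this, super, no members
    return header + b"".join(pool) + tail


def build_sample_jar():
    """Constructed JAR: one bundled third-party class plus one application class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/eclipse/jetty/server/Server.class",
                     build_class_file("org/eclipse/jetty/server/Server", ["jetty"]))
        jar.writestr("com/example/devarea/ServerStarter.class",   # hypothetical package path
                     build_class_file("com/example/devarea/ServerStarter",
                                      ["Starting employee service",
                                       "http://0.0.0.0:8080/employeeservice"]))
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    for cls, hits in flag_interesting(jar_string_report(jar, "com/example/devarea/")).items():
        print(cls)
        for hit in hits:
            print("   ", hit)
```

Pointing jar_string_report at the bytes of employee-service.jar with the package prefix found by the find command above gives the same per-class literal list for the real artifact; strings assembled at runtime (concatenation, property lookups) do not appear in the pool and still need javap or a decompiler.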