Imagery HTB Writeup | HacktheBox | Season 9

Linux · Medium

2025-09-27 06:01:22 - xone

High level attack flow

  1. Recon: the web app (an image gallery) is on port 8000, and SSH is open. 
  2. Register a regular account, then use the bug-report feature (XSS) to steal an admin session cookie and reach the admin panel. 
  3. The admin log endpoint is vulnerable to LFI (directory traversal); use it to retrieve db.json and other application files. 
  4. Analyse api_edit.py (the image transform handler): the crop operation runs its command with shell=True and concatenates request parameters into the command string, so command injection is possible. 
  5. Using a privileged account (the test user), upload an image and trigger the crop transform with a command-injection payload to obtain a reverse shell.
  6. On the box, /var/backup/web_20250806_120723.zip.aes is world-readable; exfiltrate it.
  7. Decrypt the AES-Crypt .aes backup offline by trying passwords from a wordlist (rockyou) through a pyAesCrypt wrapper, recover the archive, and inspect its db.json for further credentials/hashes.
  8. Use a recovered user credential to SSH in (or switch user) and read user.txt.
  9. Privilege escalation: the user can run /usr/local/bin/charcol via sudo. Use charcol -R, or the interactive charcol shell, to get into its no-password shell, then schedule a recurring task (or set the SUID bit on /usr/bin/bash) to obtain root and read root.txt.
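The two web bugs in steps 3 and 4 (traversal in the log endpoint, and a crop handler that concatenates request parameters into a shell=True command) are easiest to reason about side by side with their fixes. The block below is an added example, not code from the box's api_edit.py (the page does not reproduce it): the function names, the TOOL stand-in (echo, so it runs anywhere) and the LOG_DIR path are assumptions made for illustration.

```python
import re
import subprocess
from pathlib import Path

# Hypothetical stand-in for the image tool the real handler invokes; using
# `echo` lets the example run on any host while keeping the same command shape.
TOOL = "echo"


def crop_command_vulnerable(src, x, y, w, h):
    """Build the command the way the flow says api_edit.py does: plain
    string concatenation, later handed to a shell."""
    return f"{TOOL} {src} -crop {w}x{h}+{x}+{y}"


def run_crop_vulnerable(src, x, y, w, h):
    # shell=True: ';', '|', '$(...)' inside any parameter are parsed by /bin/sh,
    # so a value such as "x.png; echo INJECTED" runs a second command.
    result = subprocess.run(crop_command_vulnerable(src, x, y, w, h),
                            shell=True, capture_output=True, text=True)
    return result.stdout


def run_crop_hardened(src, x, y, w, h):
    """Same operation with both fixes: allow-list validation of every
    parameter, and argv passed as a list so no shell ever parses it."""
    if not re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9_.-]*", src):
        raise ValueError(f"rejected image name: {src!r}")
    dims = []
    for v in (x, y, w, h):
        if not re.fullmatch(r"\d{1,5}", str(v)):
            raise ValueError(f"rejected crop parameter: {v!r}")
        dims.append(int(v))
    x, y, w, h = dims
    argv = [TOOL, src, "-crop", f"{w}x{h}+{x}+{y}"]
    result = subprocess.run(argv, capture_output=True, text=True)  # no shell
    return result.stdout


# Hypothetical log directory for the LFI model; it need not exist to run this.
LOG_DIR = Path("/var/log/imagery")


def log_path_vulnerable(name):
    # Joining an untrusted name keeps ".." segments and lets an absolute
    # name replace the base directory entirely.
    return LOG_DIR / name


def log_path_hardened(name):
    """Resolve the candidate and require LOG_DIR to be a strict ancestor.
    resolve() normalises ".." and follows symlinks in the parts that exist,
    so "../../etc/passwd", "/etc/passwd" and an empty name are all rejected."""
    candidate = (LOG_DIR / name).resolve()
    if LOG_DIR.resolve() not in candidate.parents:
        raise ValueError(f"traversal rejected: {name!r}")
    return candidate


def rejects(fn, *args):
    """True if fn raises ValueError for args (used to check the hardened paths)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "x.png; echo INJECTED"
    print(run_crop_vulnerable(payload, "0", "0", "10", "10"))
    print(rejects(run_crop_hardened, payload, "0", "0", "10", "10"))
    print(log_path_vulnerable("../../../etc/passwd"))
    print(rejects(log_path_hardened, "../../../etc/passwd"))
```

The argv-list form is what removes the shell from the picture; the regex checks are defence in depth, since a validated integer can never carry a metacharacter even if a future change reintroduces a shell. Note that the hardened log lookup compares resolved paths, which is what defeats both ".." chains and absolute names in one check.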


Access is restricted by HackTheBox rules
The full solution may be published publicly only after the machine is retired.
Look for the non-public solution in the Telegram channel.

