Imagery hosts a Flask-based image gallery application. I’ll exploit a stored XSS vulnerability in the bug report feature to steal an admin cookie. From the admin panel, I’ll use directory traversal to read the application source code, finding a command injection vulnerability in the image crop feature that requires access as a test user. After reading the database and cracking the test user’s password hash, I’ll exploit the command injection to get a shell. I’ll find an encrypted backup file and brute-force the pyAesCrypt password, getting access to an older backup with additional hashes. After cracking another user’s hash, I’ll pivot to a user that can run a custom backup utility as root via sudo. I’ll show two ways to abuse this. In Beyond Root, I’ll show why SSH is broken and how to get around it.

0xdf hacks stuff

A Flask-based image gallery application contains multiple vulnerabilities. A stored XSS in the bug report feature allows stealing admin cookies. The admin panel has a directory traversal vulnerability enabling source code and database access. The application uses MD5 password hashing and stores credentials in a JSON file. A command injection vulnerability exists in the image crop feature, exploitable only by test users. An encrypted backup file can be brute-forced to reveal additional password hashes. After cracking credentials and pivoting through users, a custom backup utility can be exploited via sudo to gain root access.

HTB: Imagery