HTB— Imagery Writeup

9 min readSep 30, 2025

(XSS → LFI → RCE → PrivEsc)

Recon & service discovery

A quick nmap reconnaissance revealed the machine is running SSH and a Python-based web service:

nmap -T4 -A -v 10.10.11.88

Key results

22/tcp — SSH (OpenSSH)
8000/tcp — HTTP (Werkzeug/Python)

I visited http://imagery.htb:8000/ and found an image gallery application with Login / Register and an image upload feature.

Initial web interaction

I registered a low-privilege user and verified image upload worked. The transform operations (crop/resize) were restricted to privileged users.

XSS → Session cookie theft → Admin access

Create an account to read the full story.

The author made this story available to Medium members only.
If you’re new to Medium, create a new account to read this story on us.

Continue in app

Or, continue in mobile web

Already have an account? Sign in

Written by Amish kumar

61 followers

0 following

Penetration tester & SOC analyst focused on threat detection, vulnerability research, and practical approaches to strengthening security.

Responses (1)

Write a response

What are your thoughts?

Oct 5

I knew the db.json path in the LFI-read sensitive files part and proceeded with LFI.
Did this path use wfuzz to proceed with directory traversol??
So the route exists and has been read through LFI??
I've read all your posts, and thank you so much.

Recommended from Medium

Imagery HTB WriteUp: Season 9 Machine 2

This is not a proper walkthrough it is just a writeup or you can say some personal notes i made while solving the machine.

Oct 5

Signed — HTB — Walkthrough

Gain initial access via MSSQL — obtain service credentials — forge a Kerberos Silver Ticket — and escalate to full domain/root access

Oct 13

Top 15 Misconfigurations That Lead to Instant Server Pwn: Master Server Security Now

✨ Link for the full article in the first comment

Oct 17

Authenticated RCE in PhpMyAdmin via SQL File Write and Shell Upload

Misconfigurations in widely used tools like PhpMyAdmin can lead to critical vulnerabilities when overlooked. In this post, I demonstrate…

Sep 26

Puppy Writeup (HackTheBox Medium Machine)

As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

Sep 28

How a Simple SSTI Turned Into $1,000 and RCE

📌 Free Link

3d ago

See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Rules

Terms

Text to speech

HTB— Imagery Writeup

Recon & service discovery

Initial web interaction

XSS → Session cookie theft → Admin access

Create an account to read the full story.

Written by Amish kumar

Responses (1)

More from Amish kumar

Signed — HTB — Walkthrough

Gain initial access via MSSQL — obtain service credentials — forge a Kerberos Silver Ticket — and escalate to full domain/root access

DarkZero — HTB — Walkthrough

(MSSQL → RCE → Local PrivEsc → Kerberos Ticket Theft → Domain Compromise)

HTB HackNet Walkthrough

Compromising Chain: SSTI rendered by likes widget + IDOR → credential harvest → SSH as mikey → Django FileBasedCache RCE for sandy → exfil…

Hercules — HTB — Walkthrough

Hercules is an AD box designed to force Kerberos-first techniques. The chain covers: host/krb5 setup → username enumeration → LDAP-filter…

Recommended from Medium

Imagery HTB WriteUp: Season 9 Machine 2

This is not a proper walkthrough it is just a writeup or you can say some personal notes i made while solving the machine.

Signed — HTB — Walkthrough

Gain initial access via MSSQL — obtain service credentials — forge a Kerberos Silver Ticket — and escalate to full domain/root access

Top 15 Misconfigurations That Lead to Instant Server Pwn: Master Server Security Now

✨ Link for the full article in the first comment

Authenticated RCE in PhpMyAdmin via SQL File Write and Shell Upload

Misconfigurations in widely used tools like PhpMyAdmin can lead to critical vulnerabilities when overlooked. In this post, I demonstrate…

Puppy Writeup (HackTheBox Medium Machine)

As is common in real life pentests, you will start the Puppy box with credentials for the following account: levi.james / KingofAkron2025!

How a Simple SSTI Turned Into $1,000 and RCE

📌 Free Link