The exploit chain shows how a single XSS and missing HttpOnly flag can lead to complete server takeover, highlighting essential hardening steps for Flask applications.
The video walks through the Hack The Box "Imagery" machine, a Flask-based web application exposing a gallery, a login, and a bug-report form. The presenter begins with a standard port scan, finds HTTP on port 8000, and sees the service identify itself as Werkzeug on Python, which points to a Flask stack.

The key findings are a cross-site scripting flaw in the bug-report description field and a session cookie set without the HttpOnly flag. A crafted payload in the description exfiltrates document.cookie with a fetch request when an administrator views the report, which hands the attacker the admin's session cookie. The presenter decodes that cookie with the flask-unsign utility; a Flask session cookie is a signed, base64-encoded JSON blob, so its contents are readable without the secret key, and the stolen cookie can be replayed as-is to act as the admin. Note that HttpOnly would have stopped the cookie theft but not the XSS itself: script running in the admin's browser can still send authenticated requests on the admin's behalf, so output encoding of user-supplied content is the actual fix and HttpOnly is defence in depth.

Once admin, the presenter exploits a file-disclosure endpoint to download the application source, using curl with "--path-as-is" so that the "../" segments in the request path are sent verbatim rather than normalized away by the client. The retrieved "app.py" reveals how the secret key is generated, which matters because anyone able to reproduce that key can sign arbitrary session cookies. The presenter also shows how the client-side JavaScript reveals API routes that the UI never links to, such as /admin/delete_user and /api/upload, which become further attack vectors. One of these permits remote code execution, and from that foothold the presenter escalates to root.

The walkthrough underscores the importance of correct cookie flags, thorough output encoding of user-generated content, a secret key that is random and kept out of source, and the value of reading shipped client-side scripts for hidden endpoints. For defenders, it illustrates how seemingly minor misconfigurations in a Flask app can cascade into full system compromise, reinforcing the need for secure defaults and regular code audits.
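The cookie step above is worth seeing in code. The block below is an added example, not code from the video, the machine, or the flask-unsign project: it re-implements the Flask session cookie format (the itsdangerous URLSafeTimedSerializer as Flask configures it) with the standard library only, so it runs offline. It assumes the Flask 2.x / itsdangerous 2.x conventions: salt "cookie-session", HMAC-SHA1 with the "hmac" key-derivation scheme, and optional zlib compression flagged by a leading "." on the payload. The secret "s3cr3t" and the session contents in the usage block are constructed for the demonstration. `decode_session` takes no secret at all, which is the whole point: the signature protects integrity, not confidentiality.

```python
"""Flask session cookies: read without the key, sign and verify with it.

Format: <payload>.<timestamp>.<signature>, each part urlsafe-base64 without
padding. A payload that starts with "." was zlib-compressed first.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"  # fixed salt Flask passes to itsdangerous (assumption: Flask 2.x)


def _b64encode(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret: str) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC(secret, salt)
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def decode_session(cookie: str) -> dict:
    """Return the session contents. No secret is needed to read them."""
    body, _, _sig = cookie.rpartition(".")
    payload, _, _ts = body.rpartition(".")
    compressed = payload.startswith(".")
    raw = _b64decode(payload.lstrip(".").encode())
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def sign_session(secret: str, data: dict, timestamp: Optional[int] = None) -> str:
    """Produce a cookie the server would accept for `data` (needs the real key)."""
    body = json.dumps(data, separators=(",", ":")).encode()
    compressed = zlib.compress(body)
    if len(compressed) < len(body) - 1:  # same threshold itsdangerous uses
        payload = b"." + _b64encode(compressed)
    else:
        payload = _b64encode(body)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big")
    signed = payload + b"." + _b64encode(ts_bytes)
    sig = hmac.new(_derive_key(secret), signed, hashlib.sha1).digest()
    return (signed + b"." + _b64encode(sig)).decode()


def verify_session(secret: str, cookie: str) -> bool:
    """True only if the signature matches under `secret` (what the server checks)."""
    signed, _, sig = cookie.encode().rpartition(b".")
    expected = hmac.new(_derive_key(secret), signed, hashlib.sha1).digest()
    return hmac.compare_digest(_b64encode(expected), sig)


if __name__ == "__main__":
    # Constructed scenario: an admin session issued with a key the attacker does not know.
    stolen = sign_session("s3cr3t", {"user": "admin", "role": "admin"})
    print("stolen cookie:", stolen)
    print("decoded without the key:", decode_session(stolen))
    # Without the key, a modified cookie will not verify; with it, it will.
    forged = sign_session("guess", {"user": "admin", "role": "admin"})
    print("forged with wrong key accepted?", verify_session("s3cr3t", forged))
    print("stolen cookie accepted?", verify_session("s3cr3t", stolen))
```

With the real tool the same read is `flask-unsign --decode --cookie '<cookie>'`; the replay in the video needs no decoding at all, since a stolen cookie is already validly signed. Decoding is still useful to see what claims the server trusts, and signing with a recovered key is what turns a predictable secret into arbitrary session forgery.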