TryHackMe | Surfer Walkthrough

Kh4l1509lu
3 min read · Oct 17, 2022


Enum:

We find two open ports, 22 and 80. We also find robots.txt and /backup/chat.txt.

Let's check login.php on the open port 80:

OK, we find a login page, but we don't have credentials for it. Let's check the other paths: robots.txt and /backup/chat.txt.

Hmm, a disallowed entry, but we find /backup/chat.txt. Let's check this:

We read the chat and find a lazy admin: the login page uses the default username and password admin : admin. Let's check this.

Finally we log in to the admin page and search it for any hints.

We find an export functionality in the web application. Its main function is to provide Hosting Server Information.

On clicking export to PDF:

This is interesting. We search for the system flag and find it at /internal/admin.php, so we click it:

Hmm, we failed to get the flag, but we find there is an SSRF vulnerability. To check it with Burp Suite, go back to the login page, turn on the FoxyProxy extension, click export to PDF again and intercept the POST request:

Remember, the flag is only shown on the local network. Let's try changing the URL to a local address, 127.0.0.1 or http://localhost/, with the path /internal/admin.php:

I navigated to that page using my browser after editing the request with Burp Suite:

And looking at the screenshot below, we get the flag:

We can now submit it and get the points. This is a classic SSRF, but in real-life scenarios you'll need to bypass some blacklist using techniques like IP address encoding and DNS rebinding attacks.
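Seen from the defender's side, the same point explains why string blacklists fail: the check has to be made on the resolved address, not on the text of the URL. The following is an added example, not part of the original walkthrough or the room's code; the function names and the idea that the export endpoint passes its URL through such a check are assumptions.

```python
# Added example: function names are assumptions, not the application's code.
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_host(host):
    """Default resolver: every address the OS returns for this name."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def literal_ip(host):
    """Return the host as a normalised IP string if it is a literal, else None."""
    try:
        # inet_aton parses IPv4 as the C library does, so decimal, hex, octal
        # and short forms are normalised rather than compared as strings.
        return socket.inet_ntoa(socket.inet_aton(host))
    except (OSError, ValueError):
        pass
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def check_export_url(url, resolver=resolve_host):
    """Return (allowed, detail): detail is the IP to pin, or the reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme or host not allowed"
    literal = literal_ip(parts.hostname)
    try:
        addrs = [literal] if literal else resolver(parts.hostname)
    except OSError:
        return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False, f"{addr} is not a public address"
    # Pin the connection to this address: resolving the name again at fetch
    # time would let the DNS answer change between check and use.
    return True, addrs[0]
```

The fetcher should apply the same check to every redirect target as well, since a permitted host can redirect to an internal one.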
