
Laach_

Surfer - THM

Machine Info

Difficulty: Easy🟩
Link: HERE
Avg time: 35 Minutes
OS: Linux

Description: Surf some internal webpages to find the flag!

Recon

INFO: We're told to go straight to the website, so no nmap scan is needed.

The website is just a login page with nothing interesting in the source code, so start with feroxbuster.

sudo feroxbuster -u 'http://10.114.163.12' -r -C 404 
200      GET        8l       63w      365c http://10.114.163.12/backup/chat.txt
200      GET      319l      837w     9266c http://10.114.163.12/assets/js/main.js
200      GET        6l       17w     1040c http://10.114.163.12/assets/img/logo.png
200      GET        8l       17w      840c http://10.114.163.12/assets/img/favicon.png
200      GET      173l      366w     3067c http://10.114.163.12/assets/vendor/simple-datatables/style.css
200      GET        7l       32w     1862c http://10.114.163.12/assets/img/apple-touch-icon.png
200      GET       85l      210w     2731c http://10.114.163.12/assets/vendor/php-email-form/validate.js
200      GET      952l     2306w    25273c http://10.114.163.12/assets/vendor/quill/quill.bubble.css
200      GET     1084l     2366w    21109c http://10.114.163.12/assets/css/style.css
200      GET      945l     2297w    24743c http://10.114.163.12/assets/vendor/quill/quill.snow.css
200      GET        7l     1031w    78129c http://10.114.163.12/assets/vendor/bootstrap/js/bootstrap.bundle.min.js
200      GET       12l      528w    37864c http://10.114.163.12/assets/vendor/simple-datatables/simple-datatables.js
200      GET        1l      133w    65758c http://10.114.163.12/assets/vendor/boxicons/css/boxicons.min.css
200      GET     1556l     7713w    73271c http://10.114.163.12/assets/vendor/bootstrap-icons/bootstrap-icons.css
200      GET        7l     2006w   163873c http://10.114.163.12/assets/vendor/bootstrap/css/bootstrap.min.css
200      GET     2317l    11522w   110438c http://10.114.163.12/assets/vendor/remixicon/remixicon.css
200      GET       13l     2708w   194890c http://10.114.163.12/assets/vendor/chart.js/chart.min.js
200      GET        8l     5631w   216333c http://10.114.163.12/assets/vendor/quill/quill.min.js
200      GET        9l     7014w   391863c http://10.114.163.12/assets/vendor/tinymce/tinymce.min.js
200      GET       45l    13299w  1012551c http://10.114.163.12/assets/vendor/echarts/echarts.min.js
200      GET       14l     6109w   488297c http://10.114.163.12/assets/vendor/apexcharts/apexcharts.min.js
200      GET     6135l    12251w   183063c http://10.114.163.12/assets/vendor/bootstrap-icons/
200      GET      113l      291w     4774c http://10.114.163.12/login.php

INFO: I got lucky and guessed the credentials on the first try, but feroxbuster is shown here as good practice.

Found backup/chat.txt, which contained a chat log.

Admin: I have finished setting up the new export2pdf tool.
Kate: Thanks, we will require daily system reports in pdf format.
Admin: Yes, I am updated about that.
Kate: Have you finished adding the internal server.
Admin: Yes, it should be serving flag from now.
Kate: Also Don't forget to change the creds, plz stop using your username as password.
Kate: Hello.. ?

This reveals the export2pdf functionality and admin credentials: admin:admin.

Exploiting SSRF

As this room is focused on SSRF, I'll briefly explain what SSRF is.

SSRF (Server-Side Request Forgery) tricks the server into making requests on your behalf. This way you can reach internal resources, such as localhost or internal network servers, that normally aren't accessible from the outside.

SSRF chart (image), where the unexpected destination is localhost or some server on the internal network. To learn about all kinds of web security, go to the PortSwigger Academy.

After logging in, there is a dashboard with some dummy data, but there are two important pieces of info under Recent Activity and Reports.

Recent Activity contains this entry:

Internal pages hosted at /internal/admin.php. It contains the system flag.

Trying to visit this URL directly returns

This page can only be accessed locally.

Reports has more interesting data about Hosting Server Information, such as OS, IP, or Hostname, and more. Under this data there is an Export to PDF option. After clicking it, the request goes to export2pdf.php; looking at it in Burp, this endpoint takes a url parameter.

url=http%3A%2F%2F127.0.0.1%2Fserver-info.php

It's URL-encoded; decoded, it reads

url=http://127.0.0.1/server-info.php

Changing this value to

url=http://127.0.0.1/internal/admin.php

and using Burp's right-click (RMB) -> Request in browser -> In current browser session.

Copy the URL, paste it into the browser, and there will be a beautiful response with the flag.

In this case the server fetched the provided URL and exported it to PDF, even for pages that are supposed to be internal only. That's how SSRF works.
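As an added example (not part of the original post or the room's own PHP), here is the server-side check that would have stopped this, written in Python: the weak pattern fetches whatever the url parameter says, the hardened pattern maps a report name to a fixed server-side allowlist, and a transitional check canonicalises a caller-supplied URL before an exact allowlist comparison. The endpoint behaviour and the single allowlisted URL come from the page; the function names, the report parameter and the allowlist itself are assumptions.

```python
import posixpath
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist (assumption): the only page the export feature legitimately
# renders, i.e. the url value seen in Burp. Keys are report names a client may ask for.
ALLOWED_REPORTS = {
    "server-info": "http://127.0.0.1/server-info.php",
}

def vulnerable_target(query: str) -> str:
    """Weak pattern: whatever the caller puts in 'url' is what the server fetches."""
    return parse_qs(query)["url"][0]

def hardened_target(query: str) -> Optional[str]:
    """Hardened pattern: the client names a report; the URL is chosen server-side."""
    report = parse_qs(query).get("report", [""])[0]
    return ALLOWED_REPORTS.get(report)

def _canonical(url: str) -> Optional[Tuple[str, str, int, str]]:
    """Normalise scheme/host/port/path so equivalent spellings compare equal."""
    parts = urlsplit(url)  # urlsplit lowercases scheme and hostname
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.query or parts.fragment:
        return None  # userinfo, query strings and fragments are never expected here
    try:
        port = parts.port
    except ValueError:  # non-numeric port
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    # normpath collapses "." and ".." segments, so /server-info.php/../x is compared as /x
    return (parts.scheme, parts.hostname, port, posixpath.normpath(parts.path or "/"))

_ALLOWED_CANONICAL = {_canonical(u) for u in ALLOWED_REPORTS.values()}

def legacy_url_is_allowed(url: str) -> bool:
    """Transitional check if the 'url' parameter must stay: exact canonical match only."""
    canon = _canonical(url)
    return canon is not None and canon in _ALLOWED_CANONICAL

if __name__ == "__main__":
    for q in ("url=http%3A%2F%2F127.0.0.1%2Fserver-info.php",
              "url=http://127.0.0.1/internal/admin.php"):
        u = vulnerable_target(q)
        print(f"{u!r}: vulnerable code fetches it; allowlist check = {legacy_url_is_allowed(u)}")
```

The legitimate request already points at 127.0.0.1, so a "block loopback" rule alone would break the feature; an exact allowlist is what separates server-info.php from internal/admin.php on the same host.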
