Machine Info
Difficulty: Easy🟩
Link: HERE
Avg time: 35 Minutes
OS: Linux
Description: Surf some internal webpages to find the flag!
Recon
INFO: We're told to go straight to the website, so no nmap scan is needed.
On the website there is just a login page, with nothing interesting in the source code, so feroxbuster first.
sudo feroxbuster -u 'http://10.114.163.12' -r -C 404
200 GET 8l 63w 365c http://10.114.163.12/backup/chat.txt
200 GET 319l 837w 9266c http://10.114.163.12/assets/js/main.js
200 GET 6l 17w 1040c http://10.114.163.12/assets/img/logo.png
200 GET 8l 17w 840c http://10.114.163.12/assets/img/favicon.png
200 GET 173l 366w 3067c http://10.114.163.12/assets/vendor/simple-datatables/style.css
200 GET 7l 32w 1862c http://10.114.163.12/assets/img/apple-touch-icon.png
200 GET 85l 210w 2731c http://10.114.163.12/assets/vendor/php-email-form/validate.js
200 GET 952l 2306w 25273c http://10.114.163.12/assets/vendor/quill/quill.bubble.css
200 GET 1084l 2366w 21109c http://10.114.163.12/assets/css/style.css
200 GET 945l 2297w 24743c http://10.114.163.12/assets/vendor/quill/quill.snow.css
200 GET 7l 1031w 78129c http://10.114.163.12/assets/vendor/bootstrap/js/bootstrap.bundle.min.js
200 GET 12l 528w 37864c http://10.114.163.12/assets/vendor/simple-datatables/simple-datatables.js
200 GET 1l 133w 65758c http://10.114.163.12/assets/vendor/boxicons/css/boxicons.min.css
200 GET 1556l 7713w 73271c http://10.114.163.12/assets/vendor/bootstrap-icons/bootstrap-icons.css
200 GET 7l 2006w 163873c http://10.114.163.12/assets/vendor/bootstrap/css/bootstrap.min.css
200 GET 2317l 11522w 110438c http://10.114.163.12/assets/vendor/remixicon/remixicon.css
200 GET 13l 2708w 194890c http://10.114.163.12/assets/vendor/chart.js/chart.min.js
200 GET 8l 5631w 216333c http://10.114.163.12/assets/vendor/quill/quill.min.js
200 GET 9l 7014w 391863c http://10.114.163.12/assets/vendor/tinymce/tinymce.min.js
200 GET 45l 13299w 1012551c http://10.114.163.12/assets/vendor/echarts/echarts.min.js
200 GET 14l 6109w 488297c http://10.114.163.12/assets/vendor/apexcharts/apexcharts.min.js
200 GET 6135l 12251w 183063c http://10.114.163.12/assets/vendor/bootstrap-icons/
200 GET 113l 291w 4774c http://10.114.163.12/login.php
INFO: I got lucky and guessed the credentials on the first try, but feroxbuster is shown here as good practice.
Found backup/chat.txt, which contained a chat log.
Admin: I have finished setting up the new export2pdf tool.
Kate: Thanks, we will require daily system reports in pdf format.
Admin: Yes, I am updated about that.
Kate: Have you finished adding the internal server.
Admin: Yes, it should be serving flag from now.
Kate: Also Don't forget to change the creds, plz stop using your username as password.
Kate: Hello.. ?
This reveals the export2pdf functionality and the admin credentials: admin:admin.
Exploiting SSRF
As this room is SSRF-focused, I'll briefly explain what SSRF is.
SSRF (Server-Side Request Forgery) tricks the server into making requests on your behalf to a destination it did not expect, typically localhost or a server on the internal network. This way you can reach internal resources that normally aren't accessible from the outside. To learn about all kinds of web security, go to the PortSwigger Academy.
After logging in there is a dashboard with some dummy data but there are two important pieces of info in Recent Activity and Reports.
Recent Activity contains this note:
Internal pages hosted at /internal/admin.php. It contains the system flag.
Visiting this URL directly returns
This page can only be accessed locally.
Reports has more interesting data about the hosting server, such as OS, IP, hostname and more. Under this data there is an Export to PDF option. After clicking it, the request goes to export2pdf.php; looking at it in Burp, this endpoint takes a url parameter.
url=http%3A%2F%2F127.0.0.1%2Fserver-info.php
It's URL-encoded; decoded, it reads
url=http://127.0.0.1/server-info.php
Changing this value to
url=http://127.0.0.1/internal/admin.php
and using Burp's right-click menu -> Request in browser -> In current browser session

Copy the URL, paste it into the browser, and the response contains the flag.
In this case the server fetched whatever URL it was given and exported it to PDF, including pages that are supposed to be reachable only locally. That's how SSRF works.
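The root cause here is that export2pdf.php accepts a full URL from the client. As an added example (not the room's code; the report ids, host allowlist and resolver are hypothetical), this shows the two defensive patterns that close this hole: let the client choose a report id that is mapped to a fixed URL server-side, and, where a URL must be accepted, check the scheme, an explicit host allowlist, and that the host resolves only to public addresses rather than loopback or internal ranges.

```python
"""Hardening an export-to-PDF 'url' parameter against SSRF.
Added example, not the room's code; REPORTS and the allowlist are hypothetical."""
import ipaddress
import socket
from urllib.parse import urlparse

# Server-side mapping: the client sends a report id, never a URL (hypothetical).
REPORTS = {
    "server-info": "http://127.0.0.1/server-info.php",
}


def resolve_report(report_id):
    """Return the fixed URL for a known report id, or None for anything else."""
    return REPORTS.get(report_id)


def _default_resolver(host):
    """Resolve a hostname to the set of addresses it currently points at."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url, allowed_hosts, resolver=_default_resolver):
    """Accept only http(s) URLs whose host is allowlisted AND resolves solely to
    globally routable addresses; loopback, RFC 1918, link-local and ::1 are
    rejected. The resolver is injectable so the check can run offline."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname
    if not host or host.lower() not in allowed_hosts:
        return False
    try:
        addrs = resolver(host)
    except OSError:
        return False
    if not addrs:
        return False
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:  # scoped or otherwise unparseable address
            return False
        if not ip.is_global:
            return False
    return True
```

Because DNS can change between the check and the fetch, the address check is strongest when applied to the socket actually opened by the PDF renderer, not only to a pre-check.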