Surfer

SSRF Exploitation

Writeup

  • Only 2 ports was open - HTTP and SSH

  • Disallowed Entry: /backup/chat.txt

Admin: I have finished setting up the new export2pdf tool.
Kate: Thanks, we will require daily system reports in pdf format.
Admin: Yes, I am updated about that.
Kate: Have you finished adding the internal server.
Admin: Yes, it should be serving flag from now.
Kate: Also Don't forget to change the creds, plz stop using your username as password.
Kate: Hello.. ?

  • Which confirms the credentials to be admin:admin

  • Logging in, we find an export2pdf functionality

  • Noticed in Burp, fetches contents from an internal server

  • Bruteforcing directory /internal -> /admin.php

  • Visiting that, it says This page can only be accessed locally

  • Modifying the POST data via Burp from url=http://127.0.0.1/service-info.php to url=http://127.0.0.1/internal/admin.php

  • Gives us the flag !

PreviousVulnnet - The End GameNextCorridor

Last updated