Surfer
SSRF Exploitation
Writeup
Only 2 ports was open -
HTTP
andSSH
Disallowed Entry:
/backup/chat.txt
Admin: I have finished setting up the new export2pdf tool.
Kate: Thanks, we will require daily system reports in pdf format.
Admin: Yes, I am updated about that.
Kate: Have you finished adding the internal server.
Admin: Yes, it should be serving flag from now.
Kate: Also Don't forget to change the creds, plz stop using your username as password.
Kate: Hello.. ?
Which confirms the credentials to be
admin:admin
Logging in, we find an
export2pdf
functionalityNoticed in Burp, fetches contents from an
internal server
Bruteforcing directory
/internal
->/admin.php
Visiting that, it says
This page can only be accessed locally
Modifying the POST data via Burp from
url=http://127.0.0.1/service-info.php
tourl=http://127.0.0.1/internal/admin.php
Gives us the flag !
Last updated