A challenge from tryhackme.com with the introduction:
Woah, check out this radical app! Isn’t it narly dude? We’ve been surfing through some webpages and we want to get you on board too! They said this application has some functionality that is only available for internal usage — but if you catch the right wave, you can probably find the sweet stuff!
From the introduction it’s obvious that the whole challenge revolves around a web server.
But to be sure we don’t miss any ports or information, it’s a good idea to run a port scan.
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/backup/chat.txt
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: 24X7 System+
|_Requested resource was /login.php
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
From the scan we can see there is a robots.txt file whose single disallowed entry, /backup/chat.txt, has some interesting content.
Admin: I have finished setting up the new export2pdf tool.
Kate: Thanks, we will require daily system reports in pdf format.
Admin: Yes, I am updated about that.
Kate: Have you finished adding the internal server.
Admin: Yes, it should be serving flag from now.
Kate: Also Don't forget to change the creds, plz stop using your username as password.
Kate: Hello.. ?
That’s a nice clue on how to continue.
After successfully logging in, we can see there is an activity entry telling us the flag is in /internal/admin.php. But when trying to visit that page there is an error.
This page can only be accessed locally.
On the main page there is a function to export a report as PDF.
Looking at the page source, we can see that the export takes its input from a local resource.
Let’s try to change this value.
Press the export button and voilà.
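
Why the export gets through, as an added example that is not part of the original write-up or the challenge's code: a small Python model of a loopback-only page and a PDF exporter that fetches a client-supplied URL from the server itself, next to a hardened exporter that accepts only a report key. The form field names `url` and `report`, the path /reports/system.php and the page bodies are assumptions; only /internal/admin.php and the error text come from the page.

```python
from urllib.parse import urlsplit

LOOPBACK = "127.0.0.1"

# Constructed stand-ins for the app's pages. /internal/admin.php is from the
# write-up; /reports/system.php and the returned bodies are assumptions.
def internal_admin(client_ip):
    # The page's only guard: trust any request that arrives from loopback.
    if client_ip != LOOPBACK:
        return "This page can only be accessed locally."
    return "<internal admin content>"

def system_report(client_ip):
    return "<daily system report>"

ROUTES = {
    "/internal/admin.php": internal_admin,
    "/reports/system.php": system_report,
}

def fetch(url, client_ip):
    """Simulated HTTP GET: dispatch on the path, pass the requester's source IP."""
    handler = ROUTES.get(urlsplit(url).path)
    return handler(client_ip) if handler else "404 Not Found"

def export_vulnerable(form):
    # The URL to render comes from a client-editable form field (hypothetical
    # name "url"). The server makes the request itself, so the target page
    # sees loopback as the source and its "local only" check passes.
    return fetch(form["url"], client_ip=LOOPBACK)

# Hardened: the client names a report by key; URLs exist only on the server.
REPORTS = {"system": "http://127.0.0.1/reports/system.php"}

def export_hardened(form):
    url = REPORTS.get(form.get("report", ""))
    if url is None:
        raise ValueError("unknown report")
    return fetch(url, client_ip=LOOPBACK)
```

The source-address check on the internal page is not wrong by itself; it stops being a boundary once any code on the same host fetches URLs on a user's behalf, so the fix belongs in the exporter.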