Surfer
Introduction
A challenge from tryhackme.com with the introduction:
Woah, check out this radical app! Isn’t it narly dude? We’ve been surfing through some webpages and we want to get you on board too! They said this application has some functionality that is only available for internal usage — but if you catch the right wave, you can probably find the sweet stuff!
Enumeration
From the introduction it's obvious that the whole challenge revolves around a web server.
But to be sure we don't miss other ports or information, it's a good idea to run a port scan.
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/backup/chat.txt
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: 24X7 System+
|_Requested resource was /login.php
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Recon
From the scan we can see that there is a robots.txt file disallowing /backup/chat.txt, which turns out to have some interesting content.
Admin: I have finished setting up the new export2pdf tool.
Kate: Thanks, we will require daily system reports in pdf format.
Admin: Yes, I am updated about that.
Kate: Have you finished adding the internal server.
Admin: Yes, it should be serving flag from now.
Kate: Also Don't forget to change the creds, plz stop using your username as password.
Kate: Hello.. ?
That’s a nice clue on how to continue.


After successfully logging in, we can see an activity entry telling us the flag is in /internal/admin.php. But when we try to visit that page, there is an error:
This page can only be accessed locally.
On the main page there is a function to export a report as a PDF.
Looking at the page source, we can see that the export form submits the address of a local resource, which the server then fetches to build the PDF.

Exploitation
Let’s try to change this value.

Press the export button, and voila:

The flag.
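Mitigation
The root cause is that the exporter fetches whatever address the client hands it, and the internal page trusts any request that arrives from the local host. The proper fix is for the exporter not to accept a URL at all; where it must, the fetch target should be validated server-side. The check below is an added example, not code from the challenge: the allowlisted report path is a constructed placeholder, and the resolver can be swapped for a stub so the logic runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the one page the exporter was built to render, as
# (host, port, path). The real report path is unknown, so it is a placeholder.
ALLOWED_TARGETS = {("127.0.0.1", 80, "/server_report.php")}

def resolve_host(host):
    """Look up every address a hostname resolves to (default DNS resolver)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()

def is_internal(addr):
    """True for loopback, RFC 1918, link-local and other non-public addresses."""
    return not ipaddress.ip_address(addr).is_global

def check_export_target(url, resolve=resolve_host):
    """Decide whether the PDF exporter may fetch `url`; returns (allowed, reason).

    Runs on the server before the fetch, so a client-supplied value pointing
    at /internal/admin.php is refused even though the exporter itself is local.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if host is None:
        return False, "no host"
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
    except ValueError:
        return False, "bad port"
    # Gate 1: the exporter only ever renders its own report page.
    if (host, port, parsed.path) in ALLOWED_TARGETS:
        return True, "allowlisted"
    # Gate 2: anything else must resolve exclusively to public addresses.
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP, no DNS needed
    except ValueError:
        addrs = resolve(host)                       # hostname: resolve it
    if not addrs:
        return False, "unresolvable"
    if any(is_internal(a) for a in addrs):
        return False, "resolves to internal address"
    # The fetcher should connect to one of `addrs` directly and must not follow
    # redirects, otherwise this decision can be undone after it is made.
    return True, "public"
```

Note that the "This page can only be accessed locally" check on the admin page is no defence by itself, since any server-side fetcher satisfies it; the restriction belongs in the component that makes the request.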