TryHackMe Surfer Writeup

Hiteshverma
Jul 8, 2024


As the information states, there is a web app running, so doing nmap is a waste of time. Let’s jump directly to port 80.

So there is a login page. Whenever I visit any website, I first check two paths:

/robots.txt and /sitemap.xml

Because if they exist, they always lead to some path.

I got a /backup/chat.txt file. It says to stop using the username as the password, which means the username and password are the same, and that makes it easy for us to brute-force the login page.

I tried admin : admin and it was successful.

Recent activity says: Internal pages hosted at /internal/admin.php. It contains the system flag, so we have to access it.

The word “locally” points us slightly towards SSRF, as we can make an internal connection to localhost (127.0.0.1) via SSRF.

On clicking “export to pdf”, it downloads a file which may be coming from a third-party website, so I intercepted the “export to pdf” request using Burp Suite.

I changed the URL and tried to access /internal/admin.php.

After forwarding, I got the flag, yay!!!

If you wonder how I learnt about it, I followed

https://portswigger.net/web-security/learning-paths/ssrf-attacks

Thanks for reading. Please do follow, clap and comment if there is any doubt.
