Surfer

https://tryhackme.com/room/surfer

We start by scanning the ports:

We see there are only two open ports on this box. Let's head to port 80.

If we try to log in with common credentials we get in easily, but to know for sure what the credentials are we can go to /backup/chat.txt (we got that URL from the nmap report).

Let's log in.

In the backup chat we read that there's an export2pdf tool, so let's play with it.

If we catch the request with Burp Suite we see this:

It looks like an SSRF vulnerability. If we forward the request, we obtain a PDF with the content of the server-info.php file.

Now we only have to find the file that contains our flag. If we take another look at the main page, we can see something that looks interesting:

Let's repeat the process with the /internal/admin.php URL and see what happens.

That's it. We got our flag.
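Seen from the defender's side, the export2pdf behaviour above (the server fetching server-info.php, and then /internal/admin.php, on request) is closed by validating the target before any fetch happens. The PHP sketch below is an added example, not code from the room or its application; the host name, the path allowlist and the function name are assumptions, since the page does not show the real request.

```php
<?php
declare(strict_types=1);

// Assumed values: the real request is not shown on the page, so the host
// and the list of exportable paths are placeholders for this example.
const EXPORT_ALLOWED_HOST  = 'localhost';
const EXPORT_ALLOWED_PATHS = ['/server-info.php'];

/**
 * Returns true only when $url points at a report the export feature is
 * meant to render. Everything else is rejected before any fetch happens.
 */
function is_exportable_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    // Only plain HTTP(S): rejects file:// and other non-web schemes.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // No credentials, alternate ports, query strings or fragments.
    foreach (['user', 'pass', 'port', 'query', 'fragment'] as $unexpected) {
        if (isset($parts[$unexpected])) {
            return false;
        }
    }
    if (strtolower($parts['host']) !== EXPORT_ALLOWED_HOST) {
        return false;
    }
    // Exact match on the raw path (no prefix checks, no decoding), so
    // "/internal/admin.php" and "/server-info.php/../internal/admin.php" fail.
    return in_array($parts['path'], EXPORT_ALLOWED_PATHS, true);
}

// Constructed sample inputs.
$samples = [
    'http://localhost/server-info.php',
    'http://localhost/internal/admin.php',
    'http://localhost/server-info.php/../internal/admin.php',
    'file:///etc/passwd',
];
foreach ($samples as $candidate) {
    printf("%-56s %s\n", $candidate, is_exportable_url($candidate) ? 'allow' : 'reject');
}
```

The code that performs the fetch should also refuse to follow redirects, and /internal/ pages should require authentication of their own rather than trusting that a request came from the local server.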
