Post

Extract

Extract

πŸš€ I think this is my second hard challenge. It was a good challenge for me.

πŸ” As usual, I started with an nmap scan: Pasted image 20260619185446.png This is the only open port: Pasted image 20260619185604.png

πŸ’‘ I checked the source code while Feroxbuster was running: Pasted image 20260619185841.png

Pasted image 20260619190009.png

πŸ•΅οΈ As you can see, it sends a GET request to this URL with a PDF file:

1
http://10.81.170.31/preview.php?url=http://cvssm1/pdf/dummy.pdf

πŸ’» I checked what kind of filters were in place and if we could access other URLs: Pasted image 20260619190518.png I started a Python HTTP server on my local machine and checked. It turned out it sends a GET request to any URL: Pasted image 20260619190615.png

πŸ“Œ I put that aside for a moment. Pasted image 20260619190649.png As you can see, there is a management system: Pasted image 20260619191246.png We cannot access it directly, so let’s try requesting it via the preview URL:

1
http://10.81.170.31/preview.php?url=http://10.81.170.31/management/

πŸ”‘ It fails directly, but if we change the target host to localhost (127.0.0.1), we can access it because the application makes the request from its own IP address:

1
http://10.81.170.31/preview.php?url=http://127.0.0.1/management/

Pasted image 20260619191657.png

This post is licensed under CC BY 4.0 by the author.