Extract
Extract
π I think this is my second hard challenge. It was a good challenge for me.
π As usual, I started with an nmap scan:
This is the only open port: 
π‘ I checked the source code while Feroxbuster was running: 
π΅οΈ As you can see, it sends a GET request to this URL with a PDF file:
1
http://10.81.170.31/preview.php?url=http://cvssm1/pdf/dummy.pdf
π» I checked what kind of filters were in place and if we could access other URLs:
I started a Python HTTP server on my local machine and checked. It turned out it sends a GET request to any URL: 
π I put that aside for a moment.
As you can see, there is a management system:
We cannot access it directly, so letβs try requesting it via the preview URL:
1
http://10.81.170.31/preview.php?url=http://10.81.170.31/management/
π It fails directly, but if we change the target host to localhost (127.0.0.1), we can access it because the application makes the request from its own IP address:
1
http://10.81.170.31/preview.php?url=http://127.0.0.1/management/

