# Plant Photographer

* I enumerated the website and found a Download Resume button on the homepage.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FnnjqblFLBHfvMBUWNT3W%2Fimage.png?alt=media&#x26;token=7b4402a2-f1c7-45ba-bdc8-56c56277c410" alt=""><figcaption></figcaption></figure>

* I viewed the source code of the website.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2F1lUmr4vIdrAa2eFcef8X%2Fimage.png?alt=media&#x26;token=6e6c575a-676a-49aa-8964-c95232fafcd5" alt=""><figcaption></figcaption></figure>

* The Download Resume button called a `/download` API endpoint that fetches the file server-side from a supplied location. A server that fetches whatever target it is handed is the classic setup for SSRF: I could make it issue requests to hosts and ports of my choosing.
* I first tried pointing the endpoint at a script hosted on my own machine, but that did not work. I then tinkered with the endpoint's parameters to trigger error messages and learn more about the backend infrastructure.
* While I was conducting manual enumeration, Gobuster was running a directory scan on the target. It found the following paths.

```
/admin
/console
/download
```

* The admin page gave the following error.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FseBEnFAMZ1eCTqZ68ZvT%2Fimage.png?alt=media&#x26;token=0ebc1403-5d2c-41a0-b8b9-937936e8af78" alt=""><figcaption></figcaption></figure>

* The console page was locked behind a PIN.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2Fik2Iuq7BETHsFIQwAfCw%2Fimage.png?alt=media&#x26;token=7d484cee-6614-4f0a-a5c1-657a050092cd" alt=""><figcaption></figcaption></figure>

* I viewed its page source and found the following.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2FaIbRfYTf99m2xnWQjlts%2Fimage.png?alt=media&#x26;token=e792d100-67d9-400b-bbdf-21accf67849f" alt=""><figcaption></figcaption></figure>

* I did not understand its significance at the time or whether it could be of any use to me, but I took note of it.
* Next I kept working the `/download` endpoint and triggered a pycurl error by changing the port in the target URL to an invalid value.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2F2paBGjxvd8sHYgkXJV9K%2Fimage.png?alt=media&#x26;token=ab304ce4-c863-4bf3-99ea-a941655cbe33" alt=""><figcaption></figcaption></figure>

* This revealed that the backend was Python's Flask framework, running with the Werkzeug debugger enabled (the PIN-protected `/console` found earlier is the Werkzeug debugger console). The debugger renders an interactive traceback page that exposes application source and the local variables of each frame, and looking through those errors I found the following.

<figure><img src="https://697415701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FGOxHHc65JQOToz8nkPKh%2Fuploads%2Fo9Ld1YM3Kt4the05oH8Z%2Fimage.png?alt=media&#x26;token=d5e2385e-1ee7-4599-8b14-c90b0da07550" alt=""><figcaption></figcaption></figure>

* The API key was left in the open in that traceback, and with it the first flag. This was easy.
* The next objective was to gain access to the admin portal.
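As an added example, not the challenge's own code, here is the check that would have closed both avenues used above: the SSRF probing of `/download` and the pycurl error triggered by an invalid port. It is a target validator for a Flask-style download handler that fetches a URL with pycurl. It assumes the handler receives the target as a URL string and that the resume is only ever served from one or two static hosts over HTTPS; the hostnames, addresses and DNS table are constructed for the example.

```python
"""Target validation for a server-side fetch endpoint (added example).

Constructed assumptions: the resume is only ever served from a fixed set
of static hosts over HTTPS, and the handler receives the target as a URL
string. Nothing here is the challenge's own code.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only origins the resume legitimately comes from.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"static.example.org", "files.example.org"}
ALLOWED_PORTS = {443}

# Constructed DNS table so the example runs offline. A deployment would use
# resolve_live() instead; the second entry models an allowlisted name whose
# records also include a loopback address (split-record / rebinding trick).
FAKE_DNS = {
    "static.example.org": ["93.184.216.34"],
    "files.example.org": ["93.184.216.34", "127.0.0.1"],
}


def resolve_fake(host):
    """Offline resolver backed by the constructed table above."""
    return list(FAKE_DNS.get(host.lower(), []))


def resolve_live(host):
    """Every A/AAAA record for host; for real use, not for the offline demo."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text):
    """True only for globally routable unicast addresses.

    is_global already rejects RFC 1918, loopback, link-local (including
    169.254.169.254, the cloud metadata address), reserved and
    documentation ranges; multicast is excluded explicitly because
    is_global does not rule it out for IPv4.
    """
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast


def check_download_target(url, resolver=resolve_fake):
    """Return (ok, reason) for a requested fetch target.

    Each layer closes one SSRF avenue: scheme (file://, gopher://),
    embedded credentials (https://allowed@evil/), host allowlist, port
    (internal services listening elsewhere), and finally the resolved
    addresses, so an allowlisted name cannot point back at 127.0.0.1 or
    the internal network.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname  # already lowercased by urlsplit
    if host is None or host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        # .port raises ValueError for non-numeric or out-of-range ports;
        # catching it here keeps the junk from ever reaching pycurl.
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443  # scheme default; an explicit ":0" must not count as unset
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    addrs = resolver(host)
    if not addrs:
        return False, f"{host} did not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in [
        "https://static.example.org/resume.pdf",
        "http://static.example.org/resume.pdf",
        "https://static.example.org:8080/resume.pdf",
        "https://static.example.org:abc/resume.pdf",
        "file:///etc/passwd",
        "https://static.example.org@10.0.0.5/",
        "https://files.example.org/resume.pdf",
    ]:
        print(candidate, "->", check_download_target(candidate))
```

The validator only decides whether a fetch may proceed; the fetch itself should connect to the address that was checked rather than resolving the name a second time, otherwise a rebinding host can pass the check and then resolve to an internal address. With pycurl that means pinning the checked address via the `RESOLVE` option. Separately, none of this matters if the debugger is left on: the traceback that leaked the API key comes from running the app in debug mode, which should never be enabled on a reachable host.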
