Surfer TryHackMe walkthrough


Musyoka Ian
5 min readOct 14, 2022

Hello guys back again with another walkthrough this time we are going to be tackling surfer from tryhackme which teaches about server side request forgeries or commonly known as SSRF. We are going to utilize this attack to gain access to internal infrastructure of the system and retrieve the flag. We are going to use ffuf as the main tool for fuzzing. Without much say let’s jump in

As always we are going to start with an nmap scan of the box and looking at the result below we see that only two ports are open:

  1. SSH (secure shell) used to access the server but requires valid credentials
  2. HTTP (Probably a web application running)

Given we don’t have valid credentials i started by enumerating port 80. Through the hint given on the tryhackme page its also seen as the approach we should take to get the flag for this specific challenge

On opening the website we get a standard web application that has a login page. But if you remember the nmap scan it gave us some really important information like

  1. Server is running PHP though the PHPSESSID leaked
  2. There was robots.txt present.

The robots.txt sometimes gives useful information that can be used when attaching a web application since sometimes it reveals hidden paths.

Looking at robts.txt we get one hidden path


Navigating to that path we get a conversation between two users

  1. Admin
  2. Kate

And through the conversations we can notice that kate is telling admin to change his password which is the same as his username. This makes us believe that probably the login credentials for the login portal might be


Going back the login portal

Then trying this credentials we see that they work!. Sweet we are authenticated to the web application

We get an export functionality that the web application has. The main function is to provide Hosting Server Information.

On clicking export to PDF

We get a PDF with some information

This makes us believe that the web application is vulnerable to a Server Side request forgery since we are able to specify an internal IP address and still fetch the contents. But we are trying to get the flag. Given we don’t know where exactly the flag is we resort to fuzzing. Fuzzing is an automated software testing method that injects invalid, malformed, or unexpected inputs into a system to reveal software defects and vulnerabilities. In our case we are going to be using a tool called ffuf which is a fast web fuzzer written in Go that allows typical directory discovery, virtual host discovery (without DNS records) and GET and POST parameter fuzzing. To configure ffuf we need to understand how the request are being sent to the backed. So i intercepted a single request used for exporting to PDF

We can see that it sends data using a HTTP POST method with a parameter called URL

We’ll specify this parameters when running ffuf. The command i used to start the fuzzing was

ffuf -u -d "url=" -H "Content-Type: application/x-www-form-urlencoded" -H "Cookie: PHPSESSID=2905206e024706693b9b970155055af4" -w ~/Desktop/git/SecLists/Discovery/Web-Content/raf
t-small-words.txt -e .txt,.php -fw 354

-u specifies the HOST url
-d specifies the POST parameters to use
-H represent the headers to use while running the requests
-w specifies the wordlists to use
-e specifies the extensions to include
-fw specifies the number of words to use as a filter

After running the fuzzer for a while i got a directory /internal/

I decided to run a second fuzzer on that specific endpoint using the command

ffuf -u -d "url=" -H "Content-Type: application/x-www-form-urlencoded" -H "Cookie: PHPSESSID=2905206e024706693b9b970155055af4" -w ~/Desktop/git/SecLists/Discovery/Web-Co
ntent/raft-small-words.txt -e .txt,.php -fw 354

And looking at the screenshot below i got a page called admin.php

I navigated to that page using my browser after editing the request with burpsuite

And looking at the screenshot below we get the flag

We can now submit it and get the points. This is a classic SSRF buit in real life scenarios you’ll need to bypass some blacklist using techniques like IP Address encoding and DNS rebinding attacks.

I hope you liked the walkthrough if so clap for me down below and follow me so that you won’t miss any upcoming walkthroughs