# PLATFORM . THM# CTF NAME .# DESCRIPTION .# DIFFICULTY .# CTF LINK .sudo nmap -p- IP -T5 -vvPORT STATE SERVICE REASON22/tcp open ssh syn-ack ttl 6380/tcp open http syn-ack ttl 625000/tcp open upnp syn-ack ttl 62-
After some poking around the webpage at port 80, I decided to look at port 5000.
-
It wasn’t of much help, so I’ve decided to bruteforce for endpoints.
-
It turns out, the
/adminpage is available on port 5000 but it can be accessed only internally. -
I tried accessing it from Burp and Curl via the X-Forwarded-For parameter but I wasn’t successful so I started digging more.
-
I came across this iframe documentation showcasing accessing another page so I tried replicating
<iframe src="http://127.0.0.1:5000/admin" height=1000 width=1000></iframe>- the flag is written in the PDF.