Woah, check out this radical app! Isn't it gnarly dude? We've been surfing through some webpages and we want to get you on board too! They said this application has some functionality that is only available for internal usage -- but if you catch the right wave, you can probably find the sweet stuff!

SSRF (server-side request forgery) is an attack where you abuse one application to interact with one you couldn’t otherwise access.

The credentials admin:admin are enough to get past the login page.

The most interesting part of our dashboard is a big “Export to PDF” button that redirects us to /export2pdf.php.

The “Recent activity” section hints at /internal/admin.php being the page we want to access.

By clicking this button and intercepting the request with Burp, we can see that the page redirects us to /export2pdf.php with the body url=http://127.0.0.1/server-info.php, so the server itself fetches whatever URL the request supplies.

This is also apparent if we look at the HTML.

All we need to do is intercept the request and replace /server-info.php with /internal/admin.php.
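
From the defender's side, the export endpoint should never fetch a client-supplied URL as-is. The sketch below is an added example, not part of the original write-up or the application's code: it checks the url body parameter against an exact allowlist and rebuilds the URL before fetching. The function name resolve_export_url and the assumption that server-info.php is the only legitimate target are hypothetical.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption: server-info.php is the only page the export feature needs.
ALLOWED_TARGETS = {("http", "127.0.0.1", 80, "/server-info.php")}
DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve_export_url(raw: str) -> Optional[str]:
    """Return the canonical URL to fetch, or None if raw is not allowlisted."""
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # Credentials, query strings and fragments are never needed here and
    # are a common source of disagreement between URL parsers.
    if parts.username is not None or parts.password is not None:
        return None
    if parts.query or parts.fragment:
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    # Exact comparison, no normalisation: any extra segment or encoding in
    # the path simply fails to match.
    if (scheme, host, port, parts.path) not in ALLOWED_TARGETS:
        return None
    # Rebuild from the validated pieces so the fetcher never sees raw input.
    return f"{scheme}://{host}:{port}{parts.path}"


if __name__ == "__main__":
    for body_url in (
        "http://127.0.0.1/server-info.php",     # value sent by the button
        "http://127.0.0.1/internal/admin.php",  # value after tampering
    ):
        print(body_url, "->", resolve_export_url(body_url))
```

A stronger design drops the url parameter entirely and has the server choose the page to render from a fixed report identifier.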