TryHackMe CTF
Hello guys,
This is my first CTF writeup so please let me know how I can improve the writeups in the future. You can contact me through the contact us page any time.
So, let's jump right in.
The room description mentions a website, so instinctively I tried to access it through the browser. Lucky enough, it loads a web page with a login form.
As the first task, I inspected the page source with the browser's "Inspect" option to see if there were any hints left in HTML comments, but I couldn't find anything.
Then, I tried some manual SQL injection payloads against the login form to see if I could get through, but I was unable to.
Then I ran an nmap scan on the target to see what ports are open, and it revealed that ports 22 and 80 are open. It also flagged a "robots.txt" file that might contain some interesting data.
After visiting robots.txt, I found a path to a hidden text file, "/backup/chat.txt".
By visiting the hidden file, I found out that it contains a chat between a user called "Admin" and "Kate". In this chat, "Kate" mentions that "Admin" should stop using the username as the password.
From this I guessed that the username and the password should be the same, and it should be either "Admin" or "admin".
Using these credentials, I was able to log in to the target system and access the dashboard. Sweet!!
When looking around the dashboard, I noticed in the top left corner in "Recent Activity", there is a mention about the location of the system flag.
Internal pages hosted at /internal/admin.php. It contains the system flag.
Well, this must be it, but that page is not accessible directly through the browser. I also noticed an "Export to PDF" button at the bottom of the page. When inspecting the element with the browser's "Inspect" tool, I saw that the button click actually submits a form, and that form contains a hidden input field with a URL as its value.
From this, I realised that the value of the hidden input field is the page the server fetches to generate the PDF. This is susceptible to SSRF (Server Side Request Forgery): the server fetches whatever URL is in that field, so I can pass a value of my choice and have the backend request it on my behalf.
Because the entry in "Recent Activity" reveals the location of the system flag, I should be able to exploit this vulnerability by passing that path in the hidden field to retrieve the system flag.
I used Burp Suite to capture the request and change the value of the URL parameter to point at the internal page.
The system then generates the PDF file containing the system flag.
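To make the weakness concrete, here is an added toy model of the "Export to PDF" feature. It is not the challenge's code: the resource map, the flag value and every function name are constructed for this example; the only thing taken from the write-up is the /internal/admin.php path. It models the server-side fetch that the hidden URL field controls, shows how a swapped value reaches a page the browser cannot, and contrasts it with a version that only renders pages from a fixed allowlist.

```python
"""Toy model of the "Export to PDF" SSRF described in the write-up.

Constructed example: no real HTTP or PDF rendering happens. The backend's
fetch is simulated with a dictionary of pages that only the server can reach.
"""
from urllib.parse import urlsplit

# Constructed stand-in for what the web server can reach locally. The
# internal page is not routable from the browser but is reachable from the
# server itself, which is exactly what SSRF abuses.
INTERNAL_RESOURCES = {
    "/dashboard.php": "<h1>Dashboard</h1><p>Recent activity ...</p>",
    "/internal/admin.php": "<p>flag{constructed-example-flag}</p>",
}

# The only page the export feature legitimately needs to render.
EXPORTABLE_PAGES = {"/dashboard.php"}


def server_side_fetch(path):
    """Stand-in for the backend fetching the URL it was handed."""
    if path not in INTERNAL_RESOURCES:
        raise FileNotFoundError(path)
    return INTERNAL_RESOURCES[path]


def export_pdf_vulnerable(form):
    """Renders whatever the hidden 'url' field names.

    Any value the client supplies, including a path to an internal page or a
    full URL pointing back at localhost, is fetched server-side.
    """
    path = urlsplit(form["url"]).path or "/"
    return server_side_fetch(path)


def export_pdf_hardened(form):
    """Same feature, but the client value only selects from an allowlist.

    Absolute URLs are refused outright, and the path must be one the feature
    is meant to export, so the backend never fetches an attacker-chosen target.
    """
    parts = urlsplit(form["url"])
    if parts.scheme or parts.netloc:
        raise ValueError("absolute URLs are not accepted")
    if parts.path not in EXPORTABLE_PAGES:
        raise ValueError("page is not exportable: %s" % parts.path)
    return server_side_fetch(parts.path)


def hardened_rejects(url):
    """True if the hardened handler refuses to render the given value."""
    try:
        export_pdf_hardened({"url": url})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed form bodies: the original hidden value, then the value
    # swapped in an intercepting proxy to point at the internal page.
    legit = {"url": "/dashboard.php"}
    tampered = {"url": "http://localhost/internal/admin.php"}
    print("vulnerable, legit:   ", export_pdf_vulnerable(legit))
    print("vulnerable, tampered:", export_pdf_vulnerable(tampered))
    print("hardened, legit:     ", export_pdf_hardened(legit))
    print("hardened, tampered:  ", hardened_rejects(tampered["url"]))
```

The hardened version deliberately uses an allowlist of page names rather than a blocklist of words like "internal": a blocklist is bypassed by URL encoding, alternate hosts or redirects, while an allowlist means the client never controls the fetched location at all.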
I hope you liked the writeup and enjoyed exploiting the SSRF vulnerability. BIG thanks to TryHackMe and the creators of the
"Surfer CTF" challenge. Let's meet again in another writeup in the future.
Happy Hacking..! :)