Tryhackme - Corridor


In this walkthrough, we will go through the Corridor room from Tryhackme. The room is rated Easy on the platform, and in it we will explore potential IDOR vulnerabilities by examining the URL endpoints to uncover website locations we are not expected to access. So, let’s get started without any delay.


Machine Info:

Title: Corridor
IP address: 10.10.71.178
Difficulty: Easy
Objective: You have found yourself in a strange corridor. Can you find your way back to where you came?

Task 1 – Escape the Corridor

Enumeration with Nmap:

  • I started with a regular nmap scan and found port 80 open.

wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.114.148
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-20 20:08 IST

Nmap scan report for 10.10.114.148
Host is up (0.28s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
53/tcp filtered domain
80/tcp open     http    Werkzeug httpd 2.0.3 (Python 3.10.2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.12 seconds


  • On port 80, we have an image of a corridor with a bunch of doors. Interesting!


Looking into the source code:

  • I clicked on one of the doors and it redirected me to a page with an image of an empty room. The URL has a pretty peculiar path. Seems like a hash to me.

http://10.10.114.148/c4ca4238a0b923820dcc509a6f75849b


  • I looked into the source code and found a number of them. These are associated with the images of doors on the main page.


  • Decrypted the MD5 hashes in the page source code and found the number each one corresponds to.

c4ca4238a0b923820dcc509a6f75849b - 1
c81e728d9d4c2f636f067f89cc14862c - 2
eccbc87e4b5ce2fe28308fd9f2a7baf3 - 3
a87ff679a2f3e71d9181a67b7542122c - 4
e4da3b7fbbce2345d7772b0674a318d5 - 5
1679091c5a880faf6fb5e6087eb1b2dc - 6
8f14e45fceea167a5a36dedd4bea2543 - 7
c9f0f895fb98ab9159f51fd0297e236d - 8
45c48cce2e2d7fbdea1afc51c7c6ad26 - 9
d3d9446802a44259755d38e6d163e820 - 10
6512bd43d9caa6e02c990b0a82652dca - 11
c20ad4d76fe97759aa27a0c99bff6710 - 12
c51ce410c124a10e0db5e4b97fc2af39 - 13


Getting the flag:

  • The numbers are sequential, starting from 1. I generated an MD5 hash of the number “0” and tried it on our target; it worked and I got the flag.

echo -n 0 | md5sum

cfcd208495d565ef66e7dff9f98764da
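
Why this worked, as an added example (not part of the original walkthrough or the room's code): the door paths are MD5 hashes of small sequential integers, so a small lookup table reverses them, and the fix is an unguessable token combined with a server-side access check on every request. The `RoomStore` class, its method names and the user names are assumptions made for illustration.

```python
import hashlib
import secrets

# Three of the door paths listed in the walkthrough above.
PAGE_PATHS = [
    "c4ca4238a0b923820dcc509a6f75849b",
    "c81e728d9d4c2f636f067f89cc14862c",
    "eccbc87e4b5ce2fe28308fd9f2a7baf3",
]

def md5_int_table(limit=1000):
    """Map md5(str(n)) -> n for 0..limit-1; a tiny table reverses such IDs."""
    return {hashlib.md5(str(n).encode()).hexdigest(): n for n in range(limit)}

def predictable_refs(paths, limit=1000):
    """Audit helper: return {path: n} for paths that are the MD5 of a small integer."""
    table = md5_int_table(limit)
    return {p: table[p] for p in paths if p in table}

class RoomStore:
    """Hardened model (assumed design): random tokens plus a per-object ACL."""

    def __init__(self):
        self._rooms = {}  # token -> (room name, set of users allowed to view it)

    def add_room(self, name, allowed_users):
        token = secrets.token_urlsafe(16)  # not derivable from a counter
        self._rooms[token] = (name, set(allowed_users))
        return token

    def get_room(self, token, user):
        entry = self._rooms.get(token)
        # Same result for "missing" and "forbidden" so existence is not leaked.
        if entry is None or user not in entry[1]:
            return None
        return entry[0]

if __name__ == "__main__":
    print(predictable_refs(PAGE_PATHS))      # every door path maps back to an integer
    store = RoomStore()
    hidden = store.add_room("room 0", {"admin"})  # constructed sample data
    print(store.get_room(hidden, "admin"))   # allowed user gets the room
    print(store.get_room(hidden, "guest"))   # valid token, wrong user: denied
```

The random token only removes guessability; the access check in `get_room` is what stops a user who learns a valid token from reading an object they are not entitled to.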


Question 1 – What is the flag?


Conclusion:


So that was “Corridor” for you. We first started with an nmap scan and found port 80 open. Next, we enumerated the webserver running on port 80 and found a background of a corridor with lots of doors. We checked the page source and found a bunch of MD5 hashes which represent the door numbers. We calculated the hash of door number 0 and tried it on the target URL, thus getting the flag and a tinder date with a Russian supermodel. On that note, I will take your leave and will meet you in the next one. Till then, “Happy hacking”.
