In this walkthrough, we will be going through the Corridor room from TryHackMe. This room is rated Easy on the platform. In it, we will explore potential IDOR vulnerabilities by examining the URL endpoints to uncover website locations we are not expected to access. So, let’s get started without any delay.

Machine Info:
Title | Corridor |
IP address | 10.10.71.178 |
Difficulty | Easy |
Objective | You have found yourself in a strange corridor. Can you find your way back to where you came? |
Task 1 – Escape the Corridor
Enumeration with Nmap:
- I started with a regular nmap scan and found port 80 open.

```
wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.114.148
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-20 20:08 IST
Nmap scan report for 10.10.114.148
Host is up (0.28s latency).
Not shown: 998 closed ports
PORT   STATE    SERVICE VERSION
53/tcp filtered domain
80/tcp open     http    Werkzeug httpd 2.0.3 (Python 3.10.2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.12 seconds
```

- On port 80, we have an image of a corridor with a bunch of doors. Interesting!

Looking into the source code:
- I clicked on one of the doors and it redirected me to a page with an image of an empty room. The URL has a pretty peculiar path. Seems like a hash to me.
http://10.10.114.148/c4ca4238a0b923820dcc509a6f75849b

- I looked into the source code and found a number of them. These are associated with the images of doors on the main page.

- Decrypted the MD5 hashes in the page source code and found the numbers equivalent to them.

```
c4ca4238a0b923820dcc509a6f75849b - 1
c81e728d9d4c2f636f067f89cc14862c - 2
eccbc87e4b5ce2fe28308fd9f2a7baf3 - 3
a87ff679a2f3e71d9181a67b7542122c - 4
e4da3b7fbbce2345d7772b0674a318d5 - 5
1679091c5a880faf6fb5e6087eb1b2dc - 6
8f14e45fceea167a5a36dedd4bea2543 - 7
c9f0f895fb98ab9159f51fd0297e236d - 8
45c48cce2e2d7fbdea1afc51c7c6ad26 - 9
d3d9446802a44259755d38e6d163e820 - 10
6512bd43d9caa6e02c990b0a82652dca - 11
c20ad4d76fe97759aa27a0c99bff6710 - 12
c51ce410c124a10e0db5e4b97fc2af39 - 13
```

Getting the flag:
- The numbers are sequential, starting from no. 1. I generated an MD5 hash of the number “0” and tried it on our target; it worked and I got the flag.

```
echo -n 0 | md5sum
cfcd208495d565ef66e7dff9f98764da
```
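Why the step above works, and what closes it, as an added Python example that is not part of the original walkthrough or the room's own code. The room contents, `ROOMS`, `LINKED`, `SERVER_KEY` and both lookup functions are constructed for illustration; the hardened design (keyed references plus a server-side authorization check) is an assumed fix, not something the room implements.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: rooms 1-13 are linked from the main page, room 0 is not.
ROOMS = {n: f"empty room {n}" for n in range(1, 14)}
ROOMS[0] = "room that no door links to"
LINKED = frozenset(range(1, 14))

def md5_ref(n: int) -> str:
    """Object reference as the walkthrough found it: MD5 of the decimal ID."""
    return hashlib.md5(str(n).encode()).hexdigest()

MD5_TO_ID = {md5_ref(n): n for n in ROOMS}

def vulnerable_lookup(ref: str):
    """Serves any room whose hash matches; the hash is the only gate."""
    n = MD5_TO_ID.get(ref)
    return ROOMS[n] if n is not None else None

# Hardened form (assumed design): keyed references plus an authorization check.
SERVER_KEY = secrets.token_bytes(32)  # never leaves the server

def keyed_ref(n: int) -> str:
    """HMAC-SHA256 reference; cannot be computed without SERVER_KEY."""
    return hmac.new(SERVER_KEY, str(n).encode(), hashlib.sha256).hexdigest()

def hardened_lookup(ref: str, allowed_ids):
    """Resolve the reference only among rooms the caller is authorized for."""
    for n in allowed_ids:
        if hmac.compare_digest(keyed_ref(n), ref):
            return ROOMS[n]
    return None  # unknown, forged, or unauthorized reference

if __name__ == "__main__":
    print(vulnerable_lookup(md5_ref(0)))          # unlinked room is served
    print(hardened_lookup(md5_ref(0), LINKED))    # None: MD5 ref not accepted
    print(hardened_lookup(keyed_ref(0), LINKED))  # None: valid ref, not authorized
    print(hardened_lookup(keyed_ref(3), LINKED))  # authorized room is served
```

The authorization check is what matters: even a correctly formed reference to room 0 is refused because the caller's allowed set does not contain it.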



Question 1 – What is the flag?
flag{2477ef02448ad9156661ac40a6b8862e}

Conclusion:

So that was “Corridor” for you. We first started with an nmap scan and found port 80 open. Next, we enumerated the web server running on port 80 and found a background of corridors with lots of doors. We checked the page source and found a bunch of MD5 hashes which represent the door numbers. We calculated the hash of door number 0 and tried it on the target URL, thus getting the flag and a tinder date with a Russian supermodel. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.