TryHackMe Corridor Write-up

This write-up will help you solve the Corridor box on TryHackMe. This box involves IDOR (Insecure Direct Object References). This vulnerability suggests that we should be able to obtain some object that we are not supposed to have access to. Before we enumerate the box, run the following command as root to add the host to your /etc/hosts file.

echo "<box_ip>   corridor.thm" >> /etc/hosts

TryHackMe Corridor – Enumeration

Let’s start by checking the open ports for this box. Run the following command to find the open ports:

nmap -sV -sC corridor.thm

You can find the outcome of this port scan below:

PORT   STATE SERVICE REASON  VERSION
80/tcp open  http    syn-ack Werkzeug httpd 2.0.3 (Python 3.10.2)
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: Werkzeug/2.0.3 Python/3.10.2
|_http-title: Corridor

There is only 1 open port. Port 80 serves as a web server. Let’s browse the URL: http://corridor.thm/. This page shows a clickable image. In this image, you can click all the different doors. The image of the corridor looks as follows:

[Image: TryHackMe Corridor]

Obtaining the Flag

If you click on one of the doors, you will see:

[Image: TryHackMe Corridor - Empty Room]

Every room has a different URL. Let’s check the following URL: http://corridor.thm/c4ca4238a0b923820dcc509a6f75849b. The path is a 32-character hex string, which looks like an MD5 hash. MD5 is a one-way function and cannot be decoded, but the hash of a short input can be looked up, for example using Crackstation. And indeed we find out that the MD5 hash of 1 is c4ca4238a0b923820dcc509a6f75849b. Each door seems to correspond to a number. We see 13 different doors. You do not have to open all doors because you will not find the flag in any of these rooms.

Let’s think outside the box. Retrieve the MD5 hash of the value 0. Run the following command on your Linux terminal:

echo -n "0" | md5sum

Browse to the outcome of this command appended to the host name. Thus we have to browse to: corridor.thm/REDACTED.

And we are in luck! We find the flag! If all went well, you should see the following image:

[Image: TryHackMe Corridor - Full room]

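I had fun rooting this box. The box involved IDOR. This vulnerability arises when an application uses user-supplied input to access objects directly, without checking whether the requester may see them. Here we can fill in a number other than 1 to 13. Using this number, we were able to retrieve the flag. The MD5 hash in the URL does not protect the object, because the hash of a small number is easy to compute or look up. You should implement access control on the server side to protect sensitive information.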
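The access-control fix described above, as an added example that is not code from the box or from this write-up: a lookup that trusts the hashed identifier next to one that checks the requester before returning the object. The room contents, user names and function names are assumptions made for the illustration.

```python
import hashlib

# Constructed sample data (assumption): rooms 1-13 are open to everyone,
# room 0 is restricted to the "admin" user.
ROOMS = {n: {"body": "empty room", "allowed": None} for n in range(1, 14)}
ROOMS[0] = {"body": "restricted content", "allowed": {"admin"}}


def md5_id(n: int) -> str:
    """URL identifier for a room: the MD5 hex digest of its number."""
    return hashlib.md5(str(n).encode()).hexdigest()


# Reverse map from URL identifier to room number.
BY_HASH = {md5_id(n): n for n in ROOMS}


def get_room_vulnerable(path_id: str):
    """IDOR: resolves the identifier and returns the object to anyone."""
    n = BY_HASH.get(path_id)
    if n is None:
        return 404, None
    return 200, ROOMS[n]["body"]


def get_room_hardened(user: str, path_id: str):
    """Same lookup, with an authorization check on every object access."""
    n = BY_HASH.get(path_id)
    if n is None:
        return 404, None
    allowed = ROOMS[n]["allowed"]
    if allowed is not None and user not in allowed:
        # Same answer as for an unknown id, so existence is not leaked.
        return 404, None
    return 200, ROOMS[n]["body"]


if __name__ == "__main__":
    hidden = md5_id(0)  # computable by any client, so not a secret
    print("vulnerable, guest:", get_room_vulnerable(hidden))
    print("hardened, guest:  ", get_room_hardened("guest", hidden))
    print("hardened, admin:  ", get_room_hardened("admin", hidden))
```

The identifier scheme is unchanged between the two functions; only the per-request check on the authenticated user differs.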
