TryHackMe: Corridor CTF Walkthrough
Corridor is an intentionally vulnerable web application introduced by TryHackMe. This machine has an IDOR vulnerability, which TryHackMe hints at. The machine’s difficulty is Easy.
After connecting to the access VPN provided by TryHackMe, join the room.
Let’s start the information gathering phase. For that we have to do some port scanning on the IP. To do that I used the Nmap tool, and the command I used is:
nmap -sV -A -Pn 10.10.21.137
The only open port is 80 and the service running on the port is HTTP. So let’s visit the IP address in a web browser.
I did some directory listing and I couldn’t find anything. Then I tried to see the page source code by clicking View Source Page.
That’s when I noticed that there are “13 doors” on the home page. There are also “13 hash values corresponding to the 13 doors”.
So I copied those 13 hash values to a hash.txt file.
I copied one of these hashes and used a tool called Hash-Identifier in Kali Linux.
One of these hashes was in MD5 format and the other 12 hashes were the same length as this one. So I confirmed that all of the hashes are MD5 digests. Then I used Hashcat to crack these hashes. For that I used the command:
hashcat -a 0 -m 0 hash.txt /usr/share/wordlists/rockyou.txt
Actually, the numerical values from 1–13 were hashed using the MD5 hashing algorithm.
We have a hint, which is “IDOR Vulnerability”. So I thought hashing some numerical values might help to exploit the IDOR vulnerability. For that I wrote a Python script, and it is available on my GitHub.
import hashlib

def main():
    # Write one MD5 hex digest per line so the file can be used as a wordlist.
    with open("MD5_Hashes.txt", "w") as f:
        print("[+] File created")
        print("[+] File name — MD5_Hashes.txt")
        # range(-100, 1) covers -100 through 0; the upper bound is exclusive.
        for i in range(-100, 1):
            hash_object = hashlib.md5(str(i).encode())
            hash_value = hash_object.hexdigest()
            f.write(hash_value + "\n")
    print("[+] Successfully completed. Please check the file.")

if __name__ == "__main__":
    main()
After running this script, it’ll create a text file which contains MD5 hash digests created from numerical values -100 to 1.
Then I used the Dirsearch tool to do directory brute-forcing. For that, I used
dirsearch -u http://10.10.40.110 -w /home/z0mbi3w0rm/MD5_Hashes.txt
And it was successful. Then I visited the newly discovered page in my web browser.
Finally got the flag. Let’s submit our flag.
Hooray. Successfully completed this machine.
P.S - First I wrote the Python script to hash numerical values from 1 to 100000 and the flag wasn’t in one of these hashes. That’s when I changed the values from -100 to 1 and it worked. The web page that contains the flag has the hash digest of 0.
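Added example (not part of the original write-up and not the room's code): why MD5 of a small integer does not protect an object reference, a check a developer can run over their own identifiers to spot this pattern, and a store that uses random tokens with a per-user authorization check. The names md5_id, vulnerable_get, audit_ids and HardenedStore, and the sample pages, are hypothetical.

```python
import hashlib
import secrets

def md5_id(n: int) -> str:
    """Identifier scheme seen in the room: MD5 of a decimal integer."""
    return hashlib.md5(str(n).encode()).hexdigest()

# Constructed sample data: 13 linked doors plus one unlinked page at 0.
PAGES = {md5_id(n): f"door {n}" for n in range(1, 14)}
PAGES[md5_id(0)] = "unlinked page"

def vulnerable_get(page_id: str):
    """Serves any page whose identifier exists; there is no ownership check."""
    return PAGES.get(page_id)

def audit_ids(ids, low=-100, high=100):
    """Map each identifier that is MD5 of an integer in [low, high] to it."""
    table = {md5_id(n): n for n in range(low, high + 1)}
    return {i: table[i] for i in ids if i in table}

class HardenedStore:
    """Random identifiers plus an authorization check on every read."""

    def __init__(self):
        self._pages = {}  # token -> content
        self._acl = {}    # token -> set of users allowed to read it

    def add(self, content: str, readers) -> str:
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._pages[token] = content
        self._acl[token] = set(readers)
        return token

    def get(self, user: str, token: str):
        # Deny unless this user is explicitly allowed. Returning the same
        # answer for "missing" and "forbidden" does not confirm a token exists.
        if user not in self._acl.get(token, ()):
            return None
        return self._pages[token]

if __name__ == "__main__":
    findings = audit_ids(PAGES)
    print(f"{len(findings)} of {len(PAGES)} identifiers are MD5 of a small integer")
```

The random token only makes identifiers hard to guess; the access decision is the check in get(), which still holds if a token leaks.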