Tryhackme Corridor Writeup
Link to Box: Tryhackme.com
This is my first write-up of a Tryhackme Box. The challenge is called Corridor.
Challenge setup
You have found yourself in a strange corridor. Can you find your way back to where you came?
In this challenge, you will explore potential IDOR vulnerabilities. Examine the URL endpoints you access as you navigate the website and note the hexadecimal values you find (they look an awful lot like a hash, don’t they?). This could help you uncover website locations you were not expected to access.
That’s the challenge description and actually contains a few pretty big hints.
- We are expecting an IDOR vulnerability.
- We should examine the URL endpoints when navigating the website.
- The hexadecimal values from the URL endpoints will very likely be a hash.
Let’s go through the hints one after another:
[…] you will explore potential IDOR vulnerabilities.
An IDOR (Insecure Direct Object Reference) vulnerability is one where users can access data or pages they should not have access to, because the application trusts an identifier supplied by the client instead of checking authorization on the server. A common place for this vulnerability to appear is user accounts. Sometimes when you navigate to your user account on a website the URL looks something like this:
targetwebsite.com/user/1246.
Notice the number at the end? You could change this and potentially view another user’s account.
Examine the URL endpoints […]
This is another hint to look for an IDOR vulnerability, as these are commonly found in URL endpoints.
[…] note the hexadecimal values (they look like a hash)
Hashes are not reversible, so we can't simply decode a hash and read the original text. There is, however, a way to find the original text for a hash: rainbow tables.
Rainbow tables are huge tables that store hashes alongside the inputs that led to them. They work because a hash function always produces the same output for the same input, so we can look a hash up in the table and find out what the original input was.
Let’s start with the challenge
The first thing I always do is run an nmap scan. I usually use
sudo nmap -sV [IP-Address] -p- -vv -oN nmap.txt
What does this do? The -sV flag makes nmap probe each open port it finds and try to determine the version of the service running there. The -p- flag scans all 65535 ports instead of the 1,000 most common ports nmap scans by default. -vv makes the output more verbose, so you get more information while the scan runs. Finally, -oN writes the output to the text file you specify. I usually name the file nmap.txt because I already structure my documents in named files.
The target machine only has port 80 open, which is usually used for unencrypted (HTTP) websites. I obviously immediately opened my browser and entered the IP address into the address bar. I was greeted with an image of a corridor with a few doors that I can click on. All of them redirect to a webpage with an image of an empty room.
I typed view-source: in front of the URL. This lets me view the raw HTML code of the webpage. We can now see all of the URLs we are redirected to in a list. This makes it much easier to copy them, paste them into a website like crackstation.net (a website that uses rainbow tables to look up hashes) and see a pattern in the hashes. I did exactly that, and the looked-up hashes were numbers counting upwards. The hashes used were MD5 hashes.
As the first sentence of the challenge text says, we should find our way back to where we came from…
Can you find your way back to where you came?
… I used CyberChef to generate the MD5 hash for the preceding number, went to http://[IP-Address]/[MD5-hash] and was greeted with an image containing the flag.
I copied the flag to the THM website and the flag was correct.
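To show why hashing a sequential id gives no protection, here is an added example (my own code, not part of the challenge) that does what the crackstation lookup did: it pulls the 32-hex-character paths out of a page source, hashes a small range of integers to build a lookup table, recovers the ids, checks that they form an unbroken run, and lists the unlinked neighbours (the preceding and following id) that only a server-side authorization check can protect. The HTML is constructed inline so the script runs offline; the real challenge page is not reproduced here.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample page source (not the challenge's real HTML): thirteen door
# links whose paths are the MD5 digests of the ids 1..13, as the writeup describes.
SAMPLE_HTML = "\n".join(
    f'<a href="/{md5_hex(str(i))}"><img src="door.png"></a>' for i in range(1, 14)
)

HEX32 = re.compile(r'href="/([0-9a-fA-F]{32})"')


def extract_hashes(html: str) -> List[str]:
    """Pull every 32-hex-character path out of the page source (what view-source: showed)."""
    return [h.lower() for h in HEX32.findall(html)]


def build_lookup(candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute MD5 for every candidate input: a tiny stand-in for a rainbow table.
    For an input space as small as 'the integers below 10000' this takes milliseconds,
    which is exactly why MD5 of a sequential id does not hide the id."""
    return {md5_hex(c): c for c in candidates}


def recover_ids(hashes: List[str], lookup: Dict[str, str]) -> List[Optional[int]]:
    """Map each hash back to its integer, or None when it is outside the table."""
    return [int(lookup[h]) if h in lookup else None for h in hashes]


def is_contiguous(ids: List[Optional[int]]) -> bool:
    """True when the recovered ids form an unbroken ascending run (1, 2, 3, ...)."""
    known = sorted(i for i in ids if i is not None)
    return bool(known) and known == list(range(known[0], known[-1] + 1))


def unlinked_neighbours(ids: List[Optional[int]]) -> Dict[int, str]:
    """Ids adjacent to the linked range that the page never links to, with the path the
    server would serve for them. A contiguous run means the hash is no access control;
    the server must check authorization for every id, linked or not."""
    known = [i for i in ids if i is not None]
    return {n: md5_hex(str(n)) for n in (min(known) - 1, max(known) + 1)}


if __name__ == "__main__":
    ids = recover_ids(extract_hashes(SAMPLE_HTML), build_lookup(str(i) for i in range(10_000)))
    print("recovered ids:", ids)
    print("contiguous:", is_contiguous(ids))
    print("unlinked neighbours:", unlinked_neighbours(ids))
```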