corridor
https://tryhackme.com/room/corridor
By Jacvbtaylor
"You have found yourself in a strange corridor. Can you find your way back to where you came?
In this challenge, you will explore potential IDOR vulnerabilities. Examine the URL endpoints you access as you navigate the website and note the hexadecimal values you find (they look an awful lot like a hash, don't they?). This could help you uncover website locations you were not expected to access."
First, trying my nmap script, my results showed the ports were in ignored states:
so I resorted to the -sS flag. Good indicator that I should add this to my script in the near future. Now that I could see port 80 was open, I checked out the webpage.
The webpage has a big, pixelated image on it, so I opted to view the source code instead.
The biggest takeaway here is the pages referenced in the <area target= > fields. It seems I can navigate to these links manually, or I can click specific points in the image map to be directed there.
Out of curiosity, I copied the map code and used awk and sed to grab the information I wanted.
These links look like hashes, so I want to know if they hold valuable information.
I ran John the Ripper on these hashes using the MD5 format and got the numbers 1-13 as results.
This is a good indicator that there is a hidden directory, most likely an MD5 hash of a value such as 0 or 14-20, that I should try to locate.
Using the command line, I ran the following commands:
echo "<number>" | md5sum >> numbers
(replacing <number> with a real integer)
cat numbers | sed 's/ -//g' > num && mv num numbers
gobuster dir -u http://10.10.44.176 -w numbers
but I didn't get any hits this way. I wasn't sure why, so after fumbling around some more, I tried using this online tool to generate the MD5 hashes for me. Using the same numbers but a different generator is what gave me the correct hash to put in the URL.
Out of my own curiosity, I wanted to know why my hash was different from the online tool's, and discovered it was due to using echo in my command as opposed to printf. Below is an example:
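As an added example (not the original post's screenshot), the following POSIX shell functions make the echo-versus-printf difference concrete: `echo "1"` feeds the two bytes `1\n` to md5sum, while `printf '%s' "1"` feeds only `1`, so the two digests differ and only the printf one matches what a web app hashing the bare value would produce. The helper `md5_hex` is an assumption of mine that falls back to `openssl dgst` where md5sum is absent; it is not part of the room or the post.

```shell
#!/bin/sh
# Print only the hex MD5 digest of whatever arrives on stdin.
# Assumed helper: prefers coreutils md5sum, falls back to openssl.
md5_hex() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum | awk '{print $1}'
  else
    openssl dgst -md5 | awk '{print $NF}'
  fi
}

# MD5 of the value as echo emits it: the value followed by a newline.
md5_echo() {
  echo "$1" | md5_hex
}

# MD5 of the bare value: printf '%s' adds no trailing newline.
md5_printf() {
  printf '%s' "$1" | md5_hex
}

# Returns 0 when the two digests differ (the bug the post ran into).
digests_differ() {
  [ "$(md5_echo "$1")" != "$(md5_printf "$1")" ]
}

# Demo on a constructed input: the integer 1.
# echo   -> b026324c6904b2a9cb4b88d6d61c81d1  (hash of "1\n")
# printf -> c4ca4238a0b923820dcc509a6f75849b  (hash of "1")
printf 'echo   : %s\n' "$(md5_echo 1)"
printf 'printf : %s\n' "$(md5_printf 1)"
if digests_differ 1; then
  echo "trailing newline changed the digest"
fi
```

The defensive reading of the same observation: an object reference that is just md5(integer) is still a sequential identifier, so the server should authorize access to each resource on the session rather than rely on the hash looking opaque.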
In conclusion, don't use insecure direct object references in your URLs, and don't use echo when creating hashes unless you use the -n flag to remove the newline from the echo output.