TryHackMe - Corridor Writeup
TryHackMe - Corridor Writeup: This room is about IDOR Vulnerabilities

Link to the Room
This room is about IDOR vulnerabilities.
Insecure direct object reference (IDOR) is an access-control flaw: the server exposes a direct reference to an internal object (an ID, a file name, or a hash derived from an ID) and fails to verify that the requester is authorised for that object, so you can reach data that is not yours. IDOR is not limited to reading; it can also allow modification or deletion of the data.
You have to examine the website and the URL endpoints hidden inside it to discover the flag.
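To make the definition concrete, here is an added Python example (not code from the room or the original post) that contrasts the vulnerable lookup pattern with a hardened one. The record store, owners and flag text are constructed placeholders; the point is that the fix is a server-side ownership check on every request, and that an indirect, unguessable token only helps when that check is still performed.

```python
import secrets
from typing import Optional

# Constructed sample data: each "door" record has an owner. The reference
# "0" plays the role of the hidden record the writeup finds.
RECORDS = {
    "0": {"owner": "alice", "body": "flag{constructed-placeholder}"},
    "1": {"owner": "alice", "body": "door 1"},
    "2": {"owner": "bob", "body": "door 2"},
}

# Hypothetical per-session token map: token -> (caller, reference).
TOKENS: dict = {}


def lookup_vulnerable(reference: str) -> Optional[str]:
    """IDOR pattern: the client-supplied reference is used directly and
    nobody checks who is asking, so any valid reference returns its data."""
    record = RECORDS.get(reference)
    return record["body"] if record else None


def lookup_hardened(caller: str, reference: str) -> Optional[str]:
    """Same lookup with the authorisation check the vulnerable version lacks:
    the object is returned only if the authenticated caller owns it."""
    record = RECORDS.get(reference)
    if record is None or record["owner"] != caller:
        return None  # deny: unknown object or not the caller's object
    return record["body"]


def issue_token(caller: str, reference: str) -> Optional[str]:
    """Indirect reference: hand out a random token instead of the raw ID.
    The ownership check still happens here, at issuance."""
    record = RECORDS.get(reference)
    if record is None or record["owner"] != caller:
        return None
    token = secrets.token_urlsafe(16)  # 128 bits: not derivable from the ID
    TOKENS[token] = (caller, reference)
    return token


def lookup_by_token(caller: str, token: str) -> Optional[str]:
    """Resolve a token back to its object, re-checking that the token was
    issued to this caller so a leaked token cannot be replayed by another user."""
    entry = TOKENS.get(token)
    if entry is None or entry[0] != caller:
        return None
    return RECORDS[entry[1]]["body"]


if __name__ == "__main__":
    print("vulnerable, bob asks for 0:", lookup_vulnerable("0"))
    print("hardened,   bob asks for 0:", lookup_hardened("bob", "0"))
    tok = issue_token("alice", "0")
    print("alice via token:", lookup_by_token("alice", tok))
    print("bob replaying alice's token:", lookup_by_token("bob", tok))
```

Replacing a numeric ID with its MD5 digest, as the room does, is not an instance of `issue_token`: the digest is a deterministic function of the ID, so it is just another direct reference.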
Navigate to the target IP address. You won't find a single link or any written material there, just this image:

At first it's easy to get confused by this, but out of curiosity I clicked on the first door from the left and was redirected to this page:

Just one completely blank page with no information on it. However, if you look at the address bar, there is a strange hash in the URL.

At first I didn't notice that and immediately switched back to the home page. Then I clicked on the 2nd door from the left and the same thing happened: again a hash is appended to the IP address of the website, and there is no other information on the page.

I repeated the same cycle to discover more and clicked the door in the center.

This is where I started recognizing a pattern. In case you didn't know, these are all MD5 hashes. MD5 is a hash function commonly used to verify the integrity of data, i.e. to check that it hasn't been altered. Several hash types exist; to tell them apart by sight, here is a quick reference on the length of their hex digests:
| Hash | Length |
|---|---|
| MD5 | 32 hex characters |
| SHA1 | 40 hex characters |
| SHA256 | 64 hex characters |
| SHA512 | 128 hex characters |
So a 32-character hex string almost always means MD5 in CTF/web contexts.
To count the characters you can use this tool, which I also used to count the characters in the hashes given in this challenge:

As you can see, 32 characters in total confirms that this is an MD5 hash.

Another tool I want to recommend is Crackstation, which looks up the plaintext (here, a number) associated with a hash.

Once you enter the hash it gives back the original string. I checked it first with the hash of the 1st door

and then with the hash of the door in center.

It is now confirmed that we are dealing with MD5 hashes of different numbers. Using an MD5 Hash Generator we can produce the hash for any number we like.
I used the tool to generate the hash for the string 1

and then for the string 7.

If you are wondering why we are not yet discussing the flag: you have to understand MD5 hashes first, so that you can easily recognize the pattern if you find something similar in another CTF.
There are 13 doors in the image, and as we are now able to generate hashes for more numbers we can even reach pages 14, 15, 16 and so on. But the numbers can go on forever, and this isn't a smart approach to getting the flag.
Now, go back to the introduction given at the start of the challenge:

This particular line gives a hint we may have ignored until now. We count natural numbers from 1, 2, 3 and so on, but whole numbers start from 0, 1, 2, 3, 4..... so I thought of creating a hash from the string 0 to see if that works.
For some reason the website didn't help with that, so I used the good old terminal with the command
to generate the hash for the string 1, to confirm what I was doing was correct, and then for the string 0.

which gave a hash that I entered in the address bar in this format

and that gives away the flag.
Hope you learned a thing or two from this writeup. We have a lot of blogs on different topics, and you can also join the infophreak Discord community to connect with us.
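The two technical steps of this writeup, recognising the hash type from its length and realising that the references are MD5 digests of a small counter (0 to 13), can be reproduced in a few lines. The following added Python (mine, not code from the room or the original post) does the length-based identification from the table above and then shows the check a developer can run on their own application: build the digests of the small integer range and see whether a "hashed" reference resolves straight back to its index. Digests are computed with the standard library; the door range 0..13 is the one the writeup describes, and the `HASH_LENGTHS` table is the writeup's table.

```python
import hashlib
from typing import Dict, Optional

# Hash families from the writeup's table, keyed by hex-digest length.
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}

HEX_DIGITS = set("0123456789abcdef")


def identify_hash(candidate: str) -> str:
    """Classify a string by hex length as the table does; 'unknown' otherwise.
    Length alone cannot distinguish e.g. MD5 from NTLM, so this is a heuristic."""
    s = candidate.strip().lower()
    if len(s) in HASH_LENGTHS and set(s) <= HEX_DIGITS:
        return HASH_LENGTHS[len(s)]
    return "unknown"


def md5_of_int(n: int) -> str:
    """MD5 of the decimal string of n, which is what the room hashes."""
    return hashlib.md5(str(n).encode("ascii")).hexdigest()


def predictable_reference_table(start: int = 0, stop: int = 13) -> Dict[str, int]:
    """Map digest -> integer for every value a door index could take.
    A defender runs this to show that hashing a counter hides nothing."""
    return {md5_of_int(n): n for n in range(start, stop + 1)}


def resolve_reference(digest: str, start: int = 0, stop: int = 13) -> Optional[int]:
    """Return the integer behind a reference if it is just MD5(counter)
    within the given range, else None. None means the reference is at least
    not derivable from this small range; it does not prove it is unguessable."""
    if identify_hash(digest) != "MD5":
        return None
    return predictable_reference_table(start, stop).get(digest.strip().lower())


if __name__ == "__main__":
    table = predictable_reference_table()
    for digest, n in sorted(table.items(), key=lambda kv: kv[1]):
        print(f"{n:>2} -> {digest}")
    # The hidden door: the hash of "0", which the natural-number intuition skips.
    print("resolves to:", resolve_reference(md5_of_int(0)))
```

The takeaway for a developer is the one the room teaches from the other side: an MD5 of a sequential ID is still a direct reference, so the fix is the authorisation check on the server, not a different hash function.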
Links mentioned in this room
Corridor on Tryhackme: https://tryhackme.com/room/corridor
Character Counter: https://www.charactercountonline.com/
Crackstation Free Password Hash Cracker: https://crackstation.net/
MD5 Hash Generator: https://www.md5hashgenerator.com/

