TryHackMe WriteUp: Corridor

By hackerdevil, published in InfoSec Write-ups, Oct 2, 2022

Write-up describing the steps to solve Corridor

Challenge Name: Corridor by John Hammond

Corridor Challenge

For individuals who wish to learn more about IDOR vulnerabilities, this is a pretty simple challenge.

What is IDOR?

When a web server handles a user’s request, it uses the parameters specified in the HTTP request to identify the requested resource. To find and access a certain resource, you need to know its direct object reference. If server-side validation is insufficient, attackers may modify these parameters and access internal implementation objects while the server is accessing a resource. This attack exploits what is called an Insecure Direct Object Reference (IDOR) vulnerability.

You can refer to this article to learn more about IDOR vulnerabilities.

Now let’s get back to the challenge. Most of the information needed to complete the challenge is provided in the challenge description.

You will see some doors when you initially access the website. Each door has a clickable link that displays an image. But the key here is to pay attention to the browser’s address bar, where the URL is shown.

When you click on each of the doors, you can see the URL in this format: http://<IP>/<some random string>

You may have noticed that HASH was mentioned in the task description. Take any one of those random strings and try to determine what kind of hash it is. You can use one of the many online hash identifiers that you will find by searching for “hash identifier” on Google.

Once the type has been determined to be MD5, the next step is to crack the hash (a hash cannot be decrypted, only looked up or brute-forced). Use an online MD5 hash cracker. You will discover that the hashes contained in the URLs are those of numbers like 7, 4, 6, etc. So, try to determine which special number is missing from those hashes. (Note: Only 1 or 2 hashes need to be cracked; the others can be ignored.) Just consider which number might be relatively unique.

Numbers like -1, 0 and 1 are typically worth checking when looking at an IDOR vulnerability because admin or test accounts are frequently present at these endpoints. Obtain the MD5 hash of each of these integers and try visiting the corresponding endpoints (https://<IP>/md5-string-of-[-1,0,1]). You will get your flag.
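Why hashing the ID does not fix the IDOR, shown as an added example that is not part of the original write-up or the challenge's own code: MD5 of a small integer is reversed by a precomputed table, so the only real control is a server-side authorization check. The ROOMS and ALLOWED data and both serve_* handlers are hypothetical and constructed for illustration.

```python
import hashlib

def md5_hex(n: int) -> str:
    """MD5 of the decimal string of n, as it would appear in the URL path."""
    return hashlib.md5(str(n).encode()).hexdigest()

# MD5 -> integer table for a small ID range. Building it takes well under a
# second, which is why an MD5 of a guessable ID hides nothing.
LOOKUP = {md5_hex(n): n for n in range(-1, 101)}

def reverse_token(token: str):
    """Return the integer behind a URL token, or None if outside the table."""
    return LOOKUP.get(token)

# Constructed data (assumption): objects keyed by integer ID, and the IDs
# each user is entitled to open.
ROOMS = {0: "restricted room", 4: "door 4", 6: "door 6", 7: "door 7"}
ALLOWED = {"visitor": {4, 6, 7}, "admin": {0, 4, 6, 7}}

def serve_vulnerable(user: str, token: str):
    """Resolves the token and returns the object with no ownership check."""
    room_id = reverse_token(token)
    if room_id not in ROOMS:
        return 404, None
    return 200, ROOMS[room_id]

def serve_hardened(user: str, token: str):
    """Same lookup, but the server verifies the caller may access the object."""
    room_id = reverse_token(token)
    if room_id not in ROOMS:
        return 404, None
    if room_id not in ALLOWED.get(user, set()):
        return 403, None
    return 200, ROOMS[room_id]

if __name__ == "__main__":
    # Constructed sample tokens for IDs 7, 4, 6 plus the unlinked ID 0.
    for n in (7, 4, 6, 0):
        tok = md5_hex(n)
        print(n, tok, serve_vulnerable("visitor", tok)[0],
              serve_hardened("visitor", tok)[0])
```

The hardened handler keeps the same URL scheme; the difference is that the decision depends on who is asking, not on whether the token can be guessed.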

Hope you were able to solve it by reading this.

Thank You for reading. Knowledge is power, so keep gaining! 😈
