Corridor TryHackMe Walkthrough

introduction

Musyoka Ian
5 min readOct 1, 2022

Hello guys back again with another walkthough this time we are going to be tackling Corridor from TryHackMe. The box demonstrates an Insecure direct object reference vulnerability but with a bit of twists. The images we are trying to access have been md5 hashed so they look totally random but when we pass the hashes to an online hash cracker like crackstation they are just numeric numbers. So we create a little python script that creates hashes, compares them to the hashes already present in the website’s HTML source code and if they don’t match it tries to access the URL and if the URL returns 200 OK requests gives us the hash and asks us to try it against the site. We try one of the hashes and get the flag. Without much say let’s jump in

As always we begin with a nmap scan of the box and looking at the screenshot below we discover that it’s running an HTTP service on port 80.

On opening the site we get a standard web page with just a single image

On opening the HTML source code we see that we can access more images

But from the links they looks MD5 hashes and totally random given they are hashes

My next option was maybe to try and see if the hashes can be cracked. I took all the hashes and passed them to a online hash cracker called crackstation. It’s always faster compared to cracking given this online tools uses rainbow tables or some might say precomputed hashes meaning the results are always received almost instantaneously after sending the hash. The downside to this technique is that if the hash wasn’t cracked earlier it will not exists in the table. That when I’d try using a hash cracker like hashcat or john.

Passing those obtained hashes to crackstation we see that we managed to crack all of them

The hashes are just numeric values. So i ended up creating a python script that creates numeric values from 0 to 100 and hashes those values and then tries each of them against the URL endpoint and once it gets a successful response asks the end user to try the hash. Below is a screenshot of the exploit code

But let’s explain what’s happening under the hood then later on run the script and get the flag (The code will be available in my GitHub Repository)

The first line is just to tell our session that we are going to run this specific file using python3

After that we import three libraries namely

  1. hashlib (which will help us in generating MD5 hashes)
  2. requests (which will help us make HTTP requests to the web application)
  3. re (which is used to perform regular expression and try to match to a specific dataset and see if it’s get a successful response)
\

Next three line we make an HTTP request to the web application and capture the response returned. Then using re we fish out all the hashes and save them in an array

The next highlighted lines are just used to generate numeric values from 1 to 100 and creates an md5 hashes from then

Then compares if the hash already exists in the ones embedded in the source of the web application. If they match it skips the hash (Just for optimization purpose…….why try a hash which we already know it doesn’t contain the password)

If the hash is unique, it makes another HTTP request with the hash as the endpoint and if the endpoint doesn’t return a 404 it displays the hash to the end user

Now that we understand how the code works. Let’s run it and see if we’ll get some new endpoints

Looking at the screenshot below we get two more hashes

Let’s try then against the site and see what those images contain

The first one gives us the flag. Sweet

We can now submit the flag and get the points. The script is still crood and might need some improvements like it takes like between 1 minutes to ran as you can see from the screenshot below

We might decided to thread and get instant results within 5 seconds this greatly optimizes the script if you want to see this let me know in the comments and I’ll create a walkthrough on how to thread script to make them faster. But aside from that, this is it.

You can find the exploit on my GitHub page

Hope you liked the walkthrough if so clap for me down below and follow me so that you don’t miss any upcoming walkthoughs

--

--

Musyoka Ian
Musyoka Ian

Written by Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

Responses (1)