TryHackMe - Corridor

We're hinted to look for IDOR (Insecure direct object references) vulnerabilities, and that we're going to be crawling a web page.

Walk Through

  1. Inspect the output of curl $TARGET
  2. Convert a few of the hashes with crackstation
  3. Notice the hashes are a sequence
  4. Re-create a few of the existing hashes using gromweb
  5. Use gromweb to generate a special element of the sequence
  6. Use the result of 5 to obtain flag!

Write Up

Alright, let's see what rustscan turns up:

rustscan -a $TARGET -- -A -sC
...
Open 10.10.54.170:80

Nothing but a web server on port 80, cool. Nikto:

nikto --host $TARGET --port 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.54.170
+ Target Hostname:    10.10.54.170
+ Target Port:        80
+ Start Time:         2022-11-10 19:59:05 (GMT-5)
---------------------------------------------------------------------------
+ Server: Werkzeug/2.0.3 Python/3.10.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: HEAD, GET, OPTIONS

Server Werkzeug, what is that?! 1 I'm not sure, but it's vulnerable to path traversal and the hint is we need to traverse some paths so let's go! There's also an RCE apparently, I assume that's going to be a local prev esc Bad news, the Path traversal isn't compatible with the hosted version. Before I leap to tossing random exploits at this, I'll try dirb. First, I'll just load the index: 2 Cool it has a picture with a bunch of doors, each has a link. dirb though seems to fail. Well, time to actually look closer at the index:

curl $TARGET
curl $TARGET | grep href
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3213  100  3213    0     0  19220      0 --:--:-- --:--:-- --:--:-- 19125
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"
    <link rel="stylesheet" href="/static/css/main.css">
        <area target="" alt="c4ca4238a0b923820dcc509a6f75849b" title="c4ca4238a0b923820dcc509a6f75849b" href="c4ca4238a0b923820dcc509a6f75849b" coords="257,893,258,332,325,351,325,860" shape="poly">
        <area target="" alt="c81e728d9d4c2f636f067f89cc14862c" title="c81e728d9d4c2f636f067f89cc14862c" href="c81e728d9d4c2f636f067f89cc14862c" coords="469,766,503,747,501,405,474,394" shape="poly">
        <area target="" alt="eccbc87e4b5ce2fe28308fd9f2a7baf3" title="eccbc87e4b5ce2fe28308fd9f2a7baf3" href="eccbc87e4b5ce2fe28308fd9f2a7baf3" coords="585,698,598,691,593,429,584,421" shape="poly">
        <area target="" alt="a87ff679a2f3e71d9181a67b7542122c" title="a87ff679a2f3e71d9181a67b7542122c" href="a87ff679a2f3e71d9181a67b7542122c" coords="650,658,644,437,658,652,655,437" shape="poly">
        <area target="" alt="e4da3b7fbbce2345d7772b0674a318d5" title="e4da3b7fbbce2345d7772b0674a318d5" href="e4da3b7fbbce2345d7772b0674a318d5" coords="692,637,690,455,695,628,695,467" shape="poly">
        <area target="" alt="1679091c5a880faf6fb5e6087eb1b2dc" title="1679091c5a880faf6fb5e6087eb1b2dc" href="1679091c5a880faf6fb5e6087eb1b2dc" coords="719,620,719,458,728,471,728,609" shape="poly">
        <area target="" alt="8f14e45fceea167a5a36dedd4bea2543" title="8f14e45fceea167a5a36dedd4bea2543" href="8f14e45fceea167a5a36dedd4bea2543" coords="857,612,933,610,936,456,852,455" shape="poly">
        <area target="" alt="c9f0f895fb98ab9159f51fd0297e236d" title="c9f0f895fb98ab9159f51fd0297e236d" href="c9f0f895fb98ab9159f51fd0297e236d" coords="1475,857,1473,354,1537,335,1541,901" shape="poly">
        <area target="" alt="45c48cce2e2d7fbdea1afc51c7c6ad26" title="45c48cce2e2d7fbdea1afc51c7c6ad26" href="45c48cce2e2d7fbdea1afc51c7c6ad26" coords="1324,766,1300,752,1303,401,1325,397" shape="poly">
        <area target="" alt="d3d9446802a44259755d38e6d163e820" title="d3d9446802a44259755d38e6d163e820" href="d3d9446802a44259755d38e6d163e820" coords="1202,695,1217,704,1222,423,1203,423" shape="poly">
        <area target="" alt="6512bd43d9caa6e02c990b0a82652dca" title="6512bd43d9caa6e02c990b0a82652dca" href="6512bd43d9caa6e02c990b0a82652dca" coords="1154,668,1146,661,1144,442,1157,442" shape="poly">
        <area target="" alt="c20ad4d76fe97759aa27a0c99bff6710" title="c20ad4d76fe97759aa27a0c99bff6710" href="c20ad4d76fe97759aa27a0c99bff6710" coords="1105,628,1116,633,1113,447,1102,447" shape="poly">
        <area target="" alt="c51ce410c124a10e0db5e4b97fc2af39" title="c51ce410c124a10e0db5e4b97fc2af39" href="c51ce410c124a10e0db5e4b97fc2af39" coords="1073,609,1081,620,1082,459,1073,463" shape="poly">

Alrighty then, we have a bunch of href's that we're already aware are hashes. There's nothing useful at those URL's, but perhaps this is happening:

  • URL Path is being used in a query to lookup a file by it's hash
  • URL Path is being placed into a system command to find a file? I messed with the URL but didn't find anything useful... I don't notice anything particularly interesting about the serious of hashes. Hmmmm, I created a list of the hashes:
c4ca4238a0b923820dcc509a6f75849b
c81e728d9d4c2f636f067f89cc14862c
eccbc87e4b5ce2fe28308fd9f2a7baf3
a87ff679a2f3e71d9181a67b7542122c
e4da3b7fbbce2345d7772b0674a318d5
1679091c5a880faf6fb5e6087eb1b2dc
8f14e45fceea167a5a36dedd4bea2543
c9f0f895fb98ab9159f51fd0297e236d
45c48cce2e2d7fbdea1afc51c7c6ad26
d3d9446802a44259755d38e6d163e820
6512bd43d9caa6e02c990b0a82652dca
c20ad4d76fe97759aa27a0c99bff6710
c51ce410c124a10e0db5e4b97fc2af39

And studied the response from an endpoint, but never saw anything overly interesting.

curl -v $TARGET/c4ca4238a0b923820dcc509a6f75849b

So, I decided to try some random hashes. Here's a function for generating a random hash:

echo $RANDOM | md5sum | head -c 32; echo;
fd2209e3e541aebb5171d597362afc7a

I dropped this into the browser, and nothing. Well, Just for shits I may as well try to fuzz:

while [ 1 ]; do; echo $(shuf -i 1-100000 -n 1) | md5sum | head -c 32; echo; done | wfuzz -z stdin --hc 404 http://$TARGET/FUZZ

This generates a random hash and slaps it into wfuzz, hiding the 404s. I'll just let that run while I keep thinking. I decided to stick the hashes into crackstation... and there we are, it's just a series! 3 Now, If I can re-construct any of the hashes I should be able to generate the hash for 14 and so on and get some more files. For some reason md5sum on my CLI wasn't generating the correct values, but I found this site that works: https://md5.gromweb.com/?string=1 So, the hash for 14 is c4ca4238a0b923820dcc509a6f75849b which just returned the same image page... 15 == 9bf31c7ff062936a96d3c8bd1f8f2ff3 == Not Found 16 == c74d97b01eae257e44aa9d5bade97baf == Not Found 0 == cfcd208495d565ef66e7dff9f98764da == Flag! GG!