TryHackMe - Corridor

We’re hinted to look for IDOR (Insecure direct object references) vulnerabilities, and that we’re going to be crawling a web page.

Walk Through

  1. Inspect the output of curl $TARGET
  2. Convert a few of the hashes with crackstation
  3. Notice the hashes are a sequence
  4. Re-create a few of the existing hashes using gromweb
  5. Use gromweb to generate a special element of the sequence
  6. Use the result of 5 to obtain flag!

Write Up

Alright, let’s see what rustscan turns up:

rustscan -a $TARGET -- -A -sC

Nothing but a web server on port 80, cool. Nikto:

nikto --host $TARGET --port 80
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2022-11-10 19:59:05 (GMT-5)
+ Server: Werkzeug/2.0.3 Python/3.10.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: HEAD, GET, OPTIONS

Server Werkzeug, what the fuck is that?!


I’m not sure, but it’s vulnerable to path traversal and the hint is we need to traverse some paths so let’s go! There’s also an RCE apparently, I assume that’s going to be a local prev esc

Bad news, the Path traversal isn’t compatible with the hosted version. Before I leap to tossing random exploits at this, I’ll try dirb. First, I’ll just load the index:

Cool it has a picture with a bunch of doors, each has a link. dirb though seems to fail.

Well, time to actually look closer at the index:

curl $TARGET
curl $TARGET | grep href
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3213  100  3213    0     0  19220      0 --:--:-- --:--:-- --:--:-- 19125
    <link rel="stylesheet" href=""
    <link rel="stylesheet" href="/static/css/main.css">
        <area target="" alt="c4ca4238a0b923820dcc509a6f75849b" title="c4ca4238a0b923820dcc509a6f75849b" href="c4ca4238a0b923820dcc509a6f75849b" coords="257,893,258,332,325,351,325,860" shape="poly">
        <area target="" alt="c81e728d9d4c2f636f067f89cc14862c" title="c81e728d9d4c2f636f067f89cc14862c" href="c81e728d9d4c2f636f067f89cc14862c" coords="469,766,503,747,501,405,474,394" shape="poly">
        <area target="" alt="eccbc87e4b5ce2fe28308fd9f2a7baf3" title="eccbc87e4b5ce2fe28308fd9f2a7baf3" href="eccbc87e4b5ce2fe28308fd9f2a7baf3" coords="585,698,598,691,593,429,584,421" shape="poly">
        <area target="" alt="a87ff679a2f3e71d9181a67b7542122c" title="a87ff679a2f3e71d9181a67b7542122c" href="a87ff679a2f3e71d9181a67b7542122c" coords="650,658,644,437,658,652,655,437" shape="poly">
        <area target="" alt="e4da3b7fbbce2345d7772b0674a318d5" title="e4da3b7fbbce2345d7772b0674a318d5" href="e4da3b7fbbce2345d7772b0674a318d5" coords="692,637,690,455,695,628,695,467" shape="poly">
        <area target="" alt="1679091c5a880faf6fb5e6087eb1b2dc" title="1679091c5a880faf6fb5e6087eb1b2dc" href="1679091c5a880faf6fb5e6087eb1b2dc" coords="719,620,719,458,728,471,728,609" shape="poly">
        <area target="" alt="8f14e45fceea167a5a36dedd4bea2543" title="8f14e45fceea167a5a36dedd4bea2543" href="8f14e45fceea167a5a36dedd4bea2543" coords="857,612,933,610,936,456,852,455" shape="poly">
        <area target="" alt="c9f0f895fb98ab9159f51fd0297e236d" title="c9f0f895fb98ab9159f51fd0297e236d" href="c9f0f895fb98ab9159f51fd0297e236d" coords="1475,857,1473,354,1537,335,1541,901" shape="poly">
        <area target="" alt="45c48cce2e2d7fbdea1afc51c7c6ad26" title="45c48cce2e2d7fbdea1afc51c7c6ad26" href="45c48cce2e2d7fbdea1afc51c7c6ad26" coords="1324,766,1300,752,1303,401,1325,397" shape="poly">
        <area target="" alt="d3d9446802a44259755d38e6d163e820" title="d3d9446802a44259755d38e6d163e820" href="d3d9446802a44259755d38e6d163e820" coords="1202,695,1217,704,1222,423,1203,423" shape="poly">
        <area target="" alt="6512bd43d9caa6e02c990b0a82652dca" title="6512bd43d9caa6e02c990b0a82652dca" href="6512bd43d9caa6e02c990b0a82652dca" coords="1154,668,1146,661,1144,442,1157,442" shape="poly">
        <area target="" alt="c20ad4d76fe97759aa27a0c99bff6710" title="c20ad4d76fe97759aa27a0c99bff6710" href="c20ad4d76fe97759aa27a0c99bff6710" coords="1105,628,1116,633,1113,447,1102,447" shape="poly">
        <area target="" alt="c51ce410c124a10e0db5e4b97fc2af39" title="c51ce410c124a10e0db5e4b97fc2af39" href="c51ce410c124a10e0db5e4b97fc2af39" coords="1073,609,1081,620,1082,459,1073,463" shape="poly">

Alrighty then, we have a bunch of href’s that we’re already aware are hashes. There’s nothing useful at those URL’s, but perhaps this is happening:
- URL Path is being used in a query to lookup a file by it’s hash
- URL Path is being placed into a system command to find a file?

I messed with the URL but didn’t find anything useful… I don’t notice anything particularly interesting about the serious of hashes.

Hmmmm, I created a list of the hashes:


And studied the response from an endpoint, but never saw anything overly interesting.

curl -v $TARGET/c4ca4238a0b923820dcc509a6f75849b

So, I decided to try some random hashes. Here’s a function for generating a random hash:

echo $RANDOM | md5sum | head -c 32; echo;

I dropped this into the browser, and nothing.

Well, Just for shits I may as well try to fuzz:

while [ 1 ]; do; echo $(shuf -i 1-100000 -n 1) | md5sum | head -c 32; echo; done | wfuzz -z stdin --hc 404 http://$TARGET/FUZZ

This generates a random hash and slaps it into wfuzz, hiding the 404s. I’ll just let that run while I keep thinking.

I decided to stick the hashes into crackstation… and there we are, it’s just a series!


Now, If I can re-construct any of the hashes I should be able to generate the hash for 14 and so on and get some more files.

For some reason md5sum on my CLI wasn’t generating the correct values, but I found this site that works:

So, the hash for 14 is c4ca4238a0b923820dcc509a6f75849b which just returned the same image page…

15 == 9bf31c7ff062936a96d3c8bd1f8f2ff3 == Not Found
16 == c74d97b01eae257e44aa9d5bade97baf == Not Found
0 == cfcd208495d565ef66e7dff9f98764da == Flag! GG!

$ cd content && tree