TryHackMe - Corridor

We’re hinted to look for IDOR (Insecure direct object references) vulnerabilities, and that we’re going to be crawling a web page.

Walk Through

1. Inspect the output of curl $TARGET
   
2. Convert a few of the hashes with crackstation
   
3. Notice the hashes are a sequence
   
4. Re-create a few of the existing hashes using gromweb
   
5. Use gromweb to generate a special element of the sequence
   
6. Use the result of 5 to obtain flag!
   

Write Up

Alright, let’s see what rustscan turns up:

rustscan -a $TARGET -- -A -sC
...
Open 10.10.54.170:80

Nothing but a web server on port 80, cool. Nikto:

nikto --host $TARGET --port 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.54.170
+ Target Hostname:    10.10.54.170
+ Target Port:        80
+ Start Time:         2022-11-10 19:59:05 (GMT-5)
---------------------------------------------------------------------------
+ Server: Werkzeug/2.0.3 Python/3.10.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: HEAD, GET, OPTIONS

Server Werkzeug, what the fuck is that?!

I’m not sure, but it’s vulnerable to path traversal and the hint is we need to traverse some paths so let’s go! There’s also an RCE apparently, I assume that’s going to be a local prev esc

Bad news, the Path traversal isn’t compatible with the hosted version. Before I leap to tossing random exploits at this, I’ll try dirb. First, I’ll just load the index:

Cool it has a picture with a bunch of doors, each has a link. dirb though seems to fail.

Well, time to actually look closer at the index:

curl $TARGET
curl $TARGET | grep href
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3213  100  3213    0     0  19220      0 --:--:-- --:--:-- --:--:-- 19125
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"
    <link rel="stylesheet" href="/static/css/main.css">
        <area target="" alt="c4ca4238a0b923820dcc509a6f75849b" title="c4ca4238a0b923820dcc509a6f75849b" href="c4ca4238a0b923820dcc509a6f75849b" coords="257,893,258,332,325,351,325,860" shape="poly">
        <area target="" alt="c81e728d9d4c2f636f067f89cc14862c" title="c81e728d9d4c2f636f067f89cc14862c" href="c81e728d9d4c2f636f067f89cc14862c" coords="469,766,503,747,501,405,474,394" shape="poly">
        <area target="" alt="eccbc87e4b5ce2fe28308fd9f2a7baf3" title="eccbc87e4b5ce2fe28308fd9f2a7baf3" href="eccbc87e4b5ce2fe28308fd9f2a7baf3" coords="585,698,598,691,593,429,584,421" shape="poly">
        <area target="" alt="a87ff679a2f3e71d9181a67b7542122c" title="a87ff679a2f3e71d9181a67b7542122c" href="a87ff679a2f3e71d9181a67b7542122c" coords="650,658,644,437,658,652,655,437" shape="poly">
        <area target="" alt="e4da3b7fbbce2345d7772b0674a318d5" title="e4da3b7fbbce2345d7772b0674a318d5" href="e4da3b7fbbce2345d7772b0674a318d5" coords="692,637,690,455,695,628,695,467" shape="poly">
        <area target="" alt="1679091c5a880faf6fb5e6087eb1b2dc" title="1679091c5a880faf6fb5e6087eb1b2dc" href="1679091c5a880faf6fb5e6087eb1b2dc" coords="719,620,719,458,728,471,728,609" shape="poly">
        <area target="" alt="8f14e45fceea167a5a36dedd4bea2543" title="8f14e45fceea167a5a36dedd4bea2543" href="8f14e45fceea167a5a36dedd4bea2543" coords="857,612,933,610,936,456,852,455" shape="poly">
        <area target="" alt="c9f0f895fb98ab9159f51fd0297e236d" title="c9f0f895fb98ab9159f51fd0297e236d" href="c9f0f895fb98ab9159f51fd0297e236d" coords="1475,857,1473,354,1537,335,1541,901" shape="poly">
        <area target="" alt="45c48cce2e2d7fbdea1afc51c7c6ad26" title="45c48cce2e2d7fbdea1afc51c7c6ad26" href="45c48cce2e2d7fbdea1afc51c7c6ad26" coords="1324,766,1300,752,1303,401,1325,397" shape="poly">
        <area target="" alt="d3d9446802a44259755d38e6d163e820" title="d3d9446802a44259755d38e6d163e820" href="d3d9446802a44259755d38e6d163e820" coords="1202,695,1217,704,1222,423,1203,423" shape="poly">
        <area target="" alt="6512bd43d9caa6e02c990b0a82652dca" title="6512bd43d9caa6e02c990b0a82652dca" href="6512bd43d9caa6e02c990b0a82652dca" coords="1154,668,1146,661,1144,442,1157,442" shape="poly">
        <area target="" alt="c20ad4d76fe97759aa27a0c99bff6710" title="c20ad4d76fe97759aa27a0c99bff6710" href="c20ad4d76fe97759aa27a0c99bff6710" coords="1105,628,1116,633,1113,447,1102,447" shape="poly">
        <area target="" alt="c51ce410c124a10e0db5e4b97fc2af39" title="c51ce410c124a10e0db5e4b97fc2af39" href="c51ce410c124a10e0db5e4b97fc2af39" coords="1073,609,1081,620,1082,459,1073,463" shape="poly">

Alrighty then, we have a bunch of href’s that we’re already aware are hashes. There’s nothing useful at those URL’s, but perhaps this is happening:
- URL Path is being used in a query to lookup a file by it’s hash
- URL Path is being placed into a system command to find a file?

I messed with the URL but didn’t find anything useful… I don’t notice anything particularly interesting about the serious of hashes.

Hmmmm, I created a list of the hashes:

c4ca4238a0b923820dcc509a6f75849b
c81e728d9d4c2f636f067f89cc14862c
eccbc87e4b5ce2fe28308fd9f2a7baf3
a87ff679a2f3e71d9181a67b7542122c
e4da3b7fbbce2345d7772b0674a318d5
1679091c5a880faf6fb5e6087eb1b2dc
8f14e45fceea167a5a36dedd4bea2543
c9f0f895fb98ab9159f51fd0297e236d
45c48cce2e2d7fbdea1afc51c7c6ad26
d3d9446802a44259755d38e6d163e820
6512bd43d9caa6e02c990b0a82652dca
c20ad4d76fe97759aa27a0c99bff6710
c51ce410c124a10e0db5e4b97fc2af39

And studied the response from an endpoint, but never saw anything overly interesting.

curl -v $TARGET/c4ca4238a0b923820dcc509a6f75849b

So, I decided to try some random hashes. Here’s a function for generating a random hash:

echo $RANDOM | md5sum | head -c 32; echo;
fd2209e3e541aebb5171d597362afc7a

I dropped this into the browser, and nothing.

Well, Just for shits I may as well try to fuzz:

while [ 1 ]; do; echo $(shuf -i 1-100000 -n 1) | md5sum | head -c 32; echo; done | wfuzz -z stdin --hc 404 http://$TARGET/FUZZ

This generates a random hash and slaps it into wfuzz, hiding the 404s. I’ll just let that run while I keep thinking.

I decided to stick the hashes into crackstation… and there we are, it’s just a series!

Now, If I can re-construct any of the hashes I should be able to generate the hash for 14 and so on and get some more files.

For some reason md5sum on my CLI wasn’t generating the correct values, but I found this site that works: https://md5.gromweb.com/?string=1

So, the hash for 14 is c4ca4238a0b923820dcc509a6f75849b which just returned the same image page…

15 == 9bf31c7ff062936a96d3c8bd1f8f2ff3 == Not Found
16 == c74d97b01eae257e44aa9d5bade97baf == Not Found
0 == cfcd208495d565ef66e7dff9f98764da == Flag! GG!