Corridor Room: A TryHackMe 101 Walkthrough
Introduction:
Welcome to the Corridor room on TryHackMe, tailored for beginners with an easy difficulty level. Today, we explore the virtual challenge “Corridor,” delving into the complexities of Insecure Direct Object Reference (IDOR) vulnerabilities. Uncover hidden secrets by deciphering hexadecimal values scattered across digital corridors, where URL endpoints are pivotal. Join us on this journey of exploration and cybersecurity discovery.
Understanding IDOR Vulnerabilities:
Insecure Direct Object Reference (IDOR) vulnerabilities occur when an application provides unauthorized access to objects, such as files or database records, by failing to properly validate user permissions. Attackers exploit these weaknesses to access sensitive information or manipulate data without proper authorization.
Example:
Imagine a website where users can view their private documents by accessing URLs like “example.com/documents?id=123”. In a secure system, users should only be able to access their own documents. However, if the application has an IDOR vulnerability, a malicious user might change the “id” parameter to access someone else’s documents. For instance, by modifying the URL to “example.com/documents?id=456”, they could gain unauthorized access to another user’s confidential files.
Tools Used:
BurpSuite is the only tool we will be using in this room. We will use it to capture requests and manipulate URL endpoints with different payloads, so let’s get started.
Our Task:
Our task in this challenge is to navigate through a peculiar corridor, examining URL endpoints for potential Insecure Direct Object Reference (IDOR) vulnerabilities. Pay special attention to hexadecimal values resembling hashes as you explore the website. Uncovering these values may lead you to unexpected website locations, revealing potential security risks.
Step 1: Connecting With TryHackMe VPN
Before starting, ensure your TryHackMe VPN is connected and working. If you need assistance with a VPN connection, refer to this article.
Step 2: Launch the Machine
Start the machine provided in the room and let it run for 3–4 minutes before proceeding. A box will appear, like the one below, indicating that the machine is running and showing the IP address of the newly deployed machine.
Step 3: Ping the Machine
Ensure the machine is responsive by pinging it using the terminal of your Kali Linux machine.
Use the command: ping <Machine_IP>
Example:
ping 10.10.161.202
If successful, proceed to the next step.
Step 4: Loading Up The Website And Making Observations
Upon starting the machine, we can access the website by entering the assigned machine IP in a web browser. The website reveals a layout comprising a total of 13 rooms: 6 on each side and 1 centrally located on the screen.
Clicking on the first room on the left side leads to a new page with the URL http://10.10.161.202/c4ca4238a0b923820dcc509a6f75849b. Notably, each room has a unique hash embedded in its URL, such as “c4ca4238a0b923820dcc509a6f75849b”. It is crucial to note the presence of these hashes for further investigation.
By cracking the hash on a dedicated website, we discern that the hash type is MD5 and that the value “c4ca4238a0b923820dcc509a6f75849b” corresponds to the number 1. Similarly, each room’s hash corresponds to a distinct number upon cracking, forming a discernible sequence (e.g. 1, 2, 5, 7). This suggests a systematic ordering of the rooms, prompting a deeper exploration in the subsequent steps.
Step 5: BurpSuite Analysis and URL Manipulation
To delve deeper into our investigation, we utilized BurpSuite to capture and analyze the request generated upon opening the first room on the left. This information was then forwarded to the Repeater tool for further testing.
Our initial hypothesis involved altering the hash in the URL to its simplest cracked form, in this case, ‘1’. Surprisingly, this modification did not yield the expected results.
To refine our understanding, we decided to test the theory by transforming the number ‘2’ into its corresponding hash value. Using the command ‘echo -n 2 | md5sum’ in the terminal, we obtained the hash for ‘2’. Subsequently, we replaced the default hash in the URL with this newly generated hash. Encouragingly, this adjustment proved successful, allowing access to the corresponding room.
Command:
echo -n 2 | md5sum
This observation suggests a dynamic relationship between the numerical sequence and the hash values in the URL, supporting the notion that each room’s hash is linked to a specific numerical representation. Further exploration and testing are essential to decipher the underlying pattern and its implications for navigating the website effectively.
Step 6: Payload Testing with Intruder
We used the Intruder tool to systematically explore the relationship between numerical values and hash representations in the website’s URLs. In Intruder, we configured the payload settings by selecting “numbers” as the payload type with a range of 0 to 255, with each number converted to its corresponding MD5 hash before being used as the endpoint in the URL. The objective was to identify which hashes returned a status code of 200, revealing a sequential pattern that correlates numerical values with hash representations. This information is crucial for effective navigation on the website.
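To check the hash hypothesis of Steps 5 and 6 without a running target, here is an added Python example (not from the original post or the TryHackMe room) that computes the same MD5 values with hashlib instead of `echo -n N | md5sum` and Burp Intruder, and reproduces the "one more 200 than rooms shown" comparison of Step 7 offline. The two digests for 1 and 0 are the ones quoted in the walkthrough; the linked and reachable lists are constructed.

```python
# Added example (not from the original post or the TryHackMe room): reproduces
# the hash analysis of Steps 5 to 7 offline with hashlib, and shows why MD5
# over a sequential id is not an access control: anyone can recompute it.
# The digests for "1" and "0" are quoted in the walkthrough; the linked and
# reachable lists in main() are constructed to mirror its 13-vs-14 finding.
import hashlib
from typing import Iterable, List, Optional


def md5_of_index(n: int, trailing_newline: bool = False) -> str:
    """MD5 of the decimal string of n, as `echo -n N | md5sum` computes it.

    trailing_newline=True mimics `echo N | md5sum` (without -n), which hashes
    "N\n" and therefore yields a different, unrelated digest."""
    data = str(n) + ("\n" if trailing_newline else "")
    return hashlib.md5(data.encode()).hexdigest()


def index_for_hash(h: str, limit: int = 256) -> Optional[int]:
    """Reverse the mapping by recomputing MD5 for 0..limit-1 (the 0-255 range
    Intruder used). Returns the index, or None if h is not in that range."""
    table = {md5_of_index(i): i for i in range(limit)}
    return table.get(h.lower())


def unlisted_reachable(linked_hashes: Iterable[str],
                       reachable_hashes: Iterable[str],
                       limit: int = 256) -> List[int]:
    """Step 7 logic: indices whose hash answered 200 but is not linked from
    the page. Hashes outside 0..limit-1 map to None and are ignored."""
    linked = {index_for_hash(h, limit) for h in linked_hashes}
    reachable = {index_for_hash(h, limit) for h in reachable_hashes}
    return sorted(i for i in reachable - linked if i is not None)


if __name__ == "__main__":
    # c4ca... is the first room's hash from the walkthrough: it is md5("1")
    print(index_for_hash("c4ca4238a0b923820dcc509a6f75849b"))  # 1
    # the extra endpoint found in Step 7 is md5("0")
    print(index_for_hash("cfcd208495d565ef66e7dff9f98764da"))  # 0
    # echo without -n hashes "2\n", which is why the -n flag matters
    print(md5_of_index(2) == md5_of_index(2, trailing_newline=True))  # False
    linked = [md5_of_index(i) for i in range(1, 14)]     # 13 rooms shown on the page
    reachable = [md5_of_index(i) for i in range(0, 14)]  # 14 endpoints answering 200
    print(unlisted_reachable(linked, reachable))         # [0]
```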
Step 7: Finding the Final Flag
Following the completion of the scan, it was noted that 14 endpoints were returning a status code of 200, while the website only displayed 13 rooms. A closer examination of the hashes revealed that the hash corresponding to the number 0, “cfcd208495d565ef66e7dff9f98764da”, also resulted in a status code of 200.
Subsequently, accessing the URL with this hash in a web browser unveiled the final flag, completing our room exploration successfully.
Conclusion:
In conclusion, our meticulous exploration of the website showcased the strategic use of tools such as BurpSuite and the Intruder tool to unravel its structure and discover hidden rooms. The systematic analysis of hash values and their correlation with numerical sequences led us to identify an additional endpoint, bringing the total room count to 14. This journey not only underscored the critical importance of hash analysis in cybersecurity practices but also emphasized the need for a thorough investigation to uncover all potential entry points within complex systems. If you found this article insightful and informative, please consider following for more in-depth explorations and analyses in the realm of cybersecurity. Your support is greatly appreciated!