July 4, 2026
TryHackMe - Corridor CTF Writeup
hi guys, aryan here!

By Aryan Vij
Welcome to another TryHackMe walkthrough!
Today I will be walking you guys through a room called Corridor.
First, we will cover two fundamental concepts required to understand this room: Nmap and IDOR vulnerabilities.
Once we establish a baseline, I will go through the steps to solve the room.
So, let's get started. :)
Nmap - the Network Mapper
Nmap is one of the most common open-source tools used in cybersecurity and it focuses on one word: discovery.
This discovery is conducted through the command line interface. There is a GUI version as well and it's called Zenmap.
Nmap is particularly strong and versatile as it allows cybersecurity professionals to examine many things including:
- networks
- ports
- hosts
- services
- versions
- and operating systems
In order to conduct a penetration test against a machine or network, you need to understand the attack surface.
This includes mapping the network to see:
- what ports are open for me?
- what potential hosts have outdated services with known exploits?
- what networks do these hosts reside on and are there other devices within this particular network?
and most importantly: who and what am I getting into?
That is where Nmap comes in.
Now that we know how to find what we can access, let's learn how IDOR vulnerabilities let us reach things we shouldn't be able to.
IDOR Vulnerabilities - Checking Your Neighbour's Mail
If I can access my house door, I can move not too far over and access yours as well.
Why? Because we are in the same neighbourhood.
Let's cover the technical details.
IDOR stands for Insecure Direct Object Reference.
This is an access control vulnerability that exposes internal objects without checking whether the requester is actually authorized to access them.
How? By assuming that if you can access file A on a website, then there is no need to check again when you try to access file B.
Remember this. Please.
Just because you can access http://10.51.24.3/?id=1000, doesn't mean you should be able to access http://10.51.24.3/?id=1002.
But on many insecure sites you can.
And I'm sure you wouldn't want to live in a neighbourhood that lets people check your mail locker just because they live in the house next to you.
We will be leveraging IDOR vulnerabilities in this room by manipulating the URL itself to allow access to rooms we shouldn't be able to enter.
So, let's get into the hack itself.
Corridor Walkthrough Process
First, we are going to use Nmap to scan the target IP address of the machine.
This will tell us what is running on the host.
Then, we are going to leverage IDOR vulnerabilities to manipulate the URL in the hidden webpage to retrieve the flag.
Our target IP is 10.64.189.153.
You'll get a different one for your instance, but the steps are the same regardless.
First, open up the terminal in the Lab Machine and enter nmap -sS 10.64.189.153.
- -sS is the stealth scan flag. It is called stealthy because you don't complete the full TCP 3-way handshake.
- Keep in mind though that modern enterprise SIEMs will still detect this traffic immediately.
As you can see, port 80 is open. Let's access the target IP's web server.
When you do, you'll find that it looks like this.
When you click the door in the middle, it opens a webpage with this URL: http://10.64.189.153/8f14e45fceea167a5a36dedd4bea2543
Notice how the string following the IP address is an MD5 hash?
When I clicked each one of the rooms, the corresponding URL was the hashed numerical room value.
So, the door in the middle is door number 7. The one closest to the left is 1, and the one closest to the right is 13.
Why is this relevant? Because if we can directly map each URL to a room based on the hashed numbers 1-13, what other numbers grant access?
This is why IDORs are so dangerous. Now all I have to do is add the number 14 in the form of an MD5 hash to the end of the target IP's URL and see if it unlocks a door.
It didn't.
However, if 14 and 15 don't work, maybe 0 will.
Let's enter http://10.64.189.153/cfcd208495d565ef66e7dff9f98764da into our browser and see what happens.
There you go. :)
That's the flag.
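To make the lesson of this room concrete, here is an added example (my own code, not part of the room or the original post) that shows both sides of it: the first half reproduces how the Corridor door tokens are just MD5 of a small counter and so can be mapped straight back to room numbers, and the second half is a hypothetical `RoomStore` showing what a server should do instead: issue random tokens and check ownership on every request. The IP address and the room/owner values are taken from the walkthrough or constructed for illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed: rooms 1-13 seen in the walkthrough, plus the 0, 14 and 15 tried by hand.
CANDIDATE_ROOMS = range(0, 16)


def md5_token(n: int) -> str:
    """MD5 hex digest of the decimal room number, the way the Corridor site builds its URLs."""
    return hashlib.md5(str(n).encode()).hexdigest()


def build_token_map(rooms=CANDIDATE_ROOMS) -> Dict[str, int]:
    """Because the input space is tiny, every token can be precomputed and reversed."""
    return {md5_token(n): n for n in rooms}


def resolve_room(url: str, token_map: Optional[Dict[str, int]] = None) -> Optional[int]:
    """Recover the room number from a URL like http://host/<md5>, or None if unknown."""
    token_map = token_map if token_map is not None else build_token_map()
    return token_map.get(url.rstrip("/").rsplit("/", 1)[-1])


# --- Defender's side (hypothetical hardened design) ---

class RoomStore:
    """Rooms keyed by unguessable random tokens, with an owner recorded per room."""

    def __init__(self) -> None:
        self._rooms: Dict[str, tuple] = {}  # token -> (room_number, owner)

    def create(self, room_number: int, owner: str) -> str:
        # 128 bits of randomness instead of a hash of a counter: nothing to enumerate.
        token = secrets.token_urlsafe(16)
        self._rooms[token] = (room_number, owner)
        return token

    def open_room(self, token: str, requester: str) -> Optional[int]:
        """Authorize on every request: the token must exist AND belong to the requester."""
        entry = self._rooms.get(token)
        if entry is None or entry[1] != requester:
            return None  # a real app returns the same 404 for both cases
        return entry[0]
```

Running `resolve_room` on the walkthrough's two URLs returns 7 and 0; the same lookup against a `RoomStore` token is meaningless, and a token that exists still opens nothing for a requester who does not own it.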