Corridor

Classic IDOR vulnerability via MD5-hashed URL parameters. The corridor presents 13 numbered doors — all MD5 hashes of integers 1–13. The hidden room? md5(0).

IDORMD5WebHash EnumerationTryHackMeEasy

Overview

The Corridor — 13 numbered doors

On visiting the machine's IP, you land on a page showing a corridor with several doors. Each door links to an "empty room" — a URL with a long hexadecimal string in it. The challenge description hints at IDOR and hashing, so the hex strings are the first thing to investigate.

Observation

Here are all the hex values found on the doors:

Input
MD5 Hash (URL)
Function
1
c4ca4238a0b923820dcc509a6f75849b
md5(1)
2
c81e728d9d4c2f636f067f89cc14862c
md5(2)
3
eccbc87e4b5ce2fe28308fd9f2a7baf3
md5(3)
4
a87ff679a2f3e71d9181a67b7542122c
md5(4)
5
e4da3b7fbbce2345d7772b0674a318d5
md5(5)
6
1679091c5a880faf6fb5e6087eb1b2dc
md5(6)
7
8f14e45fceea167a5a36dedd4bea2543
md5(7)
8
c51ce410c124a10e0db5e4b97fc2af39
md5(8)
9
c20ad4d76fe97759aa27a0c99bff6710
md5(9)
10
6512bd43d9caa6e02c990b0a82652dca
md5(10)
11
d3d9446802a44259755d38e6d163e820
md5(11)
12
45c48cce2e2d7fbdea1afc51c7c6ad26
md5(12)
13
c9f0f895fb98ab9159f51fd0297e236d
md5(13)

The pattern is immediately obvious — the URLs are just md5(n) for n = 1 through 13. Since these are predictable, you can compute the hash for any integer and navigate directly to that room, even without being linked there. That's the IDOR vulnerability.

Exploitation

Key insight: The doors are numbered 1–13. There is no door zero — but what if room 0 exists on the server? The application never links you there, but since the IDs are predictable hashes, nothing stops you from going directly.

Compute the MD5 hash of 0 and use it as the URL path:

terminal
$ echo -n 0 | md5sum
cfcd208495d565ef66e7dff9f98764da -

# now visit: http://<MACHINE_IP>/cfcd208495d565ef66e7dff9f98764da
  1. Note that door URLs follow the pattern /<md5(n)> for integers 1–13.
  2. Recognise the IDOR: since IDs are sequential and predictable, you can enumerate rooms that are never linked to.
  3. Compute md5(0) = cfcd208495d565ef66e7dff9f98764da.
  4. Navigate directly to http://<MACHINE_IP>/cfcd208495d565ef66e7dff9f98764da.
  5. The flag is displayed on the page.

Flag

Retrieved from room 0
Visit the page to capture your flag

Key Takeaway

IDOR (Insecure Direct Object Reference) occurs when an application uses predictable, user-controllable values to reference resources. Hashing the ID doesn't help if the hash function is known and the input space is small — an attacker can simply precompute or enumerate every possible hash. Always enforce server-side authorization checks, not just obscure IDs.
Crazy Once — Leetspeak Copypasta
Computer Repair 1