One minute
THM: Corridor
Title:Corridor
Description:Can you escape the Corridor?
Difficulty:Easy
Tags:
Nmap
First we scan for open ports
# nmap -p- -T4 -sV -sC 10.10.112.147 -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-21 07:25 BST
Nmap scan report for 10.10.112.147
Host is up (0.019s latency).
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Werkzeug httpd 2.0.3 (Python 3.10.2)
|_http-title: Corridor
|_http-server-header: Werkzeug/2.0.3 Python/3.10.2
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.50 seconds
Website
Visiting the website we see an image showing a bunch of doors.
Each of these are clickable, but result in going to page showing an empty room. Looking at the source it looks like the id’s might be MD5 hashes.
Putting them into crackstation reveals they are incremental numbers.
Based on this we can try generating other room numbers. We start with 0. We can generate the number with md5sum, but must remember not to include a newline.
# echo -n 0 | md5sum
cfcd208495d565ef66e7dff9f98764da -
We visit this page and it gives us the flag.
