TryHackMe - Neighbour
Check out our new cloud service, Authentication Anywhere
Introduction
We have a little introduction text:
Check out our new cloud service, Authentication Anywhere — log in from anywhere you’d like! Users can enter their username and password for a totally secure login process! You definitely wouldn’t be able to find any secrets that other people have in their profile, right?
Access this challenge by deploying both the vulnerable machine by pressing the green “Start Machine” button located within this task, and the TryHackMe AttackBox by pressing the “Start AttackBox” button located at the top-right of the page.
Flag
Upon visiting the provided website, we are presented with the login form and are instructed to check the source code.
There we find our guest credentials.
After logging in, we can see that the URL has changed to guest.
Let's try changing it to admin.
Well, that was too easy, but at least it shows how easy an IDOR vulnerability is to exploit: with nothing more than a basic guess at another username, we gained access we should not have.
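The following is an added example, not part of the writeup or of the challenge's code: a minimal Python model of the profile endpoint (the profile data, the flag value and the endpoint shape are constructed assumptions) showing the vulnerable lookup that trusts the username in the URL, and the fix, where the server checks the requested username against the logged-in session identity.

```python
# Added example (not the TryHackMe room's code): a model of the
# "Authentication Anywhere" profile endpoint. Profile data, the flag
# value and the function signatures are constructed assumptions.

PROFILES = {
    "guest": {"secret": "nothing to see here"},
    "admin": {"secret": "THM{constructed-placeholder-flag}"},
}


class Forbidden(Exception):
    """Raised when a user requests a profile that is not theirs."""


def profile_idor(session_user, url_user):
    """Vulnerable: the object is selected by the username taken from
    the URL and never compared with the logged-in identity. This is
    the IDOR the writeup exploits by swapping guest for admin."""
    return PROFILES[url_user]


def profile_fixed(session_user, url_user):
    """Hardened: the URL parameter is only a convenience; the
    authorization decision is made against the server-side session."""
    if url_user != session_user:
        raise Forbidden(f"{session_user} may not view {url_user}")
    return PROFILES[session_user]


def audit_log_line(session_user, url_user, allowed):
    """Log line a defender wants: session identity next to the
    requested object, so parameter tampering shows up in the logs."""
    return f"user={session_user} requested={url_user} allowed={allowed}"


if __name__ == "__main__":
    # Logged in as guest, request admin's profile through the URL.
    leaked = profile_idor("guest", "admin")
    print("vulnerable:", leaked["secret"])
    try:
        profile_fixed("guest", "admin")
    except Forbidden as err:
        print("fixed:", err)
        print(audit_log_line("guest", "admin", False))
```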