root@sky:~#
[Day 1] Advent of Cyber 3 (2021) | TryHackMe

Akash Kumar 2021. 12. 3. 05:49

Web Exploitation

Save The Gifts

Story

The inventory management systems used to create the gifts have been tampered with to frustrate the elves. It's a night shift, and McStocker comes to McSkidy panicking about the gifts all being built wrong. With no managers around to fix the issue, McSkidy needs to somehow get access and fix the system and keep everything on track to be ready for Christmas!

 

Learning Objectives

  1. What is an IDOR vulnerability?
  2. How do I find and exploit IDOR vulnerabilities?
  3. Challenge Walkthrough.

Answer the questions below

Q.) After finding Santa's account, what is their position in the company?

A.) The Boss!

Process: I opened the site by clicking the green "View Site" button and then clicked the "Your Activity" tab.

Then I noticed a query parameter in the URL, "user_id=11".

I changed the user id from 11 to 1, just guessing.

Woo, I found Santa.

Q.) After finding McStocker's account, what is their position in the company?

A.) Build Manager

Process: I just randomly changed the user id to values like 2 and 3, and I got McStocker's account.

Q.) After finding the account responsible for tampering, what is their position in the company?

A.) Mischief Manager

Process: Again I randomly changed the user id and found the account responsible for the tampering.

Q.) What is the received flag when McSkidy fixes the Inventory Management System?

A.) THM{AOXXXXXXXXXXXXXXX3}

Process: I clicked all the "Revert" buttons to undo the tampering and got the flag.
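
The user_id trick used throughout the walkthrough, modelled as an added example (not code from the original post or from the TryHackMe room): a vulnerable activity handler beside its fixed form, plus a detector that flags sessions walking through many user_id values. The records, ids and log lines are constructed; only the positions for ids 1 and 2 and the logged-in id 11 come from the post.

```python
"""Added example, not code from the original post or the TryHackMe room.
Models the IDOR above: /activity?user_id=N returns whatever record N
names because the handler trusts the query string. Records, ids and
log lines are constructed for this example."""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed records: user_id -> (name, position). Positions for ids 1
# and 2 are from the post; 11 is the logged-in id seen in the post's URL.
USERS = {
    1: ("Santa", "The Boss!"),
    2: ("McStocker", "Build Manager"),
    11: ("McSkidy", "(position not stated in the post)"),
}

def activity_vulnerable(session_user_id, query):
    """Vulnerable: the record returned is chosen by the client's user_id."""
    requested = int(parse_qs(query)["user_id"][0])
    return USERS.get(requested)  # session_user_id is never consulted

def activity_fixed(session_user_id, query):
    """Hardened: the requested id must match the logged-in session."""
    requested = int(parse_qs(query)["user_id"][0])
    if requested != session_user_id:
        return None  # a real handler would answer 403 and log the attempt
    return USERS.get(requested)

def enumeration_suspects(log_lines, threshold=3):
    """Sessions that fetched more than `threshold` distinct user_id values
    from /activity. Constructed log format: "<session> <path>"."""
    seen = defaultdict(set)
    for line in log_lines:
        session, path = line.split()
        url = urlparse(path)
        if url.path != "/activity":
            continue
        for uid in parse_qs(url.query).get("user_id", []):
            seen[session].add(uid)
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)

# Constructed log: sess-a views only its own page, sess-b walks the ids.
SAMPLE_LOG = [
    "sess-a /activity?user_id=11",
    "sess-a /dashboard",
    "sess-b /activity?user_id=11",
    "sess-b /activity?user_id=1",
    "sess-b /activity?user_id=2",
    "sess-b /activity?user_id=3",
]
```

With the session id 11 from the post, `activity_vulnerable(11, "user_id=1")` hands back Santa's record while `activity_fixed` refuses it, and `enumeration_suspects(SAMPLE_LOG)` singles out the session that stepped through the ids.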

Thanks for reading.

Have a lovely day :-)

 
