TryHackMe-Neighbour
A very easy ctf dealing with IDOR | IDOR is a broken access control vulnerability where invalidated user input can be used to perform unauthorized access to application functions.
Room link :: https://tryhackme.com/room/neighbour
Let's Solve the Challenge ---
1. First get to the login page by visiting the <IP>
2. Now as you dont have the credentials, you can view the page source or press CTRL+U to get the guest login credentials( use the guest account!(CTRL+U) ) written below the Login button.
3. Now visiting the page source, you get the Guest credentials > guest:guest 
4. Then Getting back to the login page you put in the credentials.
5. yaay! Now you're a guest and the page says not to peep your neighbour’s profile. Mmmmmmm!
6. So again we can view the page source.
7. And now here you got some hints for the admin page and we know we are still logged in as guest.
8. So now as we know that this challenge is IDOR , so try to change the ‘guest’ with ‘admin’ to login as admin.
9. aaaaaa! You're now logged in as admin and you have got the flag > flag{***************}
10. Now submit the flag.Thus using IDOR vulnerability, we bypassed the authentication.What is IDOR vulnerability ?
- Insecure direct object references are common, potentially devastating vulnerabilities resulting from broken access control in web applications. IDOR bugs allow an attacker to maliciously interact with a web application by manipulating a “direct object reference,” such as a database key, query parameter, or filename.
Hope this was helpful. thank you!
Answer the questions below :
Find the flag on your neighbor's logged in page!
-- flag{66be95c478473d91a5358f2440c7af1f}