
Ottergram (BAC + HTTP Verb Tampering) — Bugforge

Tags: EN · medium · CTF challenge · Broken Access Control (BAC) · HTTP Verb Tampering · IDOR · Authorization Bypass · Burp Suite

Ottergram is a social-media-style web application on Bugforge.io where users browse otter photos. The attack chain is two-stage: first, find functionality you shouldn't be able to reach. Then, find a way past the gate that's supposed to stop you.


Step 2 · Discover Admin-Only Endpoints

Objective: Identify endpoints or functionality that are intended to be restricted to admin users only.

Context: You are authenticated as a standard user. The application likely has administrative endpoints that are not linked from the regular user UI but may still be accessible.

Progressive hints


Hint 1 — directional nudge

Look in the captured traffic for endpoints that reference admin roles, user management, or moderation. Try navigating to those paths directly — see how the server reacts.

Hint 2 — technique / vuln class

This is a Broken Access Control (BAC) scenario. Try accessing admin-related URL paths directly, or look for endpoints in the captured traffic that reference admin roles, user management, or moderation.

Hint 3 — near solution

Try navigating to paths such as /admin, /api/admin, /admin/users, or similar. Alternatively, look at the captured Burp requests for any endpoint that returns a 403 or redirects you away — those are your targets.
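The two policies this step contrasts, shown as an added example that is not the lab's or Bugforge's code: a toy dispatcher whose role check is bound to the GET handler only, beside a deny-by-default version that checks the role before any verb is routed. The admin paths come from Hint 3; the user record, role names and handler are assumptions.

```python
from __future__ import annotations

# Constructed for illustration: admin-only paths taken from Hint 3, and the
# verbs the admin handler is meant to accept.
ADMIN_PATHS = {"/admin", "/api/admin", "/admin/users"}
ADMIN_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}

def handle_admin_users(method: str, user: dict) -> tuple[int, str]:
    """Hypothetical admin handler; it trusts that authorization already ran."""
    return 200, f"{method} ok for {user['name']}"

def dispatch_vulnerable(method: str, path: str, user: dict) -> tuple[int, str]:
    """Flawed policy: the role check is attached to the GET handler only, so
    every other verb (POST, HEAD, even a made-up one) reaches the handler."""
    if path not in ADMIN_PATHS:
        return 404, "not found"
    if method == "GET" and user["role"] != "admin":
        return 403, "forbidden"
    return handle_admin_users(method, user)

def dispatch_hardened(method: str, path: str, user: dict) -> tuple[int, str]:
    """Deny-by-default policy: the role check runs on the path, before routing
    and independent of the verb; unexpected verbs are rejected outright."""
    if path not in ADMIN_PATHS:
        return 404, "not found"
    if user["role"] != "admin":          # evaluated first, for every verb
        return 403, "forbidden"
    if method not in ADMIN_METHODS:      # unknown verbs never reach a handler
        return 405, "method not allowed"
    return handle_admin_users(method, user)

def audit(dispatch, user: dict) -> dict[str, int]:
    """Send each verb (plus an unknown one) to /admin/users and collect the
    status codes, the way a defender regression-tests an access-control policy."""
    return {m: dispatch(m, "/admin/users", user)[0]
            for m in sorted(ADMIN_METHODS | {"FOO"})}

if __name__ == "__main__":
    alice = {"name": "alice", "role": "user"}     # constructed standard user
    print("vulnerable:", audit(dispatch_vulnerable, alice))
    print("hardened:  ", audit(dispatch_hardened, alice))
```

A policy that answers 403 only for the verb the UI happens to use is what the lab's title refers to; the audit output makes the gap visible before an attacker does.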
