Ottergram is a social-media-style web application on Bugforge.io where users browse otter photos. The attack chain is two-stage: first, find functionality you shouldn't be able to reach. Then, find a way past the gate that's supposed to stop you.
Objetivo: Identify endpoints or functionality that are intended to be restricted to admin users only.
Contexto: You are authenticated as a standard user. The application likely has administrative endpoints that are not linked from the regular user UI but may still be accessible.
Revela solo las que necesites. Claude lleva la cuenta de cuántas usaste para calibrar la retroalimentación.
Look in the captured traffic for endpoints that reference admin roles, user management, or moderation. Try navigating to those paths directly — see how the server reacts.
This is a Broken Access Control (BAC) scenario. Try accessing admin-related URL paths directly, or look for endpoints in the captured traffic that reference admin roles, user management, or moderation.
Try navigating to paths such as /admin, /api/admin, /admin/users, or similar. Alternatively, look at the captured Burp requests for any endpoint that returns a 403 or redirects you away — those are your targets.
Chatea con un tutor anti-spoiler para este paso. Usa solo la especificación de este lab y empieza por la pista más pequeña que sirva.
Cuéntale qué probaste, dónde te atoraste, o pega la respuesta/error que estás viendo.
¿Te gusta Hintru? Buy me a coffee ☕ ☕