Unprotected Admin Functionality
Lab
Unprotected admin functionality · Apprentice
Solution
Given
This lab has an unprotected admin panel.
Solve the lab by deleting the user carlos.
Analyzing the task
Short and clear: an unprotected admin panel. Delete the user carlos.
Recon
Let's see what's going on. JS files and page source are worth a look. The site lists products; since the target is admin functionality, the product page seems a natural first place to check.
That turns out to be the wrong direction.
This lab is really about discovering the admin panel path:
- Try /admin.
- Check robots.txt.
- Brute-force the admin path with a wordlist.
/admin didn't work, but robots.txt has a surprise:
Disallow: /administrator-panel
We go there — /administrator-panel. Delete the user. Lab solved!
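The lab's root cause is that the admin panel was only hidden, and the hiding place (robots.txt) is public by design. The following added example, written for this page and not part of PortSwigger's lab code, models that in a few lines: a robots.txt Disallow parser showing what the file announces, and one tiny request handler built two ways, without and with a server-side role check. The `Request`, `make_app`, `handle` and `disallowed_paths` names and the user table are assumptions constructed for the illustration.

```python
"""Added example: hiding an admin path is not access control.

Constructed illustration, not PortSwigger's lab code. Two tiny "servers"
are modelled as plain functions; Request, make_app and the user table are
invented for this example.
"""
from dataclasses import dataclass, field

ADMIN_PATH = "/administrator-panel"  # the path the lab leaks via robots.txt


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    # Server-side session, e.g. {"user": "administrator", "role": "admin"}.
    # Anonymous requests have an empty session.
    session: dict = field(default_factory=dict)


def disallowed_paths(robots_txt: str) -> list:
    """Collect Disallow entries from a robots.txt body.

    Crawlers read this file, and so can anyone else: a Disallow line
    publishes the path instead of hiding it.
    """
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:
                paths.append(value)
    return paths


def make_app(enforce_auth: bool):
    """Return (handler, users) for a server with or without an authorization check.

    enforce_auth=False reproduces the lab: anyone who knows the path can
    delete users. enforce_auth=True is the fix: the decision comes from the
    server-side session role, never from the URL being hard to guess.
    """
    users = {"wiener": "user", "carlos": "user", "administrator": "admin"}

    def handle(req: Request) -> tuple:
        if not req.path.startswith(ADMIN_PATH):
            return 404, "not found"
        if enforce_auth and req.session.get("role") != "admin":
            return 403, "forbidden"  # authorization failure, logged in a real app
        target = req.params.get("username")
        if req.path == ADMIN_PATH + "/delete" and target in users:
            del users[target]
            return 200, "deleted " + target
        return 200, "admin panel: " + ", ".join(sorted(users))

    return handle, users


if __name__ == "__main__":
    # Constructed robots.txt matching what the lab serves.
    print(disallowed_paths("User-agent: *\nDisallow: /administrator-panel\n"))
    handle, users = make_app(enforce_auth=True)
    print(handle(Request(ADMIN_PATH + "/delete", {"username": "carlos"})))
    admin = {"user": "administrator", "role": "admin"}
    print(handle(Request(ADMIN_PATH + "/delete", {"username": "carlos"}, admin)))
```

The point of the two configurations is that the URL is identical in both; only the role check on the server changes the outcome. Listing the path in robots.txt (or leaving it out) makes no difference to the protected version, which is the property you want.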