Shady Oaks

Today our hint is forceful browsing. An example: a normal user should not have access to directories that are meant for administrative purposes. With forceful browsing an attacker simply requests endpoints they're not authorized to reach and sees what comes back. Most of the time developers tighten the security around /admin pretty well. However, when the site expands and another dev implements /admin/profiles, things can start to go wrong. When yet another dev then adds /admin/profiles/updateUser/:id, sometimes the security measure is forgotten on that route.
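The defensive answer to that "forgotten on the newest route" pattern is to stop relying on one check per handler and put a single deny-by-default gate in front of the whole /admin prefix, plus an audit that flags any admin route registered without an authorization requirement. The following is an added example, not code from this write-up or from the challenge; it uses a tiny in-memory router standing in for a web framework so it runs offline, and every name in it (App, Route, PROTECTED_PREFIXES, the shadow and root users) is constructed for illustration.

```python
"""Centralised, deny-by-default authorization for everything under /admin.

Constructed example: a minimal in-memory router stands in for a real web
framework. All names and users here are made up for the illustration.
"""
import posixpath
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class Route:
    method: str
    pattern: str                       # e.g. "/admin/profiles/updateUser/:id"
    handler: Callable
    roles: Optional[frozenset] = None  # None = nobody declared a requirement


# One policy table instead of one check per route: a route added later under
# /admin cannot escape it, because the gate keys on the canonical path prefix.
PROTECTED_PREFIXES = {"/admin": frozenset({"admin"})}


def canonical(path: str) -> str:
    """Decode, drop the query string, collapse '.', '..', '//' and a trailing
    '/', so the prefix check sees the same path the handler would."""
    path = unquote(path.split("?", 1)[0])
    path = posixpath.normpath(path)
    return "/" + path.lstrip("/")      # normpath keeps a leading '//'; strip it


def required_roles_for(path: str) -> Optional[frozenset]:
    path = canonical(path)
    for prefix, roles in PROTECTED_PREFIXES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return roles
    return None


def match(pattern: str, path: str) -> Optional[dict]:
    """Match '/a/:id'-style patterns; return the path params or None."""
    want, got = pattern.strip("/").split("/"), path.strip("/").split("/")
    if len(want) != len(got):
        return None
    params = {}
    for w, g in zip(want, got):
        if w.startswith(":"):
            params[w[1:]] = g
        elif w != g:
            return None
    return params


class App:
    def __init__(self):
        self.routes = []

    def route(self, method: str, pattern: str, roles: Optional[frozenset] = None):
        def register(fn):
            self.routes.append(Route(method, pattern, fn, roles))
            return fn
        return register

    def audit(self) -> list:
        """Routes under a protected prefix whose author forgot to declare roles:
        exactly the regression described above, caught at review or CI time."""
        return [r.pattern for r in self.routes
                if required_roles_for(r.pattern) is not None and r.roles is None]

    def dispatch(self, user: Optional[User], method: str, raw_path: str):
        path = canonical(raw_path)
        held = user.roles if user else frozenset()
        # 1. The central gate runs before routing, so a missing per-route check is harmless.
        needed = required_roles_for(path)
        if needed is not None and not (held & needed):
            return 403, "forbidden"
        for r in self.routes:
            if r.method != method:
                continue
            params = match(r.pattern, path)
            if params is None:
                continue
            # 2. Per-route declarations, where present, are enforced as well.
            if r.roles is not None and not (held & r.roles):
                return 403, "forbidden"
            return 200, r.handler(user, **params)
        return 404, "not found"


app = App()

@app.route("GET", "/admin", roles=frozenset({"admin"}))
def admin_home(user):
    return "admin dashboard"

@app.route("GET", "/admin/profiles/updateUser/:id")   # roles= forgotten by a later dev
def update_user(user, id):
    return f"editing user {id}"

@app.route("GET", "/profile/:id")
def profile(user, id):
    return f"profile {id}"

SHADOW = User("shadow", frozenset({"user"}))   # ordinary registered user
ADMIN = User("root", frozenset({"admin"}))

if __name__ == "__main__":
    print(app.audit())   # ['/admin/profiles/updateUser/:id']
    for p in ("/admin", "/admin/profiles/updateUser/7", "/profile/../admin", "//admin"):
        print(p, app.dispatch(SHADOW, "GET", p))   # 403 each time, despite the missing check
    print(app.dispatch(ADMIN, "GET", "/admin/profiles/updateUser/7"))   # (200, 'editing user 7')
```

Two design choices matter here. The gate compares against the canonical path (decoded, dot-segments and doubled slashes collapsed), because a prefix check on the raw request path is only as good as the normalisation in front of it. And `audit()` is cheap to run in a unit test, so a route that lands under /admin without a declared requirement fails the build instead of being discovered the way this challenge was.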

So after the usual registration of the user shadow:shadowforge, I tried something on the homepage that I never thought would work: I navigated to /admin. Quick win today, seeing the frontend reveal the flag 🇧🇪
