Room: Advent Of Cyber 3 2021

[Day 1] Web Exploitation Save The Gifts

Story

The inventory management systems used to create the gifts have been tampered with to frustrate the elves. It's a night shift, and McStocker comes to McSkidy panicking about the gifts all being built wrong. With no managers around to fix the issue, McSkidy needs to somehow get access and fix the system and keep everything on track to be ready for Christmas!

On the first day of Christmas my true friend gave to me ........ an IDOR ?

Hey, season's greetings! It has been a while, but I am back, and let's kick straight into it with this year's Advent Of Cyber from TryHackMe! The first day appears to be an IDOR, or Insecure Direct Object Reference. This is a nice easy room to start with, and the vulnerability class sits in the OWASP Top 10 under Broken Access Control.

Ok, if you do not know what an IDOR is, do some reading..... I will wait....

.... All read up ? Let's get cracking .......

After finding Santa's account, what is their position in the company?

Ok, so after we launch the site we see the following in the URL:

https://inventory-management.thm/activity?user_id=11

As we know from our research, the user_id parameter can be changed by us, but if the developer has secured their code we should not be able to see anyone else's activity...... but let's try changing the value from 11 to 1 and test this.

Success!!! Looks like the developer has not protected against this, and the website is vulnerable to IDOR attacks.
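To make the root cause concrete, here is an added example (my own code, not part of the TryHackMe room or this write-up) that models the /activity?user_id=N endpoint in plain Python. It puts the IDOR-vulnerable lookup next to an ownership-checked one, and adds a small log check that flags a single session requesting many different user_id values, which is the kind of indicator a defender would look for. The users, activity records, roles and log lines are all constructed sample data, and the function names are my own.

```python
"""Added example (not part of the TryHackMe room or this write-up): a minimal
model of the /activity?user_id=N endpoint, showing the IDOR-vulnerable lookup
beside an ownership-checked one, plus a crude log check for user_id
enumeration. All users, records, roles and log lines are constructed."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    name: str
    role: str  # "admin" or "staff" (constructed roles)


# Constructed sample users; names and roles are placeholders.
USERS = {
    1: User(1, "user_one", "admin"),
    11: User(11, "user_eleven", "staff"),
    12: User(12, "user_twelve", "staff"),
}

# Constructed activity records keyed by the owning user's id.
ACTIVITY = {
    1: ["reviewed inventory report"],
    11: ["logged in", "updated gift count"],
    12: ["changed toy specification"],
}


class AccessDenied(Exception):
    """Raised by the hardened handler when the caller may not view the record."""


def get_activity_vulnerable(session_user_id: int, requested_user_id: int) -> list:
    """IDOR: the handler trusts the user_id parameter from the URL and never
    asks whether the logged-in user is allowed to read that record."""
    return ACTIVITY.get(requested_user_id, [])


def can_view(session_user_id: int, requested_user_id: int) -> bool:
    """Authorization policy: a user may view their own activity; admins may
    view anyone's. Unknown (unauthenticated) callers may view nothing."""
    caller = USERS.get(session_user_id)
    if caller is None:
        return False
    return caller.user_id == requested_user_id or caller.role == "admin"


def get_activity_fixed(session_user_id: int, requested_user_id: int) -> list:
    """Hardened lookup: the ownership check runs on every request, using the
    identity from the session rather than anything in the URL."""
    if not can_view(session_user_id, requested_user_id):
        raise AccessDenied(
            f"user {session_user_id} may not view user {requested_user_id}")
    return ACTIVITY.get(requested_user_id, [])


# Constructed web-server log lines: "<session> GET /activity?user_id=<id>".
SAMPLE_LOG = """\
sess-a GET /activity?user_id=11
sess-a GET /activity?user_id=1
sess-a GET /activity?user_id=2
sess-a GET /activity?user_id=3
sess-b GET /activity?user_id=12
"""


def flag_enumeration(log_text: str, threshold: int = 3) -> dict:
    """Return {session: sorted user_ids} for sessions that requested at least
    `threshold` distinct user_id values. One session touching many different
    ids on an endpoint that should only ever show its own is a useful
    detection signal for IDOR probing."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or "user_id=" not in parts[2]:
            continue  # ignore lines that are not activity requests
        session, path = parts[0], parts[2]
        value = path.split("user_id=", 1)[1]
        if value.isdigit():
            seen[session].add(int(value))
    return {s: sorted(ids) for s, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    # Staff user 11 asking for user 1: the vulnerable handler leaks the record.
    print(get_activity_vulnerable(11, 1))
    try:
        get_activity_fixed(11, 1)
    except AccessDenied as exc:
        print("denied:", exc)
    print(flag_enumeration(SAMPLE_LOG))
```

The fix is not to hide or obfuscate the user_id value (that only slows enumeration down) but to make the server decide, on every request, whether the session's identity is entitled to the requested object. The log check is deliberately simple; in a real deployment the session token, the response status and the rate of requests would all feed into the same rule.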

After finding McStocker's account, what is their position in the company?

After finding the account responsible for tampering, what is their position in the company?

What is the received flag when McSkidy fixes the Inventory Management System?

Click revert on the activities to fix the system.

If you want to learn more about IDOR vulnerabilities, we suggest trying out this room https://tryhackme.com/room/idor

No answer needed

Tasks released each day get progressively harder (but are still guided with walkthrough videos). Come back tomorrow for Day 2's task!

No answer needed, see you tomorrow :D