Initial Reconnaissance
Even though this is an IDOR-focused room, I started with a quick Nmap scan to check exposed services.
~$ nmap -sV 10.49.151.21
The scan completed cleanly and confirmed that the host was reachable. Only two TCP ports were open.
PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.580/tcp open http Apache httpd 2.4.53
SSH was open, but the web service on port 80 was clearly the main attack surface.
Web Exploitation
I navigated to the web application running on port 80 and was presented with a simple login interface.
At first glance, the page looked intentionally minimal. One detail stood out immediately: a message below the login form referencing a guest account, along with a hint to inspect the …
Initial Reconnaissance
Even though this is an IDOR-focused room, I started with a quick Nmap scan to check exposed services.
~$ nmap -sV 10.49.151.21
The scan completed cleanly and confirmed that the host was reachable. Only two TCP ports were open.
PORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.580/tcp open http Apache httpd 2.4.53
SSH was open, but the web service on port 80 was clearly the main attack surface.
Web Exploitation
I navigated to the web application running on port 80 and was presented with a simple login interface.
At first glance, the page looked intentionally minimal. One detail stood out immediately: a message below the login form referencing a guest account, along with a hint to inspect the page source (Ctrl+U).
Get Death Esther’s stories in your inbox
Join Medium for free to get updates from this writer.
Opening the source code revealed a commented line that hadn’t been removed during development:
Press enter or click to view image in full size
<!-- use guest:guest credentials until registration is fixed. "admin" user account is off limits!!!!! -->
That single comment explained the next step without needing any guesswork. I logged in using the provided guest credentials.
Press enter or click to view image in full size
Once authenticated, I was redirected to a profile page associated with the guest user.
Capturing the Flag
While reviewing the page, I noticed the structure of the URL in the address bar:
http://10.49.151.21/profile.php?user=guest
The application was directly referencing the username as a request parameter. I modified the value of the user parameter in the URL and loaded the page again.
Press enter or click to view image in full size
The response changed immediately, and the protected content became visible. The flag was displayed directly on the page.
flag{66be95c478473d91a5358f2440c7af1f}
Press enter or click to view image in full size
Conclusion
This room was short and straightforward, but it highlights a real-world issue that often gets overlooked. A simple lack of proper authorization checks was enough to expose another user’s data. Challenges like this reinforce why access control matters just as much as authentication in web applications.
Thanks for taking the time to read this walkthrough.
For more TryHackMe labs and writeups, check out my GitHub repository: 🔗 THM Walkthroughs
More walkthroughs will be added as I continue solving new rooms.