[Day 1] Save The Gifts

{Web Exploitation = Insecure Direct Object Reference vulnerability}


The inventory management systems used to create the gifts have been tampered with to frustrate the elves. It's a night shift, and McStocker comes to McSkidy panicking about the gifts all being built wrong. With no managers around to fix the issue, McSkidy needs to somehow get access and fix the system and keep everything on track to be ready for Christmas!


Accessing the site reveals an Inventory Management System.

Heading to the Your Activity tab reveals the current user's Name, Employee ID and Position.

Modifying the user_id request parameter in the URL exposes the IDOR (Insecure Direct Object Reference) vulnerability exsistent on the website as shown below. Using this vulnerability we are able to fish out the user ids of the staff in the company

santa = 1

After finding Santa's account, what is their position in the company?

  • The Boss!

McStocker = 3

After finding McStocker's account, what is their position in the company?

  • Build Manager

Repeating this, we find the employee's profile that had made the rogue changes.

Grinch = 9

After finding the account responsible for tampering, what is their position in the company?

  • Mischief Manager

Hitting revert on all actions fixes the problem and reveals the flag as shown below.

What is the received flag when McSkidy fixes the Inventory Management System?

  • THM{AOC_IDOR_********}

Last updated