[Day 1] Save The Gifts

{Web Exploitation = Insecure Direct Object Reference vulnerability}

Story

The inventory management systems used to create the gifts have been tampered with to frustrate the elves. It's a night shift, and McStocker comes to McSkidy panicking about the gifts all being built wrong. With no managers around to fix the issue, McSkidy needs to somehow get access and fix the system and keep everything on track to be ready for Christmas!

Challenge

Accessing the site reveals an Inventory Management System.

Heading to the Your Activity tab reveals the current user's Name, Employee ID and Position.

Modifying the user_id request parameter in the URL exposes the IDOR (Insecure Direct Object Reference) vulnerability present on the website, as shown below. Using this vulnerability, we are able to fish out the user IDs of the staff in the company:

santa = 1
McStocker = 3

Repeating this, we find the profile of the employee who made the rogue changes.

Grinch = 9

Hitting revert on all actions fixes the problem and reveals the flag as shown below.
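To make the vulnerability concrete from the defender's side, here is an added example (not code from the writeup or from the challenge site) of the activity endpoint in its vulnerable form next to a fixed form, plus a small log check for the id-walking footprint this challenge relies on. The user table, positions, log lines and the activity URL shape are all constructed for the example.

```python
"""Constructed illustration of an IDOR on a user_id parameter, the fix,
and a detection check. Names, ids and log lines are made up."""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed in-memory user table (not the challenge's real data).
USERS = {
    1: {"name": "Santa", "position": "CEO"},
    3: {"name": "McStocker", "position": "Stock Manager"},
    9: {"name": "Grinch", "position": "Contractor"},
}
MANAGER_POSITIONS = {"CEO"}  # assumed roles allowed to view any profile


def requested_user_id(url: str) -> Optional[int]:
    """Pull user_id out of a URL such as /activity?user_id=3."""
    q = parse_qs(urlparse(url).query)
    try:
        return int(q.get("user_id", [None])[0])
    except (TypeError, ValueError):
        return None


def activity_vulnerable(session_user_id: int, url: str) -> Optional[dict]:
    """The IDOR: whatever id the URL carries is served, with no check
    that it belongs to the logged-in user (session_user_id is ignored)."""
    return USERS.get(requested_user_id(url))


def activity_fixed(session_user_id: int, url: str) -> Optional[dict]:
    """Hardened form: the record is released only to its owner or to a
    manager; any other request gets None (treat as HTTP 403 / 404)."""
    uid = requested_user_id(url)
    if uid is None or uid not in USERS:
        return None
    caller = USERS.get(session_user_id)
    is_manager = caller is not None and caller["position"] in MANAGER_POSITIONS
    return USERS[uid] if uid == session_user_id or is_manager else None


def enumeration_suspects(log_lines: list, threshold: int = 3) -> set:
    """Detection: sessions that requested more distinct user_id values than
    threshold. Log format (constructed): '<session> <request-url>'."""
    seen = {}
    for line in log_lines:
        session, _, url = line.partition(" ")
        uid = requested_user_id(url)
        if uid is not None:
            seen.setdefault(session, set()).add(uid)
    return {s for s, ids in seen.items() if len(ids) > threshold}
```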
