Hope you are doing well, in this post I want to share with you about my finding in a shopping website, as per their policy and rules I cannot reveal the website’s name, so let’s call it redacted.com.
An insecure direct object reference (IDOR) vulnerability occurs when an attacker can access or modify some reference to an object, such as a file, database record, account, etc. which should actually be inaccessible to them. For example, when viewing your account on a website with private profiles, you might visit www.site.com/user=123. However, if you tried www.site.com/user=124 …
Curling is an intermediate level retired machine on Hack The Box, and its my first write-up on HTB box so feel free to correct me or ask/suggest anything (leave comments below).
To get two flags from ‘user.txt’ and ‘root.txt’ .
So let’s get started ...
The I.P. address for curling machine is 10.10.10.150. First step is to enumerate the machine as shown below:
nmap -sV -p- -T5 10.10.10.150