Advent Of Cyber 3 - Day 1
tl;dr:
IDOR
Using the “view site” option, it’s possible to play around with the mock-up browser/webpage:
https://inventory-management.thm/activity?user_id=11
Here we quickly see that the “user_id” parameter can be tampered with. After a quick enumeration, trying values from 0 up to 11 (which is our own ID), we find that:
user_id=1 is Santa, position: The Boss!
user_id=3 is McStocker, position: Build Manager
user_id=9 is Grinch, position: Mischief Manager
Reverting all the changes that the Grinch has made reveals the flag:
THM{AOC_IDOR_2B34BHI3}
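The bug behind the flag is missing object-level authorization: the server trusts `user_id` from the query string and never checks it against the logged-in session. The following is an added example (not the room's code) that models the `/activity?user_id=N` handler with a vulnerable and a fixed version; the `User` data, the `activity` entries and the handler names are constructed for illustration.

```python
# Added example: a minimal model of /activity?user_id=N, showing the IDOR and
# the ownership check that closes it. Names/positions come from the writeup;
# the activity entries and function names are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    name: str
    position: str
    activity: list = field(default_factory=list)


# Constructed sample table standing in for the application's user store.
USERS = {
    1: User(1, "Santa", "The Boss!", ["approved the toy budget"]),
    3: User(3, "McStocker", "Build Manager", ["restocked the elf shelves"]),
    9: User(9, "Grinch", "Mischief Manager", ["edited Santa's inventory"]),
    11: User(11, "elf", "Elf", ["logged in"]),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def activity_vulnerable(session_user_id: int, requested_user_id: int) -> list:
    # IDOR: the query parameter is used directly and the session user is
    # ignored, so any authenticated user can read anyone else's activity.
    user = USERS.get(requested_user_id)
    return list(user.activity) if user else []


def activity_fixed(session_user_id: int, requested_user_id: int) -> list:
    # Object-level authorization: the record is returned only when the
    # authenticated session owns it. Unknown ids still yield an empty list,
    # so the response shape does not reveal which ids exist.
    if requested_user_id != session_user_id:
        raise Forbidden(
            f"user {session_user_id} may not read user {requested_user_id}"
        )
    user = USERS.get(requested_user_id)
    return list(user.activity) if user else []


def is_cross_user_request(session_user_id: int, requested_user_id: int) -> bool:
    # Detection hint: in access logs, a user_id that differs from the session
    # user is the signal to alert on, whether or not the fix is deployed.
    return session_user_id != requested_user_id
```

As user 11, `activity_vulnerable(11, 9)` returns the Grinch's entries, while `activity_fixed(11, 9)` raises `Forbidden`.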
To play more with IDOR there’s a good [room](https://tryhackme.com/room/idor) on tryhackme.com.
EOF