Info 📌

This website has an unauthenticated admin panel at /admin, but a front-end system has been configured to block external access to that path. However, the back-end application is built on a framework that supports the X-Original-URL header.

🎯 Goal:

To solve the lab, access the admin panel and delete the user carlos.


  1. From the lab description I can tell that the solution involves sending a new request header.
  2. I start the lab and click on the admin panel link.
  3. The front end blocks it: access denied.
  4. So I intercept the request in Burp.
  5. After searching Stack Overflow for X-Original-URL I found this thread: **https://stackoverflow.com/questions/57759419/x-original-for-header-whats-its-purpose**
  6. The header tells the back end which URL the request is really for; the framework routes on that value instead of the path in the request line. So if I add `X-Original-URL: /admin`, the back end treats the request as one for /admin.
  7. That means the front end sees a harmless path while the back end serves the admin panel. To delete carlos I first need to see the admin panel and find out which endpoint deletes him.


Now I know the endpoint I need to reach to remove the carlos user.

So I set X-Original-URL to /admin/delete,

and in the real request line I use /delete?username=carlos.


And there we go: carlos is deleted and the lab is solved 🎉
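To make the root cause concrete, here is an added Python example (my own code, not part of the lab or PortSwigger's material) that models the lab's front end beside a hardened version: the weak check looks only at the request-line path, while the fixed check applies the same rule to the path the back end will actually route to, and an audit helper flags requests where an override header changes that path. The header names, the blocked prefix and the sample requests are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Routing-override headers that some back-end frameworks honour.
# X-Original-URL is the one used in this lab; X-Rewrite-URL is a
# commonly seen sibling (assumption: both listed for completeness).
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")
BLOCKED_PREFIXES = ("/admin",)   # paths the front end is meant to protect


def effective_path(request_path: str, headers: dict) -> str:
    """Path the back end really routes to: an override header replaces the
    request-line path (the framework behaviour the lab depends on)."""
    for name, value in headers.items():
        if name.lower() in OVERRIDE_HEADERS and value:
            return urlsplit(value).path
    return urlsplit(request_path).path


def front_end_allows_naive(request_path: str, headers: dict) -> bool:
    """Weak front end: only inspects the request-line path, so an override
    header aimed at /admin sails straight through."""
    return not urlsplit(request_path).path.startswith(BLOCKED_PREFIXES)


def front_end_allows_hardened(request_path: str, headers: dict) -> bool:
    """Fixed front end: applies the rule to the path that will be routed."""
    return not effective_path(request_path, headers).startswith(BLOCKED_PREFIXES)


def strip_override_headers(headers: dict) -> dict:
    """Alternative fix: drop override headers at the edge so clients cannot
    influence back-end routing at all."""
    return {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}


def override_changes_route(request_path: str, headers: dict) -> bool:
    """Detection: True when an override header rewrites the routed path,
    which is worth alerting on in front-end access logs."""
    return effective_path(request_path, headers) != urlsplit(request_path).path


# Constructed sample requests modelled on the lab (not captured traffic).
BYPASS_REQ = ("/?username=carlos", {"Host": "lab", "X-Original-URL": "/admin/delete"})
DIRECT_REQ = ("/admin", {"Host": "lab"})
NORMAL_REQ = ("/", {"Host": "lab"})

if __name__ == "__main__":
    for path, hdrs in (BYPASS_REQ, DIRECT_REQ, NORMAL_REQ):
        print(path, "naive:", front_end_allows_naive(path, hdrs),
              "hardened:", front_end_allows_hardened(path, hdrs),
              "routed:", effective_path(path, hdrs))
```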