Advent of Cyber 2025: Day 5 - IDOR this, IDOR that | TryHackMe

Published: December 13, 2025 at 01:47 PM EST
3 min read
Source: Dev.to

Setup

  • If you have OpenVPN Connect running on your machine, start only the Target box.
  • Otherwise, start both boxes.
  • In your browser, navigate to the challenge URL and log in using the credentials provided in Task 2.

What is IDOR?

Insecure Direct Object Reference (IDOR) is an authorization vulnerability.
When a system is vulnerable to IDOR, an attacker can access resources they are not supposed to by modifying HTTP request parameters.

  • Horizontal privilege escalation – accessing other users’ accounts.
  • Vertical privilege escalation – performing actions reserved for higher‑privilege users (e.g., admin operations).

IDOR is a form of horizontal privilege escalation.

Follow the TryHackMe (THM) literature to learn more about IDOR.
Note: The instructions to “navigate to the Storage tab and expand the Local Storage dropdown” actually refer to Inspect → Storage → Local storage in the browser dev tools.

Relevant Question

Exploiting the IDOR found in the view_accounts parameter, what is the user_id of the parent that has 10 children?

  1. Open the browser’s dev tools (Inspect).
  2. Go to Storage → Local storage.
  3. Expand the dropdown and locate the entry that starts with http:/10.48….
  4. Examine the stored data to find the parent with 10 children and note its user_id.

Using Burp Suite

Initial Steps

  1. Open the Target tab in the AttackBox and click Open Browser.
  2. If you see an error, click the Settings icon (top‑right) and try again.
  3. After the browser opens, paste the Target box URL and log in as usual.
  4. The page may appear to “load forever” because Burp’s intercept is holding the request.
  5. In Burp Suite, go to Proxy → Intercept and click the Intercept is on button to switch interception off (or forward the held request) so the page finishes loading.

Intercepting Requests

  • Refresh the page with the dev tools open to see the HTTP requests.
  • Identify the request that loads the child data (e.g., the request triggered by the eye or edit icon on a child card).
  • When Burp pauses the request, you can modify parameters (e.g., change user_id) and forward the request to see the response.

Finding a Child’s Birthdate

Task: Use either the base64 or md5 child endpoint to find the id_number of the child born on 2019‑04‑17.

  1. On the dashboard, click a child’s edit icon.
  2. Burp will pause the request; forward it after modifying the payload if needed.
  3. If the birthdate isn’t shown in the UI, inspect the response body in the browser’s dev tools – the date is present there.
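The root cause behind the view and edit requests above, and behind the base64 and md5 child endpoints, is the same: the server resolves whatever id the client sends and never checks that the logged-in parent owns that child. The following Python is an added example, not code from the TryHackMe room or this post; the records, ids and session identity are constructed, and the endpoint names are assumptions. It puts the IDOR-vulnerable lookup next to an ownership-checked one and shows that base64-encoding or md5-hashing the id is obfuscation, not authorisation, because the hardened handler still decides on the server-side session, not on the reference the client supplied.

```python
"""Added example (not from the TryHackMe room or the post): an IDOR-vulnerable
child lookup beside an ownership-checked one. All records below are constructed."""
import base64
import hashlib

# Constructed sample data: child records and the parent that owns each one.
CHILDREN = {
    1: {"parent_id": 100, "name": "Child A", "birthdate": "2018-02-01"},
    2: {"parent_id": 100, "name": "Child B", "birthdate": "2019-04-17"},
    3: {"parent_id": 200, "name": "Child C", "birthdate": "2017-09-30"},
}

# An endpoint keyed on md5(id) is as enumerable as one keyed on the plain id:
# the hash of every small integer is cheap to precompute, so the server (and
# anyone else) can map a hash straight back to the id it came from.
MD5_TO_ID = {hashlib.md5(str(i).encode()).hexdigest(): i for i in CHILDREN}


class Forbidden(Exception):
    """The caller is authenticated but not authorised for this object."""


def vulnerable_view_child(child_id: int) -> dict:
    """IDOR: trusts the client-supplied id and never asks who is calling,
    so any logged-in parent can read any child by changing the number."""
    return CHILDREN[child_id]


def decode_child_ref(ref: str) -> int:
    """Accept the plain id, its md5 hex digest, or its base64 form.
    Decoding only recovers the id; it says nothing about who may read it."""
    if ref.isdigit():
        return int(ref)
    if ref in MD5_TO_ID:
        return MD5_TO_ID[ref]
    return int(base64.b64decode(ref, validate=True).decode())


def secure_view_child(session_parent_id: int, child_ref: str) -> dict:
    """Ownership check: resolve the object, then compare its owner with the
    identity taken from the server-side session, never from the request."""
    child_id = decode_child_ref(child_ref)
    record = CHILDREN.get(child_id)
    if record is None or record["parent_id"] != session_parent_id:
        # Same error for "does not exist" and "not yours", so the endpoint
        # does not reveal which ids are valid.
        raise Forbidden(f"child {child_id!r} not accessible to parent {session_parent_id}")
    return record


def demo() -> dict:
    """Parent 200 is logged in and requests child 2, which belongs to parent 100."""
    out = {"vulnerable": vulnerable_view_child(2)["birthdate"]}
    encoded = base64.b64encode(b"2").decode()  # "Mg==", the base64 endpoint's form
    for label, ref in (("secure_plain", "2"), ("secure_b64", encoded)):
        try:
            secure_view_child(200, ref)
            out[label] = "allowed"
        except Forbidden:
            out[label] = "denied"
    # The legitimate owner still gets the record through the encoded reference.
    out["owner_ok"] = secure_view_child(100, encoded)["birthdate"]
    return out


if __name__ == "__main__":
    print(demo())
```

The check that matters is the comparison against `session_parent_id`: the encoding scheme on the URL is irrelevant to it, which is why switching an endpoint from plain ids to base64 or md5 changes nothing about the vulnerability.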

Automating with Intruder

  1. In Burp, after pausing the request for a child’s view, highlight the relevant part and choose Send to Intruder.
  2. In the Intruder tab, create a payload list (e.g., the numbers 1–20).
  3. Add a Payload Processing task: Base64 Encode.
  4. Start the attack.
  5. Scan the results for the 2019‑04‑17 date. In my run, child_id:1x returned the correct birthdate.

Bonus Question 1

Using the /parents/vouchers/claim endpoint, find the voucher that is valid on 20 November 2025.

  • The vouchers use UUID version 1, which encodes a timestamp.
  • By generating UUID v1 values for every minute between 20:00 – 24:00 UTC on 20 Nov 2025, you can brute‑force the correct voucher.

Generating UUID v1 Values

You can ask an AI (e.g., Claude) to produce JavaScript code that uses the uuid npm package to generate UUID v1 for each minute in the desired range. Example prompt:

Generate JavaScript code using the `uuid` npm package to create UUID v1 values for every minute between 20:00 and 24:00 UTC on 20 November 2025.

Run the script locally, feed the generated UUIDs to the claim voucher request (via Burp), and look for a 200 response with a positive claim.

Correct voucher (THM answer): 22643e00-c655-11f0-ac99-026ccdf7d769

Bonus Question 2

Using the /parents/vouchers/claim endpoint, find the voucher that is valid on 20 November 2025. (restatement of Bonus Question 1)

  • After generating the UUID list, send each as the voucher parameter in a claim request.
  • Filter the Burp results for status 200 and a successful claim message.

The valid voucher returned by TryHackMe is:

22643e00-c655-11f0-ac99-026ccdf7d769

Both the correct voucher and the one you generate will share the same timestamp prefix, confirming the UUID‑v1 timing attack.
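The reason that brute force works is that a version-1 UUID is a structured value, not a random one: the first 60 bits are a timestamp in 100-nanosecond ticks since 1582-10-15, the rest is a clock sequence and the generator's node id. The Python below is an added example, not code from the post or the room. It decodes the voucher quoted above with the standard library's uuid module and recovers its issue time, 2025-11-20 21:09:00 UTC, which falls inside the 20:00 to 24:00 window the post searched; a version-4 UUID, generated here for comparison, carries no such field. The defensive conclusion is that anything meant to be unguessable (vouchers, reset tokens, invite codes) should come from a CSPRNG, for example `uuid.uuid4()` or `secrets.token_urlsafe()`, never from a time-based UUID version.

```python
"""Added example (not from the post or the room): what an observer can read
from a version-1 UUID without any secret, compared with a random version-4 one."""
import uuid
from datetime import datetime, timedelta, timezone

# Ticks (100 ns) between the UUID epoch, 1582-10-15, and the Unix epoch.
UUID_EPOCH_TICKS = 0x01B21DD213814000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Voucher value quoted in the post (the THM answer).
VOUCHER = "22643e00-c655-11f0-ac99-026ccdf7d769"


def uuid1_timestamp(value: str) -> datetime:
    """Return the creation time embedded in a version-1 UUID, in UTC.
    Any other version raises ValueError: there is no timestamp to decode."""
    u = uuid.UUID(value)
    if u.version != 1:
        raise ValueError(f"UUID version {u.version} carries no timestamp")
    # u.time is the 60-bit tick count since 1582-10-15; shift it to Unix time.
    unix_ticks = u.time - UUID_EPOCH_TICKS
    return UNIX_EPOCH + timedelta(microseconds=unix_ticks // 10)


def describe(value: str) -> dict:
    """Summarise the fields a token leaks by structure alone."""
    u = uuid.UUID(value)
    info = {"version": u.version}
    if u.version == 1:
        info["issued_at"] = uuid1_timestamp(value).isoformat()
        info["clock_seq"] = u.clock_seq          # 14-bit counter, tiny search space
        info["node"] = f"{u.node:012x}"          # generator's node id, constant per host
    return info


def compare_with_random() -> dict:
    """A version-4 UUID exposes only its version nibble; the other 122 bits are random."""
    return describe(str(uuid.uuid4()))


if __name__ == "__main__":
    print(describe(VOUCHER))
    print(compare_with_random())
```

Only the `issued_at` field has to land in a known window for the voucher to be recoverable, since `node` is fixed per server and `clock_seq` has 16384 possible values; that is the whole reason the post could enumerate one minute at a time.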


Feel free to comment with any observations or alternative approaches.
