My name is Terry Amondi and I am thrilled by offensive security.
The objective of this lab is to find an unprotected admin panel located in an unpredictable location and then delete the user carlos.
The lab gives access to a shopping site as shown below.
Take a look at the page source to see whether it contains any useful information. You can do this by right-clicking on the site and then clicking View Page Source.
You are presented with many lines of code, but lines 73-83 hold the information that is relevant to this lab: a JavaScript snippet that defines logic for the admin panel. Line 77, in particular, shows the admin directory towards the end of the line: /admin-p2yvns
Let’s go ahead and access this directory. You’ll find that it takes you to the administrator panel.
Once there, you can delete the user carlos.
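The lab works because the panel's only protection is a hard-to-guess URL that the page's own script hands to every visitor. The following is an added example, not the lab's code: it puts that weak pattern next to server-side rendering and a server-side authorization check, and the path, user objects and function names are all constructed for illustration.

```javascript
// Added example: constructed names and values, not taken from the lab.
const ADMIN_PATH = "/admin-x1example"; // constructed placeholder path

// Weak pattern: every visitor receives the path; a client-side flag only hides the link.
function renderWeak(user) {
  return `<nav class="top-links"></nav>
<script>
var isAdmin = ${user !== null && user.role === "admin"};
if (isAdmin) { addLink('${ADMIN_PATH}', 'Admin panel'); }
</script>`;
}

// Hardened rendering: the server emits the link only for an admin session.
function renderHardened(user) {
  const link = user !== null && user.role === "admin"
    ? `<a href="${ADMIN_PATH}">Admin panel</a>` : "";
  return `<nav class="top-links">${link}</nav>`;
}

// The actual control: every request to the admin route is authorized server-side,
// so knowing the path gives nothing to an anonymous or non-admin session.
function authorizeAdminRequest(user) {
  if (user === null) return 401;          // no session
  if (user.role !== "admin") return 403;  // authenticated but not permitted
  return 200;
}

// Regression check for CI: markup rendered for a non-admin must not mention the path.
function leaksAdminPath(html) {
  return html.includes(ADMIN_PATH);
}

// Constructed sessions used to exercise the functions above.
const anonymous = null;
const shopper = { name: "alice", role: "user" };
const admin = { name: "root", role: "admin" };

for (const [label, u] of [["anonymous", anonymous], ["shopper", shopper], ["admin", admin]]) {
  console.log(label,
    "| weak page leaks path:", leaksAdminPath(renderWeak(u)),
    "| hardened page leaks path:", leaksAdminPath(renderHardened(u)),
    "| admin route status:", authorizeAdminRequest(u));
}
```

Hiding the link is only hygiene; the status returned by the authorization check is what keeps a non-admin out even when the path is known.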