IDOR — Santa’s Little IDOR | Advent of Cyber 2025 Day 5 | Writeup

 Access the room: https://tryhackme.com/room/idor-aoc2025-zl6MywQid9

The elves of Wareville are on high alert since McSkidy went missing. Recently, the support team has been receiving many calls from parents who can’t activate vouchers on the TryPresentMe website. They also mentioned they are receiving many targeted phishing emails containing information that is not public. The support team is wary and has enlisted the help of the TBFC staff. When looking into this peculiar case, they discovered a suspiciously named account named Sir Carrotbane, which has many vouchers assigned to it. For now, they have deleted the account and retrieved the vouchers. But something is going on. Can you help the TBFC staff investigate the TryPresentMe website and fix the vulnerabilities?

Learning Objectives

  • Understand the concept of authentication and authorization
  • Learn how to spot potential opportunities for Insecure Direct Object References (IDORs)
  • Exploit IDOR to perform horizontal privilege escalation
  • Learn how to turn IDOR into SDOR (Secure Direct Object Reference)

Connecting to the Machine

Start your target VM by clicking the Start Machine button below. The machine will need about 2 minutes to fully boot. Additionally, start your AttackBox by clicking the Start AttackBox button below. The AttackBox will start in split view. In case you cannot see it, click the Show Split View button at the top of the page. Inside your AttackBox, open a web browser and navigate to the TryPresentMe application at http://MACHINE_IP.

Overview

This lab centers around Insecure Direct Object Reference (IDOR), a critical access control vulnerability where an application exposes direct references to objects (like user accounts, packages, or files) without verifying the requester’s authorization. Attackers can manipulate these references to access unauthorized data, often resulting in horizontal privilege escalation. The lab uses the TryPresentMe website as a practical example to illustrate the discovery, exploitation, and remediation of IDOR vulnerabilities.

What is IDOR?

  • IDOR (Insecure Direct Object Reference): A vulnerability where a web application uses identifiers (like user_id, package_id, or voucher_id) to reference objects in its database. If the application fails to verify that the requester is authorized to access the object, attackers can simply change the identifier to view or modify another user's data.
  • Privilege Escalation: IDOR typically leads to horizontal privilege escalation, where a user gains access to data of other users at the same privilege level, rather than gaining administrative privileges (vertical escalation).

Step-by-Step Walkthrough

1. Setup & Authentication

Start the target machine and the AttackBox, then access the TryPresentMe website at http://MACHINE_IP and authenticate using the provided credentials to reach the dashboard.

2. Identifying IDOR Vulnerability

After logging in, open your browser’s Developer Tools, go to the Network tab, and refresh the page.


Identify the view_accountinfo request, which contains a user_id parameter (e.g. user_id=10).


This parameter is used to fetch account details for a specific user.

3. Exploiting the Basic IDOR

In Developer Tools, navigate to the Storage tab and locate the auth_user entry in Local Storage.


Double‑click the Value column, change the user_id value inside auth_user from 10 to 11, and reload the page. The parent’s profile will refresh with the new data. The application builds the view_accountinfo request from this client-side value and the server never checks that it matches the logged-in user, so editing Local Storage has the same effect as editing the user_id parameter of the request directly.


Keep incrementing user_id until you reach the profile that lists 10 children; that is the account the question asks for.
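The following is an added example, not code from the TryHackMe room or the TryPresentMe application. It models the behaviour described above (the "What is IDOR?" section and steps 2 and 3) as a small in-memory version of the view_accountinfo endpoint: a vulnerable handler that trusts the client-supplied user_id, an enumeration loop that automates the manual 10 → 11 change and stops at the profile with 10 children, and a hardened handler that takes the object reference from the server-side session instead. The account records, field names, the Session class and the endpoint signatures are all assumptions made for this illustration; the real application's schema is not shown in the room.

```python
"""Added example (not the room's code): vulnerable vs hardened view_accountinfo,
plus the attacker's user_id enumeration loop run against both."""

from dataclasses import dataclass

# Constructed sample data standing in for the parent accounts table. The real
# TryPresentMe schema is not shown in the room; these rows are assumptions.
ACCOUNTS = {
    10: {"name": "Parent Ten", "email": "ten@example.invalid", "children": 2},
    11: {"name": "Parent Eleven", "email": "eleven@example.invalid", "children": 1},
    12: {"name": "Parent Twelve", "email": "twelve@example.invalid", "children": 10},
    13: {"name": "Parent Thirteen", "email": "thirteen@example.invalid", "children": 3},
}


@dataclass
class Session:
    """Server-side session created at login. user_id is set from the database
    after the password check, so the client cannot change it."""
    user_id: int


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the object."""


def view_accountinfo_vulnerable(session: Session, params: dict) -> dict:
    """IDOR: the handler reads user_id from the request (the value the front end
    copies out of the auth_user entry in Local Storage) and never checks that it
    belongs to the logged-in user. Any authenticated user can read any account."""
    user_id = int(params["user_id"])
    return ACCOUNTS[user_id]


def view_accountinfo_fixed(session: Session, params: dict) -> dict:
    """SDOR: the object reference comes from the authenticated session. A
    client-supplied user_id is tolerated only when it equals the session's own
    id, so the existing front end keeps working while cross-account reads fail."""
    requested = int(params.get("user_id", session.user_id))
    if requested != session.user_id:
        raise Forbidden(f"user {session.user_id} may not read account {requested}")
    return ACCOUNTS[session.user_id]


def enumerate_accounts(endpoint, session: Session, id_range) -> dict:
    """Attacker loop: replay the same request with each candidate user_id, as the
    walkthrough does by hand for 10 -> 11. Returns {user_id: children} for every
    id the endpoint served; forbidden or non-existent ids are skipped."""
    found = {}
    for uid in id_range:
        try:
            record = endpoint(session, {"user_id": uid})
        except (Forbidden, KeyError):
            continue
        found[uid] = record["children"]
    return found


def find_profile_with_children(endpoint, session: Session, id_range, n: int = 10):
    """Return the first user_id whose profile lists n children, or None if the
    endpoint never exposed such a profile to this session."""
    for uid, children in enumerate_accounts(endpoint, session, id_range).items():
        if children == n:
            return uid
    return None


if __name__ == "__main__":
    me = Session(user_id=10)
    # Vulnerable endpoint: every account in the range leaks to user 10.
    print(enumerate_accounts(view_accountinfo_vulnerable, me, range(10, 14)))
    print(find_profile_with_children(view_accountinfo_vulnerable, me, range(10, 14)))
    # Fixed endpoint: only the caller's own account is returned.
    print(enumerate_accounts(view_accountinfo_fixed, me, range(10, 14)))
    print(find_profile_with_children(view_accountinfo_fixed, me, range(10, 14)))
```

The fix is the one line that compares the requested id against the session's id. The more robust variant is to drop the client-supplied user_id entirely and look the row up by session.user_id alone, so there is nothing in the request for an attacker to tamper with; the version above keeps the parameter only so the unchanged front end still works. Either way, the check has to run on the server, since Local Storage and request parameters are fully under the attacker's control.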
