| Lab/Room | TryHackMe - IDOR |
|---|---|
| Type | Classroom |
| Status | Done |
| Date | 16/02/2026 |
The objective of this room is to hack a website in a safe and legal environment, in order to experience what the job of an ethical hacker looks like in practice.
Offensive Security is fundamentally about adopting the mindset of an attacker. Instead of defending blindly, you think like someone who wants to break the system. The goal is to identify weaknesses before malicious actors exploit them. In this lab, the idea is not to use advanced exploitation techniques, but to understand how simple logic flaws can completely break an application’s security.
This room demonstrates that:
You are not exploiting a complex CVE or writing custom payloads. You are simply analyzing how the application behaves and identifying what it trusts too much.
This TryHackMe room is clearly beginner-level. The website contains almost no security mechanisms. However, that is intentional. The purpose is to highlight how dangerously simple some real-world vulnerabilities can be.
No advanced programming knowledge is required. There is no need for:
Instead, the focus is on a basic but critical vulnerability: IDOR (Insecure Direct Object Reference).
An IDOR occurs when an application exposes a reference to an internal object (such as a user ID) without properly verifying whether the current user is authorized to access it. For example, if a URL looks like:
`/profile?id=1`
And changing it to:
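To make the flaw concrete in server-side terms, here is an added example (not code from the TryHackMe room): a minimal profile lookup with the IDOR pattern described above beside a fixed version that authorizes from the server-side session rather than the URL. The users, ids, `Session` class and helper names are all constructed for this illustration.

```python
# Added example, not from the room: vulnerable vs. fixed handling of /profile?id=N.
# Users, ids and the Session object are constructed for this demo.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed data store. Sequential ids make every profile a predictable
# reference, which is exactly what an IDOR lets a caller walk through.
PROFILES = {
    1: {"username": "alice", "email": "alice@example.com"},
    2: {"username": "bob", "email": "bob@example.com"},
    3: {"username": "admin", "email": "admin@example.com"},
}


@dataclass
class Session:
    """Server-side session: who is actually logged in (never taken from the URL)."""
    user_id: int
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when the session may not read the requested object."""


def id_from_url(url: str) -> int:
    """Extract the id query parameter from a request such as /profile?id=1."""
    return int(parse_qs(urlparse(url).query)["id"][0])


def get_profile_vulnerable(session: Session, requested_id: int) -> dict:
    """IDOR: checks only that the object exists, never whether this session owns it,
    so any logged-in user can read any profile by changing the id."""
    if requested_id not in PROFILES:
        raise KeyError(requested_id)
    return PROFILES[requested_id]


def get_profile_fixed(session: Session, requested_id: int) -> dict:
    """Authorization comes from the session: a user may read only their own
    profile unless they hold the admin role. Missing and forbidden ids get the
    same error so the endpoint does not reveal which ids exist."""
    if requested_id != session.user_id and not session.is_admin:
        raise Forbidden(requested_id)
    if requested_id not in PROFILES:
        raise Forbidden(requested_id)
    return PROFILES[requested_id]


def can_read(session: Session, url: str) -> bool:
    """True if the fixed handler would serve this URL to this session."""
    try:
        get_profile_fixed(session, id_from_url(url))
        return True
    except Forbidden:
        return False
```

Run as a defender's check: with the session for user 1, `get_profile_vulnerable` happily returns user 2's profile, while `can_read` returns True only for `/profile?id=1` (or for any existing id when the session is an admin).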