3 min read · Nov 19, 2022

Room link ::


Easy-rated machine dealing with IDOR, created by cmnatic. This is a very easy machine that can be solved within minutes.

What is IDOR?

An Insecure Direct Object Reference (IDOR) is a type of access control vulnerability. It occurs when a web application or API uses a user-supplied identifier to access an object directly in an internal database, but does not check whether the requesting user is authenticated and authorised to access that object.
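To make the definition concrete, here is an added example of my own (not code from the room or its author): a hypothetical profile handler that trusts the identifier from the URL, next to a version that checks the identifier against the server-side session. The user records are constructed sample data, and the function and field names are assumptions for illustration.

```python
"""
Added illustration of the IDOR definition (not code from the room or its author).
Two hypothetical profile handlers: one that trusts the user-supplied identifier,
and one that checks it against the session before returning the record.
"""
from dataclasses import dataclass

# Constructed sample data standing in for the application's user table.
# The "private_note" field is the kind of data an IDOR exposes.
PROFILES = {
    "guest": {"role": "guest", "bio": "guest account", "private_note": None},
    "admin": {"role": "admin", "bio": "administrator", "private_note": "admin-only data"},
}


@dataclass
class Session:
    """What the server knows about the logged-in user (set at login, not from the URL)."""
    username: str
    role: str


class AccessDenied(Exception):
    pass


# Constructed audit log: denied requests are recorded so that probing
# of other users' identifiers shows up in monitoring.
DENIED_LOG = []


def view_profile_vulnerable(session: Session, requested: str) -> dict:
    """Vulnerable: looks the profile up by the identifier from the URL.

    The only check is that the record exists. Who is asking is ignored,
    so any logged-in user can read any profile just by changing the name.
    """
    if requested not in PROFILES:
        raise KeyError(requested)
    return PROFILES[requested]


def view_profile_hardened(session: Session, requested: str) -> dict:
    """Hardened: the same lookup, but the session decides what may be read.

    A user may read their own profile; an admin may read any profile.
    Everything else is refused and logged.
    """
    if requested not in PROFILES:
        raise KeyError(requested)
    if session.username != requested and session.role != "admin":
        DENIED_LOG.append(f"user={session.username} tried to read profile={requested}")
        raise AccessDenied(f"{session.username} may not read {requested}")
    return PROFILES[requested]


def compare_handlers(session: Session, requested: str) -> dict:
    """Run both handlers for the same request and summarise the outcome."""
    leaked = view_profile_vulnerable(session, requested).get("private_note")
    try:
        view_profile_hardened(session, requested)
        blocked = False
    except AccessDenied:
        blocked = True
    return {"vulnerable_returned_note": leaked, "hardened_blocked": blocked}


if __name__ == "__main__":
    guest = Session(username="guest", role="guest")
    print(compare_handlers(guest, "guest"))  # own profile: allowed by both
    print(compare_handlers(guest, "admin"))  # other profile: only the vulnerable one answers
    print(DENIED_LOG)
```

The point of the hardened version is that the identifier in the URL is treated as a request, not as proof of anything; the server-side session is the source of truth for who the caller is, and the denied attempt leaves a log line for detection.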

!! Before reading the following content, try to find the flag yourself using your understanding of the IDOR vulnerability. !!

  • Understand IDOR
  • Start the challenge
  • Look at the URL
  • Solve it

Solving the Challenge

Let’s start with our challenge

When we access the challenge URL, we get a login page with no signup option and a note telling us to use the guest account.


We can see the page hints at checking the page source (Ctrl + U).

Source Code

We get the guest userid:passwd.

Login with the given credentials

Guest account

We are logged into the guest account, and it warns us not to peep at our neighbour’s profile. That alone is reason to check the source code again.

guest page : source code

Hints about the admin page.

Now look at the URL

The URL contains the username ‘guest’, which looks interesting; simply change ‘guest’ to ‘admin’ to log in as admin.

admin page

Wow, we are logged in as admin and have the flag.

Yes, we bypassed the access control using the IDOR vulnerability.

flag submission

Submit the flag.

