Insecure direct object references lab

This lab requires us to acquire the password of the user "carlos".

Once we are inside the lab, we have the option to enter the "Live chat".

We can then send a message and see the transcript.

If we intercept the request to download the transcript, we can see "2.txt" in the URL of the request.

If we change this file name to "1.txt" and send the request, we can see a different transcript with a password in it.

Now we just need to log in as "carlos" with the stolen credentials.
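
The steps above work because the download endpoint returns whichever transcript file name the client supplies, without checking who the transcript belongs to. The following is an added example, not the lab's own code: that handler beside a version with an ownership check, plus a log check that flags requests for another session's transcript. The store, session IDs and function names are assumptions made for the illustration.

```python
# Constructed sample store using the lab's sequential "1.txt", "2.txt" naming.
# Owners and bodies are made up for this example.
TRANSCRIPTS = {
    "1.txt": {"owner": "session-A", "body": "constructed transcript of another user's chat"},
    "2.txt": {"owner": "session-B", "body": "constructed transcript of our own chat"},
}

# Constructed access log: (session id, requested file name).
SAMPLE_LOG = [("session-B", "2.txt"), ("session-B", "1.txt"), ("session-A", "1.txt")]


def download_vulnerable(session_id, filename):
    """Returns any existing transcript; the session is never consulted."""
    record = TRANSCRIPTS.get(filename)
    if record is None:
        return 404, ""
    return 200, record["body"]


def download_hardened(session_id, filename):
    """Returns a transcript only to the session that created it."""
    record = TRANSCRIPTS.get(filename)
    # Answer "missing" and "not yours" identically, so the response does not
    # confirm which file names exist.
    if record is None or record["owner"] != session_id:
        return 404, ""
    return 200, record["body"]


def foreign_requests(access_log):
    """Lists (session, file) pairs where a session asked for a transcript it does not own."""
    return [
        (session_id, filename)
        for session_id, filename in access_log
        if filename in TRANSCRIPTS and TRANSCRIPTS[filename]["owner"] != session_id
    ]


if __name__ == "__main__":
    print(download_vulnerable("session-B", "1.txt")[0])  # served despite wrong owner
    print(download_hardened("session-B", "1.txt")[0])    # refused
    print(foreign_requests(SAMPLE_LOG))
```

Sequential file names make the missing check easy to find, but replacing them with random identifiers alone does not fix it; the ownership check on the server is the control.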
