# Level 1: Unprotected Admin Functionality

## <mark style="color:purple;">Objective</mark>

Solve the lab by deleting the user carlos.

## <mark style="color:purple;">Explanation</mark>

This lab presents a vulnerability where an admin panel is exposed without any access-control mechanism. The goal is to exploit this lack of protection to delete a specific user, in this case "carlos." An unprotected admin panel is one that performs no authentication or authorization check before serving administrative functions, so anyone who discovers its path can interact with those functions directly. Hiding the panel under an obscure path (or, as here, listing it in `robots.txt`) is not a control: the path is still discoverable, and the functions behind it still run for anyone who requests them.

## <mark style="color:purple;">Resolution</mark>

1. First, access the target URL provided in the lab.
2. Check the `robots.txt` file to see if there are any paths or hidden endpoints related to the admin panel.
3. You may discover the admin panel located at `/administrator-panel`.
4. Once there, use the available functionality to delete the user "carlos."

## <mark style="color:purple;">Mitigation</mark>

* **Authentication**: Require authentication for administrative panels so that only authenticated users can reach them at all; an unauthenticated request to an admin endpoint should be rejected, not served.
* **Access Control**: Use role-based access control (RBAC) to restrict access to sensitive areas, ensuring that only users with the necessary privileges (such as administrators) can perform sensitive actions like deleting users. Enforce the check on the server for every administrative request, not just on the link or menu that leads to the panel.
* **Input Validation**: Validate the input supplied to administrative functions (such as the username to delete) and reject anything unexpected. Validation limits how an operation can be manipulated, but it is not a substitute for the authentication and access-control checks above.
* **Logging and Monitoring**: Log administrative actions, including denied attempts, and monitor those logs so that unauthorized or suspicious activity against the admin panel is detected.
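
The following is an added example, not code from the lab or from PortSwigger, showing the pattern above in plain Python: a delete-user handler with no checks (the lab's flaw), beside the same handler guarded by authentication, an RBAC role check, input validation and an audit log. The user table, the `Request`/`Response` types and the `/administrator-panel/delete` path are constructed for the example; real web frameworks express the same checks as middleware or decorators in the same way.

```python
"""Added example: an admin delete-user endpoint, unprotected and then hardened."""
import re
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Optional

# Constructed sample user table: username -> role (hypothetical accounts).
USERS = {"administrator": "admin", "wiener": "user", "carlos": "user"}

# Usernames are validated against a strict allowlist pattern.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

# Audit log for administrative actions (a list here; a real app writes to a log sink).
AUDIT_LOG: list = []


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None          # None means not authenticated
    params: dict = field(default_factory=dict)  # form/query parameters


@dataclass
class Response:
    status: int
    body: str


def delete_user_unprotected(req: Request, users: dict) -> Response:
    """The lab's flaw: no authentication or role check. Anyone who finds the
    path can delete any account."""
    target = req.params.get("username", "")
    if target in users:
        del users[target]
        return Response(200, f"deleted {target}")
    return Response(404, "no such user")


def require_role(role: str) -> Callable:
    """Decorator enforcing authentication, then RBAC, then writing an audit entry.
    The check runs server-side on every call, regardless of how the path was found."""
    def decorator(handler: Callable[[Request, dict], Response]) -> Callable:
        @wraps(handler)
        def guarded(req: Request, users: dict) -> Response:
            actor = req.session_user
            if actor is None:                      # authentication
                AUDIT_LOG.append(f"DENY unauthenticated {req.path}")
                return Response(401, "authentication required")
            if users.get(actor) != role:           # access control (RBAC)
                AUDIT_LOG.append(f"DENY {actor} role={users.get(actor)} {req.path}")
                return Response(403, "forbidden")
            resp = handler(req, users)
            AUDIT_LOG.append(f"ALLOW {actor} {req.path} params={req.params} status={resp.status}")
            return resp
        return guarded
    return decorator


@require_role("admin")
def delete_user_protected(req: Request, users: dict) -> Response:
    """Hardened handler: only reached for authenticated admins; validates input."""
    target = req.params.get("username", "")
    if not USERNAME_RE.match(target):              # input validation
        return Response(400, "invalid username")
    if target == req.session_user:
        return Response(400, "cannot delete the acting account")
    if target not in users:
        return Response(404, "no such user")
    del users[target]
    return Response(200, f"deleted {target}")


if __name__ == "__main__":
    path = "/administrator-panel/delete"
    store = dict(USERS)
    print(delete_user_unprotected(Request(path, None, {"username": "carlos"}), store))
    store = dict(USERS)
    print(delete_user_protected(Request(path, None, {"username": "carlos"}), store))
    print(delete_user_protected(Request(path, "wiener", {"username": "carlos"}), store))
    print(delete_user_protected(Request(path, "administrator", {"username": "carlos"}), store))
    print("\n".join(AUDIT_LOG))
```

The unprotected handler deletes `carlos` for an unauthenticated request, which is exactly the lab's outcome. The guarded handler returns 401 without a session, 403 for a logged-in non-admin, 400 for a malformed username, and only performs the deletion for an admin, with every outcome (including denials) recorded in the audit log so that probing of the panel is visible to monitoring.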
