# Level 2: Unprotected Admin Functionality with Unpredictable URL

## <mark style="color:purple;">Objective</mark>

Solve the lab by accessing the admin panel and deleting the user carlos.

## <mark style="color:purple;">Explanation</mark>

This lab has an unprotected admin panel whose location is not directly guessable: the URL is hidden or obfuscated somewhere within the application rather than sitting at a predictable path. The goal is to find this URL and use the unprotected functionality to delete the user "carlos".

## <mark style="color:purple;">Resolution</mark>

1. Start by inspecting the home page's source code using `Ctrl + U`.
2. In the page’s source code, look for a fragment or comment that may disclose the URL of the admin panel.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXc4SiLAz5-OXfaTKPl6LsdjM_9pOvuyQilIhyz5zSLEgn5wHi-NSwb2htioVP_YzRLiW7Rs2rXXCkRKmBByGtgIBvoINg3zVrfmWY9ji5PB3Cuaq2CnITFcoH4W2cny9WnP0PqUDw?key=fa42owF2aOzdeWltlyWxs3tn" alt="" width="375"><figcaption></figcaption></figure>

3. Once the URL is found, simply visit the corresponding directory (admin panel) and delete the user "carlos" as instructed.

## <mark style="color:purple;">Mitigation</mark>

* **Authentication**: Always secure admin panels by requiring proper authentication before granting access.
* **Access Control**: Implement access control mechanisms to ensure only authorized users can access sensitive areas, such as admin panels.
* **URL Obfuscation Is Not Enough**: Hiding the admin URL is security through obscurity; once the path is disclosed (here, in the page source) it offers no protection at all. Always enforce server-side access control and validation regardless of how the URL is discovered.
* **Logging**: Enable logging of administrative actions to detect any unauthorized access attempts or suspicious behavior.
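
The mitigations above, as an added example that is not part of the lab or the original write-up: a minimal Python model of the admin "delete user" endpoint, first protected only by an obscured path, then with authentication, a role check and an audit log. The hidden path and the user store are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample user store (not from the lab): username -> role
def fresh_users() -> dict:
    return {"administrator": "admin", "wiener": "user", "carlos": "user"}

# Hypothetical obscured admin path, standing in for the one the lab hides in its page source
HIDDEN_ADMIN_DELETE = "/admin-EXAMPLE-RANDOM-SUFFIX/delete"

@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None means no authenticated session

def delete_user_unprotected(req: Request, target: str, users: dict) -> int:
    """Weak design: the only 'check' is knowing the obscure path.
    Anyone who finds the URL (e.g. in an HTML comment) can delete accounts."""
    if req.path != HIDDEN_ADMIN_DELETE:
        return 404
    users.pop(target, None)
    return 200

def delete_user_protected(req: Request, target: str, users: dict, audit: list) -> int:
    """Hardened design: authenticate, authorize by role, then record the action.
    The path plays no part in the decision, so disclosing it gains nothing."""
    if req.session_user is None:
        audit.append(f"DENY 401 anonymous -> delete {target}")
        return 401
    role = users.get(req.session_user)
    if role != "admin":
        audit.append(f"DENY 403 {req.session_user} (role={role}) -> delete {target}")
        return 403
    if target not in users:
        audit.append(f"ALLOW 404 {req.session_user} -> delete {target} (no such user)")
        return 404
    del users[target]
    audit.append(f"ALLOW 200 {req.session_user} -> delete {target}")
    return 200

if __name__ == "__main__":
    users, audit = fresh_users(), []
    print(delete_user_unprotected(Request(HIDDEN_ADMIN_DELETE), "carlos", fresh_users()))  # 200: obscurity alone fails
    print(delete_user_protected(Request(HIDDEN_ADMIN_DELETE), "carlos", users, audit))                  # 401
    print(delete_user_protected(Request(HIDDEN_ADMIN_DELETE, "wiener"), "carlos", users, audit))        # 403
    print(delete_user_protected(Request(HIDDEN_ADMIN_DELETE, "administrator"), "carlos", users, audit)) # 200
    print("\n".join(audit))
```

The denied attempts in the audit list are exactly what the **Logging** point above would surface: an anonymous or low-privilege session probing the admin endpoint.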
