24Owais/Cyber-Projects---Admin-Vulnerability
Admin Portal Access Lab

Objective

Discover and exploit an exposed admin portal through directory brute-forcing.

Tools Used

  • Gobuster
  • Web browser (for manual exploitation)

Steps Taken

  1. Ran Gobuster to enumerate hidden directories on the target.
  2. Identified /bank-transfer endpoint returning status code 200.
  3. Accessed the endpoint via a web browser.
  4. Executed a $2000 transfer from the admin panel.
  5. Verified the new account balance to confirm successful exploitation.
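The steps above describe the attack from the tester's side. From the defender's side, the same activity leaves a distinctive trace in the web server's access log: one source address producing a burst of 404 responses against paths that do not exist, followed by a 200 on the path it found. The script below is an added example, not part of this lab or its repository; it parses combined-format access log lines (the sample lines are constructed, with documentation addresses and the lab's /bank-transfer path) and flags any source whose 404 count inside a sliding window crosses a threshold, listing which paths that source then reached successfully so an analyst can check whether they were meant to be exposed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in combined log format; not captured from the lab.
# One source enumerates paths that do not exist, then reaches the exposed endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /config HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /old HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /test HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /dev HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /private HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /uploads HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /secret HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 404 153 "-" "gobuster/3.6"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /bank-transfer HTTP/1.1" 200 2048 "-" "gobuster/3.6"
198.51.100.5 - - [10/Oct/2023:13:55:42 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:13:55:43 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(log_text, window=timedelta(seconds=60), threshold=10):
    """Flag source IPs whose 404 responses reach `threshold` within any `window`.

    Returns {ip: {"not_found": total_404s, "peak_in_window": max_404s_in_window,
                  "discovered": [paths that returned 200], "user_agents": [...]}}.
    """
    by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        misses = [r["ts"] for r in recs if r["status"] == 404]
        # Sliding window over the sorted 404 timestamps: largest burst inside `window`.
        peak, start = 0, 0
        for end in range(len(misses)):
            while misses[end] - misses[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {
                "not_found": len(misses),
                "peak_in_window": peak,
                # Paths this source did reach: candidates for "was this meant to be exposed?"
                "discovered": sorted({r["path"] for r in recs if r["status"] == 200}),
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

The user-agent string is reported but not used as the trigger, since it is trivially changed; the 404 burst is the durable signal. Threshold and window should be tuned against normal traffic for the site, where a handful of 404s per minute from crawlers and stale bookmarks is ordinary.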

Lessons Learned

  • Directory brute-forcing can uncover hidden and sensitive pages.
  • Admin portals should be hidden and protected with proper authentication.
  • Web application misconfigurations can lead to critical unauthorized access.

Real-World Relevance

This type of vulnerability mimics misconfigurations found in poorly secured admin panels across many small-to-mid-scale web apps. It is essential to use secure directory structures and authentication mechanisms, and to disable unused endpoints in production.
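The lesson that admin portals must be protected by authentication rather than by an obscure path translates into a deny-by-default route policy: every path is denied unless the policy explicitly allows it, sensitive routes require both a session and the right role, and endpoints that are not meant to exist in production answer 404 regardless of who asks. The following is an added example, not code from this lab; the route names other than /bank-transfer, the policy tables and the Session type are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed policy tables for a hypothetical application (not the lab's own code).
PUBLIC_PATHS = {"/", "/index.html", "/login"}     # reachable without a session
PUBLIC_PREFIXES = ("/static/",)                    # reachable without a session
ROLE_REQUIREMENTS = {                              # path -> role that must be held
    "/bank-transfer": "admin",                     # the lab's exposed endpoint
    "/admin": "admin",
    "/account": "user",
}
DISABLED_IN_PRODUCTION = {"/debug", "/test-transfer"}  # must not exist in production


@dataclass
class Session:
    """Minimal stand-in for an authenticated session (hypothetical)."""
    user: Optional[str] = None
    roles: Set[str] = field(default_factory=set)


def normalize(path: str) -> str:
    """Strip the query string and a trailing slash so policy lookups cannot be bypassed
    by variants such as /bank-transfer/ or /bank-transfer?x=1."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    path = path.rstrip("/")
    return path or "/"


def authorize(path: str, session: Session, production: bool = True) -> Tuple[int, str]:
    """Decide whether a request may proceed. Returns (http_status, reason).

    Order matters: disabled routes vanish first, public routes pass, then a session
    is required, then the route must be listed with a role the session holds.
    Anything not covered by the policy is denied (403), not silently allowed.
    """
    p = normalize(path)
    if production and p in DISABLED_IN_PRODUCTION:
        return 404, "endpoint disabled in production"
    if p in PUBLIC_PATHS or p.startswith(PUBLIC_PREFIXES):
        return 200, "public route"
    if session.user is None:
        return 401, "authentication required"
    required = ROLE_REQUIREMENTS.get(p)
    if required is None:
        return 403, "route not in policy (deny by default)"
    if required not in session.roles:
        return 403, f"role '{required}' required"
    return 200, f"allowed for {session.user}"


if __name__ == "__main__":
    anonymous = Session()
    customer = Session(user="alice", roles={"user"})
    operator = Session(user="ops", roles={"admin"})
    for who, s in (("anonymous", anonymous), ("customer", customer), ("operator", operator)):
        print(who, "/bank-transfer ->", authorize("/bank-transfer", s))
    print("operator /debug in production ->", authorize("/debug", operator))
    print("operator /debug in staging ->", authorize("/debug", operator, production=False))
```

The distinction between 401 and 403 is deliberate: an unauthenticated request is told to log in, while an authenticated user without the role is refused outright, and in both cases the response carries no hint about what the endpoint does. Returning 404 for disabled routes, rather than 403, avoids confirming to an enumeration tool that the path exists at all.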


Written by Owais Sarwar

About

Practical lab demonstrating directory brute-forcing to find and exploit an exposed admin portal.