After browsing the website, let's check robots.txt to see if there are any interesting endpoints.
Let's navigate to /admin.
What if we changed the Host header to localhost? Would the server treat us as a local user if the request appeared to come from localhost? Let's try it out.
First, let's open Burp and intercept the request to /admin.
If we send the request, we get 401 Unauthorized.
Let's change the Host header to localhost to make the server think that we are local users. It worked: we received 200 OK, which means that we are authorized.
Now send this request to delete the user carlos (you can find this link in the response we get from /admin, in an <a> tag).
And the challenge is solved.
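The 401 turning into 200 is what you would expect from an access check that trusts the Host header. The following is an added example, not the lab's actual code: it puts such a check next to one based on the connection's peer address, and every function name, hostname and IP address in it is an assumption made up for illustration.

```python
import ipaddress


def is_local_by_host(headers):
    """Weak check: the Host header is chosen by the client."""
    host = headers.get("Host", "").split(":")[0].lower()
    return host == "localhost"


def is_local_by_peer(peer_ip):
    """Stronger check: loopback test on the TCP peer address,
    which request headers cannot change."""
    try:
        return ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:
        return False


def admin_status_weak(headers, peer_ip):
    # peer_ip is ignored on purpose: that is the flaw.
    return 200 if is_local_by_host(headers) else 401


def admin_status_hardened(headers, peer_ip):
    # headers are ignored on purpose: Host plays no part in the decision.
    return 200 if is_local_by_peer(peer_ip) else 401


# Constructed sample requests: (headers, peer address of the connection).
SAMPLES = {
    "remote, normal Host": ({"Host": "shop.example"}, "203.0.113.7"),
    "remote, Host: localhost": ({"Host": "localhost"}, "203.0.113.7"),
    "real loopback client": ({"Host": "localhost"}, "127.0.0.1"),
}


def compare():
    """Return {sample name: (weak status, hardened status)}."""
    return {
        name: (admin_status_weak(h, ip), admin_status_hardened(h, ip))
        for name, (h, ip) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (weak, hardened) in compare().items():
        print(f"{name:26} weak={weak} hardened={hardened}")
```

Behind a reverse proxy the peer address is the proxy's own, so an admin panel should require real authentication instead of relying on where a request appears to come from.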
Hope you found this walkthrough easy to understand and follow.