
Exploitation of Web Application Vulnerabilities in Support System
Tags: brute-force, IDOR, LFI, web-vulnerabilities, api-exploitation, cookie-manipulation, authentication-bypass
The user brute-forced the login for the help@support.thm account and reached api.php by modifying the client-side isITUser cookie, which the application treated as proof of an IT role. They then exploited an IDOR vulnerability in the API to retrieve the emails and admin statuses of specialadmin@support.thm and IT@support.thm, and used LFI through the skin parameter of dashboard.php to read config.php and extract the master password support@110. Attempts to log in as specialadmin@support.thm with the master password failed, and a PUT request to change the admin status of help@support.thm was blocked, possibly because an undisclosed hidden field, such as password, is required.