Love Letter Locker

Love at First Breach 2026 - Love Letter Locker

Category: Web

Author: TryHackMe

Challenge Prompt

My Dearest Hacker,

Welcome to LoverLetterLocker, where you can safely write and store your Valentine's letters. For your eyes only?

You can access the web app here: http://MACHINE_IP:5000

Problem Type

  • IDOR

Solve

Upon visiting the page, we have two options: log in or create an account.
So, let's make a new account.

I made my account and was presented with the dashboard. The "Tip from Cupid" that states every love letter gets a unique number made me instantly think this might be an Insecure Direct Object Reference (IDOR) problem.
We can also see there are already 2 other letters in the archive.

Next I made a new letter with the title and message of Test.

When we save our letter, we are taken to the view page, where we can see that our letter is #3 and that this number is reflected in the URL. If we change the 3 to 2, can we see another letter?

When we change the 3 to a 2 in the URL and submit, we do in fact see a different letter.

When we look at letter #1, we see the flag.
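
The missing check behind this behaviour, shown as an added example (not the challenge's own code): a lookup that trusts the letter number from the URL next to one that also verifies ownership, plus a small regression check. The `Letter` model, the user names and all function names are hypothetical, and the data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Letter:
    id: int
    owner: str
    title: str

# Constructed sample data: two existing letters plus the "Test" letter (#3).
LETTERS = {
    1: Letter(1, "user_a", "constructed letter 1"),
    2: Letter(2, "user_b", "constructed letter 2"),
    3: Letter(3, "tester", "Test"),
}

class NotFound(Exception):
    """Would map to an HTTP 404 in a real handler."""

def view_letter_vulnerable(session_user, letter_id):
    # Checks only that someone is logged in, then trusts the id from the URL.
    if session_user is None:
        raise PermissionError("login required")
    if letter_id not in LETTERS:
        raise NotFound(letter_id)
    return LETTERS[letter_id]

def view_letter_hardened(session_user, letter_id):
    if session_user is None:
        raise PermissionError("login required")
    letter = LETTERS.get(letter_id)
    # Ownership is checked on every lookup. "Missing" and "not yours" give the
    # same answer, so the response does not confirm which ids exist.
    if letter is None or letter.owner != session_user:
        raise NotFound(letter_id)
    return letter

def foreign_letters_readable(view, user, ids):
    """Regression check: ids the view returns to `user` that someone else owns."""
    leaked = []
    for letter_id in ids:
        try:
            letter = view(user, letter_id)
        except (NotFound, PermissionError):
            continue
        if letter.owner != user:
            leaked.append(letter_id)
    return leaked
```

Running `foreign_letters_readable` against every object-by-id route in a test suite catches this class of bug before release; sequential ids make the flaw easy to notice, but the fix is the ownership check, not harder-to-guess ids.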