Love Letter Locker
Love at First Breach 2026 - Love Letter Locker
| Category | Author |
|---|---|
| Web | TryHackMe |
Challenge Prompt
My Dearest Hacker,
Welcome to LoverLetterLocker, where you can safely write and store your Valentine's letters. For your eyes only?
You can access the web app here: http://MACHINE_IP:5000
Problem Type
- Web
- IDOR
Solve
Upon visiting the page, we have two options: log in or create an account.
So, let's make a new account.
I made my account and was presented with the dashboard. The "Tip from Cupid" stating that every love letter gets a unique message made me instantly think this might be an Insecure Direct Object Reference (IDOR) problem.
We can also see there are already 2 other letters in the archive.
Next I made a new letter with the title and message of Test.
When we save our letter, we are taken to the view page, where we can see that we are letter #3 and that this is reflected in the URL. If we change the 3 to a 2, can we see another letter?
When we change the 3 to a 2 in the URL and submit we do in fact see a different letter:
When we look at letter #1, we see the flag:
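To show why changing the id in the URL works, and what the fix looks like, here is an added example that is not the challenge's own code: a constructed in-memory letter store with the vulnerable lookup (by id only) beside a hardened one that scopes the lookup to the logged-in user, plus a small audit helper you can keep as a regression test. Letter contents, usernames and the flag value are placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Set

@dataclass
class Letter:
    letter_id: int
    owner: str
    title: str
    body: str

# Constructed sample data mirroring the challenge: two pre-existing letters
# (#1 holds a placeholder flag) plus the "Test" letter our user just wrote (#3).
LETTERS = {
    1: Letter(1, "cupid", "For your eyes only", "FLAG{placeholder}"),
    2: Letter(2, "romeo", "Dear Juliet", "meet me at the balcony"),
    3: Letter(3, "tester", "Test", "Test"),
}

def view_letter_insecure(current_user: str, letter_id: int) -> Optional[Letter]:
    """Vulnerable: the letter is fetched by id alone and ownership is never
    checked, so any logged-in user can walk /letter/<id> and read everyone's."""
    return LETTERS.get(letter_id)

def view_letter_secure(current_user: str, letter_id: int) -> Optional[Letter]:
    """Fixed: the lookup is scoped to the caller. A letter that exists but
    belongs to someone else is answered exactly like a missing one (None),
    so the endpoint leaks neither the letter nor the fact that the id is valid."""
    letter = LETTERS.get(letter_id)
    if letter is None or letter.owner != current_user:
        return None
    return letter

def readable_by(view: Callable[[str, int], Optional[Letter]], user: str) -> Set[int]:
    """Audit helper for a test suite: which letter ids can `user` read through
    `view`? Anything beyond the user's own letters is an IDOR finding."""
    return {i for i in LETTERS if view(user, i) is not None}

def owned_by(user: str) -> Set[int]:
    return {i for i, l in LETTERS.items() if l.owner == user}

if __name__ == "__main__":
    for name, view in (("insecure", view_letter_insecure), ("secure", view_letter_secure)):
        leaked = readable_by(view, "tester") - owned_by("tester")
        print(f"{name}: leaked ids = {sorted(leaked)}")
```

Running it prints that the insecure view leaks ids 1 and 2 to the user who only owns #3, while the secure view leaks nothing; the same `readable_by` check against a real endpoint is a cheap CI guard against this class of bug.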