This is a challenge from OWASP Security Shepherd.
If you look at the POST request, there is a parameter “userData”. We can try to brute-force the values in the parameter to see if we can access the data from admin perspective.
After trying this, we will find that this brute-force does not help much as other userData values are invalid. So we need to rethink our strategy. Let’s look at the source-code now to see if we can observe any useful information.
In this snippet code, we can see that there is a submission form that is for a normal user and an admin account. Looking carefully, we can see the URL is different.
Change the URL of the POST request to the URL found in the admin account submission form and we can see that the result key will appear.