How to Broken Access Control – Neighbour – THM – Write-Up En

Check out our new cloud service, Authentication Anywhere — log in from anywhere you would like! Users can enter their username and password, for a totally secure login process! You definitely wouldn’t be able to find any secrets that other people have in their profile, right?

Neighbour, from TryHackMe, is a very simple CTF, ideal for learning the basics of the “Broken Access Control” flaw, number 1 in the OWASP Top 10 2021.


Here, there is no need to run an enumeration step as you would for a classic CTF. Go directly to the web page on port 80.

Website access

A guest account can be used to access the website. The password is found in the page's source code (Ctrl+U).



With the guest/guest credentials, you can access this page.


The URL of the site shows that we are logged in as the guest user (user=guest).

It is probably possible to supply another username in that parameter; we still need to know one.

If we look at the source code of the page, we can see a comment concerning the admin account.

<!-- admin account could be vulnerable, need to update -->

Get the Flag !!!

Now that the account name is known, replace guest with admin in the user parameter of the URL to reach the admin profile.
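As an added illustration (not the room's real code, nor part of the original post), here is the pattern behind this flaw and its fix: a profile handler that trusts the user parameter from the URL, beside one that takes the identity from the server-side session and records refused requests. The profiles, the session dicts and the flag value are constructed placeholders.

```python
# Added example (not the room's real code): the access-control flaw behind
# Neighbour, reduced to two request handlers over constructed sample data.

PROFILES = {  # constructed sample data; the flag value is a placeholder
    "guest": {"secret": "nothing to see"},
    "admin": {"secret": "FLAG{placeholder}"},
}
AUDIT_LOG = []  # where denied requests are recorded for the defender


class Forbidden(Exception):
    """Raised when a request asks for a profile it is not allowed to read."""


def profile_vulnerable(session, query):
    """Broken access control: the handler trusts ?user=... from the URL.
    Any logged-in user can read any profile by editing that parameter."""
    if "user" not in session:
        raise Forbidden("not logged in")
    return PROFILES[query.get("user")]


def profile_secure(session, query):
    """Fixed handler: the identity comes from the server-side session.
    A mismatching ?user= parameter is refused and written to the audit log."""
    actor = session.get("user")
    if actor is None:
        raise Forbidden("not logged in")
    requested = query.get("user", actor)
    if requested != actor:
        AUDIT_LOG.append(f"denied profile read: actor={actor} requested={requested}")
        raise Forbidden("not your profile")
    return PROFILES[actor]


def read_secret(handler, session, query):
    """Run a handler; return the profile secret, or None when access is denied."""
    try:
        return handler(session, query)["secret"]
    except (Forbidden, KeyError):
        return None


if __name__ == "__main__":
    guest = {"user": "guest"}  # session established by the guest/guest login
    print(read_secret(profile_vulnerable, guest, {"user": "admin"}))  # leaks the flag
    print(read_secret(profile_secure, guest, {"user": "admin"}))      # None
    print(AUDIT_LOG)  # one denied-read entry, the signal a defender alerts on
```

The audit entry is the detection hook: repeated denied reads for a given actor with varying requested values are the signature of someone probing the user parameter.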

That’s all folks

Thank you for taking the time to visit the site and read this write-up.

I hope you enjoyed it and that it taught you some new things.

Feel free to leave a comment or share this article.