Unprotected admin functionality

https://portswigger.net/web-security/access-control/lab-unprotected-admin-functionality

We can go to the /robots.txt file to check if any pages are disallowed for web crawlers.

As we can see, the /administrator-panel page is disallowed. robots.txt only gives instructions to crawlers and does not restrict access, so let's visit the page through the browser.

We can now delete the carlos user.

We have solved the lab.
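The flaw behind this lab, as an added example that is not part of the original walkthrough or the lab's own code: a handler that relies on robots.txt to hide the panel beside one that enforces a server-side role check, plus a small audit that flags Disallow entries advertising sensitive paths. The Session type, the role names and the status-code routing are assumptions; only /administrator-panel comes from the page.

```python
# Added example: constructed handlers, not the lab's real server code.
from dataclasses import dataclass
from typing import List, Optional

ADMIN_PATH = "/administrator-panel"  # path listed in the lab's robots.txt


@dataclass
class Session:
    username: str
    role: str  # assumed roles: "user" or "admin"


def _is_admin_path(path: str) -> bool:
    return path == ADMIN_PATH or path.startswith(ADMIN_PATH + "/")


def vulnerable_route(path: str, session: Optional[Session]) -> int:
    """Mirrors the lab: the panel is only 'hidden' by robots.txt."""
    if _is_admin_path(path):
        return 200  # served to anyone who requests the URL
    return 200 if path == "/" else 404


def hardened_route(path: str, session: Optional[Session]) -> int:
    """Checks identity and role on every request under the admin path."""
    if _is_admin_path(path):
        if session is None:
            return 401  # not authenticated
        if session.role != "admin":
            return 403  # authenticated, but not authorized
        return 200
    return 200 if path == "/" else 404


def robots_disclosures(robots_txt: str, sensitive=("admin",)) -> List[str]:
    """Return Disallow entries whose path contains a sensitive keyword."""
    hits = []
    for line in robots_txt.splitlines():
        field, _, value = line.split("#", 1)[0].partition(":")
        path = value.strip()
        if field.strip().lower() == "disallow" and any(
            word in path.lower() for word in sensitive
        ):
            hits.append(path)
    return hits


# Constructed sample matching what the walkthrough describes.
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /administrator-panel\n"
```

Running robots_disclosures over your own site's robots.txt shows which protected areas it advertises; each of those paths needs the hardened_route style of check regardless of whether the entry stays in the file.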
