We logged in as administrator. In the admin panel, we could select any user and upgrade them to Administrator or downgrade them to Standard.

Clicking the upgrade button gives us the request and response below:

Clicking the Yes button gives us the request below and upgrades the user.

We replayed the initial upgrade request with the session cookie of wiener (a low-privileged user) after logging in as that user, but got an Unauthorized response:

We captured the second (confirmation) request, originally sent as administrator, and edited it by replacing the username with wiener and using wiener's session cookie. This upgraded the user wiener to Administrator and solved the lab, since we had promoted ourselves: the second request lacked access control measures.
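
The flaw described above, modelled on the server side next to a corrected confirmation step. This is an added example, not the lab's code: the handler names, session tokens and user table are hypothetical, and it assumes the flawed step only requires a valid session.

```python
# Added illustration: hypothetical handlers modelling a two-step role change.
# All names, tokens and the user table are constructed, not taken from the lab.

USERS = {"administrator": "admin", "wiener": "standard", "carlos": "standard"}
SESSIONS = {"tok-admin": "administrator", "tok-wiener": "wiener"}
ROLE_FOR_ACTION = {"upgrade": "admin", "downgrade": "standard"}

def caller_role(users, session):
    """Resolve the session token to the caller's current role (None if invalid)."""
    return users.get(SESSIONS.get(session))

def request_change(users, session, username, action):
    """Step 1: render the confirmation prompt. The role check lives here."""
    if caller_role(users, session) != "admin":
        return 401, "Unauthorized"
    return 200, f"Confirm {action} of {username}?"

def confirm_change_vulnerable(users, session, username, action):
    """Step 2, flawed: trusts that step 1 already vetted the caller.
    Assumption: it only requires a valid session, not an admin role."""
    if session not in SESSIONS:
        return 401, "Unauthorized"
    users[username] = ROLE_FOR_ACTION[action]
    return 200, "Role changed"

def confirm_change_hardened(users, session, username, action):
    """Step 2, fixed: repeats the authorization check and validates input."""
    if caller_role(users, session) != "admin":
        return 401, "Unauthorized"
    if username not in users or action not in ROLE_FOR_ACTION:
        return 400, "Bad request"
    users[username] = ROLE_FOR_ACTION[action]
    return 200, "Role changed"

def demo():
    """Send the same low-privileged requests to both versions of step 2."""
    weak, fixed = dict(USERS), dict(USERS)
    step1 = request_change(weak, "tok-wiener", "wiener", "upgrade")[0]
    bad = confirm_change_vulnerable(weak, "tok-wiener", "wiener", "upgrade")[0]
    good = confirm_change_hardened(fixed, "tok-wiener", "wiener", "upgrade")[0]
    return step1, bad, weak["wiener"], good, fixed["wiener"]

if __name__ == "__main__":
    print(demo())
```

Every request that changes state has to carry its own authorization check; the order in which the UI presents the steps is not something the server can rely on.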