We visited the /my-account directory and set the id parameter in the url to administrator and was able to get admin access to the page :
We tried to change the password of the administrator and login but failed. So we used the source code to see the hidden password and was able to grab the password :
We were able to login as administrator using that password and access the Admin panel and delete the carlos user, thus solving the lab :
