
We logged in using the credentials given to us and were able to see a cookie named session :

We were able to decode the cookie using jwt.io :

We were not able to access the /admin :

We opened the request in Repeater → JSON Web Token Extension and were able to edit the request easily :

We changed the sub to ‘administrator’ and were able to access the admin panel :

We sent the user deletion request with the modified token and solved the lab :
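The bypass works because the server reads the claims out of the token without checking the signature. As an added example (not part of the writeup or the lab), the block below builds a minimal HS256 JWT with a constructed secret (the lab does not state the algorithm; HS256 is assumed), rewrites the sub claim the way the extension did, and shows that a decode-only check accepts the forged token while a verifying check rejects it.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example; it stands in for the server's real signing key.
SECRET = b"example-signing-key"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict) -> str:
    """Issue a signed token (assumed HS256; header and claims are constructed)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """The flawed server check: trusts the claims and never looks at the signature."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def decode_verified(token: str) -> Optional[dict]:
    """The fixed check: recompute the HMAC and compare in constant time before trusting claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None  # signature does not match the (possibly edited) payload
    return json.loads(b64url_decode(payload))


def tamper_sub(token: str, new_sub: str) -> str:
    """Rewrite the sub claim without re-signing, as done in Repeater above."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["sub"] = new_sub
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.{sig}"
```

Any verifying library call (for example PyJWT's `jwt.decode` with the key and an explicit `algorithms` list) behaves like `decode_verified`; the lab's server behaves like `decode_unverified`.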
