# Unprotected admin functionality

#### [Unprotected functionality](https://portswigger.net/web-security/learning-paths/server-side-vulnerabilities-apprentice/access-control-apprentice/access-control/unprotected-functionality)

## Description

This lab has an unprotected admin panel.

Solve the lab by deleting the user `carlos`.

## Solution

<figure><img src="/files/tGp8D7dAIA6AQGJCMwiN" alt=""><figcaption></figcaption></figure>

The idea is access to the admin panel, trying some path there're not results, then we can try to see the robots.txt file: <https://0acf00c003d580aedfc3cb23003400e9.web-security-academy.net/robots.txt>

<figure><img src="/files/YRgk2NijT8o6mUbLEq9H" alt=""><figcaption></figcaption></figure>

here was inserted the admin panel page to disallow it on google searches.

Then go there: <https://0acf00c003d580aedfc3cb23003400e9.web-security-academy.net/administrator-panel>

<figure><img src="/files/vCZeN9CTG4wFkZZEIWR6" alt=""><figcaption></figcaption></figure>

and eliminate user Carlos clicking to Delete

<figure><img src="/files/gqImGmoa1uB1vbbknWHJ" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://dev-angelist.gitbook.io/writeups-and-walkthroughs/portswigger-web-security-academy/server-side-vulnerabilities/access-control/unprotected-admin-functionality.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.