Unprotected admin functionality with unpredictable URL
Description
This lab has an unprotected admin panel. It’s located at an unpredictable location, but the location is disclosed somewhere in the application.
Reproduction and proof of concept
Review the lab home page’s source using Burp Suite or your web browser’s developer tools.
It contains some JavaScript that discloses the URL of the admin panel.
<script>
    var isAdmin = false;
    if (isAdmin) {
        var topLinksTag = document.getElementsByClassName("top-links")[0];
        var adminPanelTag = document.createElement('a');
        adminPanelTag.setAttribute('href', '/admin-srvink');
        adminPanelTag.innerText = 'Admin panel';
        topLinksTag.append(adminPanelTag);
        var pTag = document.createElement('p');
        pTag.innerText = '|';
        topLinksTag.appendChild(pTag);
    }
</script>
Load the admin panel and delete carlos.
Exploitability
An attacker only needs to access the admin panel and use it to delete the user carlos; no authentication is required.
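The root cause is that the only gate on the admin panel is a client-side flag (isAdmin) plus an obscure path. The following is an added example, not code from the lab or from PortSwigger, contrasting the lab's behaviour with a server-side authorization check; the session store, session ids, usernames and the Request class are constructed for illustration.

```python
# Added example (not part of the lab): server-side access control for the admin
# path, independent of whether the path itself is secret. The session store,
# session ids and usernames below are constructed placeholders.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ADMIN_PREFIX = "/admin-srvink"  # path disclosed by the lab's JavaScript

# Constructed session store: session cookie value -> user record
SESSIONS: Dict[str, dict] = {
    "s-user": {"user": "user1", "role": "user"},
    "s-admin": {"user": "administrator", "role": "administrator"},
}

@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)

def current_user(req: Request) -> Optional[dict]:
    """Resolve the session on the server; never trust a client-side isAdmin flag."""
    return SESSIONS.get(req.cookies.get("session", ""))

def vulnerable_handle(req: Request) -> int:
    """Lab behaviour: any request to the admin path is served (HTTP 200)."""
    return 200 if req.path.startswith(ADMIN_PREFIX) else 404

def hardened_handle(req: Request) -> int:
    """Per-request authorization: no session -> 401, wrong role -> 403, admin -> 200."""
    if not req.path.startswith(ADMIN_PREFIX):
        return 404
    user = current_user(req)
    if user is None:
        return 401
    if user["role"] != "administrator":
        return 403
    return 200

def render_top_links(req: Request) -> List[str]:
    """Build navigation server-side so the admin path never ships to non-admins."""
    links = ["/", "/my-account"]
    user = current_user(req)
    if user is not None and user["role"] == "administrator":
        links.append(ADMIN_PREFIX)
    return links
```

Note that hardened_handle is applied to every request under the admin prefix, including the user-deletion action, so discovering the path no longer grants access.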