Overview
In March 2025, I discovered that lab solution PDFs on INE’s SkillDive platform (formerly PenTester Academy) could be accessed without authentication, simply by modifying a number in the URL. These appeared to be detailed walkthroughs for INE’s Cyber Security SkillDive labs.
I disclosed the issue to INE in good faith. After reviewing, they responded that the documents were intentionally public, describing them as legacy material from a pre-acquisition period. That makes sense, as all newer labs have the solutions on the web page, not as a PDF.
If that’s the case, then there’s no issue: anyone is apparently welcome to download the full set of lab solutions.
Vulnerability Summary
- Issue Type: Insecure Direct Object Reference (IDOR)
- URL Format: https://assets.ine.com/labs/ad-manuals/walkthrough-<ID>.pdf
- Authentication Required: ❌ No
- Range Identified: walkthrough-1.pdf to walkthrough-2420.pdf
- Observed Content: SkillDive lab walkthroughs
Reproduction Steps
- Visit: https://assets.ine.com/labs/ad-manuals/walkthrough-1151.pdf
- Increment or decrement the ID in the URL:
  - walkthrough-1152.pdf
  - walkthrough-1153.pdf
  - … and so on
- Files are served without any login or authorization checks.
INE’s Response
“The report has been looked at by our infrastructure team and it was concluded that the files that are fed from that URL were put there to be publicly available.”
“I have also reviewed a couple of the PDFs and it does appear to be walkthroughs for legacy practice labs from Pentester Academy before the INE acquisition.”
Given that, it seems these solutions are available for anyone to download, no subscription required.
Reflections
While you don’t get access to the labs, the materials still appear valuable, especially for learning new things. Whether it was intentional or a legacy oversight, it’s a good reminder for security teams to review public asset exposure, particularly when dealing with acquisitions and inherited infrastructure.
Either way, if it’s not considered an issue, enjoy the walkthroughs.
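For the review of public asset exposure mentioned above, one defender-side check is to look for sequential ID walking in the asset host's access logs. The following is an added example, not code from the original post or from INE; the log format, sample lines, thresholds and function names are assumptions, and only the URL path pattern comes from the post.

```python
import re
from collections import defaultdict

# Path pattern from the URL format in the post; common log format is assumed.
WALKTHROUGH = re.compile(
    r'"GET /labs/ad-manuals/walkthrough-(\d+)\.pdf[^"]*" (\d{3})')

def _line(ip, doc_id, status=200):
    """Build one constructed access-log line (not real traffic)."""
    return (f'{ip} - - [01/Jan/2025:10:00:00 +0000] '
            f'"GET /labs/ad-manuals/walkthrough-{doc_id}.pdf HTTP/1.1" {status} 1024')

# Constructed sample log: one sequential walker, two ordinary-looking clients.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.7", i) for i in range(1151, 1157)]        # IDs 1151..1156
    + [_line("198.51.100.7", 1157, 404)]                         # miss, ignored
    + [_line("203.0.113.20", i) for i in (12, 870, 1151)]        # few documents
    + [_line("192.0.2.44", i) for i in (3, 40, 41, 900, 2000)]   # many, scattered
)

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best = run = 0
    prev = None
    for i in sorted(set(ids)):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best

def find_enumerators(log_text, min_distinct=5, min_run=4):
    """Map client IP -> (distinct IDs served, longest consecutive run) for
    clients whose successful requests look like ID walking.
    Thresholds are illustrative assumptions; tune them on real traffic."""
    served = defaultdict(list)
    for line in log_text.splitlines():
        m = WALKTHROUGH.search(line)
        if m and m.group(2) == "200":        # count only documents actually served
            served[line.split(" ", 1)[0]].append(int(m.group(1)))
    flagged = {}
    for ip, ids in served.items():
        distinct, run = len(set(ids)), longest_run(ids)
        if distinct >= min_distinct and run >= min_run:
            flagged[ip] = (distinct, run)
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Requiring both a minimum number of distinct documents and a minimum consecutive run keeps a reader who opens several unrelated walkthroughs from being flagged alongside a client stepping through the ID space.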
Automated POC
I wrote a simple POC, which you can grab from my GitHub. It iterates through and grabs all the solutions:
https://github.com/jsonsec/INE-Skilldive/blob/main/GetSkillDiveSolutions.py
Disclosure Timeline
| Date | Action |
|---|---|
| 20 Mar 2025 | Initial responsible disclosure sent to INE |
| 8 Apr 2025 | Follow-up email sent |
| 8 Apr 2025 | INE response: “Legacy writeups – not an issue” |
| 26 June 2025 | Public Disclosure |
