To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos.

Solution: This is a very simple lab, since the description already tells you that you need to find the IP of the admin interface on port 8080.

Step 1: Set up the proxy in Burp Suite. Click any product's View details button; when the product is displayed, click the Check stock button. Make sure Burp Suite interception is on so the request is intercepted.

Step 2: Send the request to Intruder and change the stock API URL to 192.168.0.$$:8080/admin. For the payload type select Brute forcer, set the character set to 0 to 9, the min length to 1 and the max length to 3. Start the attack and sort the responses by status code; you'll find a response with status code 200.

Step 3: Copy the IP and send it in the stockApi parameter; you'll see an admin interface. Click the delete Carlos button, note the API endpoint it calls, and append it to the end of your stockApi value. Do these steps in the Repeater tab. The user Carlos will be deleted; refresh the lab and it will be solved.

Step 4: Click Follow redirection and the user Carlos will be deleted.
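
Seen from the defender's side, the scan in Step 2 shows up as one client submitting many stockApi values that point at different internal addresses. The following is an added example, not part of the original write-up: it assumes the application logs each client address together with the submitted stockApi value, and the function names, client addresses and hostname are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import unquote, urlsplit


def target_ip(stock_api):
    """Return the IP literal a stockApi value points at, or None for hostnames."""
    value = unquote(stock_api).strip()
    if "://" not in value:
        value = "//" + value  # schemeless input: let urlsplit still find the host
    try:
        host = urlsplit(value).hostname
        return ipaddress.ip_address(host) if host else None
    except ValueError:  # hostname, or a malformed address
        return None


def find_internal_sweeps(records, min_hosts=5):
    """records: iterable of (client, stockApi value) pairs.

    Returns {client: [internal IPs as strings]} for every client whose requests
    targeted at least min_hosts distinct non-public addresses.
    """
    seen = defaultdict(set)
    for client, stock_api in records:
        ip = target_ip(stock_api)
        if ip is not None and not ip.is_global:  # RFC 1918, loopback, link-local
            seen[client].add(ip)
    return {
        client: [str(ip) for ip in sorted(ips, key=lambda i: (i.version, int(i)))]
        for client, ips in seen.items()
        if len(ips) >= min_hosts
    }


# Constructed log records (not real traffic): one client walking the
# 192.168.0.X range, one client making a normal stock check plus one oddity.
SAMPLE = (
    [("203.0.113.10", f"http://192.168.0.{n}:8080/admin") for n in range(1, 21)]
    + [
        ("203.0.113.10", "http%3A%2F%2F192.168.0.7%3A8080%2Fadmin"),
        ("203.0.113.22", "http://stock.shop.example:8080/product/stock/check?productId=1"),
        ("203.0.113.22", "192.168.0.1:8080/admin"),
    ]
)

if __name__ == "__main__":
    for client, hosts in find_internal_sweeps(SAMPLE).items():
        print(f"{client} probed {len(hosts)} internal hosts via stockApi")
```

A single internal target, as from the second client, stays below the sweep threshold here but is still worth its own alert, since a legitimate stock check never needs an internal IP literal.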