Lab: User IDs controlled by Request Parameters, with unpredictable User IDs
Once again I am provided the same credentials for accessing a user account and I have to get the API key for user 'carlos' by horizontal privilege escalation.
I visit the webpage to look around:
I log in with the provided credentials, and it shows me the API key belonging to the current user. The intercepted response isn't helpful, as the website is using a 'globally unique identifier', or 'GUID' for short, to identify its users instead of a sequencing system, which makes my job a bit trickier.
This is a website with blogs, meaning the blogs posted by users would have a reference to them. So, I go back to the homepage and open the first blog, to find the author is the user I'm looking for:
So I turn on the proxy and refresh the page to capture the request, where I find the GUID of carlos:
I copy the GUID and, with my proxy on, I go to 'My Account' and in the request I replace the GUID of 'wiener' with that of 'carlos':
This led me to the account page for 'carlos', where I find the API key I need:
I submit the API key to successfully complete the LAB.
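The root cause, shown as an added example that is not code from the lab or from this post: the account handler trusts the user ID in the request, and a GUID is only an identifier, not a secret, once it appears on public pages. The data store, session tokens, and function names below are hypothetical, and the GUIDs and keys are constructed sample values.

```python
import uuid

# Constructed sample data: accounts keyed by random GUIDs (not values from the lab).
USERS = {}

def _add_user(name, api_key):
    guid = str(uuid.uuid4())
    USERS[guid] = {"username": name, "api_key": api_key}
    return guid

WIENER_ID = _add_user("wiener", "constructed-key-wiener")
CARLOS_ID = _add_user("carlos", "constructed-key-carlos")

# Hypothetical session store: session token -> GUID of the logged-in user.
SESSIONS = {"sess-wiener": WIENER_ID}

def account_page_vulnerable(session_token, requested_id):
    """Flawed handler: checks only that a session exists, then trusts the id parameter."""
    if session_token not in SESSIONS:
        return 401, None
    user = USERS.get(requested_id)
    if user is None:
        return 404, None
    # Any logged-in user who knows another user's GUID gets that user's data.
    return 200, user["api_key"]

def account_page_hardened(session_token, requested_id):
    """Fixed handler: the id in the request must match the session's own user."""
    session_user = SESSIONS.get(session_token)
    if session_user is None:
        return 401, None
    if requested_id != session_user:
        # Unguessable IDs do not replace this ownership check.
        return 403, None
    return 200, USERS[session_user]["api_key"]

if __name__ == "__main__":
    # wiener's session asking for carlos's account, as in the lab
    print("vulnerable:", account_page_vulnerable("sess-wiener", CARLOS_ID))
    print("hardened:  ", account_page_hardened("sess-wiener", CARLOS_ID))
    print("own page:  ", account_page_hardened("sess-wiener", WIENER_ID))
```
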