Okay, this challenge was really hard for me, I spent hours of my time doing this POST and GET requests in burp, the challenge was so confusing and it wasn’t about finding which request or using admin and password credentials to get to the /dashboard page with as the admin.
Look what you need to look for is only the cookie, before sending your request to the /dashboard.php just look for the cookie, and in burp suite, it even shows the decoded strings of the cookie, then you need to change the cookie to sth else, of course, decoded version of the cookie, which is guest_XXXX. So just change guest_XXXX to something else, this is sth you need to find, if I tell you this my hint will be deleted.
Don’t overcomplicate this, with /JSON or trying everything with command-line utility “curl”, lol
It took me so much to learn this and try all in the command line, and search for the missing part. The question is too confusing and if you just read the question carefully, you will find the answer in a second.
Thank you all, peace