I have become admin, manipulator of users
Process:
It was a page with a Username field (prefilled) and a Password field.
Enter any password and submit. The page then shows a button to reset the password, and the form also contains a hidden username field.
Click the Request Reset button and the browser sends a request to the server with your username in the POST data. The response contains the new password as a hidden input field.
Put a username in on one side, get a password out on the other.
Solution:
Intercept this request and change the username to admin. The response will contain admin's new password.
Now submit the login form again with username admin and the password you got from the response.
And we got the flag!
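The flaw here is that the reset endpoint trusts a client-supplied username and hands the new credential straight back in the HTTP response. As an added illustration (not the challenge's own code; the in-memory user store and the outbox standing in for e-mail delivery are constructed), here is a handler that mirrors that behaviour beside a hardened one that issues a single-use token out of band and never returns a password:

```python
import secrets
import hmac

# Constructed in-memory user store; the challenge's real backend is not known.
USERS = {"user": {"password": "user-pass"}, "admin": {"password": "admin-pass"}}


def vulnerable_reset(form):
    """Trusts the hidden 'username' field and echoes the new password back,
    which is exactly what lets an intercepted request reset any account."""
    new_password = secrets.token_urlsafe(12)
    USERS[form["username"]]["password"] = new_password
    return {"status": 200,
            "body": f'<input type="hidden" name="password" value="{new_password}">'}


class HardenedReset:
    """Reset token is delivered out of band (here: appended to an outbox list),
    is single-use, and the HTTP response neither carries a credential nor
    reveals whether the account exists."""

    def __init__(self, outbox):
        self.outbox = outbox   # stands in for e-mail delivery (assumption)
        self.tokens = {}       # token -> username, consumed on first use

    def request_reset(self, form):
        username = form.get("username", "")
        if username in USERS:
            token = secrets.token_urlsafe(32)
            self.tokens[token] = username
            self.outbox.append((username, token))   # never placed in the response
        # Same answer whether or not the account exists.
        return {"status": 200, "body": "If the account exists, a reset link was sent."}

    def complete_reset(self, form):
        supplied = form.get("token", "")
        # Constant-time comparison so token lookup does not leak timing.
        username = next((u for t, u in self.tokens.items()
                         if hmac.compare_digest(t, supplied)), None)
        if username is None:
            return {"status": 403, "body": "invalid or expired token"}
        del self.tokens[supplied]   # single use
        USERS[username]["password"] = form["new_password"]
        return {"status": 200, "body": "password updated"}
```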