In this exercise, the attacker has admin access already so there is nothing more to be done. However, looks like the admin access does lead to a cross site request forgery attack attack. So you can try to find this cross site request forgery attack as purely academic exercise.

The solution for this lab can be found in the following manual: https://assets.ine.com/labs/ad-manuals/walkthrough-291.pdf