Web Attacks - Skills Assessment

Hey there. Has anyone else run into this? I’m trying to exploit the IDOR to change the administrator password. When I submit the request to /reset.php I get access denied. When I change the verb I get missing parameters. I’m including headers Content-Type:application/x-www-form-urlencoded and PHPSESSID:SESS_ID. I’m also including parameters uid, token, password, username, full_name, and company. What other parameters could I be missing?

Also: (Not sure if this is how it’s supposed to be, but the button on the page itself is broken so it doesn’t send any requests from the browser. I’m having to recreate everything using curl using the info from settings.php.)

Oh my goodness. I had been working on this for hours and it was because the box was broken, lol. After refreshing the target about 10 times the button started to work so I could work through Burp instead of curl again. Gonna leave the post here though in case anyone else is facing the same.

I’m getting the same “Access Denied”. Please can you help?

Never mind. I changed the HTTP method and it worked.