Web Attacks

A JS function takes a uid parameter from the POST body.
What you did was simply incrementing that integer, manually.
The script provided by @emdeh is doing just that.

There is no hash…

I also confirm that curl -O $url/$link took me out of my misery. For some mysterious reason the .TXT flag was empty when using wget.

Also, the phrasing is wrong. The question implies that the PDF document contains a TXT file, or a flag perhaps.

Repeat what you learned in this section to get a list of documents of the first 20 user uid’s in /documents.php, one of which should have a ‘.txt’ file with the flag.

[…] a list of documents […] one of which should have a .TXT file […]

A document does not HAVE a .TXT file…

A document is of .TXT file format.
A document is a .TXT file.

While I was stuck fixing my script the phrasing of that question weirded me out. If you are pernickety like me, don’t look no more. You are looking for a TXT file, not a PDF document.

Thanks for that, I could not get it right!

My issue is I expect the question to be what’s covered in the section. At no point did they mention anything about how to do it through POST requests. Yeah think out of the box and all that but for someone that’s a beginner it’s very difficult to think outside of the box until you understand how to think inside of the box first. And while it only took me 5 minutes to find this flag it’s still bad teaching practice to structure a lesson like this.


is there anyone who knows i can do business with so we can make some income together

nice… then just added

--include="*.txt"

hi guys

after long time for way the code not work
wget -q $url/$link

  • curl -O and wget -q handle URLs differently. wget may fail if the URL is improperly formatted or if the quiet mode hides important error messages.
  • By removing the -q flag and adding verbose output, you can get more feedback and identify where the issue lies.

yeah, you are absolutely right… had the same experience too many times. Yet, one convinces himself of “I am just about to finish this”…

For anyone who is also stuck and is sick of trying to fix the errors the script throws at you:
Burp Intruder → fuzz where the “id” should be found (make sure you check what method the web app uses to transmit the uid) → check which response has largest size, open manually via browser → open flag → gg

For my fellow ethical hackers here, you might correct or adjust my approach if anything is unnecessary, I am just a noob myself who got the flag.
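
Added example, not part of any post in this thread: the uid walk discussed above (one session incrementing the uid it POSTs to /documents.php) leaves a recognisable pattern in server logs, and this sketch shows how a defender could flag it. The log format, session names and threshold are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed application-log format (an assumption, not from the thread):
# <timestamp> session=<id> auth_uid=<logged-in uid> POST /documents.php uid=<requested uid> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) auth_uid=(?P<auth>\d+) "
    r"POST /documents\.php uid=(?P<uid>\d+) (?P<status>\d{3})$"
)

def find_uid_enumeration(lines, min_foreign_uids=5):
    """Return {session: sorted foreign uids} for sessions that successfully
    read documents of at least `min_foreign_uids` uids other than their own."""
    foreign = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        if m["status"] != "200":
            continue  # a denied request means the access check held
        if int(m["uid"]) != int(m["auth"]):
            foreign[m["session"]].add(int(m["uid"]))
    return {s: sorted(u) for s, u in foreign.items() if len(u) >= min_foreign_uids}

def longest_sequential_run(uids):
    """Length of the longest run of consecutive integers in a sorted list."""
    best = run = 1 if uids else 0
    for prev, cur in zip(uids, uids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

# Constructed sample: session "a1" walks uid 1..20, session "b2" reads only its own uid.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d}Z session=a1 auth_uid=1 POST /documents.php uid={i} 200"
    for i in range(1, 21)
] + [
    "2024-05-01T10:01:00Z session=b2 auth_uid=7 POST /documents.php uid=7 200",
    "2024-05-01T10:01:05Z session=b2 auth_uid=7 POST /documents.php uid=8 403",
    "garbage line",
]

if __name__ == "__main__":
    for session, uids in find_uid_enumeration(SAMPLE_LOG).items():
        print(session, "read", len(uids), "foreign uids; longest run",
              longest_sequential_run(uids))
```

The alert only fires on successful reads of other users' documents, so the underlying fix remains a server-side check that the requested uid matches the authenticated session.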