A JS function takes a uid parameter from the POST body.
What you did was simply incrementing that integer, manually.
The script provided by @emdeh is doing just that.
There is no hash…
I also confirm that curl -O $url/$link took me out of my misery. For some mysterious reason the .TXT flag was empty when using wget.
Also, the phrasing is wrong. The question implies that the PDF document contains a TXT file, or a flag perhaps.
Repeat what you learned in this section to get a list of documents of the first 20 user uid’s in /documents.php, one of which should have a ‘.txt’ file with the flag.
[…] a list of documents […] one of which should have a .TXT file […]
A document does not HAVE a .TXT file…
A document is of .TXT file format.
A document is a .TXT file.
While I was stuck fixing my script the phrasing of that question weirded me out. If you are pernickety like me, don’t look no more. You are looking for a TXT file, not a PDF document.
My issue is I expect the question to be what’s covered in the section. At no point did they mention anything about how to do it through POST requests. Yeah, think out of the box and all that, but for someone that’s a beginner it’s very difficult to think outside of the box until you understand how to think inside of the box first. And while it only took me 5 minutes to find this flag, it’s still bad teaching practice to structure a lesson like this.
For anyone who is also stuck and is sick of trying to fix the errors the script throws at you:
Burp Intruder → fuzz where the “id” should be found (make sure you check what method the web app uses to transmit the uid) → check which response has the largest size, open manually via browser → open flag → gg
For my fellow ethical hackers here, you might correct or adjust my approach if anything is unnecessary; I am just a noob myself who got the flag.