Uploading Files


Web Basics.

Sending content to servers



Challenges

Upload Form

🎯 What You'll Learn

  • Multipart form uploads
  • How HTML file forms work
  • Using the curl -F option

📖 The Concept

When you upload a file through a web form, the browser sends it using multipart/form-data encoding.

HTML File Upload Form

<form action="/upload" method="POST" enctype="multipart/form-data">
    <input type="file" name="document">
    <button type="submit">Upload</button>
</form>

What Gets Sent

POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----FormBoundary

------FormBoundary
Content-Disposition: form-data; name="document"; filename="file.txt"
Content-Type: text/plain

(file contents here)
------FormBoundary--

curl -F (Form Upload)

# Upload a file
curl -F "document=@file.txt" http://example.com/upload

# Upload with custom filename
curl -F "document=@file.txt;filename=custom.txt" http://example.com/upload

# Multiple fields
curl -F "document=@file.txt" -F "name=John" http://example.com/upload

The @ Symbol

  • @file.txt - Upload file contents
  • file.txt - Send literal string "file.txt"
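
What the receiving side sees for the requests above, as an added example (not part of the original lesson): it parses a constructed multipart body with Python's standard email parser and shows that the filename is whatever the client sent. The sample body, the docs/ directory prefix and the parse_multipart and safe_filename helpers are assumptions made for illustration.

```python
import re
from email import message_from_bytes

# Constructed sample: the body from "What Gets Sent" with the CRLF line endings
# used on the wire, a client-chosen filename and a second plain text field.
BOUNDARY = "----FormBoundary"
BODY = (
    b"------FormBoundary\r\n"
    b'Content-Disposition: form-data; name="document"; filename="docs/custom.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"example contents\n\r\n"
    b"------FormBoundary\r\n"
    b'Content-Disposition: form-data; name="name"\r\n'
    b"\r\n"
    b"John\r\n"
    b"------FormBoundary--\r\n"
)


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: (filename or None, content bytes)}."""
    # The email parser understands MIME multipart, so prepend the
    # Content-Type header that HTTP carried separately from the body.
    head = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'
    msg = message_from_bytes(head.encode("ascii") + body)
    if not msg.is_multipart():
        raise ValueError("body does not match the declared boundary")
    fields = {}
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        fields[name] = (part.get_filename(), part.get_payload(decode=True))
    return fields


def safe_filename(client_name, fallback="upload.bin"):
    """Reduce a client-supplied filename to a plain name that is safe to store."""
    base = re.split(r"[\\/]", client_name or "")[-1]       # drop directory parts
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")  # no odd chars, no dotfiles
    return base or fallback


if __name__ == "__main__":
    for field, (fname, data) in parse_multipart(BODY, BOUNDARY).items():
        stored = safe_filename(fname) if fname is not None else None
        print(field, repr(fname), "->", stored, data)
```

The part's Content-Type is equally client-supplied, so a server should treat both it and the filename as untrusted input.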

🚀 Your Challenge

Create a text file with a secret password, then upload it to get the flag!

# Step 1: Create the file
echo "password123" > secret.txt

# Step 2: Upload it
curl -F "file=@secret.txt" http://challenge/upload

Good luck! 🍀

Connect with SSH

Link your SSH key, then connect with: ssh hacker@dojo.idg.ctf

Upload Raw

🎯 What You'll Learn

  • PUT method for file uploads
  • Sending raw file content
  • Direct file transfer to servers

📖 The Concept

Besides form uploads, you can send files directly using PUT or POST with a raw body.

PUT vs POST for Uploads

  • POST: "Here's some data, process it" (forms, API calls)
  • PUT: "Store this exactly at this location" (direct file upload)

Raw Upload with curl

# PUT with file content
curl -X PUT --data-binary @file.txt http://example.com/files/file.txt

# PUT from stdin
echo "content" | curl -X PUT -d @- http://example.com/files/file.txt

# POST raw body
curl -X POST -H "Content-Type: text/plain" --data-binary @file.txt http://example.com/upload

--data-binary vs -d

-d @file.txt             # Strips carriage returns and newlines
--data-binary @file.txt  # Preserves exact content

Common Raw Upload Scenarios

  • WebDAV file servers
  • Cloud storage APIs (S3, etc.)
  • REST APIs that accept file bodies

🚀 Your Challenge

Upload a file using PUT to the correct path. The server expects the file at /files/flag.txt.

# Create a file
echo "upload-me" > myfile.txt

# Upload with PUT
curl -X PUT --data-binary @myfile.txt http://challenge/files/flag.txt

Good luck! 🍀

Upload Base64

🎯 What You'll Learn

  • Base64 encoding for file uploads
  • Why base64 is used in APIs
  • Encoding files for JSON payloads

📖 The Concept

Some APIs require files as base64-encoded strings, especially in JSON payloads.

Why Base64?

  • JSON doesn't support raw binary data
  • Safe for text-based protocols
  • Can embed files in JSON/XML

How Base64 Works

Original:   Hello
Binary:     01001000 01100101 01101100 01101100 01101111
Base64:     SGVsbG8=

Encoding Files

# Encode a file
base64 file.txt > file.b64
cat file.txt | base64

# Decode
base64 -d file.b64 > file.txt
echo "SGVsbG8=" | base64 -d

Upload in JSON

# Encode and send in JSON
# (base64 may wrap its output; raw newlines are not valid inside a JSON string)
content=$(base64 file.txt | tr -d '\n')
curl -X POST -H "Content-Type: application/json" \
  -d "{\"file\": \"$content\"}" http://example.com/upload

Common Use Cases

  • Email attachments (MIME)
  • Data URLs: data:image/png;base64,iVBOR...
  • JSON APIs that accept file uploads

🚀 Your Challenge

Encode the word "secret-upload" in base64 and send it as JSON!

# Step 1: Encode your secret
echo -n "secret-upload" | base64

# Step 2: Send as JSON
curl -X POST -H "Content-Type: application/json" \
  -d '{"data": "YOUR_BASE64_HERE"}' http://challenge/upload

Good luck! 🍀
