I'm struggling a lot with this one.
I've tried various sql injections by hand and with different tools, checked robots.txt etc... but am not good enough to know other vectors of attack. Any other hints than just getting (or fooling) the download token?
I've tried against voting get requests, recover password and basically anywhere you can click to create requests. Just need the tiniest bit of help