Advanced SQL Injection Skills Assessment

I know this is a fairly new module but hopefully someone is able to help :slight_smile: I’m currently stuck on the first assessment question Identify and exploit the unauthenticated SQL injection.

I’ve downloaded and decompiled Pass2-1.0.3-SNAPSHOT.jar and i believe that the injection point is in an API endpoint used during the auth process. Going through the code i can see that there is a replace function that removes spaces and a number of other keywords/ special characters. I’ve managed to put together a payload which i thought would bypass this and should allow unauth login but its currently not working. I’ve done some tests in a java sandbox and its showing the bypass working //**//Or//**//1=1----//**//

Has anyone attempted this yet? would really appreciated some pointers!