HTB Academy SQLMap Essentials: Skill Assessment issues

I spent a while doing this even with the hints. Here are my tips:
First find the POST on the website:

Open dev tools F12 or burpe->open browser from burp. Click around the website. One of them will show a POST (in network for dev tools or In target->sitemap in burp).
When you find the POST, save the file in burp so you can use in sqlmap -r.

I was only using --batch --dump
But you can find tables using other commands ie --schema

Find the Technique that finds the injection
You only need to use 1 technique. (I just did it one at a time until I found an injection)

After running the sqlmap -r sqlmap logs suggests some commands, it tells you some useful commands to use
ie —no-cast

Don’t forget Risk and level
I set these both, I don’t 100% sure know if it was needed but I just set them as a high value just in case.

Find the correct tamper so the injections work correctly
You only need 1 tamper. I found this hard because I was using --parse-errors -v 3 then seeing a bunch of errors, so I tried a tamper one by one until I reduced the errors, but even with 1 tamper I was getting some errors, but it’s ok to see the odd error in the v3 log. I wasn’t sure how many I needed.
I think sqlmap actually told me the correct tamper too.

This should be enough and you will get the flag. But you can also filter results further to reduce time, ie if you know the database name and table. I had some weird issue where it said it couldn’t find any results in the tables,I’m not sure how I fixed it, I just tried again the next day but maybe --flush-session can fix it?

Tip: When you use all the commands sqlmap tells you, the correct tamper, the correct Technique with dump and batch, it should just find the flag in the log.

2 Likes

Hi Everyone, how you doing?

Got kinda a flag, but it seems wrong, from a certain_database.final_flag, but it content just does not feels right. any hint?

Thanks in advance!

Hi! I can’t find the POST query even after hints

Make sure you have either :

  • Dev tools open (F12 in browser) go to network
  • Burp suite and open browser through that

Look for POST (not GET) in your network or burp while clicking different things on the site. Normally POST will send some data so what can send data on that site?

  • Adding an item to the cart
  • Posting a message on the blog
  • Submiting a feedback form
  • Typing in a seach bar.

See which of those result in a POST.

Hope that helps.

2 Likes

Using Burpsuite first has been successful for me. It is straightforward to intercept the request and then write it to a file. The rest can then be solved with ONE

–tamper

technique and -r for the file.

Happy Hacking :slight_smile:

I found the post and the request,all is everything, I just stuck with the --tamper, none of them works, I tried one-by-one

Adjust the -v level and keep an eye on the output, sqlmap is very helpful…

[01:48:31] [WARNING] it appears that {redacted}. You are strongly advised to rerun with the --tamper=‘{redacted}

Dumping the final_flag table results in a blank output, is anyone else getting this?

Oh my goodness. I just spend probably 10 hours on this assessment just to find out that it was really easy. To list my mistake in case anyone else runs into the same thing. I thought I would use a ZAP spider to look for requests and found another post request that looked plausibly injectable. I spent so much time trying to figure it out with probably hundreds of options. Just to find out that there was a completely other post request that the spider didn’t find. However, I am now a lot more proficient at sqlmap. lol Some things I learned that were cool were that you can pre-answer prompts if you already know what’s going to be asked with --answer=“last_word_in_prompt=answer” another cool thing that saved me a lot of time was grepping output to filter for warnings (however, this can only be done if you preanwer the questions.) Lastly, don’t hack colorlib. It appears to be non-related. lol

So I finally finished this after about 10 hours. My biggest problem was I was making a very stupid mistake. I was making assumptions about the database schema based on the previous databases in this module. Don’t do that!

Finding the right payload was extremely easy; finding the injection point from start to finish was “easy” too, but at the time it became pretty frustrating.

I spent hours skimming through the network tab in dev tools AND using burp to try to find something that takes user input to the server. For those of you who were successful with this, please pm me to explain exactly where you found the right path.

smh at myself. Totally rattled my confidence. I ended up using FFUF to brute possible files, then possible parameters. I had to try with the application/x-www-form-urlencoded and json content types before I got a response that actually made sense.

PS: Quotes in json data MATTER!

I am struggling with this one. I think I am pretty close.

I was able to find the attack vector. I think I have found the correct --tamper as well, because the behavior changed with that one, and it started saying that the attack vector was injectable.

I have captured the request, and saved it to a file. I am using sqlmap -r [filename] to run the attack and have added --batch --dump --no-cast and the --tamper which I have found works

Then I get an error saying [ERROR] unable to retrieve the number of databases
Soon after I get an error saying [ERROR] unable to retrieve the database names

I have cleared everything out and verified I am not getting a false positive, and respun up the VM

-v and --level --risk have not been very fruitful at this stage. -v helped me find the right --tamper but I am not seeing much more at this point.

Does someone have any idea’s of things I might try at this point?

Nvm, I got it. I was using the wrong --tamper, -v and a lot of digging helped me find the right one.

any clue? i cant get it

Have you gotten it… inobx me if you haven’t

I was stuck as well and it took some time to decipher.
Managed to get it with the hints. Pay close attention to the posts about Burp and finding the right post. Page 4 Running SQLMap on an HTTP Request will be the foothold to get you in.
-v was my friend and indicated the correct tamper.

HAVE PATIENCE…this one will take a long time to pull the information you are looking for from the data base.

im hoping this helps my own situation i am also stuck. but i know i can do it :smile:

I just love not getting any errors indicating what should i do using verbose, and the time based sqli gave me an incorrect flag haha

I found JSON POST, I found time-base blind injection, I used two tamper scripts and I am not getting any errors (at least I think so). I am starting to gain some basic information about db, but it all take so long. Literally half a minute to two minutes for one letter. Is there something I am doing wrong? Can it be done faster? (I tried using threads, but i do not think it changes anything)

After some time somehow i did it, but I still wonder could it be done faster?(I did not see any other technique)

I did find the flag in the final_flag table.
Parts of the flag is: n07_
The partial table name is prod*
When I submit the flag the system responds with: ERROR Incorrect Answer.

There is a post from 2 years ago that says to replace the 4 (which is part of the flag) with a 1 because of “leet” error.

Does anybody have any thoughts on this?

Thanks