HTB Academy SQLMap Essentials: Skill Assessment issues

The 4 is correct, worked for me. You can PM your flag chars (randomised if you want) and I could help.

Otherwise try again, the 1337 reads right to me.

Finally got it, whooa a lot of requests to be made. Be patient, if anyone needs help, DM me.

It will seem that the protection is not present till you get stuck in errors.
Just use -v 6 to see what's going on, and see what was taught for such scenarios.
See what is being sent and received.

For anyone who is still struggling: do not tamper with the POST request you get. Save the original one and use it with the -r switch. Everything from then on should be straightforward. If it’s not, something is wrong with the request. I tampered with it and it made me absolutely crazy not being able to figure out what’s wrong and how to fix it.

Here are some tips to keep in mind:

  1. Take things one step at a time and don’t try to apply all the hints and tips at once.

  2. If you find yourself struggling to make progress, ensure that you are executing the hints in the right context and with the correct command.

  3. If you can’t seem to make any progress, start from scratch and begin with the basics.

  4. Remember that the two most important things to keep in mind are the techniques and the tamper option.


Very nicely put. Don't forget you don't need to apply everything SQLMAP suggests; you can try one thing at a time and check the results after. In short:

if SQLMAP suggests adding 2 things, just add 1 of them and check.

sqlmap -r <request_file> --tamper=<tamper> -T <table_name> --dump --batch (this is a format, not an answer)

Also, the flag you will find will throw some error; for that, just remove the b and put _ there in the flag.
Happy hacking

This one was difficult, get the post request manually, and use the ‘between’ tamper.


Tips After Finding the Flag:

  1. Identify the Website Technology:

    • After visiting the website, use a tool like Wappalyzer to identify the programming language being used.
  2. Analyze Each Page Source Code:

    • For each page, open its source code.
    • Use CTRL + F to search for files with the website’s file extension (e.g., .php).
  3. Understand the Page Actions:

    • Once you find a page of interest, read through its functionality.
    • Look for actions being performed on the page. Experiment by interacting with the page until you see a request in the network tab or in Burp Suite.
  4. Intercept and Save the Request:

    • Intercept the request that interests you and save it to a file.
  5. Use SQLMap with the Tamper Script:

    • Run the command: sqlmap -r <file> --batch --tamper=<tamper script used in the module>
      • Example tamper scripts: between, space2comment
    • You can use multiple tampers by separating them with commas: --tamper=<tamper1>,<tamper2>
  6. Wait for Results:

    • Be patient; it might take 10 to 15 minutes. During this time, look for detection of a payload being used.
  7. Determine the Payload Type:

    • Identify the type of payload (e.g., Time-based, Union-based, etc.). This can often be deduced from the behavior of the payload.
    • If unsure, you can ask ChatGPT or rely on your knowledge.
  8. Run Multiple Tabs for Faster Analysis:

    • Open at least 5 tabs in your terminal or command line.
    • Add to your command: --technique=<types> --no-cast --dbs
    • Run this command in all 5 tabs to analyze the output of the databases.
    • For the technique, rely on the payload technique being used by sqlmap.
  9. Analyze and Extract Data:

    • Review the results to identify the correct database based on its name or structure.
    • Continue by using -D <database_name> --tables for each tab to list the tables and proceed with further steps as needed.

I hope it helps you rather than being useless words.
mdso999

The solution:

  • Check the source code of the page: /shop.html

  • At the bottom, you will find a JS script which calls the file "/action.php" with the JSON payload {id:1}

  • The SQLi payload: {"id":"1, 313, 1,712,IF(1=(SELECT 1 FROM final_flag WHERE content LIKE 'HTB{N07\_50\_H4RD\_R16H7?!}'), SLEEP(2), 1 ))#"}

  • Flag: HTB{N07_50_H4RD_R16H7?!}

Guys, copy the request in JSON format (where the id parameter is) and use it for scanning with the -r request.txt flag. Also, add --tamper=between,space2comment, and everything will work.

sqlmap.py -r req.txt --batch --tamper=between,space2comment --dbs
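As an added example (not part of any post above), here is a defender-side check that undoes the space2comment and between tampers mentioned in this thread and flags the time-based, JSON-body payload shape discussed here; the request bodies, the table name some_table and the marker names are constructed for the example, and the "NOT BETWEEN 0 AND" form is what the between tamper emits for a ">" comparison.

```python
"""Flag sqlmap-style SQL injection in JSON request bodies after undoing the
space2comment ("/**/" for spaces) and between (">" -> "NOT BETWEEN 0 AND",
"=" -> "BETWEEN x AND x") tamper scripts discussed in this thread."""
import json
import re

# Markers checked after normalisation; the key is reported in the result.
MARKERS = {
    "time_based_sleep": re.compile(r"\bSLEEP\s*\(", re.I),
    "between_tamper": re.compile(
        r"\bNOT\s+BETWEEN\s+0\s+AND\b|\bBETWEEN\s+(\S+)\s+AND\s+\1\b", re.I),
    "union_select": re.compile(r"\bUNION\b.*\bSELECT\b", re.I),
    "conditional_subselect": re.compile(r"\bIF\s*\(.*\(\s*SELECT\b", re.I),
    "comment_terminator": re.compile(r"\)\s*(#|--(\s+-)?)\s*$"),
}

def normalise(value: str) -> str:
    """Undo space2comment: inline comments become spaces and whitespace runs
    collapse, so the regexes above see ordinary SQL."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip()

def scan_json_body(body: str) -> dict:
    """Return {field: [marker names]} for string-valued fields that look like
    injection. JSON numbers (a genuine id) cannot carry SQL and are skipped;
    non-JSON or non-object bodies yield {}."""
    try:
        data = json.loads(body)
    except ValueError:
        return {}
    if not isinstance(data, dict):
        return {}
    hits = {}
    for field, value in data.items():
        if isinstance(value, str):
            text = normalise(value)
            names = [n for n, rx in MARKERS.items() if rx.search(text)]
            if names:
                hits[field] = names
    return hits

# Constructed samples: a genuine call, benign prose that happens to contain
# BETWEEN/AND, and a tampered time-based payload shaped like the thread's.
SAMPLES = {
    "legit": '{"id": 1}',
    "benign_text": '{"q": "between the lines and beyond"}',
    "tampered": '{"id": "1,313,1,712,IF(1/**/NOT/**/BETWEEN/**/0/**/AND/**/'
                '(SELECT/**/1/**/FROM/**/some_table),SLEEP(2),1)#"}',
}
```

Running scan_json_body over a WAF or application log of POST bodies to /action.php-style JSON endpoints is enough to see the between-tampered, time-based requests that the thread describes as slow and noisy.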