Official Usage Discussion

I’m also stuck here, any assistance?
I have the 500 error status on request password, can’t figure out any kind of sqli

Why is this machine so slow?

Reading all the hints, it appears the initial foothold is going to be the forgot-password.

But I’ve used Burpsuite with thousands of sqli attempts.
I’ve tested with sqlmap and various risk and level parameters.
And I’ve exported a Burpsuite file for use with sqlmap, and used the sqlmap extension.

All showing that it thought it was exploitable, but no response.

I’m still just getting 500s.
Either the machine is broken and needs fixing, or I’m reallllly on the wrong path?

Too many simultaneous requests are being blocked; try changing up the thread count. sqlmap works, make sure you have current tokens too (reset if need be).

You’re on the right path. Just need to understand why you get a 500 vs a 302+200. Think in terms of truth or false or error. What does it do when you feed a known email address? When you use a non-existent address? As I pointed out in an earlier reply, you need to assist sqlmap with some options. You need to tell it how to determine a truthy condition.

The box is rate limited and if you hit the limit you’ll see 503s, not a 500. 500 is internal server error. 503 is service unavailable. I was fine with just 1 thread. In fact more than 1 thread produced invalid results.

For those who are not using sqlmap and are trying to create their own queries and scripts (OSCP style): I had a problem that took me ages to figure out. Be careful that in MySQL, it is possible to set the strings to be case insensitive. So when you compare a string, for example `select 'a'='A'`, it will return 1. This setting is called collation. In this case, to make query comparison case sensitive, you just have to transform the string to binary so it will behave as we were expecting: `select binary 'a'='A'` will return 0.
Feel free to DM me if you have any question.
Happy Hacking!

3 Likes
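The collation behaviour described in the post above, as an added example that is not part of the original thread. The table name `demo_users` and the sample row are constructed for illustration; the script assumes a MySQL or MariaDB server whose connection character set is utf8mb4 (otherwise the `COLLATE utf8mb4_bin` clauses raise a "COLLATION is not valid for CHARACTER SET" error). It shows the plain case-insensitive comparison, the `BINARY` cast from the post, and the explicit `COLLATE` clause as a third way to get a case-sensitive result, then the same effect on a column lookup.

```sql
-- Added example, not the poster's code. Assumes MySQL/MariaDB with a
-- utf8mb4 connection charset. utf8mb4_general_ci exists on both servers
-- and is case-insensitive ("_ci"); utf8mb4_bin compares bytes exactly.

-- Constructed sample table: the email column uses a case-insensitive collation,
-- which is what most default MySQL installs give you.
CREATE TABLE demo_users (
    id    INT AUTO_INCREMENT PRIMARY KEY,
    email VARCHAR(255) NOT NULL COLLATE utf8mb4_general_ci
);
INSERT INTO demo_users (email) VALUES ('alice@example.com');

-- 1. The post's first case: under a *_ci collation, 'a' and 'A' are equal.
SELECT 'a' = 'A' AS ci_equal;

-- 2. The post's fix: BINARY forces a byte-wise comparison.
SELECT BINARY 'a' = 'A' AS bin_equal;

-- 3. Same effect without the cast: an explicit collation on one operand
--    wins over the connection's default collation (COLLATE binds tighter than =).
SELECT 'a' = 'A' COLLATE utf8mb4_bin AS explicit_bin_equal;

-- 4. The same thing on a real column. With the *_ci column collation,
--    a differently-cased spelling still matches the stored row.
SELECT COUNT(*) AS ci_matches
  FROM demo_users
 WHERE email = 'ALICE@EXAMPLE.COM';

-- Wrapping the column in BINARY makes only the exact spelling match.
SELECT COUNT(*) AS bin_matches
  FROM demo_users
 WHERE BINARY email = 'ALICE@EXAMPLE.COM';

-- 5. Or fix it at the schema level: give the column a binary collation so
--    every comparison against it is case-sensitive without per-query casts.
ALTER TABLE demo_users
    MODIFY email VARCHAR(255) NOT NULL COLLATE utf8mb4_bin;

SELECT COUNT(*) AS bin_column_matches
  FROM demo_users
 WHERE email = 'ALICE@EXAMPLE.COM';

DROP TABLE demo_users;
```

As the post says, query 1 returns 1 and query 2 returns 0; query 3 and the two `BINARY`/`utf8mb4_bin` lookups behave like query 2, while the first column lookup behaves like query 1. Note that `BINARY col = ...` defeats any index on `col`, so for columns where case must matter (reset tokens, API keys, hashes) the schema-level collation in step 5 is the cleaner choice.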

Hey, thank you, amazing tip. I understood it perfectly. This SQLi Blind thing has its trick but portswigger explains it very well.

Thanks,
I’m just not getting it.
I’ve tried everything that people have said, so I’m going to assume I’m doing something majorly wrong and stop with this box.

Hi guys, for the user flag:
search how to make sqlmap work effectively (look at the f**_ps*** page and follow what you find to get a good result).

I’m not the world’s fastest typist, nor do I have lightning-quick reflexes. It’s difficult enough to get on the box along with the multitudes of users who want resets frequently, and once you do get a shell it dies almost immediately. There’s a quality issue with your system here, if you want to encourage people to learn and develop their skills, you shouldn’t make ‘easy’ boxes so discouraging to attack. Learning attack strategies is next to useless when you can’t implement them because the box is a dysfunctional heap of garbage.

2 Likes

Hello all,
Thank you all again for the help.

I have now read two full write-ups, and had multiple people message me privately.

I can confirm I was on the right path, using the right tools and commands - I even tried using SQLMap Extension in Burpsuite.

Despite the tools running fine, and not getting any 503s or 416/419 errors, I am not returning the same exploit information.

Literally copy and pasting hasn’t worked either.
I’m seeing the same thing from others on reddit also.
There’s something odd going on.

I also encounter this 500 error, if someone can help me, I will be grateful to sort out my mistakes.

Finally owned the box. The AU VPN has less traffic for anyone having difficulty with shells and/or SSH.

I managed to confirm that there is something fishy at the reset-password field. I tried to exploit the web framework L***el using sqlmap to fetch the hash. Any tip further?

Go more with sqlmap you will find something helpful

Don’t take your attack cues from the blog. This is far more simple than decrypting Laravel cookies. Think instead of what a function to register users tells you. Where do new users get stored? There have been tons of clues about which tool is primary for a foothold. Where --help is good, -hh is better; the name of the box is ‘Usage’ after all. Lastly, I found this box so initially frustrating that I’ll be willing to privately help via PMs for about a week’s time from this post.

3 Likes

Thanks.

Really fun box this one, a few tricky bits but otherwise fairly straightforward!

I learned how to use sqlmap through this BOX!

3 Likes

Only commenting to complain about the SQL injection. Very frustrating to constantly get DC’d, and I ended up spending most of my time just sitting around letting sqlmap do its thing. After that, user was very easy.

Also went down a rabbit hole with root and a different binary, but that wasn’t so bad.

1 Like