In Level 17 of OverTheWire's Natas CTF wargame, we are able to leverage the SLEEP() statement in SQL to infer a blind response for our SQL injection in order to brute force the correct password.
OverTheWire: https://overthewire.org/wargames/
Writeups: https://github.com/odacavo/overthewire/tree/main/01_natas
0:00 - Introduction
0:33 - Source Code Walkthrough
1:57 - Demonstration and Solution
4:40 - Python Solution
11:10 - Conclusion
