The interwebs? You can hack that?.
Postman is the swiss-army knife communicating with websites.
With Postman you can hand-craft every packet sent to a web server, so you can exploit to your hearts desire.
NOTE: The original Postman was a google chrome app but was deprecated and made into a standalone program.
Along with this extension was Interceptor, a google chrome app that would allow postman to use all the real requests you make to websites and allow you to edit them directly.
This takes a lot of hassle out of making the packet yourself, the only downside is the new-flashy postman doesn't support it.
FYI, I use both.
If Postman is the swiss-army knife of communicating with websites, then Burp-Suite is the swiss-army knife of intercepting web traffic.
Burp Suite does everything you've ever wanted to do to a website. It's got a proxy, web-crawler, brute-forcer, spider etc.
The most used tool for CTF challenges is it's proxy. You can get pretty far with just intercepting your own web traffic and manipulating it on the fly.
Making a Blind SQL Injection a Little Less Blind
SQL Injection challenges can be hard to initially jump into.
This guide attempts to make that first-step easier. It's also a great intro to sql-injections.