TryHackMe: Light
By Harsimran Singh
For this challenge, we'll skip the Nmap scan, as the room description already directs us to connect to port 1337. We are also given a username to start with: 'smokey'. Based on the challenge description, the service listening on port 1337 appears to be a database application named Light.
Step 1: Testing for SQL Injection
Since this is a database-related challenge, the first thing to test is the simplest SQL Injection payload: a single quote character (').
When we send a lone ' as input, an error is returned, suggesting that the application is vulnerable to SQL Injection. The error reports an unrecognized token, specifically ''' LIMIT 30, which shows that our input broke out of the string the database was processing.
Step 2: Trying a UNION SELECT Injection
Next, we attempt a UNION SELECT injection to gather more information.
However, this results in an error related to the comment syntax. It appears the application blocks certain keywords.
Switching to a # for the comment, we try:
This also results in an error. It seems the words UNION and SELECT are being blocked.
Step 3: Bypassing Keyword Restrictions
To bypass the keyword filtering, we alternate between upper- and lower-case letters in each keyword:
This changes the error slightly: now the token # is reported as not recognized.
Step 4: Closing the Statement
To fix the query, we close the string ourselves with another ', resulting in:
This successfully executes the injection, confirming that we now have a working payload.
Step 5: Exploring the Database Structure
To identify the tables in the database, we query the sqlite_master table:
This reveals the database structure, including two tables: admintable and usertable.
Step 6: Extracting Data from the Tables
First, we query for usernames and passwords in the usertable:
However, this does not provide the information we need.
Next, we query the admintable, which contains the username, password, and the flag:
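The behaviour seen in Steps 1 to 6 comes down to one pattern: a case-sensitive keyword blocklist in front of a string-concatenated SQLite query. The following is an added example, not the room's code or data; it reconstructs that pattern hypothetically (the query shape, the blocklist and the two tables are assumptions, the credentials are constructed) and puts a parameterised query beside it to show why binding the input, not filtering it, is the real fix.

```python
import sqlite3

# Constructed, in-memory stand-in for the room's database: the two tables the
# write-up found, with made-up credentials. Not the room's real data or code.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE usertable(username TEXT, password TEXT);
        CREATE TABLE admintable(username TEXT, password TEXT);
        INSERT INTO usertable VALUES ('smokey', 'constructed-user-pass');
        INSERT INTO admintable VALUES ('admin', 'constructed-admin-pass');
    """)
    return db

BLOCKED = ("UNION", "SELECT")

def is_blocked(text):
    """Hypothetical reconstruction of the service's filter: a plain substring
    check that only matches the exact upper-case spelling, so mixed case
    (Step 3) slips straight through."""
    return any(word in text for word in BLOCKED)

def lookup_vulnerable(db, username):
    """String-concatenated query behind the keyword filter (hypothetical
    reconstruction of the behaviour observed in the room, not its code).
    A lone ' yields the unterminated-string error from Step 1; a mixed-case
    UNION SELECT that re-closes the string (Step 4) is executed as SQL."""
    if is_blocked(username):
        return None
    sql = f"SELECT password FROM usertable WHERE username = '{username}' LIMIT 30"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, username):
    """Hardened form: the parameterised query binds the input as data, so no
    quote or keyword inside it can alter the statement. No blocklist needed."""
    sql = "SELECT password FROM usertable WHERE username = ? LIMIT 30"
    return [row[0] for row in db.execute(sql, (username,))]

if __name__ == "__main__":
    db = build_db()
    payload = "' UnIoN SeLeCt password FROM admintable WHERE username = 'admin"
    print("filter catches mixed case?", is_blocked(payload))   # False
    print("vulnerable lookup:", lookup_vulnerable(db, payload)) # admin password leaks
    print("safe lookup:", lookup_safe(db, payload))             # []
```

The same payload that extracts the admin row from the concatenated query returns nothing from the parameterised one, because SQLite never parses the bound value as SQL.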
Key Takeaways:
- Test for SQL Injection systematically, starting with simple payloads like a single '.
- If keywords like UNION and SELECT are blocked, bypass the filter by mixing cases (e.g., UniOn SeLeCt).
- When errors arise, use URL encoding (e.g., %23 for #) to get past restrictions.
- Query the sqlite_master table in SQLite databases to explore the database structure.
- Use group_concat to retrieve data from tables efficiently.
This approach demonstrates how to enumerate and extract sensitive information from the database to solve the challenge.