Light

Welcome to the Light database application!

LightTryHackMe

For this challenge, we will bypass conducting an Nmap scan as the room description explicitly directs us to connect to port 1337. Additionally, we are provided with a starting user. The service running on port 1337 is likely the Light database application mentioned earlier.

Given that this is a database-focused challenge, we test a simple SQL Injection payload ('). The response returns an error, indicating that the service might be vulnerable to SQL Injection. The error message specifies an unrecognized token in ''' LIMIT 30", suggesting that the single quote (') broke the string syntax, causing the application to fail.

Next, we attempt to gather more information by employing a UNION SELECT SQL injection. However, the query fails due to an issue with the comment syntax used in our payload.

' UNION SELECT 1 -- -

This suggests that the database may not be accepting standard inline comments or the payload requires adjustments to match the query structure.

Alternatively, we switch to using the # symbol for comments, which avoids the error encountered earlier. However, certain keywords like UNION and SELECT appear to be blocked by the application, likely as a security measure to prevent straightforward SQL injection attempts.

We attempt switching between capitalized and non-capitalized versions of keywords, but we still encounter errors. This suggests that the application might also be filtering or blocking the SELECT statement itself, in addition to UNION.

After modifying the SELECT statement using the same capitalization technique, we encounter a different error. This time, the error indicates that the token # is not recognized, suggesting that the comment syntax might not be supported or is being filtered.

We URL-encode #, but it doesn't work. Instead, we get a new error related to the ' character.

It’s possible the statement resembles this format, which breaks when a ' is inserted:

SELECT * FROM users WHERE username = '{input}' LIMIT 30; 

Our SQL Injection leading to:

SELECT * FROM users WHERE username = ''' LIMIT 30;

By closing the statement with an additional ', we successfully execute a UNION-based SQL injection.

' UniOn SeLeCt 1 '

Next, we query the version to determine the DBMS in use, which reveals that the database is SQLite version 3.31.1.

' UniOn SeLeCt sqlite_version() '

We can refer to this for more information:

PayloadsAllTheThings/SQLite Injection.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

Next, we query the sqlite_master table to retrieve the database structure, where we find two tables: admintable and usertable.

We query the username and password fields from the usertable, but we do not find the expected information.

' UniOn SeLeCt group_concat(username) FROM usertable '
' UniOn SeLeCt group_concat(password) FROM usertable '

Next, we query the username and password from the admintable and successfully find the username, password, and the requested flag.