TryHackMe | Light | Writeup

Mohamed Ali
3 min read · Jan 23, 2025


Welcome to the Light database application!

Find This Room: Light

If you want to get the Answer directly

Light is a simple room in which we exploit an SQL injection in a SQLite-backed application to retrieve the admin user's credentials and a flag.

Discovering the SQL Injection

As per the room instructions, after connecting to the service on port 1337, we encounter a database application.

The room also instructs us to use the username smokey to begin, and upon entering it, we retrieve the password for the user.

Since it is a database application, we try a simple SQL injection with a single quote ('). The error we get back, Error: unrecognized token: "''' LIMIT 30", confirms that our input is concatenated straight into the query and also reveals the trailing ' LIMIT 30 of the original statement.

Trying a union-based injection and commenting out the trailing ' LIMIT 30 with --, we encounter a different error stating that /*, --, and %0b are not allowed.

Rather than commenting out the trailing part, which the leftover ' keeps breaking, we can make use of the fact that SELECT 1 '' is a valid SQLite query (the empty string becomes the column alias). By ending our payload with a ' as well, ' UNION SELECT 1 ', the trailing quote is absorbed and the query becomes ... UNION SELECT 1 '' LIMIT 30. This works syntactically, but this time we hit another error about certain words not being allowed.

It seems the UNION and SELECT keywords are blocked, but the check is case-sensitive, so we can easily bypass this filter by changing the capitalization.

As we can see, with the payload ' Union Select 1 ' the union-based injection succeeds.

Identifying the DBMS

With a working union-based injection, we attempt to identify the database management system and discover that it is SQLite.

Dumping Database Structure

Now that we know the DBMS is SQLite, we can use the payload ' Union Select group_concat(sql) FROM sqlite_master ' to extract the database structure, as shown below:

Extracting Data

Since our goal is to find the credentials for the admin user, we dump the username and password fields from the admintable table with the payload ' Union Select group_concat(username || ":" || password) FROM admintable '. This gives us not only the credentials but also the flag, allowing us to complete the room.
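To show why the case-sensitive keyword filter from the room does not help and what actually closes the hole, here is an added example (not the room's code, and the schema, column names and stored values are constructed assumptions) that reproduces the string-concatenation lookup with its blocklist next to a parameterised version, and feeds both the payloads from this writeup:

```python
import sqlite3

# Constructed in-memory schema standing in for the room's database; the real
# table and column names only appear in the sqlite_master dump, so these are assumptions.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE usertable  (username TEXT, password TEXT);
        CREATE TABLE admintable (username TEXT, password TEXT);
        INSERT INTO usertable  VALUES ('smokey', 'constructed-user-password');
        INSERT INTO admintable VALUES ('constructed-admin', 'constructed-admin-password');
    """)
    return con

# Case-sensitive blocklist mirroring the room: 'UNION' is caught, 'Union' is not.
BLOCKLIST = ("UNION", "SELECT", "/*", "--", "%0b")

def lookup_vulnerable(con, username):
    """Builds the query by concatenation; returns a list of passwords or an error string."""
    if any(bad in username for bad in BLOCKLIST):
        return "Error: forbidden keyword"
    query = f"SELECT password FROM usertable WHERE username = '{username}' LIMIT 30"
    try:
        return [row[0] for row in con.execute(query)]
    except sqlite3.Error as exc:
        # Reproduces the 'unrecognized token' style error the room leaks for a lone quote.
        return f"Error: {exc}"

def lookup_hardened(con, username):
    """Same lookup with a bound parameter: input is data, never parsed as SQL."""
    rows = con.execute(
        "SELECT password FROM usertable WHERE username = ? LIMIT 30", (username,)
    )
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    for payload in ("smokey", "'", "' UNION SELECT 1 '", "' Union Select 1 '"):
        print(repr(payload), lookup_vulnerable(db, payload), lookup_hardened(db, payload))
```

The mixed-case payload slips past the blocklist and returns the injected row from the concatenated query, while the parameterised query simply finds no user with that literal name.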

Follow me: LinkedIn, Facebook, GitHub, join us on Community, THM account

https://buymeacoffee.com/mohamedali0
