Open in app

Sign in

Write

Sign in

TyrHackMe | Light | Writeup

Mohamed Ali
3 min readJan 23, 2025

Welcome to the Light database application!

Find This Room: Light

If you want to get the Answer directly

Light was a simple room where we exploited an SQL injection in a SQLite database to retrieve the credentials for the admin user and a flag.

Discovering the SQL Injection

As per the room instructions, after connecting to the service on port 1337, we encounter a database application.

The room also instructs us to use the username smokey to begin, and upon entering it, we retrieve the password for the user.

Since it is a database application, if we try a simple SQL injection with ', we see that it is successful as we get the error: Error: unrecognized token: "''' LIMIT 30".

Trying a union-based injection and commenting out the ' LIMIT 30 part with --, we encounter an interesting error stating that /*, --, or %0b are not allowed.

Instead of trying to comment out the last part due to the ' causing errors, since SELECT 1 '' is a valid query, we can turn the query into UNION SELECT 1 '' LIMIT 30 by appending ' to our payload as ' UNION SELECT 1 '. As we can see, this works, but this time we encounter an interesting error about certain words not being allowed.

It seems the UNION and SELECT keywords are not allowed, but we can easily bypass this filter by using capitalization

As we can see now, with the payload ' Union Select 1 ', we are successful with a union-based injection.

Identifying the DBMS

With the union-based injection we have, if we attempt to identify the database management system, we discover it is SQLite.

Dumping Database Structure

Now that we know the DBMS is SQLite, we can use the payload ' Union Select group_concat(sql) FROM sqlite_master ' to extract the database structure, as shown below:

Extracting Data

Since our goal is to find the credentials for the admin user, we can dump the username and password fields from the admintable using the payload ' Union Select group_concat(username || ":" || password) FROM admintable ' and this not only gives us the credentials but also the flag, allowing us to complete the room.

Follow Me : Linkedin , Facebook , Github , Join Us On Community , THM Account

https://buymeacoffee.com/mohamedali0

Mohamed Ali is I share useful tools and articles to improve Cyber security awareness

Red Teamer | CTF Player

www.buymeacoffee.com

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Tryhackme Walkthrough
Light
Sql Injection
Hacking
Database
Mohamed Ali
Mohamed Ali

Written by Mohamed Ali

50 Followers
5 Following

Security Researcher

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams